Use After Free in function find_pattern_in_path in vim/vim
Valid
Reported on
May 25th 2022
Description
Use After Free in function find_pattern_in_path at search.c:3653
vim version
git log
commit 4c3d21acaa09d929e6afe10288babe1d0af3de35 (HEAD -> master, tag: v8.2.5014, origin/master, origin/HEAD)
POC
./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poc_h16_s.dat -c :qa!
=================================================================
==2466037==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007d70 at pc 0x000000431c9f bp 0x7fffffff6f10 sp 0x7fffffff66b0
READ of size 1 at 0x602000007d70 thread T0
#0 0x431c9e in strncmp (/home/fuzz/fuzz-vim/vim/src/vim+0x431c9e)
#1 0xe8a896 in find_pattern_in_path /home/fuzz/fuzz/vim/vim/src/search.c:3653:15
#2 0xb54726 in nv_brackets /home/fuzz/fuzz/vim/vim/src/normal.c:4460:6
#3 0xb1ffe1 in normal_cmd /home/fuzz/fuzz/vim/vim/src/normal.c:930:5
#4 0x813dfe in exec_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8762:6
#5 0x813628 in exec_normal_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8725:5
#6 0x8131d9 in ex_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8643:6
#7 0x7dc2e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
#8 0x7c90a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#9 0xe57b3c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
#10 0xe54596 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
#11 0xe53ecc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
#12 0xe535ae in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
#13 0x7dc2e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
#14 0x7c90a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#15 0x7cdcf1 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
#16 0x1423d62 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
#17 0x141fefb in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
#18 0x14155f5 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
#19 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#20 0x41ea6d in _start (/home/fuzz/fuzz-vim/vim/src/vim+0x41ea6d)
0x602000007d70 is located 0 bytes inside of 2-byte region [0x602000007d70,0x602000007d72)
freed by thread T0 here:
#0 0x499a62 in free (/home/fuzz/fuzz-vim/vim/src/vim+0x499a62)
#1 0x4cbe06 in vim_free /home/fuzz/fuzz/vim/vim/src/alloc.c:621:2
#2 0xa648a5 in ml_flush_line /home/fuzz/fuzz/vim/vim/src/memline.c:4063:2
#3 0xa7a0a5 in ml_get_buf /home/fuzz/fuzz/vim/vim/src/memline.c:2651:2
#4 0xa76209 in ml_get /home/fuzz/fuzz/vim/vim/src/memline.c:2564:12
#5 0xe87ef3 in find_pattern_in_path /home/fuzz/fuzz/vim/vim/src/search.c:3412:12
#6 0xb54726 in nv_brackets /home/fuzz/fuzz/vim/vim/src/normal.c:4460:6
#7 0xb1ffe1 in normal_cmd /home/fuzz/fuzz/vim/vim/src/normal.c:930:5
#8 0x813dfe in exec_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8762:6
#9 0x813628 in exec_normal_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8725:5
#10 0x8131d9 in ex_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8643:6
#11 0x7dc2e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
#12 0x7c90a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#13 0xe57b3c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
#14 0xe54596 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
#15 0xe53ecc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
#16 0xe535ae in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
#17 0x7dc2e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
#18 0x7c90a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#19 0x7cdcf1 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
#20 0x1423d62 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
#21 0x141fefb in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
#22 0x14155f5 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
#23 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x499ccd in malloc (/home/fuzz/fuzz-vim/vim/src/vim+0x499ccd)
#1 0x4cb3aa in lalloc /home/fuzz/fuzz/vim/vim/src/alloc.c:246:11
#2 0x4cb28a in alloc /home/fuzz/fuzz/vim/vim/src/alloc.c:151:12
#3 0x54c95d in ins_char_bytes /home/fuzz/fuzz/vim/vim/src/change.c:1095:12
#4 0x54d63b in ins_char /home/fuzz/fuzz/vim/vim/src/change.c:1010:5
#5 0x69654f in insertchar /home/fuzz/fuzz/vim/vim/src/edit.c:2277:6
#6 0x68e5e9 in insert_special /home/fuzz/fuzz/vim/vim/src/edit.c:2040:2
#7 0x673dd7 in edit /home/fuzz/fuzz/vim/vim/src/edit.c:1361:3
#8 0xb6a68c in invoke_edit /home/fuzz/fuzz/vim/vim/src/normal.c:7028:9
#9 0xb6c3a4 in n_opencmd /home/fuzz/fuzz/vim/vim/src/normal.c:6275:6
#10 0xb52b56 in nv_open /home/fuzz/fuzz/vim/vim/src/normal.c:7409:2
#11 0xb1ffe1 in normal_cmd /home/fuzz/fuzz/vim/vim/src/normal.c:930:5
#12 0x813dfe in exec_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8762:6
#13 0x813628 in exec_normal_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8725:5
#14 0x8131d9 in ex_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8643:6
#15 0x7dc2e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
#16 0x7c90a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#17 0xe57b3c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
#18 0xe54596 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
#19 0xe53ecc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
#20 0xe535ae in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
#21 0x7dc2e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
#22 0x7c90a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#23 0x7cdcf1 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
#24 0x1423d62 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
#25 0x141fefb in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
#26 0x14155f5 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
#27 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free (/home/fuzz/fuzz-vim/vim/src/vim+0x431c9e) in strncmp
Shadow bytes around the buggy address:
0x0c047fff8f50: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff8f60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fff8f70: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fff8f80: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8f90: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
=>0x0c047fff8fa0: fa fa 01 fa fa fa 00 00 fa fa 01 fa fa fa[fd]fa
0x0c047fff8fb0: fa fa 05 fa fa fa 02 fa fa fa 01 fa fa fa 00 00
0x0c047fff8fc0: fa fa 00 07 fa fa 06 fa fa fa 06 fa fa fa 06 fa
0x0c047fff8fd0: fa fa 01 fa fa fa 01 fa fa fa 06 fa fa fa 01 fa
0x0c047fff8fe0: fa fa 01 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2466037==ABORTING
Impact
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
We are processing your report and will contact the
vim
team within 24 hours.
2 years ago
We have contacted a member of the
vim
team and are waiting to hear back
2 years ago
Similar to what was fixed by Patch 8.2.4979
Uinitech
has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
to join this conversation