heap-buffer-overflow in function utfc_ptr2len in vim/vim

Valid

Reported on

Jan 22nd 2023


Description

Heap-based Buffer Overflow in function utfc_ptr2len at mbyte.c:2145

Vim Version

git log
commit ebfec1c531f32d424bb2aca6e7391ef3bfcbfe20 (HEAD -> master, tag: v9.0.1234, origin/master, origin/HEAD)

Both POCs also apply to v9.0.1262:
git log
commit f2e30d0c448b9754d0d4daa901b51fbbf4c30747 (HEAD -> master, tag: v9.0.1262, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S POC4 -c :qa!
=================================================================
==2677684==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006ed2 at pc 0x55eb9e00811e bp 0x7fff6aa0cb30 sp 0x7fff6aa0cb20
READ of size 1 at 0x602000006ed2 thread T0
    #0 0x55eb9e00811d in utfc_ptr2len /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2145
    #1 0x55eb9e142732 in get_visual_text /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:3678
    #2 0x55eb9e148a2b in nv_zg_zw /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2613
    #3 0x55eb9e148a2b in nv_zet /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2990
    #4 0x55eb9e1378c5 in normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:938
    #5 0x55eb9dd79252 in exec_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8887
    #6 0x55eb9dd79c11 in exec_normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8850
    #7 0x55eb9dd79c11 in ex_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8768
    #8 0x55eb9dd92d41 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #9 0x55eb9dd92d41 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #10 0x55eb9e467315 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1726
    #11 0x55eb9e46dbd0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1872
    #12 0x55eb9e46dbd0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1217
    #13 0x55eb9dd92d41 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #14 0x55eb9dd92d41 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #15 0x55eb9eac1b81 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146
    #16 0x55eb9eac1b81 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782
    #17 0x55eb9d9c98e7 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433
    #18 0x7f58cd15dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #19 0x7f58cd15de3f in __libc_start_main_impl ../csu/libc-start.c:392
    #20 0x55eb9d9d0594 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x199594)

0x602000006ed2 is located 0 bytes to the right of 2-byte region [0x602000006ed0,0x602000006ed2)
allocated by thread T0 here:
    #0 0x7f58cdbf7867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55eb9d9d0aea in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2145 in utfc_ptr2len
Shadow bytes around the buggy address:
  0x0c047fff8d80: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff8d90: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8da0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8dc0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 01 fa
=>0x0c047fff8dd0: fa fa 00 00 fa fa 01 fa fa fa[02]fa fa fa fd fa
  0x0c047fff8de0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8df0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8e00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8e10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 07 fa
  0x0c047fff8e20: fa fa 01 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2677684==ABORTING
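The sanitizer output above says the read was one byte, at exactly 0 bytes past a 2-byte heap region: the shape of a multibyte-length scan that relies on a terminating NUL the region does not have. The C model below is an added example, not Vim's code, and simplifies what utfc_ptr2len does (composing-character handling is omitted); it puts the unbounded form beside a bounded form that takes the region size, which is the mitigation pattern a reviewer looks for in such callers.

```c
#include <stddef.h>

/* Added model, not Vim's code. Byte count a UTF-8 lead byte announces
 * (0 = not a lead byte, e.g. a stray continuation byte). */
static size_t utf8_lead_len(unsigned char c)
{
    if (c < 0x80)           return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    return (c & 0xF8) == 0xF0 ? 4 : 0;
}

/* Unbounded form: trusts a terminating NUL. On a 2-byte region {0xE2, 0x82}
 * with no NUL it reads p[2]: the "READ of size 1 ... 0 bytes to the right
 * of 2-byte region" shape ASan reported above. Never call it on such data. */
static size_t char_len_unbounded(const unsigned char *p)
{
    if (p[0] == '\0') return 0;
    size_t want = utf8_lead_len(p[0]);
    if (want <= 1) return 1;                 /* ASCII or illegal byte */
    for (size_t i = 1; i < want; i++)
        if ((p[i] & 0xC0) != 0x80) return 1; /* broken continuation */
    return want;
}

/* Bounded form: never reads p[size] or beyond. A sequence cut off by the end
 * of the region counts as one illegal byte so the caller still advances. */
static size_t char_len_bounded(const unsigned char *p, size_t size)
{
    if (size == 0 || p[0] == '\0') return 0;
    size_t want = utf8_lead_len(p[0]);
    if (want <= 1 || want > size) return 1;
    for (size_t i = 1; i < want; i++)
        if ((p[i] & 0xC0) != 0x80) return 1;
    return want;
}

/* Walk a region of known size character by character, as selected text
 * would be walked; no byte past p[size-1] is touched. */
static size_t count_chars_bounded(const unsigned char *p, size_t size)
{
    size_t n = 0, len;
    while (size > 0 && (len = char_len_bounded(p, size)) > 0) {
        p += len; size -= len; n++;
    }
    return n;
}
```

The constructed inputs in the comments (a 3-byte lead byte followed by a single continuation byte in a 2-byte region) reproduce the truncation case: the bounded form returns 1 and stops, the unbounded form reaches for a third byte the allocation does not own.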

Impact

This vulnerability is capable of crashing the software, modifying memory, and possibly enabling remote code execution.

References

We are processing your report and will contact the vim team within 24 hours. 10 months ago
soaarony modified the report
10 months ago
We have contacted a member of the vim team and are waiting to hear back 10 months ago
Bram Moolenaar
9 months ago

Maintainer


I cannot reproduce the problem. The stack trace indicates that Visual mode is active, but in the POC I don't see a command that starts Visual mode. I cannot guess what matters for reproducing the problem.

soaarony
9 months ago

Researcher


Hi Sir, this vulnerability is patched here.

But the vulnerability was found at the same time as same_leader under this link. It was my bad back then to report two bugs in a single report. Not sure if a CVE can still be assigned to the finding of this vulnerability?

If not, I don't mind closing this bug report on my end. Thank you!!

Christian Brabandt gave praise 3 months ago
Christian Brabandt validated this vulnerability 3 months ago
soaarony has been awarded the disclosure bounty
Christian Brabandt marked this as fixed in 9.0.1331 with commit e1121b 3 months ago
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 3 months ago