OOB Write ops.c in vim/vim


Reported on

May 26th 2023


Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid


I checked against the master branch at commit 50809a45ebde327cb6fdcc727d7466e926aed713 .


This AddressSanitizer output is indicating a write to the 0x7fd0c2103000 address, this is because the testcase causes line 2923 in /src/ops.c in the do_addsub() function to read outside the bounds of buf2.

C Code

buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';  

Assembly from debugging

Relevant registers
*RAX  0x7ffff720e800 ◂— 0xbebebebebebebebe # the 0xbe repeating is an artifact from afl/asan instrumentation
*R8   0xfffffffff720e800

Relevant asm line
mov    cl, byte ptr [rax + r8] #do_addsub+19009


ASAN_OPTIONS=verbosity=2 AFL_MAP_SIZE=410000 ./vim -u NONE -i NONE -n -m -X -Z -e -s -S a_small_crash -c :qa!

POC File


==3654==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd0c2103000 (pc 0x559b90d55551 bp 0x7ffc229e5210 sp 0x7ffc229e4de0 T0)
==3654==The signal is caused by a READ memory access.
    #0 0x559b90d55551 in do_addsub /path/to/vim/src/ops.c:2923:13
    #1 0x559b90d4ff2e in op_addsub /path/to/vim/src/ops.c:2444:15
    #2 0x559b90c9c9e6 in nv_addsub /path/to/vim/src/normal.c:2032:2
    #3 0x559b90d24cfc in normal_cmd /path/to/vim/src/normal.c:939:5
    #4 0x559b90904981 in exec_normal /path/to/vim/src/ex_docmd.c
    #5 0x559b90896656 in exec_normal_cmd /path/to/vim/src/ex_docmd.c:8875:5
    #6 0x559b90896656 in ex_normal //path/to/vim/src/ex_docmd.c:8793:6
    #7 0x559b908bf9b4 in do_one_cmd /path/to/vim/src/ex_docmd.c:2582:2
    #8 0x559b908bf9b4 in do_cmdline /path/to/vim/src/ex_docmd.c:994:17
    #9 0x559b9108a548 in do_source_ext /path/to/vim/src/scriptfile.c:1760:5
    #10 0x559b9109dc31 in do_source /path/to/vim/src/scriptfile.c:1906:12
    #11 0x559b9109dc31 in cmd_source /path/to/vim/src/scriptfile.c:1251:14
    #12 0x559b908bf9b4 in do_one_cmd /path/to/vim/src/ex_docmd.c:2582:2
    #13 0x559b908bf9b4 in do_cmdline /path/to/vim/src/ex_docmd.c:994:17
    #14 0x559b91771818 in do_cmdline_cmd /path/to/vim/src/ex_docmd.c:588:12
    #15 0x559b91771818 in exe_commands /path/to/vim/src/main.c:3150:2
    #16 0x559b91771818 in vim_main2 /path/to/vim/src/main.c:782:2
    #17 0x559b91769146 in main /path/to/vim/src/main.c:433:12
    #18 0x7fd06122a189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7fd06122a244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #20 0x559b903d3260 in _start (/path/to/vim_tmp/vim+0x2f9260) (BuildId: ad6111dc02ebe39a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/vim/src/ops.c:2923:13 in do_addsub

# Impact

crashing vim in with vim script has a fairly low impact since it requires someone to run the script or to be loaded with an environment. A out of bounds write could cause a crash, affecting the availability of vim until th


line that triggers the OOB

We are processing your report and will contact the vim team within 24 hours. 6 months ago
We have contacted a member of the vim team and are waiting to hear back 6 months ago
6 months ago


Let me know if you want my harness.

6 months ago


@admin can you ping please

6 months ago


Bram the maintainer is on the platform, please be patient

3 months ago

Hi, I cannot verify the OOB write for buf2. However, I think the following patch would fix it:

diff --git a/src/ops.c b/src/ops.c
index d46a049fe..f4524d3d7 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -2919,7 +2919,7 @@ do_addsub(
            for (bit = bits; bit > 0; bit--)
                if ((n >> (bit - 1)) & 0x1) break;

-           for (i = 0; bit > 0; bit--)
+           for (i = 0; bit > 0 && i < (NUMBUFLEN - 1); bit--)
                buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';

            buf2[i] = '\0';

can you please verify?

3 months ago

Also, sorry for taking that long. I did not notice those open bug reports here. I had a look a few weeks ago and I did not see any open reports. It's just yesterday that I noticed those open ones here.

3 months ago


Will test patch and report back.

Christian Brabandt validated this vulnerability 3 months ago
Renzo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christian Brabandt marked this as fixed in 9.0.1847 with commit 889f6a 3 months ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 3 months ago
ops.c#L2922-L2923 has been validated
to join this conversation