OOB Write ops.c in vim/vim

Valid

Reported on

May 26th 2023


Environment

Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid

Version

I checked against the master branch at commit 50809a45ebde327cb6fdcc727d7466e926aed713 .

Description

This AddressSanitizer output indicates a write to address 0x7fd0c2103000. The cause is that the testcase makes line 2923 of /src/ops.c, in the do_addsub() function, read outside the bounds of buf2.

C Code

buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';  
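To show what a bound on this line has to guarantee, here is an added C example (not vim's code): it carries the same loop with the `i < buflen - 1` guard that Christian's patch further down proposes for buf2, and reports when digits had to be dropped. NUMBUFLEN = 65 (64 binary digits plus NUL) and the buflen parameter are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not vim's code. The names buf2, bits, bit and i follow the
 * report; NUMBUFLEN = 65 is an assumption, and buflen is a parameter here so
 * the overflow edge case can be exercised with a small buffer. */
#define NUMBUFLEN 65
typedef unsigned long long uvarnumber_T;

/* Write n in binary, most significant set bit first, into buf2[buflen].
 * With the guard, i never reaches buflen - 1, so the terminating
 * buf2[i] = '\0' is always in bounds.
 * Returns the digit count, or -1 if digits had to be dropped (buf2 then
 * holds only the high-order bits and does not represent n). */
static int bin_fmt(uvarnumber_T n, int bits, char *buf2, int buflen)
{
    int bit, i, needed;

    if (bits < 1 || bits > (int)(sizeof(uvarnumber_T) * 8) || buflen < 1)
        return -1;                      /* shift would be undefined */

    /* skip leading zeros: find the highest set bit */
    for (bit = bits; bit > 0; bit--)
        if ((n >> (bit - 1)) & 0x1)
            break;
    needed = bit;                       /* digits the unbounded loop writes */

    for (i = 0; bit > 0 && i < (buflen - 1); bit--)
        buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';
    buf2[i] = '\0';                     /* i <= buflen - 1: in bounds */

    return needed > buflen - 1 ? -1 : i;
}

/* Format into a NUMBUFLEN-sized buffer using every bit of the type. */
static int bin_fmt_numbuf(uvarnumber_T n, char out[NUMBUFLEN])
{
    return bin_fmt(n, (int)(sizeof(uvarnumber_T) * 8), out, NUMBUFLEN);
}

int main(void)
{
    char buf2[NUMBUFLEN], small[5];
    int r = bin_fmt_numbuf(0xAULL, buf2);
    printf("%d digits: %s\n", r, buf2);              /* 4 digits: 1010 */
    r = bin_fmt_numbuf(~0ULL, buf2);
    printf("%d digits, buffer filled exactly\n", r); /* 64 */
    r = bin_fmt(0xFFULL, 8, small, (int)sizeof small);
    printf("%d: truncated to \"%s\"\n", r, small);   /* -1: "1111" */
    return 0;
}
```

The all-ones 64-bit value is the boundary case: it fills all 64 digit slots and leaves exactly the last byte for the terminator.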

Assembly from debugging

Relevant registers
*RAX  0x7ffff720e800 ◂— 0xbebebebebebebebe # the 0xbe repeating is an artifact from afl/asan instrumentation
*R8   0xfffffffff720e800

Relevant asm line
mov    cl, byte ptr [rax + r8] #do_addsub+19009

POC

ASAN_OPTIONS=verbosity=2 AFL_MAP_SIZE=410000 ./vim -u NONE -i NONE -n -m -X -Z -e -s -S a_small_crash -c :qa!

POC File

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3654==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd0c2103000 (pc 0x559b90d55551 bp 0x7ffc229e5210 sp 0x7ffc229e4de0 T0)
==3654==The signal is caused by a READ memory access.
    #0 0x559b90d55551 in do_addsub /path/to/vim/src/ops.c:2923:13
    #1 0x559b90d4ff2e in op_addsub /path/to/vim/src/ops.c:2444:15
    #2 0x559b90c9c9e6 in nv_addsub /path/to/vim/src/normal.c:2032:2
    #3 0x559b90d24cfc in normal_cmd /path/to/vim/src/normal.c:939:5
    #4 0x559b90904981 in exec_normal /path/to/vim/src/ex_docmd.c
    #5 0x559b90896656 in exec_normal_cmd /path/to/vim/src/ex_docmd.c:8875:5
    #6 0x559b90896656 in ex_normal //path/to/vim/src/ex_docmd.c:8793:6
    #7 0x559b908bf9b4 in do_one_cmd /path/to/vim/src/ex_docmd.c:2582:2
    #8 0x559b908bf9b4 in do_cmdline /path/to/vim/src/ex_docmd.c:994:17
    #9 0x559b9108a548 in do_source_ext /path/to/vim/src/scriptfile.c:1760:5
    #10 0x559b9109dc31 in do_source /path/to/vim/src/scriptfile.c:1906:12
    #11 0x559b9109dc31 in cmd_source /path/to/vim/src/scriptfile.c:1251:14
    #12 0x559b908bf9b4 in do_one_cmd /path/to/vim/src/ex_docmd.c:2582:2
    #13 0x559b908bf9b4 in do_cmdline /path/to/vim/src/ex_docmd.c:994:17
    #14 0x559b91771818 in do_cmdline_cmd /path/to/vim/src/ex_docmd.c:588:12
    #15 0x559b91771818 in exe_commands /path/to/vim/src/main.c:3150:2
    #16 0x559b91771818 in vim_main2 /path/to/vim/src/main.c:782:2
    #17 0x559b91769146 in main /path/to/vim/src/main.c:433:12
    #18 0x7fd06122a189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7fd06122a244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #20 0x559b903d3260 in _start (/path/to/vim_tmp/vim+0x2f9260) (BuildId: ad6111dc02ebe39a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/vim/src/ops.c:2923:13 in do_addsub
==3654==ABORTING

# Impact

Crashing vim with a vim script has a fairly low impact, since it requires someone to run the script or to load it with an environment. An out-of-bounds write could cause a crash, affecting the availability of vim until th

Occurrences

line that triggers the OOB

We are processing your report and will contact the vim team within 24 hours. 6 months ago
We have contacted a member of the vim team and are waiting to hear back 6 months ago
Renzo
6 months ago

Researcher


Let me know if you want my harness.

Renzo
6 months ago

Researcher


@admin can you ping please

Pavlos
6 months ago

Admin


Bram the maintainer is on the platform, please be patient

Christian
3 months ago

Hi, I cannot verify the OOB write for buf2. However, I think the following patch would fix it:

diff --git a/src/ops.c b/src/ops.c
index d46a049fe..f4524d3d7 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -2919,7 +2919,7 @@ do_addsub(
            for (bit = bits; bit > 0; bit--)
                if ((n >> (bit - 1)) & 0x1) break;

-           for (i = 0; bit > 0; bit--)
+           for (i = 0; bit > 0 && i < (NUMBUFLEN - 1); bit--)
                buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';

            buf2[i] = '\0';
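Review bot: the new bound `i < (NUMBUFLEN - 1)` keeps the terminator write `buf2[i] = '\0';` inside buf2 (assuming NUMBUFLEN is the size of buf2), but when it triggers the loop exits with `bit > 0`, so the low-order digits are silently dropped and buf2 holds only the high-order bits of n, i.e. a wrong number is inserted without any indication. Consider checking `bit` after the loop and rejecting or flagging the value in that case, and adding a comment explaining how `bits` can exceed NUMBUFLEN - 1 here so the guard's purpose is documented.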

can you please verify?

Christian
3 months ago

Also, sorry for taking that long. I did not notice those open bug reports here. I had a look a few weeks ago and I did not see any open reports. It's just yesterday that I noticed those open ones here.

Renzo
3 months ago

Researcher


Will test patch and report back.

Christian Brabandt validated this vulnerability 3 months ago
Renzo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christian Brabandt marked this as fixed in 9.0.1847 with commit 889f6a 3 months ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 3 months ago
ops.c#L2922-L2923 has been validated