CVE-2022-1619: Heap-based Buffer Overflow in function cmdline_erase_chars in vim

Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerability is capable of crashing software, modifying memory, and possibly remote execution.


Description

Heap-based Buffer Overflow in function cmdline_erase_chars at ex_getln.c:1085

POC

./vim -u NONE -X -Z -e -s -S ./poc_h1.dat -c :qa!
=================================================================
==3840814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000087f at pc 0x00000088665a bp 0x7fffffff67e0 sp 0x7fffffff67d8
READ of size 1 at 0x60b00000087f thread T0
    #0 0x886659 in cmdline_erase_chars /home/fuzz/vim/vim-master/src/ex_getln.c:1085:22
    #1 0x86c472 in getcmdline_int /home/fuzz/vim/vim-master/src/ex_getln.c:2029:12
    #2 0x86483e in getcmdline /home/fuzz/vim/vim-master/src/ex_getln.c:1571:12
    #3 0x872ce6 in getexline /home/fuzz/vim/vim-master/src/ex_getln.c:2853:12
    #4 0x7e3982 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:875:46
    #5 0xb70283 in nv_colon /home/fuzz/vim/vim-master/src/normal.c:3191:19
    #6 0xb45243 in normal_cmd /home/fuzz/vim/vim-master/src/normal.c:930:5
    #7 0x82eefe in exec_normal /home/fuzz/vim/vim-master/src/ex_docmd.c:8753:6
    #8 0x82e728 in exec_normal_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:8716:5
    #9 0x82e2d9 in ex_normal /home/fuzz/vim/vim-master/src/ex_docmd.c:8634:6
    #10 0x7f7a25 in do_one_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:2567:2
    #11 0x7e49a5 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:992:17
    #12 0xe88e0c in do_source_ext /home/fuzz/vim/vim-master/src/scriptfile.c:1674:5
    #13 0xe85866 in do_source /home/fuzz/vim/vim-master/src/scriptfile.c:1801:12
    #14 0xe8519c in cmd_source /home/fuzz/vim/vim-master/src/scriptfile.c:1174:14
    #15 0xe8487e in ex_source /home/fuzz/vim/vim-master/src/scriptfile.c:1200:2
    #16 0x7f7a25 in do_one_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:2567:2
    #17 0x7e49a5 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:992:17
    #18 0x7e95f1 in do_cmdline_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:586:12
    #19 0x144d0a2 in exe_commands /home/fuzz/vim/vim-master/src/main.c:3108:2
    #20 0x144922d in vim_main2 /home/fuzz/vim/vim-master/src/main.c:780:2
    #21 0x143e484 in main /home/fuzz/vim/vim-master/src/main.c:432:12
    #22 0x7ffff78260b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #23 0x41fe5d in _start (/home/fuzz/fuzz-vim/vim-master/src/vim+0x41fe5d)

0x60b00000087f is located 1 bytes to the left of 100-byte region [0x60b000000880,0x60b0000008e4)
allocated by thread T0 here:
    #0 0x49b0bd in malloc (/home/fuzz/fuzz-vim/vim-master/src/vim+0x49b0bd)
    #1 0x4cc79a in lalloc /home/fuzz/vim/vim-master/src/alloc.c:246:11
    #2 0x4cc67a in alloc /home/fuzz/vim/vim-master/src/alloc.c:151:12
    #3 0x876aa5 in alloc_cmdbuff /home/fuzz/vim/vim-master/src/ex_getln.c:3283:22
    #4 0x8807c0 in init_ccline /home/fuzz/vim/vim-master/src/ex_getln.c:1525:5
    #5 0x865080 in getcmdline_int /home/fuzz/vim/vim-master/src/ex_getln.c:1638:9
    #6 0x86483e in getcmdline /home/fuzz/vim/vim-master/src/ex_getln.c:1571:12
    #7 0x872ce6 in getexline /home/fuzz/vim/vim-master/src/ex_getln.c:2853:12
    #8 0x7e3982 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:875:46
    #9 0xb70283 in nv_colon /home/fuzz/vim/vim-master/src/normal.c:3191:19
    #10 0xb45243 in normal_cmd /home/fuzz/vim/vim-master/src/normal.c:930:5
    #11 0x82eefe in exec_normal /home/fuzz/vim/vim-master/src/ex_docmd.c:8753:6
    #12 0x82e728 in exec_normal_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:8716:5
    #13 0x82e2d9 in ex_normal /home/fuzz/vim/vim-master/src/ex_docmd.c:8634:6
    #14 0x7f7a25 in do_one_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:2567:2
    #15 0x7e49a5 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:992:17
    #16 0xe88e0c in do_source_ext /home/fuzz/vim/vim-master/src/scriptfile.c:1674:5
    #17 0xe85866 in do_source /home/fuzz/vim/vim-master/src/scriptfile.c:1801:12
    #18 0xe8519c in cmd_source /home/fuzz/vim/vim-master/src/scriptfile.c:1174:14
    #19 0xe8487e in ex_source /home/fuzz/vim/vim-master/src/scriptfile.c:1200:2
    #20 0x7f7a25 in do_one_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:2567:2
    #21 0x7e49a5 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:992:17
    #22 0x7e95f1 in do_cmdline_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:586:12
    #23 0x144d0a2 in exe_commands /home/fuzz/vim/vim-master/src/main.c:3108:2
    #24 0x144922d in vim_main2 /home/fuzz/vim/vim-master/src/main.c:780:2
    #25 0x143e484 in main /home/fuzz/vim/vim-master/src/main.c:432:12
    #26 0x7ffff78260b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vim/vim-master/src/ex_getln.c:1085:22 in cmdline_erase_chars
Shadow bytes around the buggy address:
  0x0c167fff80b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c167fff80c0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x0c167fff80d0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c167fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff80f0: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c167fff8100: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa[fa]
  0x0c167fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa
  0x0c167fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3840814==ABORTING

poc_h1.dat
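
For triage, the useful facts in the report above are the access type, where the faulting byte sits relative to the allocation, and which functions own the access and the buffer. The Python sketch below is an added example, not part of the original report or of Vim's code; it parses a constructed excerpt of that ASan output, and the name `triage` and the allocator-wrapper list are assumptions made here.

```python
import os
import re

# Constructed excerpt: key lines copied from the AddressSanitizer report above.
REPORT = """\
==3840814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000087f at pc 0x00000088665a bp 0x7fffffff67e0 sp 0x7fffffff67d8
READ of size 1 at 0x60b00000087f thread T0
    #0 0x886659 in cmdline_erase_chars /home/fuzz/vim/vim-master/src/ex_getln.c:1085:22
    #1 0x86c472 in getcmdline_int /home/fuzz/vim/vim-master/src/ex_getln.c:2029:12

0x60b00000087f is located 1 bytes to the left of 100-byte region [0x60b000000880,0x60b0000008e4)
allocated by thread T0 here:
    #0 0x49b0bd in malloc (/home/fuzz/fuzz-vim/vim-master/src/vim+0x49b0bd)
    #1 0x4cc79a in lalloc /home/fuzz/vim/vim-master/src/alloc.c:246:11
    #2 0x4cc67a in alloc /home/fuzz/vim/vim-master/src/alloc.c:151:12
    #3 0x876aa5 in alloc_cmdbuff /home/fuzz/vim/vim-master/src/ex_getln.c:3283:22
"""

FRAME = re.compile(r"^[ \t]+#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)$", re.M)
# Assumption: generic allocator wrappers seen in this trace, skipped to find the buffer owner.
WRAPPERS = {"malloc", "calloc", "realloc", "lalloc", "alloc"}

def triage(report):
    head = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    reg = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    addr, lo, hi = (int(x, 16) for x in (head.group(2), reg.group(2), reg.group(3)))
    if hi - lo != int(reg.group(1)):
        raise ValueError("region bounds disagree with the stated size")
    # Negative offset: access before the buffer start; >= size: past its end.
    side = "underflow" if addr < lo else "overflow" if addr >= hi else "inside"
    fault_part, alloc_part = report.split("allocated by thread", 1)
    top = FRAME.search(fault_part)  # frame #0 of the faulting access
    owner = next(m for m in FRAME.finditer(alloc_part) if m.group(2) not in WRAPPERS)
    return {
        "bug": head.group(1),
        "access": acc.group(1),
        "size": int(acc.group(2)),
        "offset": addr - lo,
        "side": side,
        "region_size": hi - lo,
        "fault": (top.group(2), os.path.basename(top.group(3))),
        "owner": owner.group(2),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Here the result is a 1-byte READ at offset -1 of the 100-byte buffer allocated by alloc_cmdbuff, so despite the "overflow" label the access falls before the start of the command-line buffer.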

Impact

This vulnerability is capable of crashing software, modifying memory, and possibly remote execution.

Related news

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE-2022-26730: About the security content of macOS Ventura 13

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

Ubuntu Security Notice USN-5613-2

Ubuntu Security Notice 5613-2 - USN-5613-1 fixed vulnerabilities in Vim. Unfortunately that update failed to include binary packages for some architectures. This update fixes that regression. It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution. It was discovered that Vim was not properly performing checks on name of lambda functions. An attacker could possibly use this issue to cause a denial of service. This issue affected only Ubuntu 22.04 LTS. It was discovered that Vim was incorrectly performing bounds checks when processing invalid...

Ubuntu Security Notice USN-5613-1

Ubuntu Security Notice 5613-1 - It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution.

Gentoo Linux Security Advisory 202208-32

Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.

Ubuntu Security Notice USN-5460-1

Ubuntu Security Notice 5460-1 - It was discovered that Vim was incorrectly processing Vim buffers. An attacker could possibly use this issue to perform illegal memory access and expose sensitive information. It was discovered that Vim was not properly performing bounds checks for column numbers when replacing tabs with spaces or spaces with tabs, which could cause a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
