Headline
CVE-2022-1942: Heap-based Buffer Overflow in function vim_regsub_both in vim
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
Description
Heap-based Buffer Overflow in function vim_regsub_both at regexp.c:1954
vim version
git log
commit 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 (HEAD -> master, tag: v8.2.5037, origin/master, origin/HEAD)
POC
./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poc_obw5_s.dat -c :qa!
=================================================================
==2583207==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000003595 at pc 0x000000485358 bp 0x7fffffff7230 sp 0x7fffffff69f0
WRITE of size 2 at 0x606000003595 thread T0
#0 0x485357 in strcpy (/home/fuzz/fuzz/vim/vim/src/vim+0x485357)
#1 0xced574 in vim_regsub_both /home/fuzz/fuzz/vim/vim/src/regexp.c:1954:3
#2 0xcf1973 in vim_regsub_multi /home/fuzz/fuzz/vim/vim/src/regexp.c:1897:14
#3 0x7b4663 in ex_substitute /home/fuzz/fuzz/vim/vim/src/ex_cmds.c:4529:9
#4 0x7dd699 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2568:2
#5 0x7ca405 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#6 0xe5998c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
#7 0xe563e6 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
#8 0xe55d1c in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
#9 0xe553fe in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
#10 0x7dd699 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2568:2
#11 0x7ca405 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#12 0x7cf0a1 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
#13 0x14258e2 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
#14 0x1421a7b in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
#15 0x1417175 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
#16 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#17 0x41ea6d in _start (/home/fuzz/fuzz/vim/vim/src/vim+0x41ea6d)
0x606000003595 is located 0 bytes to the right of 53-byte region [0x606000003560,0x606000003595)
allocated by thread T0 here:
#0 0x499ccd in malloc (/home/fuzz/fuzz/vim/vim/src/vim+0x499ccd)
#1 0x4cb3aa in lalloc /home/fuzz/fuzz/vim/vim/src/alloc.c:246:11
#2 0x4cb28a in alloc /home/fuzz/fuzz/vim/vim/src/alloc.c:151:12
#3 0x7b42c7 in ex_substitute /home/fuzz/fuzz/vim/vim/src/ex_cmds.c:4491:24
#4 0x7dd699 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2568:2
#5 0x7ca405 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#6 0xe5998c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
#7 0xe563e6 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
#8 0xe55d1c in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
#9 0xe553fe in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
#10 0x7dd699 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2568:2
#11 0x7ca405 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#12 0x7cf0a1 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
#13 0x14258e2 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
#14 0x1421a7b in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
#15 0x1417175 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
#16 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/fuzz/vim/vim/src/vim+0x485357) in strcpy
Shadow bytes around the buggy address:
0x0c0c7fff8660: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff8670: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
0x0c0c7fff8680: 00 00 02 fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff8690: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff86a0: 00 00 00 00 00 00 02 fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff86b0: 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff86c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff86d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff86f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2583207==ABORTING
poc_obw5_s.dat
Impact
This may result in corruption of sensitive information, a crash, or code execution among other things.
Related news
Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.
Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.
Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.
Ubuntu Security Notice 5507-1 - It was discovered that Vim incorrectly handled memory access. An attacker could potentially use this issue to cause the program to crash, use unexpected values, or execute arbitrary code. It was discovered that Vim incorrectly handled memory access. An attacker could potentially use this issue to cause the corruption of sensitive information, a crash, or arbitrary code execution.