Headline
CVE-2022-2581: Out-of-bounds Read in function utf_ptr2char in vim
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.
Description
Out-of-bounds Read in function utf_ptr2char at mbyte.c:1794
vim version
git log
commit 324478037923feef1eb8a771648e38ade9e5e05a (HEAD -> master, tag: v9.0.0042, origin/master, origin/HEAD)
POC
./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_obr5_s.dat -c :qa!
=================================================================
==11944==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000062f2 at pc 0x000000a46869 bp 0x7ffea3585660 sp 0x7ffea3585658
READ of size 1 at 0x6020000062f2 thread T0
#0 0xa46868 in utf_ptr2char /home/fuzz/fuzz/vim/afl/src/mbyte.c:1794:9
#1 0xd996cc in find_match_text /home/fuzz/fuzz/vim/afl/src/./regexp_nfa.c:5648:25
#2 0xd97afb in nfa_regexec_both /home/fuzz/fuzz/vim/afl/src/./regexp_nfa.c:7370:13
#3 0xcfa1f5 in nfa_regexec_nl /home/fuzz/fuzz/vim/afl/src/./regexp_nfa.c:7567:12
#4 0xcf64ad in vim_regexec_string /home/fuzz/fuzz/vim/afl/src/regexp.c:2865:14
#5 0xcf6cf9 in vim_regexec /home/fuzz/fuzz/vim/afl/src/regexp.c:2931:12
#6 0x541a4b in fname_match /home/fuzz/fuzz/vim/afl/src/buffer.c:2954:6
#7 0x51d9ca in buflist_match /home/fuzz/fuzz/vim/afl/src/buffer.c:2928:13
#8 0x51836b in buflist_findpat /home/fuzz/fuzz/vim/afl/src/buffer.c:2645:11
#9 0x7dd3d1 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2535:13
#10 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#11 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
#12 0xe58940 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1157:6
#13 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
#14 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
#15 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#16 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
#17 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
#18 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
#19 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
#20 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
#21 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#22 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
#23 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
#24 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
#25 0x1418b2d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
#26 0x7f885dc42082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#27 0x41ea5d in _start (/home/fuzz/fuzz/vim/afl/src/vim+0x41ea5d)
0x6020000062f2 is located 0 bytes to the right of 2-byte region [0x6020000062f0,0x6020000062f2)
allocated by thread T0 here:
#0 0x499cbd in malloc (/home/fuzz/fuzz/vim/afl/src/vim+0x499cbd)
#1 0x4cb392 in lalloc /home/fuzz/fuzz/vim/afl/src/alloc.c:246:11
#2 0x4cb27a in alloc /home/fuzz/fuzz/vim/afl/src/alloc.c:151:12
#3 0xf90e26 in vim_strsave /home/fuzz/fuzz/vim/afl/src/strings.c:27:9
#4 0x50f9a3 in buflist_new /home/fuzz/fuzz/vim/afl/src/buffer.c:2105:18
#5 0x5289f2 in buflist_add /home/fuzz/fuzz/vim/afl/src/buffer.c:3605:11
#6 0x4d0f00 in alist_add /home/fuzz/fuzz/vim/afl/src/arglist.c:206:6
#7 0x4d0aaa in alist_set /home/fuzz/fuzz/vim/afl/src/arglist.c:173:6
#8 0x4d2ccf in do_arglist /home/fuzz/fuzz/vim/afl/src/arglist.c:484:6
#9 0x4d56f7 in ex_next /home/fuzz/fuzz/vim/afl/src/arglist.c:751:10
#10 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
#11 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#12 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
#13 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
#14 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
#15 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
#16 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
#17 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#18 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
#19 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
#20 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
#21 0x1418b2d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
#22 0x7f885dc42082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/afl/src/mbyte.c:1794:9 in utf_ptr2char
==11944==ABORTING
poc_obr5_s.dat
Impact
This vulnerability is capable of crashing the software, modifying memory, and possibly enabling remote code execution.
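The trace above shows utf_ptr2char reading at offset 2 of a 2-byte heap region, i.e. one byte past the NUL terminator of a saved buffer name, because the decoder takes only a pointer and trusts its caller to stay inside the string. As an added example (not vim's code and not the fix shipped in 9.0.0104), the hypothetical length-bounded decoder utf_ptr2char_n below refuses such a read, and demo_past_end_is_rejected reconstructs the shape of the report with a constructed 2-byte buffer and a cursor advanced past its end.

```c
#include <stdlib.h>

#define UTF_ERR (-1)

/* Number of bytes the sequence led by b should have; ASCII and invalid
 * lead bytes count as 1 so they are consumed as a single byte. */
static int utf8_seq_len(unsigned char b)
{
    if (b >= 0xc2 && b <= 0xdf) return 2;
    if (b >= 0xe0 && b <= 0xef) return 3;
    if (b >= 0xf0 && b <= 0xf4) return 4;
    return 1;
}

/* Hypothetical bounded decoder: reads at most 'remaining' bytes from p.
 * Returns the code point and sets *len to the bytes consumed. Returns
 * UTF_ERR with *len == 0 when p is already at the end or the sequence
 * would run past it, which is exactly the read the trace above reports. */
int utf_ptr2char_n(const unsigned char *p, size_t remaining, int *len)
{
    *len = 0;
    if (remaining == 0) return UTF_ERR;     /* caller is already past the end */
    int n = utf8_seq_len(p[0]);
    if ((size_t)n > remaining) return UTF_ERR;  /* truncated: refuse to over-read */
    for (int i = 1; i < n; i++)
        if ((p[i] & 0xc0) != 0x80) {        /* illegal sequence: return the */
            *len = 1;                       /* lead byte alone, as vim does */
            return p[0];
        }
    int c = (n == 1) ? p[0] : (p[0] & (0xff >> (n + 1)));  /* lead payload bits */
    for (int i = 1; i < n; i++)
        c = (c << 6) | (p[i] & 0x3f);
    *len = n;
    return c;
}

/* Reconstructs the shape of the report: a 2-byte heap region holding one
 * name byte plus NUL (constructed input), with the cursor advanced to
 * offset 2, one past the terminator. Returns 1 if the read is rejected. */
int demo_past_end_is_rejected(void)
{
    unsigned char *buf = malloc(2);
    buf[0] = 'a'; buf[1] = '\0';
    size_t off = 2;
    int len;
    int c = utf_ptr2char_n(buf + off, 2 - off, &len);
    free(buf);
    return c == UTF_ERR && len == 0;
}
```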
Related news
Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
Ubuntu Security Notice 5775-1 - It was discovered that Vim uses freed memory in recursive substitution of specially crafted patterns. An attacker could possibly use this to crash Vim and cause denial of service. It was discovered that Vim makes illegal memory calls when patterns start with an illegal byte. An attacker could possibly use this to crash Vim, access or modify memory, or execute arbitrary commands. It was discovered that Vim could be made to crash when parsing invalid line numbers. An attacker could possibly use this to crash Vim and cause denial of service.