Headline
CVE-2023-4733: Heap-use-after-free in function buflist_altfpos in vim in vim
Use After Free in GitHub repository vim/vim prior to 9.0.1840.
Description
Heap-use-after-free in function buflist_altfpos at buffer.c:3703
Proof of Concept
./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf -c :qa!
==1404==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000011940 at pc 0x0000004a4dbe bp 0x7ffc6204d090 sp 0x7ffc6204d080
READ of size 4 at 0x625000011940 thread T0
#0 0x4a4dbd in buflist_altfpos /home/fuzz/asan_program/vim/src/buffer.c:3703
#1 0x78a8b7 in do_ecmd /home/fuzz/asan_program/vim/src/ex_cmds.c:2694
#2 0x457614 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:738
#3 0x457614 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
#4 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
#5 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
#6 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
#7 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
#8 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
#9 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
#10 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
#11 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
#12 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
#13 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
#14 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
#15 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)
#16 0x446fde (/home/fuzz/bug_finder/bug_validate/vimtest1/vim_asan+0x446fde)
0x625000011940 is located 64 bytes inside of 9176-byte region [0x625000011900,0x625000013cd8)
freed by thread T0 here:
#0 0x7fee9555c23f in free (/lib64/libasan.so.5+0x10c23f)
#1 0x47886c in apply_autocmds_group /home/fuzz/asan_program/vim/src/autocmd.c:2385
#2 0x481acf in apply_autocmds /home/fuzz/asan_program/vim/src/autocmd.c:1780
#3 0xb0cfda in may_trigger_modechanged /home/fuzz/asan_program/vim/src/misc1.c:2806
#4 0xbcd17e in end_visual_mode_keep_button /home/fuzz/asan_program/vim/src/normal.c:1165
#5 0xbcd17e in end_visual_mode /home/fuzz/asan_program/vim/src/normal.c:1120
#6 0xbcd17e in reset_VIsual /home/fuzz/asan_program/vim/src/normal.c:1190
#7 0xbcd17e in reset_VIsual /home/fuzz/asan_program/vim/src/normal.c:1186
#8 0x7899d4 in do_ecmd /home/fuzz/asan_program/vim/src/ex_cmds.c:2653
#9 0x457614 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:738
#10 0x457614 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
#11 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
#12 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
#13 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
#14 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
#15 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
#16 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
#17 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
#18 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
#19 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
#20 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
#21 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
#22 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)
previously allocated by thread T0 here:
#0 0x7fee9555c82e in calloc (/lib64/libasan.so.5+0x10c82e)
#1 0x447ab4 in lalloc /home/fuzz/asan_program/vim/src/alloc.c:246
#2 0x447ab4 in alloc_clear /home/fuzz/asan_program/vim/src/alloc.c:177
#3 0x140d552 in win_alloc /home/fuzz/asan_program/vim/src/window.c:5502
#4 0x1454b36 in win_split_ins /home/fuzz/asan_program/vim/src/window.c:1187
#5 0x457164 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:708
#6 0x457164 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
#7 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
#8 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
#9 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
#10 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
#11 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
#12 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
#13 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
#14 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
#15 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
#16 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
#17 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
#18 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)
SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/asan_program/vim/src/buffer.c:3703 in buflist_altfpos
Shadow bytes around the buggy address:
0x0c4a7fffa2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffa320: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c4a7fffa330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffa340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffa350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffa360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffa370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1404==ABORTING
here are three different triggering poc : https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf1?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf2?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf3?raw=true
Impact
This vulnerability is capable of crashing software, modify memory, and possible remote execution.
Related news
Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.
Ubuntu Security Notice 6452-1 - It was discovered that Vim could be made to divide by zero. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04. It was discovered that Vim did not properly manage memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained an arithmetic overflow. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.
A logic issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac.