Headline
CVE-2022-2580: heap-buffer-overflow occurs in function eval_string ./vim/src/typval.c:2226 in vim
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.
Description
heap-buffer-overflow occurs in eval_string ./vim/src/typval.c:2226, it should be allocated more memory at ./vim/src/typval.c:2126
vim version
git log
commit 5154a8880034b7bb94186d37bcecc6ee1a96f732 (HEAD -> master, tag: v9.0.0057, origin/master, origin/HEAD)
Proof of Concept
Poc
# ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./vim-poc-min
==2558612==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000cb8 at pc 0x5634a09bf8fe bp 0x7ffd079bf250 sp 0x7ffd079bf248
WRITE of size 1 at 0x603000000cb8 thread T0
#0 0x5634a09bf8fd in eval_string /src/vim/src/typval.c:2226:10
#1 0x5634a09c406e in eval_interp_string /src/vim/src/typval.c:2349:12
#2 0x56349ec66fcf in eval9 /src/vim/src/eval.c:3929:13
#3 0x56349ec8477f in eval8 /src/vim/src/eval.c:3602:11
#4 0x56349ec7fc41 in eval7 /src/vim/src/eval.c:3394:9
#5 0x56349ec7d007 in eval6 /src/vim/src/eval.c:3235:6
#6 0x56349ec7613b in eval5 /src/vim/src/eval.c:3046:9
#7 0x56349ec72c5f in eval4 /src/vim/src/eval.c:2897:9
#8 0x56349ec6f4a8 in eval3 /src/vim/src/eval.c:2758:9
#9 0x56349ec10fd8 in eval2 /src/vim/src/eval.c:2632:9
#10 0x56349ebc2361 in eval1 /src/vim/src/eval.c:2478:9
#11 0x56349e998e3d in eval_dict /src/vim/src/dict.c:955:10
#12 0x56349ec6698a in eval9 /src/vim/src/eval.c:3915:13
#13 0x56349ec8477f in eval8 /src/vim/src/eval.c:3602:11
#14 0x56349ec7fc41 in eval7 /src/vim/src/eval.c:3394:9
#15 0x56349ec79868 in eval6 /src/vim/src/eval.c:3157:9
#16 0x56349ec7613b in eval5 /src/vim/src/eval.c:3046:9
#17 0x56349ec72c5f in eval4 /src/vim/src/eval.c:2897:9
#18 0x56349ec6f4a8 in eval3 /src/vim/src/eval.c:2758:9
#19 0x56349ec10fd8 in eval2 /src/vim/src/eval.c:2632:9
#20 0x56349ebc2361 in eval1 /src/vim/src/eval.c:2478:9
#21 0x56349ec59884 in ex_echo /src/vim/src/eval.c:6629:6
#22 0x56349ef01e6c in do_one_cmd /src/vim/src/ex_docmd.c:2570:2
#23 0x56349eed94e0 in do_cmdline /src/vim/src/ex_docmd.c:992:17
#24 0x5634a014d7f4 in do_source_ext /src/vim/src/scriptfile.c:1674:5
#25 0x5634a0145055 in do_source /src/vim/src/scriptfile.c:1801:12
#26 0x5634a0144464 in cmd_source /src/vim/src/scriptfile.c:1174:14
#27 0x5634a0142ed1 in ex_source /src/vim/src/scriptfile.c:1200:2
#28 0x56349ef01e6c in do_one_cmd /src/vim/src/ex_docmd.c:2570:2
#29 0x56349eed94e0 in do_cmdline /src/vim/src/ex_docmd.c:992:17
#30 0x56349eee23e0 in do_cmdline_cmd /src/vim/src/ex_docmd.c:586:12
#31 0x5634a13b0267 in exe_commands /src/vim/src/main.c:3133:2
#32 0x5634a13a5b60 in vim_main2 /src/vim/src/main.c:780:2
#33 0x5634a1384e19 in main /src/vim/src/main.c:432:12
#34 0x7f1f31a72d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 89c3cb85f9e55046776471fed05ec441581d1969)
#35 0x7f1f31a72e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 89c3cb85f9e55046776471fed05ec441581d1969)
#36 0x56349e5b5ab4 in _start (/src/vim/src/vim+0xa08ab4) (BuildId: 0e0cdde570029ceb72ce60e78e3c78972e5ea98e)
0x603000000cb8 is located 0 bytes to the right of 24-byte region [0x603000000ca0,0x603000000cb8)
allocated by thread T0 here:
#0 0x56349e6388fe in __interceptor_malloc (/src/vim/src/vim+0xa8b8fe) (BuildId: 0e0cdde570029ceb72ce60e78e3c78972e5ea98e)
#1 0x56349e673dfb in lalloc /src/vim/src/alloc.c:246:11
#2 0x56349e673cf9 in alloc /src/vim/src/alloc.c:151:12
#3 0x5634a09b8d7b in eval_string /src/vim/src/typval.c:2126:28
#4 0x5634a09c406e in eval_interp_string /src/vim/src/typval.c:2349:12
#5 0x56349ec66fcf in eval9 /src/vim/src/eval.c:3929:13
#6 0x56349ec8477f in eval8 /src/vim/src/eval.c:3602:11
#7 0x56349ec7fc41 in eval7 /src/vim/src/eval.c:3394:9
#8 0x56349ec7d007 in eval6 /src/vim/src/eval.c:3235:6
#9 0x56349ec7613b in eval5 /src/vim/src/eval.c:3046:9
#10 0x56349ec72c5f in eval4 /src/vim/src/eval.c:2897:9
#11 0x56349ec6f4a8 in eval3 /src/vim/src/eval.c:2758:9
#12 0x56349ec10fd8 in eval2 /src/vim/src/eval.c:2632:9
#13 0x56349ebc2361 in eval1 /src/vim/src/eval.c:2478:9
#14 0x56349e998e3d in eval_dict /src/vim/src/dict.c:955:10
#15 0x56349ec6698a in eval9 /src/vim/src/eval.c:3915:13
#16 0x56349ec8477f in eval8 /src/vim/src/eval.c:3602:11
#17 0x56349ec7fc41 in eval7 /src/vim/src/eval.c:3394:9
#18 0x56349ec79868 in eval6 /src/vim/src/eval.c:3157:9
#19 0x56349ec7613b in eval5 /src/vim/src/eval.c:3046:9
#20 0x56349ec72c5f in eval4 /src/vim/src/eval.c:2897:9
#21 0x56349ec6f4a8 in eval3 /src/vim/src/eval.c:2758:9
#22 0x56349ec10fd8 in eval2 /src/vim/src/eval.c:2632:9
#23 0x56349ebc2361 in eval1 /src/vim/src/eval.c:2478:9
#24 0x56349ec59884 in ex_echo /src/vim/src/eval.c:6629:6
#25 0x56349ef01e6c in do_one_cmd /src/vim/src/ex_docmd.c:2570:2
#26 0x56349eed94e0 in do_cmdline /src/vim/src/ex_docmd.c:992:17
#27 0x5634a014d7f4 in do_source_ext /src/vim/src/scriptfile.c:1674:5
#28 0x5634a0145055 in do_source /src/vim/src/scriptfile.c:1801:12
#29 0x5634a0144464 in cmd_source /src/vim/src/scriptfile.c:1174:14
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/vim/src/typval.c:2226:10 in eval_string
Shadow bytes around the buggy address:
0x0c067fff8140: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 01 fa
0x0c067fff8150: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c067fff8160: fd fa fa fa 00 00 00 02 fa fa fd fd fd fd fa fa
0x0c067fff8170: 00 00 00 02 fa fa 00 00 00 fa fa fa fd fd fd fd
0x0c067fff8180: fa fa 00 00 00 fa fa fa 00 00 00 02 fa fa 00 00
=>0x0c067fff8190: 00 fa fa fa 00 00 00[fa]fa fa fa fa fa fa fa fa
0x0c067fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2558612==ABORTING
Impact
This may result in corruption of sensitive information, a crash, or code execution among other things.
Related news
Ubuntu Security Notice 6302-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Vim did not properly perform bounds checks in the diff mode in certain situations. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.