CVE-2023-46246: Integer Overflow in :history command

Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function ga_grow_inner in the file src/alloc.c at line 748, which is freed in the file src/ex_docmd.c in the function do_cmdline at line 1010 and then used again in src/cmdhist.c at line 759. When using the :history command, it is possible that the provided argument overflows the accepted value, causing an integer overflow and potentially a later use-after-free. This vulnerability has been patched in version 9.0.2068.

Environment

Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid

Version

I checked against the master branch at commit 5f5131d.

Description

Heap-use-after-free in memory allocated in the function ga_grow_inner in the file src/alloc.c at line 748, which is freed in the file src/ex_docmd.c in the function do_cmdline at line 1010 and then used again in src/cmdhist.c at line 759.

POC

./bins/vim -u NONE -i NONE -n -e -s -S ./crashmin/gchar_cursor -c :qa!

ASAN

=================================================================
==27059==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000700 at pc 0x5561472e4d7e bp 0x7ffc40ff1ad0 sp 0x7ffc40ff1ac8
READ of size 4 at 0x611000000700 thread T0
    #0 0x5561472e4d7d in ex_history /path/vim/src/cmdhist.c:759:62
    #1 0x55614743ea18 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
    #2 0x55614743ea18 in do_cmdline /path/vim/src/ex_docmd.c:994:17
    #3 0x55614788323a in do_source_ext /path/vim/src/scriptfile.c:1762:5
    #4 0x556147880fab in do_source /path/vim/src/scriptfile.c:1908:12
    #5 0x556147880fab in cmd_source /path/vim/src/scriptfile.c:1253:14
    #6 0x55614743ea18 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
    #7 0x55614743ea18 in do_cmdline /path/vim/src/ex_docmd.c:994:17
    #8 0x556147c96613 in exe_commands /path/vim/src/main.c:3173:2
    #9 0x556147c96613 in vim_main2 /path/vim/src/main.c:790:2
    #10 0x556147c933ae in main /path/vim/src/main.c:441:12
    #11 0x7f2312dde1c9 in __libc_start_call_main csu/…/sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f2312dde284 in __libc_start_main csu/…/csu/libc-start.c:360:3
    #13 0x556147170760 in _start (/path/vim/fuzzfuzzfuzz/bins/vim+0x208760) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)

0x611000000700 is located 128 bytes inside of 250-byte region [0x611000000680,0x61100000077a)
freed by thread T0 here:
    #0 0x5561471f3302 in __interceptor_free (/path/vim/fuzzfuzzfuzz/bins/vim+0x28b302) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)
    #1 0x556147439233 in do_cmdline /path/vim/src/ex_docmd.c:1010:6
    #2 0x55614788323a in do_source_ext /path/vim/src/scriptfile.c:1762:5
    #3 0x556147880fab in do_source /path/vim/src/scriptfile.c:1908:12
    #4 0x556147880fab in cmd_source /path/vim/src/scriptfile.c:1253:14
    #5 0x556147c96613 in exe_commands /path/vim/src/main.c:3173:2
    #6 0x556147c96613 in vim_main2 /path/vim/src/main.c:790:2
    #7 0x556147c933ae in main /path/vim/src/main.c:441:12
    #8 0x7f2312dde1c9 in __libc_start_call_main csu/…/sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x5561471f39d6 in __interceptor_realloc (/path/vim/fuzzfuzzfuzz/bins/vim+0x28b9d6) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)
    #1 0x55614723054b in ga_grow_inner /path/vim/src/alloc.c:748:10
    #2 0x55614723054b in ga_grow /path/vim/src/alloc.c:713:9

SUMMARY: AddressSanitizer: heap-use-after-free /path/vim/src/cmdhist.c:759:62 in ex_history
==27059==ABORTING

Impact

When using the :history command, it is possible that the provided argument overflows the accepted value, causing an integer overflow and potentially a later use-after-free. This is not a major issue, as most users probably won't intentionally use large values for the :history command.
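As an added illustration of the failure mode the advisory describes (this is not Vim's code and not the fix shipped in 9.0.2068), the following C snippet contrasts an unchecked narrowing of a numeric command argument with a checked parse that rejects anything outside the range a history table can hold; HISTORY_LEN and both function names are hypothetical.

```c
/* Added example, not Vim's code: checked parsing of a ":history"-style numeric
 * argument. The advisory's overflow comes from an argument exceeding the accepted
 * value; HISTORY_LEN and the function names are hypothetical placeholders. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define HISTORY_LEN 50          /* hypothetical size of the history table */

/* Unchecked: narrowing a long to int wraps on 64-bit targets, so an absurd
 * argument can become a small or negative index into the history table. */
int parse_hist_bound_unchecked(const char *arg)
{
    return (int) strtol(arg, NULL, 10);
}

/* Checked: returns 0 and stores the value in *out only when the argument is
 * entirely numeric, fits in an int, and lies in [-HISTORY_LEN, HISTORY_LEN].
 * Returns -1 otherwise, so a wrapped or out-of-range value never reaches the table. */
int parse_hist_bound(const char *arg, int *out)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0')
        return -1;              /* long overflow, no digits, or trailing junk */
    if (v > INT_MAX || v < INT_MIN)
        return -1;              /* would wrap when narrowed to int */
    if (v > HISTORY_LEN || v < -HISTORY_LEN)
        return -1;              /* outside the table the index addresses */
    *out = (int) v;
    return 0;
}

int main(void)
{
    const char *inputs[] = { "10", "2147483648", "99999999999999999999" }; /* constructed */
    for (int i = 0; i < 3; i++) {
        int v, ok = parse_hist_bound(inputs[i], &v);
        printf("%-22s unchecked=%d checked=%s\n", inputs[i],
               parse_hist_bound_unchecked(inputs[i]), ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```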

Patches

Problem is patched in version: 9.0.2068

Credits

Thanks to Cole Dilorenzo for notifying the vim-security mailing list.

Related news

Ubuntu Security Notice USN-6557-1

Ubuntu Security Notice 6557-1 - It was discovered that Vim could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that Vim could be made to recurse infinitely. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
