Headline
CVE-2023-4750: heap-use-after-free in function bt_quickfix in vim
Use After Free in GitHub repository vim/vim prior to 9.0.1857.
Description
heap-use-after-free in function bt_quickfix at buffer.c:5770
Vim Version
git log
commit 32ff96ef018eb1a5bea0953648b4892a6ee71658 (HEAD -> master, tag: v9.0.1307, origin/master, origin/HEAD)
Proof of Concept
./vim -u NONE -i NONE -n -m -X -Z -e -s -S bt_quickfix_poc -c :qa!
=================================================================
==693059==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000018438 at pc 0x5643bc7b3ff3 bp 0x7ffd7a50df20 sp 0x7ffd7a50df10
READ of size 8 at 0x625000018438 thread T0
#0 0x5643bc7b3ff2 in bt_quickfix /home/limweicheng/Desktop/Fuzz/vim/src/buffer.c:5770
#1 0x5643bd02b95c in is_qf_win /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4482
#2 0x5643bd02d0db in qf_find_buf /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4526
#3 0x5643bd03cd1b in qf_update_buffer /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4579
#4 0x5643bd074848 in ex_vimgrep /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:6495
#5 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
#6 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
#7 0x5643bd1fe495 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1759
#8 0x5643bd20505b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1233
#9 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
#10 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
#11 0x5643bd1fe495 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1759
#12 0x5643bd204d60 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1905
#13 0x5643bd204d60 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1250
#14 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
#15 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
#16 0x5643bd85e301 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146
#17 0x5643bd85e301 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782
#18 0x5643bc75ae97 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433
#19 0x7f80b2980d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#20 0x7f80b2980e3f in __libc_start_main_impl ../csu/libc-start.c:392
#21 0x5643bc761b44 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x19ab44)
0x625000018438 is located 6968 bytes inside of 9424-byte region [0x625000016900,0x625000018dd0)
freed by thread T0 here:
#0 0x7f80b341a517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x5643bc762def in vim_free /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:615
previously allocated by thread T0 here:
#0 0x7f80b341a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x5643bc76209a in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
SUMMARY: AddressSanitizer: heap-use-after-free /home/limweicheng/Desktop/Fuzz/vim/src/buffer.c:5770 in bt_quickfix
Shadow bytes around the buggy address:
==693059==ABORTING
Impact
This can cause a crash through use of an unexpected (freed) value, or possibly code execution.
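As an added illustration that is not Vim's code and not the upstream fix, the following models the pattern in the trace above: a window keeps a pointer to a buffer, the buffer is freed while that pointer remains, and a later 'buftype' read in bt_quickfix touches freed memory. The struct and function names mirror the trace; the list-membership guard (buf_valid, is_qf_win_checked) is a constructed stand-in for validating a buffer before dereferencing it.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal constructed model of a buffer list; not Vim's real structures. */
typedef struct buf_S {
    struct buf_S *b_next;
    const char   *b_p_bt;   /* 'buftype' option value, e.g. "quickfix" */
} buf_T;

typedef struct {
    buf_T *w_buffer;        /* buffer shown in the window; dangles once that buffer is freed */
} win_T;

static buf_T *firstbuf = NULL;

buf_T *buf_new(const char *buftype)
{
    buf_T *b = calloc(1, sizeof *b);
    b->b_p_bt = buftype;
    b->b_next = firstbuf;
    firstbuf = b;
    return b;
}

/* Unlink and free a buffer. Windows still pointing at it are NOT updated,
 * which is what leaves a dangling w_buffer behind. */
void buf_free(buf_T *buf)
{
    for (buf_T **pp = &firstbuf; *pp != NULL; pp = &(*pp)->b_next)
        if (*pp == buf) { *pp = buf->b_next; break; }
    free(buf);
}

/* Unchecked: dereferences whatever it is handed (the read ASan flagged at buffer.c:5770). */
int bt_quickfix(buf_T *buf)
{
    return buf != NULL && strcmp(buf->b_p_bt, "quickfix") == 0;
}

/* Guard: a pointer is live only if it is still in the buffer list.
 * Compares pointer values only; never dereferences the candidate. */
int buf_valid(buf_T *buf)
{
    for (buf_T *b = firstbuf; b != NULL; b = b->b_next)
        if (b == buf) return 1;
    return 0;
}

/* Hardened caller: validate the buffer before the 'buftype' read. */
int is_qf_win_checked(win_T *win)
{
    return buf_valid(win->w_buffer) && bt_quickfix(win->w_buffer);
}
```

Built with -fsanitize=address, calling bt_quickfix(win->w_buffer) directly after buf_free reproduces a heap-use-after-free report of the same shape as the one above, while is_qf_win_checked returns 0 without touching the freed region.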