Headline

CVE-2023-4750: heap-use-after-free in function bt_quickfix in vim

Use After Free in GitHub repository vim/vim prior to 9.0.1857.

12 months ago

Description

heap-use-after-free in function bt_quickfix at buffer.c:5770

Vim Version

git log
commit 32ff96ef018eb1a5bea0953648b4892a6ee71658 (HEAD -> master, tag: v9.0.1307, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S bt_quickfix_poc -c :qa!
=================================================================
==693059==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000018438 at pc 0x5643bc7b3ff3 bp 0x7ffd7a50df20 sp 0x7ffd7a50df10
READ of size 8 at 0x625000018438 thread T0
    #0 0x5643bc7b3ff2 in bt_quickfix /home/limweicheng/Desktop/Fuzz/vim/src/buffer.c:5770
    #1 0x5643bd02b95c in is_qf_win /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4482
    #2 0x5643bd02d0db in qf_find_buf /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4526
    #3 0x5643bd03cd1b in qf_update_buffer /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:4579
    #4 0x5643bd074848 in ex_vimgrep /home/limweicheng/Desktop/Fuzz/vim/src/quickfix.c:6495
    #5 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #6 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #7 0x5643bd1fe495 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #8 0x5643bd20505b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1233
    #9 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #10 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #11 0x5643bd1fe495 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #12 0x5643bd204d60 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1905
    #13 0x5643bd204d60 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1250
    #14 0x5643bcb254ff in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #15 0x5643bcb254ff in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #16 0x5643bd85e301 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146
    #17 0x5643bd85e301 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782
    #18 0x5643bc75ae97 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433
    #19 0x7f80b2980d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #20 0x7f80b2980e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #21 0x5643bc761b44 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x19ab44)

0x625000018438 is located 6968 bytes inside of 9424-byte region [0x625000016900,0x625000018dd0)
freed by thread T0 here:
    #0 0x7f80b341a517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x5643bc762def in vim_free /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:615

previously allocated by thread T0 here:
    #0 0x7f80b341a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5643bc76209a in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-use-after-free /home/limweicheng/Desktop/Fuzz/vim/src/buffer.c:5770 in bt_quickfix
Shadow bytes around the buggy address:
  0x0c4a7fffb030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffb040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffb050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffb060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffb070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffb080: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c4a7fffb090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffb0a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffb0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffb0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffb0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:          00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:    fa
  Freed heap region:    fd
  Stack left redzone:   f1
  Stack mid redzone:    f2
  Stack right redzone:  f3
  Stack after return:   f5
  Stack use after scope:   f8
  Global redzone:       f9
  Global init order:    f6
  Poisoned by user:     f7
  Container overflow:   fc
  Array cookie:         ac
  Intra object redzone: bb
  ASan internal:        fe
  Left alloca redzone:  ca
  Right alloca redzone: cb
  Shadow gap:           cc
==693059==ABORTING

Impact

This is capable of causing crashes by using unexpected value, or possible code execution.

Related news

Apple Security Advisory 10-25-2023-4

Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.

10 months ago

Packet Storm

Open in Source

#vulnerability #web #mac #windows #apple #google #dos #js #auth #zero_day #webkit

Ubuntu Security Notice USN-6452-1

Ubuntu Security Notice 6452-1 - It was discovered that Vim could be made to divide by zero. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04. It was discovered that Vim did not properly manage memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained an arithmetic overflow. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.

10 months ago

Packet Storm

Open in Source

#vulnerability #ubuntu #dos #perl

CVE-2023-42861: About the security content of macOS Sonoma 14.1

A logic issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac.

11 months ago

CVE

Open in Source

#vulnerability #web #mac #windows #dos #js #auth #zero_day #webkit