
Integer Overflow in :history command

Moderate
chrisbra published GHSA-q22m-h7m2-9mgm Oct 26, 2023

Package

Vim (C)

Affected versions

9.0.2067

Patched versions

9.0.2068

Description

Environment

Distributor ID:	Debian
Description:	Debian GNU/Linux bookworm/sid

Version

I checked against the master branch at commit 5f5131d.

Description

Heap-use-after-free in memory allocated in the function ga_grow_inner in the file src/alloc.c at line 748, which is freed in the file src/ex_docmd.c in the function do_cmdline at line 1010 and then used again in src/cmdhist.c at line 759.

POC

./bins/vim -u NONE -i NONE -n -e -s -S ./crashmin/gchar_cursor -c :qa!

ASAN

=================================================================
==27059==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000700 at pc 0x5561472e4d7e bp 0x7ffc40ff1ad0 sp 0x7ffc40ff1ac8
READ of size 4 at 0x611000000700 thread T0
    #0 0x5561472e4d7d in ex_history /path/vim/src/cmdhist.c:759:62
    #1 0x55614743ea18 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
    #2 0x55614743ea18 in do_cmdline /path/vim/src/ex_docmd.c:994:17
    #3 0x55614788323a in do_source_ext /path/vim/src/scriptfile.c:1762:5
    #4 0x556147880fab in do_source /path/vim/src/scriptfile.c:1908:12
    #5 0x556147880fab in cmd_source /path/vim/src/scriptfile.c:1253:14
    #6 0x55614743ea18 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
    #7 0x55614743ea18 in do_cmdline /path/vim/src/ex_docmd.c:994:17
    #8 0x556147c96613 in exe_commands /path/vim/src/main.c:3173:2
    #9 0x556147c96613 in vim_main2 /path/vim/src/main.c:790:2
    #10 0x556147c933ae in main /path/vim/src/main.c:441:12
    #11 0x7f2312dde1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f2312dde284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #13 0x556147170760 in _start (/path/vim/fuzzfuzzfuzz/bins/vim+0x208760) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)

0x611000000700 is located 128 bytes inside of 250-byte region [0x611000000680,0x61100000077a)
freed by thread T0 here:
    #0 0x5561471f3302 in __interceptor_free (/path/vim/fuzzfuzzfuzz/bins/vim+0x28b302) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)
    #1 0x556147439233 in do_cmdline /path/vim/src/ex_docmd.c:1010:6
    #2 0x55614788323a in do_source_ext /path/vim/src/scriptfile.c:1762:5
    #3 0x556147880fab in do_source /path/vim/src/scriptfile.c:1908:12
    #4 0x556147880fab in cmd_source /path/vim/src/scriptfile.c:1253:14
    #5 0x556147c96613 in exe_commands /path/vim/src/main.c:3173:2
    #6 0x556147c96613 in vim_main2 /path/vim/src/main.c:790:2
    #7 0x556147c933ae in main /path/vim/src/main.c:441:12
    #8 0x7f2312dde1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x5561471f39d6 in __interceptor_realloc (/path/vim/fuzzfuzzfuzz/bins/vim+0x28b9d6) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)
    #1 0x55614723054b in ga_grow_inner /path/vim/src/alloc.c:748:10
    #2 0x55614723054b in ga_grow /path/vim/src/alloc.c:713:9

SUMMARY: AddressSanitizer: heap-use-after-free /path/vim/src/cmdhist.c:759:62 in ex_history
==27059==ABORTING

Impact

When using the :history command, it's possible that the provided argument overflows the accepted value, causing an integer overflow and potentially, later, a use-after-free. This is not a major issue, as most users probably won't intentionally use large values for the :history command.
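A defensive parse of a numeric :history argument, written here as an added example (it is not Vim's code and not the actual fix shipped in 9.0.2068): the value is rejected before it is used as an index if it does not fit in an int or lies outside the history table. HIST_LEN and the negative-index convention (counting back from the newest entry) are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Assumed size of the command history table; a stand-in for the real
 * history length, which this example does not model. */
#define HIST_LEN 100

/*
 * Parse one decimal index argument of the :history command.
 * Returns 0 and stores the value in *out on success; returns -1 when the
 * text is not a bare number, when the digits overflow long (ERANGE), when
 * the value would wrap on narrowing to int, or when it falls outside
 * [-HIST_LEN, HIST_LEN]. Negative values are taken to count back from the
 * newest entry (assumed convention).
 */
int parse_hist_index(const char *arg, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0')     /* empty or trailing garbage */
        return -1;
    if (errno == ERANGE)                /* too many digits for long */
        return -1;
    if (v > INT_MAX || v < INT_MIN)     /* would wrap when stored in int */
        return -1;
    if (v > HIST_LEN || v < -HIST_LEN)  /* outside the history table */
        return -1;
    *out = (int)v;
    return 0;
}

/* Convenience wrapper: the validated index, or `fallback` if rejected. */
int hist_index_or(const char *arg, int fallback)
{
    int v;
    return parse_hist_index(arg, &v) == 0 ? v : fallback;
}
```

The INT_MAX/INT_MIN check is what closes the class of bug described above: without it, a long that parsed fine is silently truncated when it lands in an int.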

Patches

Problem is patched in version: 9.0.2068

Credits

Thanks to Cole Dilorenzo for notifying the vim-security mailing list.

Severity

Moderate
4.0 / 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2023-46246

Weaknesses

No CWEs