Environment
Distributor ID: Debian
Description: Debian GNU/Linux bookworm/sid
Version
I checked against the master branch at commit 5f5131d.
Description
Heap-use-after-free in memory allocated in the function ga_grow_inner
in the file src/alloc.c
at line 748, which is freed in the file src/ex_docmd.c
in the function do_cmdline
at line 1010 and then used again in the function ex_history in src/cmdhist.c
at line 759
POC
./bins/vim -u NONE -i NONE -n -e -s -S ./crashmin/gchar_cursor -c :qa!
ASAN
=================================================================
==27059==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000700 at pc 0x5561472e4d7e bp 0x7ffc40ff1ad0 sp 0x7ffc40ff1ac8
READ of size 4 at 0x611000000700 thread T0
#0 0x5561472e4d7d in ex_history /path/vim/src/cmdhist.c:759:62
#1 0x55614743ea18 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
#2 0x55614743ea18 in do_cmdline /path/vim/src/ex_docmd.c:994:17
#3 0x55614788323a in do_source_ext /path/vim/src/scriptfile.c:1762:5
#4 0x556147880fab in do_source /path/vim/src/scriptfile.c:1908:12
#5 0x556147880fab in cmd_source /path/vim/src/scriptfile.c:1253:14
#6 0x55614743ea18 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
#7 0x55614743ea18 in do_cmdline /path/vim/src/ex_docmd.c:994:17
#8 0x556147c96613 in exe_commands /path/vim/src/main.c:3173:2
#9 0x556147c96613 in vim_main2 /path/vim/src/main.c:790:2
#10 0x556147c933ae in main /path/vim/src/main.c:441:12
#11 0x7f2312dde1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7f2312dde284 in __libc_start_main csu/../csu/libc-start.c:360:3
#13 0x556147170760 in _start (/path/vim/fuzzfuzzfuzz/bins/vim+0x208760) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)
0x611000000700 is located 128 bytes inside of 250-byte region [0x611000000680,0x61100000077a)
freed by thread T0 here:
#0 0x5561471f3302 in __interceptor_free (/path/vim/fuzzfuzzfuzz/bins/vim+0x28b302) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)
#1 0x556147439233 in do_cmdline /path/vim/src/ex_docmd.c:1010:6
#2 0x55614788323a in do_source_ext /path/vim/src/scriptfile.c:1762:5
#3 0x556147880fab in do_source /path/vim/src/scriptfile.c:1908:12
#4 0x556147880fab in cmd_source /path/vim/src/scriptfile.c:1253:14
#5 0x556147c96613 in exe_commands /path/vim/src/main.c:3173:2
#6 0x556147c96613 in vim_main2 /path/vim/src/main.c:790:2
#7 0x556147c933ae in main /path/vim/src/main.c:441:12
#8 0x7f2312dde1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 here:
#0 0x5561471f39d6 in __interceptor_realloc (/path/vim/fuzzfuzzfuzz/bins/vim+0x28b9d6) (BuildId: 0021b8b45c0d1823917b83c6743ec61faf0b7ab3)
#1 0x55614723054b in ga_grow_inner /path/vim/src/alloc.c:748:10
#2 0x55614723054b in ga_grow /path/vim/src/alloc.c:713:9
SUMMARY: AddressSanitizer: heap-use-after-free /path/vim/src/cmdhist.c:759:62 in ex_history
Shadow bytes around the buggy address:
0x0c227fff8090: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c227fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff80c0: 00 00 00 00 00 00 00 02 fa fa fa fa fa fa fa fa
0x0c227fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c227fff80e0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff80f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8110: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
0x0c227fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27059==ABORTING
Impact
When using the :history
command, it is possible for the provided argument to overflow the accepted value, causing an integer overflow and potentially, later, a use-after-free. This is not a major issue, as most users probably will not intentionally use large values for the :history command.
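The integer-overflow pattern described above, as an added example that is not Vim's code and not the project's fix: a hypothetical parser for a ":history [first][,last]" style argument that narrows a 64-bit parse result to int with a bare cast (parse_range_naive), next to a version that rejects anything outside the int range (parse_range_checked). The function names, the helper read_int and the sample inputs are assumptions for illustration; the wrap-around values shown are the two's-complement truncation GCC and Clang perform on an out-of-range int cast.

```c
/* Added example (not Vim's code): the integer-overflow pattern the Impact
 * section describes, on a hypothetical ":history [first][,last]" range parser.
 * parse_range_naive narrows a 64-bit parse result to int with a bare cast, so
 * an argument outside the int range wraps instead of being rejected;
 * parse_range_checked applies the bounds check a hardened version needs.
 * All function and variable names here are assumptions for illustration. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

static const char *skip_ws(const char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    return s;
}

static int looks_numeric(const char *s)
{
    return *s == '-' || isdigit((unsigned char)*s);
}

/* Vulnerable pattern: parse "[first][,last]" into two ints, narrowing the
 * 64-bit value with an unchecked cast. Returns 1 on a clean parse, 0 if
 * trailing characters remain. Values that do not fit an int silently wrap:
 * "4294967295" becomes -1 and "-2147483649" becomes INT_MAX, so a caller
 * that gives negative numbers a special meaning (e.g. "count back from the
 * newest entry") sees a different request from what was typed. */
int parse_range_naive(const char *s, int *first, int *last)
{
    char *end;
    int have_first = 0;

    s = skip_ws(s);
    if (looks_numeric(s)) {
        *first = (int)strtoll(s, &end, 10);    /* BUG: unchecked narrowing */
        s = skip_ws(end);
        have_first = 1;
    }
    if (*s == ',') {
        s = skip_ws(s + 1);
        if (looks_numeric(s)) {
            *last = (int)strtoll(s, &end, 10); /* BUG: unchecked narrowing */
            s = skip_ws(end);
        }
    } else if (have_first) {
        *last = *first;                        /* a single number means n,n */
    }
    return *s == '\0';
}

/* Hardened helper: read one number, refusing anything strtoll could not
 * represent (ERANGE) or that does not fit an int. */
static int read_int(const char **ps, int *out)
{
    char *end;
    long long num;

    errno = 0;
    num = strtoll(*ps, &end, 10);
    if (errno == ERANGE || num < INT_MIN || num > INT_MAX)
        return 0;
    *out = (int)num;   /* safe: range checked above */
    *ps = end;
    return 1;
}

/* Same grammar as parse_range_naive, but an out-of-range number fails the
 * parse instead of wrapping. */
int parse_range_checked(const char *s, int *first, int *last)
{
    int have_first = 0;

    s = skip_ws(s);
    if (looks_numeric(s)) {
        if (!read_int(&s, first))
            return 0;
        s = skip_ws(s);
        have_first = 1;
    }
    if (*s == ',') {
        s = skip_ws(s + 1);
        if (looks_numeric(s)) {
            if (!read_int(&s, last))
                return 0;
            s = skip_ws(s);
        }
    } else if (have_first) {
        *last = *first;
    }
    return *s == '\0';
}

int main(void)
{
    /* Constructed sample arguments: two ordinary ranges, two that wrap when
     * narrowed to int, and one that overflows strtoll itself. */
    const char *inputs[] = { "1,5", "-3", "4294967295", "-2147483649",
                             "99999999999999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int f = 0, l = 0, g = 0, m = 0;
        int ok_naive = parse_range_naive(inputs[i], &f, &l);
        int ok_checked = parse_range_checked(inputs[i], &g, &m);
        printf("%-22s naive: ok=%d first=%d last=%d | checked: ok=%d\n",
               inputs[i], ok_naive, f, l, ok_checked);
    }
    return 0;
}
```

The point of the two versions is where the decision is made: the naive parser reports success for every numeric string and leaves the caller holding a wrapped index it has no way to recognise, while the checked parser fails at the boundary where the original text is still available, so the command can be rejected before any history index is computed from it.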
Patches
Problem is patched in version: 9.0.2068
Credits
Thanks to Cole Dilorenzo for notifying the vim-security mailinglist