ac11b6a710
|
||
|---|---|---|
| .. | ||
| POC1 | ||
| POC2 | ||
| README.md | ||
README.md
Description
Heap-based Buffer Overflow in function same_leader at textformat.c:558 Heap-based Buffer Overflow in function utfc_ptr2len at mbyte.c:2138
Vim Version
git log commit f97a295ccaa9803367f3714cdefce4e2283c771d (HEAD -> master, tag: v9.0.1221, origin/master, origin/HEAD)
Able to replicate the same bug in version 9.0.1224: ./vim -version VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 21 2023 19:27:29) git log commit 47bba53bdb6d59057887149e2eeb2071803e547e (HEAD -> master, tag: v9.0.1224, origin/master, origin/HEAD)
Proof of Concept (same_leader)
./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./POC1 -c :qa!
==2551383==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001510d at pc 0x5579aa32a5f2 bp 0x7ffd2182a1e0 sp 0x7ffd2182a1d0 READ of size 1 at 0x62100001510d thread T0 #0 0x5579aa32a5f1 in same_leader /home/limweicheng/Desktop/Fuzz/vim/src/textformat.c:558 #1 0x5579aa333a53 in format_lines /home/limweicheng/Desktop/Fuzz/vim/src/textformat.c:1091 #2 0x5579aa337d77 in op_format /home/limweicheng/Desktop/Fuzz/vim/src/textformat.c:852 #3 0x5579a9de190a in do_pending_operator /home/limweicheng/Desktop/Fuzz/vim/src/ops.c:4192 #4 0x5579a9d8e9ff in normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:960 #5 0x5579a99cef22 in exec_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8887 #6 0x5579a99cf8e1 in exec_normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8850 #7 0x5579a99cf8e1 in ex_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8768 #8 0x5579a99e89fc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580 #9 0x5579a99e89fc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993 #10 0x5579aa0bcc05 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1672 #11 0x5579aa0c34c0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1818 #12 0x5579aa0c34c0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1163 #13 0x5579a99e89fc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580 #14 0x5579a99e89fc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993 #15 0x5579aa716321 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146 #16 0x5579aa716321 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782 #17 0x5579a961f8b7 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433 #18 0x7ff853b96d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #19 0x7ff853b96e3f in __libc_start_main_impl ../csu/libc-start.c:392 #20 0x5579a9626574 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x199574)
0x62100001510d is located 13 bytes to the right of 4096-byte region [0x621000014100,0x621000015100) allocated by thread T0 here: #0 0x7ff854630867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x5579a9626aca in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/limweicheng/Desktop/Fuzz/vim/src/textformat.c:558 in same_leader Shadow bytes around the buggy address: 0x0c427fffa9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fffa9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fffa9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fffaa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c427fffaa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c427fffaa20: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffaa30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffaa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffaa50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffaa60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c427fffaa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2551383==ABORTING
Proof of Concept (utfc_ptr2len)
./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./POC2 -c :qa!
==2554992==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006ed2 at pc 0x5649350fbbce bp 0x7ffc71a4da10 sp 0x7ffc71a4da00 READ of size 1 at 0x602000006ed2 thread T0 #0 0x5649350fbbcd in utfc_ptr2len /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2138 #1 0x564935236185 in get_visual_text /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:3678 #2 0x56493523c47b in nv_zg_zw /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2613 #3 0x56493523c47b in nv_zet /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2990 #4 0x56493522b305 in normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:938 #5 0x564934e6cf22 in exec_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8887 #6 0x564934e6d8e1 in exec_normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8850 #7 0x564934e6d8e1 in ex_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8768 #8 0x564934e869fc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580 #9 0x564934e869fc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993 #10 0x56493555ac05 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1672 #11 0x5649355614c0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1818 #12 0x5649355614c0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1163 #13 0x564934e869fc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580 #14 0x564934e869fc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993 #15 0x564935bb4321 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146 #16 0x564935bb4321 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782 #17 0x564934abd8b7 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433 #18 0x7f4dacd1ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #19 0x7f4dacd1ee3f in __libc_start_main_impl ../csu/libc-start.c:392 #20 0x564934ac4574 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x199574) 0x602000006ed2 is located 0 bytes to the right of 2-byte region [0x602000006ed0,0x602000006ed2) allocated by thread T0 here: #0 0x7f4dad7b8867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x564934ac4aca in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2138 in utfc_ptr2len Shadow bytes around the buggy address: 0x0c047fff8d80: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd 0x0c047fff8d90: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8da0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff8dc0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 01 fa =>0x0c047fff8dd0: fa fa 00 00 fa fa 01 fa fa fa[02]fa fa fa fd fa 0x0c047fff8de0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8df0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8e00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8e10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 07 fa 0x0c047fff8e20: fa fa 01 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2554992==ABORTING