[patch] fixed access to invalid memory when doing :exe "sc"


Dominique Pellé

31 Jul 2015, 22:28:36
to vim_dev
Hi

Vim-7.4.803 (and older) accesses invalid memory beyond end of
string when doing:

$ vim -u NONE -c 'exe "sc"'

Bug is fixed in attached patch.

Apparently, ":sc" is doing a :substitute command with the
'c' flag. I could not find where it is documented, but perhaps
I missed it in the doc.

Bug was found using afl-fuzz + asan. Here is asan's report:

=================================================================
==5082==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000016d33 at pc 0x52c4de bp 0x7ffc38814d00 sp 0x7ffc38814cf8
READ of size 1 at 0x602000016d33 thread T0
#0 0x52c4dd in find_command /home/pel/sb/vim/src/ex_docmd.c:3133
#1 0x527ba7 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2114
#2 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#3 0x4d7ef8 in ex_execute /home/pel/sb/vim/src/eval.c:22155
#4 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
#5 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#6 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#7 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
#8 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
#9 0x7f1fdb67eec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#10 0x40ea18 (/home/pel/sb/vim/src/vim+0x40ea18)

0x602000016d33 is located 0 bytes to the right of 3-byte region
[0x602000016d30,0x602000016d33)
allocated by thread T0 here:
#0 0x7f1fde44f7df in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x664ca7 in lalloc /home/pel/sb/vim/src/misc2.c:921
#2 0x664a8b in alloc /home/pel/sb/vim/src/misc2.c:820
#3 0x665533 in vim_strsave /home/pel/sb/vim/src/misc2.c:1246
#4 0x522f35 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1063
#5 0x4d7ef8 in ex_execute /home/pel/sb/vim/src/eval.c:22155
#6 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
#7 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#8 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#9 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
#10 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
#11 0x7f1fdb67eec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pel/sb/vim/src/ex_docmd.c:3133 find_command
Shadow bytes around the buggy address:
0x0c047fffad50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffad60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffad70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffad80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffad90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffada0: fa fa fa fa fa fa[03]fa fa fa fd fa fa fa 00 01
0x0c047fffadb0: fa fa 04 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fffadc0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fffadd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffade0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffadf0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==5082==ABORTING

Regards
Dominique
fix-inv-mem-ex_docmd.c-7.4.803.patch
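An added illustration of the bug class in the report above (example code written for this thread, not Vim's find_command or the attached patch): a ":s<flags>" recogniser in the shape that produces exactly this ASan signature, a 1-byte READ 0 bytes past a 3-byte heap copy of "sc". The flag set and the parser shape are assumptions; the hardened form is shown beside it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flags the thread discusses for ":s<flags>" (assumed set for this example). */
#define SUB_FLAGS "cgriI"

/* Both parsers return the number of flag characters following the 's',
 * or -1 when "cmd" does not start with 's'. */
/* Buggy shape: strchr(SUB_FLAGS, '\0') matches the terminator of SUB_FLAGS,
 * so the string's own NUL counts as a flag, the loop steps over it and the
 * next iteration reads cmd[3] of a 3-byte block: READ of size 1, 0 bytes to
 * the right of the region, as in the report above. */
static int count_sub_flags_buggy(const char *cmd)
{
    if (cmd[0] != 's')
        return -1;
    const char *p = cmd + 1;
    while (strchr(SUB_FLAGS, *p) != NULL)   /* BUG: also true for '\0' */
        ++p;
    return (int)(p - cmd - 1);
}

/* Hardened shape: check for end of string before consulting the flag table. */
static int count_sub_flags(const char *cmd)
{
    if (cmd[0] != 's')
        return -1;
    const char *p = cmd + 1;
    while (*p != '\0' && strchr(SUB_FLAGS, *p) != NULL)
        ++p;
    return (int)(p - cmd - 1);
}

int main(void)
{
    const char *samples[] = { "sc", "sgcI", "s", "q" };   /* constructed input */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i) {
        size_t n = strlen(samples[i]) + 1;   /* exact-size block, like vim_strsave() */
        char *heap = memcpy(malloc(n), samples[i], n);
        printf("%-5s -> %d flag(s)\n", heap, count_sub_flags(heap));
        /* count_sub_flags_buggy(heap) on "sc" is the ASan heap-buffer-overflow. */
        free(heap);
    }
    /* In-bounds view of the miscount: with a byte after the NUL the buggy loop
     * stops safely but has counted the terminator as a flag (2, not 1). */
    printf("buggy count for \"sc\\0x\": %d\n", count_sub_flags_buggy("sc\0x"));
    return 0;
}
```

Building with -fsanitize=address and calling the buggy variant on the heap copy of "sc" reproduces the report's allocation and read sizes.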

James McCoy

31 Jul 2015, 22:36:36
to vim_dev
On Sat, Aug 01, 2015 at 04:27:53AM +0200, Dominique Pellé wrote:
> Hi
>
> Vim-7.4.803 (and older) accesses invalid memory beyond end of
> string when doing:
>
> $ vim -u NONE -c 'exe "sc"'
>
> Bug is fixed in attached patch.
>
> Apparently, ":sc" is doing a :substitute command with the
> 'c' flag. I could not find where it is documented, but perhaps
> I missed it in the doc.

:[range]s[ubstitute] [flags] [count]
:[range]&[&][flags] [count] *:&*

The space between `:substitute` and the 'c', 'g' and
'r' flags isn't required, but in scripts it's a good
idea to keep it to avoid confusion.

Cheers,
--
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jame...@jamessan.com>

Dominique Pellé

31 Jul 2015, 23:00:50
to vim_dev
James McCoy wrote:

> On Sat, Aug 01, 2015 at 04:27:53AM +0200, Dominique Pellé wrote:
>> Hi
>>
>> Vim-7.4.803 (and older) accesses invalid memory beyond end of
>> string when doing:
>>
>> $ vim -u NONE -c 'exe "sc"'
>>
>> Bug is fixed in attached patch.
>>
>> Apparently, ":sc" is doing a :substitute command with the
>> 'c' flag. I could not find where it is documented, but perhaps
>> I missed it in the doc.
>
> :[range]s[ubstitute] [flags] [count]
> :[range]&[&][flags] [count] *:&*
> …
> The space between `:substitute` and the 'c', 'g' and
> 'r' flags isn't required, but in scripts it's a good
> idea to keep it to avoid confusion.


Thanks James,

OK, so :sc is documented after all. But the documentation
is incomplete. It's missing flags 'i' and 'I'. See attached doc patch.

Regards
Dominique
incomplete-doc-substitute-7.4.803.txt

Bram Moolenaar

2 Aug 2015, 17:04:55
to Dominique Pellé, vim_dev

Dominique wrote:
>
> Vim-7.4.803 (and older) accesses invalid memory beyond end of
> string when doing:
>
> $ vim -u NONE -c 'exe "sc"'
>
> Bug is fixed in attached patch.
>
> Apparently, ":sc" is doing a :substitute command with the
> 'c' flag. I could not find where it is documented, but perhaps
> I missed it in the doc.
>
> Bug was found using afl-fuzz + asan. Here is asan's report:
>
> =================================================================
> ==5082==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x602000016d33 at pc 0x52c4de bp 0x7ffc38814d00 sp 0x7ffc38814cf8
> READ of size 1 at 0x602000016d33 thread T0
> #0 0x52c4dd in find_command /home/pel/sb/vim/src/ex_docmd.c:3133
> #1 0x527ba7 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2114
> #2 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
> #3 0x4d7ef8 in ex_execute /home/pel/sb/vim/src/eval.c:22155
> #4 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
> #5 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
> #6 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
> #7 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
> #8 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
> #9 0x7f1fdb67eec4 in __libc_start_main

[...]

Thanks!


--
I'd like to meet the man who invented sex and see what he's working on now.

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

Bram Moolenaar

4 Aug 2015, 09:32:03
to Dominique Pellé, vim_dev

Dominique wrote:

> James McCoy wrote:
>
> > On Sat, Aug 01, 2015 at 04:27:53AM +0200, Dominique Pellé wrote:
> >> Hi
> >>
> >> Vim-7.4.803 (and older) accesses invalid memory beyond end of
> >> string when doing:
> >>
> >> $ vim -u NONE -c 'exe "sc"'
> >>
> >> Bug is fixed in attached patch.
> >>
> >> Apparently, ":sc" is doing a :substitute command with the
> >> 'c' flag. I could not find where it is documented, but perhaps
> >> I missed it in the doc.
> >
> > :[range]s[ubstitute] [flags] [count]
> > :[range]&[&][flags] [count] *:&*
> > …
> > The space between `:substitute` and the 'c', 'g' and
> > 'r' flags isn't required, but in scripts it's a good
> > idea to keep it to avoid confusion.
>
>
> Thanks James,
>
> OK, so :sc is documented after all. But the documentation
> is incomplete. It's missing flags 'i' and 'I'. See attached doc patch.

Thanks!

--
Not too long ago, unzipping in public was illegal...