[patch] fixed invalid memory in vim-7.4.803 when doing :fun X(

Dominique Pellé

Jul 31, 2015, 11:30:02 PM
to vim_dev
Hi

Vim-7.4.803 (and older) accesses invalid memory when doing:

$ vim -u NONE -c 'fun X('

Attached patch fixes it.
Bug was found with afl-fuzz + asan. Here's asan's report:

=================================================================
==8351==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000014fb7 at pc 0x437a42 bp 0x7fff2eedb810 sp 0x7fff2eedb808
READ of size 1 at 0x602000014fb7 thread T0
#0 0x437a41 in skipwhite /home/pel/sb/vim/src/charset.c:1552
#1 0x4da110 in ex_function /home/pel/sb/vim/src/eval.c:22498
#2 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
#3 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#4 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#5 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
#6 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
#7 0x7ff967b2cec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#8 0x40ea18 (/home/pel/sb/vim/src/vim+0x40ea18)

0x602000014fb7 is located 0 bytes to the right of 7-byte region [0x602000014fb0,0x602000014fb7)
allocated by thread T0 here:
#0 0x7ff96a8fd7df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x664ca7 in lalloc /home/pel/sb/vim/src/misc2.c:921
#2 0x664a8b in alloc /home/pel/sb/vim/src/misc2.c:820
#3 0x665533 in vim_strsave /home/pel/sb/vim/src/misc2.c:1246
#4 0x522f35 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1063
#5 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#6 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
#7 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
#8 0x7ff967b2cec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pel/sb/vim/src/charset.c:1552 skipwhite
==8351==ABORTING

Regards
Dominique
fix-inv-mem-ex_function-7.4.803.patch
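Reading the report: the 7-byte region is vim_strsave's copy of the command line "fun X(" plus its NUL, and the faulting one-byte read sits exactly one past that NUL, so ex_function stepped over the terminator before handing the pointer to skipwhite. The attached patch is not reproduced on this page; the following is an added, constructed example (not Vim's code and not the patch) of the parsing discipline that prevents this class of over-read: test the byte at p before every advance, so a truncated argument list is reported as an error instead of read past. The names skip_white, skip_ident and parse_fun_header are hypothetical.

```c
#include <ctype.h>
#include <string.h>
/* Like Vim's skipwhite(): stops at NUL, so an over-read needs a caller already past it. */
static const char *skip_white(const char *p)
{
    while (*p == ' ' || *p == '\t')
        ++p;
    return p;
}

/* Scan an identifier ([A-Za-z0-9_]*) and return the byte after it. */
static const char *skip_ident(const char *p)
{
    while (isalnum((unsigned char)*p) || *p == '_')
        ++p;
    return p;
}

/* Parse "fun[ction] NAME(arg, ...)" and return the argument count, or -1 when
 * the line is malformed (missing name, '(' or ')', or a bad argument).  Every
 * '++p' follows a test of the byte at p, so ":fun X(" yields -1, not an over-read. */
int parse_fun_header(const char *line)
{
    const char *p = skip_white(line), *start = p;
    int nargs = 0;
    p = skip_ident(p);                    /* command word */
    if (p - start < 3 || strncmp(start, "fun", 3) != 0)
        return -1;
    start = p = skip_white(p);            /* function name */
    p = skip_ident(p);
    p = skip_white(p);
    if (p == start || *p != '(')
        return -1;
    ++p;                                  /* *p was '(', not NUL */
    for (;;)
    {
        start = p = skip_white(p);
        if (*p == ')')
            return nargs;
        p = skip_ident(p);                /* stops at the NUL of ":fun X(" */
        if (p == start)
            return -1;                    /* empty argument or end of line */
        ++nargs;
        p = skip_white(p);
        if (*p == ',')
            ++p;                          /* advance only over a seen ',' */
        else if (*p != ')')
            return -1;
    }
}
```

Compiling the parser (or the real ex_function) with -fsanitize=address, as the reporter did, turns any remaining step past the NUL into the same kind of heap-buffer-overflow report.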