I can reproduce a heap-use-after-free bug every time with vim-8.2.3499 (huge) when I open a C or C++ file and type the search /~.
I'm not sure yet whether it's a recent regression.
Steps to reproduce:
$ cd vim/src
$ ./vim main.c 2> asan.log
/~ followed by return. It gives:
E33: No previous substitute regular expression
E383: Invalid search string: ~
/ followed by return. It gives:
E33: No previous substitute regular expression
/ again (you don't even need to type return this time) and vim crashes immediately:
Vim: Caught deadly signal ABRT
asan.log shows a heap-use-after-free bug:
=================================================================
==25511==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000153090 at pc 0x7f359633db97 bp 0x7fff2d604950 sp 0x7fff2d6040f8
READ of size 2 at 0x602000153090 thread T0
#0 0x7f359633db96 (/usr/lib/x86_64-linux-gnu/libasan.so.6+0x3cb96)
#1 0x55988db7ca1a in vim_vsnprintf_typval /home/pel/sb/vim/src/strings.c:2128
#2 0x55988db7b890 in vim_vsnprintf /home/pel/sb/vim/src/strings.c:1879
#3 0x55988ddce2bc in semsg /home/pel/sb/vim/src/message.c:803
#4 0x55988dae8777 in searchit /home/pel/sb/vim/src/search.c:678
#5 0x55988daec43b in do_search /home/pel/sb/vim/src/search.c:1566
#6 0x55988d97b3a3 in normal_search /home/pel/sb/vim/src/normal.c:4394
#7 0x55988d97ac91 in nv_search /home/pel/sb/vim/src/normal.c:4345
#8 0x55988d966e4f in normal_cmd /home/pel/sb/vim/src/normal.c:1099
#9 0x55988ddbe18b in main_loop /home/pel/sb/vim/src/main.c:1501
#10 0x55988ddbcdc0 in vim_main2 /home/pel/sb/vim/src/main.c:878
#11 0x55988ddbc407 in main /home/pel/sb/vim/src/main.c:425
#12 0x7f3593a3ebf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#13 0x55988d649a59 in _start (/home/pel/sb/vim/src/vim+0x145a59)
0x602000153090 is located 0 bytes inside of 2-byte region [0x602000153090,0x602000153092)
freed by thread T0 here:
#0 0x7f35963b3a7f in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb2a7f)
#1 0x55988d64a133 in vim_free /home/pel/sb/vim/src/alloc.c:616
#2 0x55988dae6ff3 in restore_search_patterns /home/pel/sb/vim/src/search.c:309
#3 0x55988dc53af7 in call_user_func_check /home/pel/sb/vim/src/userfunc.c:2853
#4 0x55988dc55c49 in call_func /home/pel/sb/vim/src/userfunc.c:3336
#5 0x55988dc54958 in call_callback /home/pel/sb/vim/src/userfunc.c:3120
#6 0x55988dc146e6 in timer_callback /home/pel/sb/vim/src/time.c:483
#7 0x55988dc15075 in check_due_timer /home/pel/sb/vim/src/time.c:550
#8 0x55988dc232d9 in ui_wait_for_chars_or_timer /home/pel/sb/vim/src/ui.c:455
#9 0x55988d9f5997 in WaitForChar /home/pel/sb/vim/src/os_unix.c:6038
#10 0x55988dc230d4 in inchar_loop /home/pel/sb/vim/src/ui.c:384
#11 0x55988d9e6d8b in mch_inchar /home/pel/sb/vim/src/os_unix.c:388
#12 0x55988dc22ba1 in ui_inchar /home/pel/sb/vim/src/ui.c:232
#13 0x55988d86e5e0 in inchar /home/pel/sb/vim/src/getchar.c:3562
#14 0x55988d86d6f8 in vgetorpeek /home/pel/sb/vim/src/getchar.c:3341
#15 0x55988d864dc4 in vgetc /home/pel/sb/vim/src/getchar.c:1689
#16 0x55988d865bee in safe_vgetc /home/pel/sb/vim/src/getchar.c:1918
#17 0x55988ddcfb76 in wait_return /home/pel/sb/vim/src/message.c:1200
#18 0x55988ddda5a7 in msg_end /home/pel/sb/vim/src/message.c:3433
#19 0x55988ddcb316 in msg_attr_keep /home/pel/sb/vim/src/message.c:178
#20 0x55988ddcb0e2 in msg_attr /home/pel/sb/vim/src/message.c:123
#21 0x55988ddce07b in emsg_core /home/pel/sb/vim/src/message.c:761
#22 0x55988ddce10d in emsg /home/pel/sb/vim/src/message.c:777
#23 0x55988da93e6a in nfa_regatom /home/pel/sb/vim/src/regexp_nfa.c:1530
#24 0x55988da97ebd in nfa_regpiece /home/pel/sb/vim/src/regexp_nfa.c:2211
#25 0x55988da98dc4 in nfa_regconcat /home/pel/sb/vim/src/regexp_nfa.c:2455
#26 0x55988da98e8a in nfa_regbranch /home/pel/sb/vim/src/regexp_nfa.c:2488
#27 0x55988da99321 in nfa_reg /home/pel/sb/vim/src/regexp_nfa.c:2549
#28 0x55988da99785 in re2post /home/pel/sb/vim/src/regexp_nfa.c:2969
#29 0x55988daad2e1 in nfa_regcomp /home/pel/sb/vim/src/regexp_nfa.c:7488
previously allocated by thread T0 here:
#0 0x7f35963b3dd7 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb2dd7)
#1 0x55988d649e85 in lalloc /home/pel/sb/vim/src/alloc.c:244
#2 0x55988d649c7f in alloc /home/pel/sb/vim/src/alloc.c:151
#3 0x55988db737b4 in vim_strsave /home/pel/sb/vim/src/strings.c:27
#4 0x55988dae6eff in save_search_patterns /home/pel/sb/vim/src/search.c:293
#5 0x55988dc53927 in call_user_func_check /home/pel/sb/vim/src/userfunc.c:2839
#6 0x55988dc55c49 in call_func /home/pel/sb/vim/src/userfunc.c:3336
#7 0x55988dc54958 in call_callback /home/pel/sb/vim/src/userfunc.c:3120
#8 0x55988dc146e6 in timer_callback /home/pel/sb/vim/src/time.c:483
#9 0x55988dc15075 in check_due_timer /home/pel/sb/vim/src/time.c:550
#10 0x55988dc232d9 in ui_wait_for_chars_or_timer /home/pel/sb/vim/src/ui.c:455
#11 0x55988d9f5997 in WaitForChar /home/pel/sb/vim/src/os_unix.c:6038
#12 0x55988dc230d4 in inchar_loop /home/pel/sb/vim/src/ui.c:384
#13 0x55988d9e6d8b in mch_inchar /home/pel/sb/vim/src/os_unix.c:388
#14 0x55988dc22ba1 in ui_inchar /home/pel/sb/vim/src/ui.c:232
#15 0x55988d86e5e0 in inchar /home/pel/sb/vim/src/getchar.c:3562
#16 0x55988d86d6f8 in vgetorpeek /home/pel/sb/vim/src/getchar.c:3341
#17 0x55988d864dc4 in vgetc /home/pel/sb/vim/src/getchar.c:1689
#18 0x55988d865bee in safe_vgetc /home/pel/sb/vim/src/getchar.c:1918
#19 0x55988ddcfb76 in wait_return /home/pel/sb/vim/src/message.c:1200
#20 0x55988ddda5a7 in msg_end /home/pel/sb/vim/src/message.c:3433
#21 0x55988ddcb316 in msg_attr_keep /home/pel/sb/vim/src/message.c:178
#22 0x55988ddcb0e2 in msg_attr /home/pel/sb/vim/src/message.c:123
#23 0x55988ddce07b in emsg_core /home/pel/sb/vim/src/message.c:761
#24 0x55988ddce2ef in semsg /home/pel/sb/vim/src/message.c:805
#25 0x55988dae8777 in searchit /home/pel/sb/vim/src/search.c:678
#26 0x55988daec43b in do_search /home/pel/sb/vim/src/search.c:1566
#27 0x55988d97b3a3 in normal_search /home/pel/sb/vim/src/normal.c:4394
#28 0x55988d97ac91 in nv_search /home/pel/sb/vim/src/normal.c:4345
#29 0x55988d966e4f in normal_cmd /home/pel/sb/vim/src/normal.c:1099
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.6+0x3cb96)
Shadow bytes around the buggy address:
0x0c04800225c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800225d0: fa fa fd fd fa fa 00 06 fa fa 00 06 fa fa fd fa
0x0c04800225e0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
0x0c04800225f0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c0480022600: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c0480022610: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480022620: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480022630: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480022640: fa fa fd fd fa fa fd fd fa fa 00 02 fa fa 00 02
0x0c0480022650: fa fa fd fd fa fa 00 04 fa fa 00 04 fa fa fd fa
0x0c0480022660: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==25511==ABORTING
AddressSanitizer: nested bug in the same thread, aborting.
I also see the bug with valgrind:
==24130==
==24130== Invalid read of size 1
==24130== at 0x4C38D92: strlen (vg_replace_strmem.c:469)
==24130== by 0x34669F: vim_vsnprintf_typval (strings.c:2128)
==24130== by 0x345D57: vim_vsnprintf (strings.c:1879)
==24130== by 0x431665: semsg (message.c:803)
==24130== by 0x308DE3: searchit (search.c:678)
==24130== by 0x30AB21: do_search (search.c:1566)
==24130== by 0x274CCE: normal_search (normal.c:4394)
==24130== by 0x274B07: nv_search (normal.c:4345)
==24130== by 0x26EDDF: normal_cmd (normal.c:1099)
==24130== by 0x42A940: main_loop (main.c:1501)
==24130== by 0x429C8B: vim_main2 (main.c:878)
==24130== by 0x429430: main (main.c:425)
==24130== Address 0xa795570 is 0 bytes inside a block of size 2 free'd
==24130== at 0x4C3589F: free (vg_replace_malloc.c:755)
==24130== by 0x142C73: vim_free (alloc.c:616)
==24130== by 0x308395: restore_search_patterns (search.c:309)
==24130== by 0x39AD0A: call_user_func_check (userfunc.c:2853)
==24130== by 0x39BAFF: call_func (userfunc.c:3336)
==24130== by 0x39B289: call_callback (userfunc.c:3120)
==24130== by 0x3820BC: timer_callback (time.c:483)
==24130== by 0x3822D2: check_due_timer (time.c:550)
==24130== by 0x3880BF: ui_wait_for_chars_or_timer (ui.c:455)
==24130== by 0x29E9F5: WaitForChar (os_unix.c:6038)
==24130== by 0x387FAD: inchar_loop (ui.c:384)
==24130== by 0x298543: mch_inchar (os_unix.c:388)
==24130== by 0x387D97: ui_inchar (ui.c:232)
==24130== by 0x20DEE2: inchar (getchar.c:3562)
==24130== by 0x20DAC4: vgetorpeek (getchar.c:3341)
==24130== by 0x20B1C5: vgetc (getchar.c:1689)
==24130== by 0x20B815: safe_vgetc (getchar.c:1918)
==24130== by 0x431F59: wait_return (message.c:1200)
==24130== by 0x43565B: msg_end (message.c:3433)
==24130== by 0x430260: msg_attr_keep (message.c:178)
==24130== by 0x43010C: msg_attr (message.c:123)
==24130== by 0x431535: emsg_core (message.c:761)
==24130== by 0x43157C: emsg (message.c:777)
==24130== by 0x2E7177: nfa_regatom (regexp_nfa.c:1530)
==24130== by 0x2E9496: nfa_regpiece (regexp_nfa.c:2211)
==24130== by 0x2E9DBD: nfa_regconcat (regexp_nfa.c:2455)
==24130== by 0x2E9E49: nfa_regbranch (regexp_nfa.c:2488)
==24130== by 0x2EA117: nfa_reg (regexp_nfa.c:2549)
==24130== by 0x2EA396: re2post (regexp_nfa.c:2969)
==24130== by 0x2F2F3B: nfa_regcomp (regexp_nfa.c:7488)
==24130== by 0x2F335F: vim_regcomp (regexp.c:2663)
==24130== by 0x30803C: search_regcomp (search.c:205)
==24130== by 0x308DA5: searchit (search.c:674)
==24130== by 0x30AB21: do_search (search.c:1566)
==24130== by 0x274CCE: normal_search (normal.c:4394)
==24130== by 0x274B07: nv_search (normal.c:4345)
==24130== by 0x26EDDF: normal_cmd (normal.c:1099)
==24130== by 0x42A940: main_loop (main.c:1501)
==24130== by 0x429C8B: vim_main2 (main.c:878)
==24130== by 0x429430: main (main.c:425)
==24130== Block was alloc'd at
==24130== at 0x4C32FB5: malloc (vg_replace_malloc.c:380)
==24130== by 0x142AEB: lalloc (alloc.c:244)
==24130== by 0x142993: alloc (alloc.c:151)
==24130== by 0x342721: vim_strsave (strings.c:27)
==24130== by 0x3082DB: save_search_patterns (search.c:293)
==24130== by 0x39AC4E: call_user_func_check (userfunc.c:2839)
==24130== by 0x39BAFF: call_func (userfunc.c:3336)
==24130== by 0x39B289: call_callback (userfunc.c:3120)
==24130== by 0x3820BC: timer_callback (time.c:483)
==24130== by 0x3822D2: check_due_timer (time.c:550)
==24130== by 0x3880BF: ui_wait_for_chars_or_timer (ui.c:455)
==24130== by 0x29E9F5: WaitForChar (os_unix.c:6038)
==24130== by 0x387FAD: inchar_loop (ui.c:384)
==24130== by 0x298543: mch_inchar (os_unix.c:388)
==24130== by 0x387D97: ui_inchar (ui.c:232)
==24130== by 0x20DEE2: inchar (getchar.c:3562)
==24130== by 0x20DAC4: vgetorpeek (getchar.c:3341)
==24130== by 0x20B1C5: vgetc (getchar.c:1689)
==24130== by 0x20B815: safe_vgetc (getchar.c:1918)
==24130== by 0x1E6906: getcmdline_int (ex_getln.c:1772)
==24130== by 0x1E6457: getcmdline (ex_getln.c:1562)
==24130== by 0x274A76: nv_search (normal.c:4337)
==24130== by 0x26EDDF: normal_cmd (normal.c:1099)
==24130== by 0x42A940: main_loop (main.c:1501)
==24130== by 0x429C8B: vim_main2 (main.c:878)
==24130== by 0x429430: main (main.c:425)
==24130==
I have not been able to automate it yet, but I can reproduce it interactively 100% of the time.
TODO: I can only reproduce it with my ~/.vimrc at the moment.
So I will have to minimize the content of my ~/.vimrc and my plugins to see what triggers it.
I may also have to bisect in case it's a recent regression.
Vim should not crash.
xubuntu-18.04.6
vim-8.2.3499 (huge)
> TODO: I can only reproduce it with my ~/.vimrc at the moment.
> So I will have to minimize the content of my ~/.vimrc and my plugins to see what triggers it.
So far I have found that the YouCompleteMe Vim plugin (https://github.com/ycm-core/YouCompleteMe) is needed to reproduce this bug. It shouldn't be a problem in the plugin, though, as a plugin should not cause Vim to crash.
The stack shows a timer, probably set up by the YouCompleteMe plugin. Perhaps we can reproduce this in a simpler way, but I'm not sure yet how. Hopefully the stack provided in the bug description already gives enough information to understand why the bug happens.
It was easier than expected to reproduce it without any plugin after all.
$ cd vim/src
$ cat > bug.vim <<EOF
func TimerHandler(timer)
endfunc
call timer_start(100, 'TimerHandler', {'repeat': -1})
/~
EOF
$ valgrind --num-callers=50 ./vim --clean -S bug.vim 2> valgrind.log
Then interactively type / and press return.
Repeat typing / + return a couple of times until valgrind detects use of freed memory in valgrind.log.
It's not a recent regression: at least vim-8.1.1453 from the Ubuntu 18.04.6 apt packages has the same bug, reproducible with valgrind.
Hm, shouldn't emsg() set did_emsg before msg_attr(), so that no timer and callbacks are executed?
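The sequence the two traces show (searchit() hands semsg() a pointer into the global search-pattern slot; emsg() waits for <CR> and lets due timers fire; the timer callback's restore_search_patterns() frees the buffer that pointer refers to) modelled in plain C, as an added illustration that is not Vim's code. The names spats, save_search_patterns, restore_search_patterns, emsg and searchit are borrowed from the traces; the quarantine stand-in for free(), the timer pump, and the copy-before-callback variant are assumptions made for the demo and are not what patch a2cff1d does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RE_SEARCH 0
#define RE_SUBST  1
typedef struct { char *pat; } spat_t;
static spat_t spats[2], saved_spats[2];  /* last search / last substitute pattern */

/* Stand-in for free(): poison the buffer and park it in a quarantine, so a
 * stale read is observable without undefined behaviour (a crude model of the
 * freed-region tracking ASan/valgrind do above; not a real allocator). */
static char *quarantine[64];
static int nquarantine;

static void pat_free(char *p)
{
    if (p == NULL) return;
    memset(p, '#', strlen(p));
    if (nquarantine < 64) quarantine[nquarantine++] = p; else free(p);
}

static char *pat_dup(const char *s)
{
    if (s == NULL) return NULL;
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Same shape as in the traces: save copies the slots, restore frees the
 * current buffers and installs the copies.  Any pointer taken from a slot
 * before the callback dangles afterwards. */
static void save_search_patterns(void)
{
    for (int i = 0; i < 2; i++) saved_spats[i].pat = pat_dup(spats[i].pat);
}

static void restore_search_patterns(void)
{
    for (int i = 0; i < 2; i++) {
        pat_free(spats[i].pat);
        spats[i].pat = saved_spats[i].pat;
        saved_spats[i].pat = NULL;
    }
}

static int timers_pending;

static void timer_callback(void)   /* TimerHandler wrapped as in the traces */
{
    save_search_patterns();
    restore_search_patterns();
}

/* emsg() waits for <CR>; while waiting, due timers fire (the re-entrancy). */
static void emsg(const char *msg)
{
    (void)msg;
    while (timers_pending > 0) {   /* wait_return() -> check_due_timer() */
        timers_pending--;
        timer_callback();
    }
}

/* Compiling "~" with no previous substitute pattern reports E33 first. */
static int regcomp_fails(const char *pat)
{
    if (pat == NULL || strcmp(pat, "~") != 0 || spats[RE_SUBST].pat != NULL) return 0;
    emsg("E33: No previous substitute regular expression");
    return 1;
}

/* Bug shape: 'pat' borrows the slot; by the time E383 is formatted the timer
 * has freed that buffer, so the message is built from poisoned bytes. */
static void searchit_stale(char *out, size_t n)
{
    const char *pat = spats[RE_SEARCH].pat;
    if (regcomp_fails(pat)) snprintf(out, n, "E383: Invalid search string: %s", pat);
}

/* One defensive shape (illustrative, not what patch a2cff1d does): hold an
 * owned copy across any call that may run callbacks. */
static void searchit_owned(char *out, size_t n)
{
    char *pat = pat_dup(spats[RE_SEARCH].pat);
    if (regcomp_fails(pat)) snprintf(out, n, "E383: Invalid search string: %s", pat);
    free(pat);
}

/* Fresh state: last search pattern "~" (the /~ of the report), no substitute
 * pattern, one timer due during emsg(). */
static void reset_state(void)
{
    for (int i = 0; i < 2; i++) {
        pat_free(spats[i].pat);
        spats[i].pat = saved_spats[i].pat = NULL;
    }
    spats[RE_SEARCH].pat = pat_dup("~");
    timers_pending = 1;
}

/* Return 1 if the E383 text still names the pattern "~", 0 if it was garbled. */
int e383_names_pattern(int owned_copy)
{
    char out[64] = "";
    reset_state();
    if (owned_copy) searchit_owned(out, sizeof out);
    else            searchit_stale(out, sizeof out);
    return strstr(out, "string: ~") != NULL;
}

int main(void)
{
    printf("borrowed pointer: %s\n", e383_names_pattern(0) ? "ok" : "garbled (freed buffer read)");
    printf("owned copy:       %s\n", e383_names_pattern(1) ? "ok" : "garbled");
    return 0;
}
```

The borrowed-pointer path formats the message from the poisoned buffer because restore_search_patterns() ran underneath emsg(); the owned-copy path is unaffected by anything the timer does to the global slots. The alternative raised just above, keeping callbacks from running at all while an error message is pending, removes the re-entrancy rather than the borrow, and is the shape that protects every caller of emsg() instead of one.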
@brammool wrote:
Is it possible to reproduce without interaction?
This reproduces the heap-use-after-free automatically:
$ cat > bug.vim <<EOF
call timer_start(10, {-> ''}, {'repeat': -1})
/~
call feedkeys("/\<CR>")
sleep 100m
call feedkeys("\<CR>", 'L')
EOF
$ valgrind --num-callers=50 ./vim --clean -S bug.vim 2> valgrind.log
And valgrind.log shows the stack of a heap-use-after-free bug.
Although the commands in my previous comment completely automate reproduction of the heap-use-after-free bug, I don't see yet how to reproduce it in a Vim test :-/
I can reproduce it manually now. Running that script during a test doesn't show the problem though. Also when run in a terminal window. Not sure what else to try.
fixed by a2cff1d
Closed #8994.