[vim/vim] stack-buffer-overflow - ex_cmds.c (#7399)
12 views
Skip to first unread message
Dhiraj Mishra
Dec 1, 2020, 12:55:12 AM12/1/20
to vim/vim, Subscribed
Summary: While fuzzing VIM in persistent + LAF mode, causes a crash and triggers stack overflow, tested on v8.2.2072.
System: Linux 4.15.0-106-generic 107-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
VIM Version:
./vim --version
VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Nov 30 2020 23:21:48)
Included patches: 1-2072
Compiled by dhiraj@s157903
Huge version without GUI. Features included (+) or not (-):
+acl -farsi +mouse_sgr +tag_binary
+arabic +file_in_path -mouse_sysmouse -tag_old_static
+autocmd +find_in_path +mouse_urxvt -tag_any_white
+autochdir +float +mouse_xterm -tcl
-autoservername +folding +multi_byte +termguicolors
-balloon_eval -footer +multi_lang +terminal
+balloon_eval_term +fork() -mzscheme +terminfo
-browse +gettext +netbeans_intg +termresponse
++builtin_terms -hangul_input +num64 +textobjects
+byte_offset +iconv +packages +textprop
+channel +insert_expand +path_extra +timers
+cindent +ipv6 -perl +title
-clientserver +job +persistent_undo -toolbar
-clipboard +jumplist +popupwin +user_commands
+cmdline_compl +keymap +postscript +vartabs
+cmdline_hist +lambda +printer +vertsplit
+cmdline_info +langmap +profile +virtualedit
+comments +libcall -python +visual
+conceal +linebreak -python3 +visualextra
+cryptv +lispindent +quickfix +viminfo
+cscope +listcmds +reltime +vreplace
+cursorbind +localmap +rightleft +wildignore
+cursorshape -lua -ruby +wildmenu
+dialog_con +menu +scrollbind +windows
+diff +mksession +signs +writebackup
+digraphs +modify_fname +smartindent -X11
-dnd +mouse -sound -xfontset
-ebcdic -mouseshape +spell -xim
+emacs_tags +mouse_dec +startuptime -xpm
+eval -mouse_gpm +statusline -xsmp
+ex_extra -mouse_jsbterm -sun_workshop -xterm_clipboard
+extra_search +mouse_netterm +syntax -xterm_save
system vimrc file: "$VIM/vimrc"
user vimrc file: "$HOME/.vimrc"
2nd user vimrc file: "~/.vim/vimrc"
user exrc file: "$HOME/.exrc"
defaults file: "$VIMRUNTIME/defaults.vim"
fall-back for $VIM: "/usr/local/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: gcc -Wl,--as-needed -o vim -lm -ltinfo -ldl
Command: ./vim -u NONE -e -s -S poc -c qa
BT:
Reading symbols from ./vim...done.
(gdb) r -u NONE -e -s -S poc -c qa
Starting program: /home/dhiraj/vim/src/vim -u NONE -e -s -S poc -c qa
Program received signal SIGSEGV, Segmentation fault.
print_line (lnum=48, use_number=<optimized out>, list=0) at ex_cmds.c:1748
1748 msg_putchar('\n');
(gdb) bt
#0 print_line (lnum=48, use_number=<optimized out>, list=0) at ex_cmds.c:1748
#1 0x000000000053800c in ex_print (eap=0x7fffffffb5d0) at ex_docmd.c:5928
#2 0x000000000051bbec in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>) at ex_docmd.c:1960
#3 do_cmdline (cmdline=<optimized out>, fgetline=0x9dd99dd99dd99dd9, cookie=0x7fffffffbf20, flags=7) at ex_docmd.c:992
#4 0x00000000007fca09 in do_source (fname=0xd22823 "poc", check_other=0, is_vimrc=0, ret_sid=0x0) at scriptfile.c:1436
#5 0x00000000007fb4a7 in cmd_source (fname=0xd22823 "poc", eap=<optimized out>) at scriptfile.c:971
#6 0x00000000005221b3 in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>) at ex_docmd.c:2575
#7 do_cmdline (cmdline=<optimized out>, fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:992
#8 0x0000000000a1d48a in exe_commands (parmp=<optimized out>) at main.c:3051
#9 vim_main2 () at main.c:768
#10 0x0000000000a1ae85 in main (argc=<optimized out>, argv=<optimized out>) at main.c:412
(gdb) i r
rax 0xdb03 56067
rbx 0x9dd99dd99dd99dd9 -7072448181826904615
rcx 0x7ffff7ee5010 140737352978448
rdx 0x7ffff7ee5010 140737352978448
rsi 0x0 0
rdi 0xd2ceeb 13815531
rbp 0x0 0x0
rsp 0x7fffffffb510 0x7fffffffb510
r8 0x0 0
r9 0x1 1
r10 0xffffffff 4294967295
r11 0xa57dc9 10845641
r12 0x9dd99dd99dd99dd9 -7072448181826904615
r13 0x9dd99dd99dd99dd9 -7072448181826904615
r14 0x0 0
r15 0x30 48
rip 0x5087e6 0x5087e6 <print_line+278>
eflags 0x10282 [ SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
ASAN:
==23212==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffff9e76 at pc 0x0000004dbb75 bp 0x7fffffff9e30 sp 0x7fffffff95e0
WRITE of size 48 at 0x7fffffff9e76 thread T0
#0 0x4dbb74 in __asan_memmove (/home/dhiraj/vim/src/vim+0x4dbb74)
#1 0x170b89d in msg_prt_line /home/dhiraj/vim/src/message.c:1871:3
#2 0x833020 in print_line_no_prefix /home/dhiraj/vim/src/ex_cmds.c:1727:5
#3 0x833020 in print_line /home/dhiraj/vim/src/ex_cmds.c:1745
#4 0x8bff8b in ex_print /home/dhiraj/vim/src/ex_docmd.c:5952:6
#5 0x86db3e in do_one_cmd /home/dhiraj/vim/src/ex_docmd.c:1973:3
#6 0x86db3e in do_cmdline /home/dhiraj/vim/src/ex_docmd.c:1003
#7 0x105f87b in do_source /home/dhiraj/vim/src/scriptfile.c:1436:5
#8 0x105c742 in cmd_source /home/dhiraj/vim/src/scriptfile.c:971:14
#9 0x875065 in do_one_cmd /home/dhiraj/vim/src/ex_docmd.c:2588:2
#10 0x875065 in do_cmdline /home/dhiraj/vim/src/ex_docmd.c:1003
#11 0x16d2a9a in exe_commands /home/dhiraj/vim/src/main.c:3049:2
#12 0x16d2a9a in vim_main2 /home/dhiraj/vim/src/main.c:760
#13 0x16cae67 in main /home/dhiraj/vim/src/main.c:412:12
#14 0x7ffff6bf8bf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x41c499 in _start (/home/dhiraj/vim/src/vim+0x41c499)
Address 0x7fffffff9e76 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow (/home/dhiraj/vim/src/vim+0x4dbb74) in __asan_memmove
Shadow bytes around the buggy address:
0x10007fff7370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff73a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff73b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff73c0: 00 00 00 00 00 00 00 00 ca ca ca ca 00 00[06]cb
0x10007fff73d0: cb cb cb cb ca ca ca ca f8 f8 f8 cb cb cb cb cb
0x10007fff73e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff73f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7400: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
0x10007fff7410: 00 00 00 06 cb cb cb cb 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23212==ABORTING
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
Dominique Pellé
Dec 1, 2020, 5:40:16 PM12/1/20
to vim/vim, Subscribed
I can reproduce it.
I reduced the size of the poc file to still reproduce it.
I attach file poc-minimized (which looks rather non-sense):
When vim-8.2.2077 is built with asan, it crashes at line message.c:1872:
$ ./vim --clean -S poc-minimized 2> asan.log
Vim: Caught deadly signal ABRT
Vim: preserving files...
Vim: Finished.
Aborted (core dumped)
asan.log contains:
message.c:1872:6: runtime error: index 22 out of bounds for type 'char_u [22]'
#0 0x55bd313e1d67 in msg_prt_line /home/pel/sb/vim/src/message.c:1872
#1 0x55bd3093269d in print_line_no_prefix /home/pel/sb/vim/src/ex_cmds.c:1727
#2 0x55bd3093281a in print_line /home/pel/sb/vim/src/ex_cmds.c:1745
#3 0x55bd3098b212 in ex_print /home/pel/sb/vim/src/ex_docmd.c:5952
#4 0x55bd30966010 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2588
#5 0x55bd309596b1 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1003
#6 0x55bd30e8ff27 in do_source /home/pel/sb/vim/src/scriptfile.c:1436
#7 0x55bd30e8cbde in cmd_source /home/pel/sb/vim/src/scriptfile.c:971
#8 0x55bd30e8cd96 in ex_source /home/pel/sb/vim/src/scriptfile.c:997
#9 0x55bd30966010 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2588
#10 0x55bd309596b1 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1003
#11 0x55bd309572a6 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:593
#12 0x55bd313c8b77 in exe_commands /home/pel/sb/vim/src/main.c:3049
#13 0x55bd313ba7a9 in vim_main2 /home/pel/sb/vim/src/main.c:760
#14 0x55bd313b9c93 in main /home/pel/sb/vim/src/main.c:412
#15 0x7fb253ca1bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#16 0x55bd306ef3f9 in _start (/home/pel/sb/vim/src/vim+0x11883f9)
message.c:1872:10: runtime error: store to address 0x7ffff6e69716 with insufficient space for an object of type 'char_u'
0x7ffff6e69716: note: pointer points here
d9 9d d9 9d 00 00 70 97 e6 f6 ff 7f 00 00 01 00 00 00 00 00 00 00 00 29 00 00 00 00 00 00 01 00
^
#0 0x55bd313e1da6 in msg_prt_line /home/pel/sb/vim/src/message.c:1872
#1 0x55bd3093269d in print_line_no_prefix /home/pel/sb/vim/src/ex_cmds.c:1727
#2 0x55bd3093281a in print_line /home/pel/sb/vim/src/ex_cmds.c:1745
#3 0x55bd3098b212 in ex_print /home/pel/sb/vim/src/ex_docmd.c:5952
#4 0x55bd30966010 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2588
#5 0x55bd309596b1 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1003
#6 0x55bd30e8ff27 in do_source /home/pel/sb/vim/src/scriptfile.c:1436
#7 0x55bd30e8cbde in cmd_source /home/pel/sb/vim/src/scriptfile.c:971
#8 0x55bd30e8cd96 in ex_source /home/pel/sb/vim/src/scriptfile.c:997
#9 0x55bd30966010 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2588
#10 0x55bd309596b1 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1003
#11 0x55bd309572a6 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:593
#12 0x55bd313c8b77 in exe_commands /home/pel/sb/vim/src/main.c:3049
#13 0x55bd313ba7a9 in vim_main2 /home/pel/sb/vim/src/main.c:760
#14 0x55bd313b9c93 in main /home/pel/sb/vim/src/main.c:412
#15 0x7fb253ca1bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#16 0x55bd306ef3f9 in _start (/home/pel/sb/vim/src/vim+0x11883f9)
With gdb:
1829│ char_u buf[MB_MAXBYTES + 1];
...snip...
1859│ else if (has_mbyte && (l = (*mb_ptr2len)(s)) > 1)
1860│ {
1861│ col += (*mb_ptr2cells)(s);
1862│ if (lcs_nbsp != NUL && list
1863│ && (mb_ptr2char(s) == 160
1864│ || mb_ptr2char(s) == 0x202f))
1865│ {
1866│ mb_char2bytes(lcs_nbsp, buf);
1867│ buf[(*mb_ptr2len)(buf)] = NUL;
1868│ }
1869│ else
1870│ {
1871│ mch_memmove(buf, s, (size_t)l);
1872├> buf[l] = NUL;
1873│ }
1874│ msg_puts((char *)buf);
1875│ s += l;
1876│ continue;
1877│ }
(gdb) p l
$1 = 22
buf is a buffer of MB_MAXBYTES + 1 bytes i.e. 21 + 1.
Dominique Pellé
Dec 1, 2020, 6:00:58 PM12/1/20
to vim/vim, Subscribed
A simpler way to reproduce it when vim-8.2.2077 is built with asan:
$ ./vim --clean crash.txt -c p
Vim: Caught deadly signal ABRT
Vim: Finished.
Aborted (core dumped)
Where crash.txt is the attached file which contains combined
characters:
Bram Moolenaar
Dec 2, 2020, 6:38:39 AM12/2/20
to vim...@googlegroups.com, Dominique Pellé
Dominique wrote:
> A simpler way to reproduce it when vim-8.2.2077 is built with asan:
> ```
> $ ./vim --clean crash.txt -c p
> Vim: Caught deadly signal ABRT
> Vim: Finished.
> Aborted (core dumped)
> ```
> Where crash.txt is the attached file which contains combined
> characters:
>
Thanks for narrowing down the problem. The text contains more combining
characters than Vim can handle, mb_ptr2len() returns more than
MB_MAXBYTES.
I'll fix this specific problem, but there might be more. Can the fuzzer
be instructed to do all kinds of commands with this text?
--
MESKIMEN'S LAW
There's never time to do it right, but always time to do it over.
/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
Reply all
Reply to author
Forward
0 new messages