henices/gist:2467e7f22dcc2aa97a2453e197b55a0c

## gistfile1.txt
[CVE ID]
CVE-2024-22667

[PRODUCT]
Vim is a highly configurable text editor built to make creating and changing any kind of text very efficient.
It is included as "vi" with most UNIX systems and with Apple OS X.

[AFFECTED VERSION]
vim - vim  < 9.0.2142 are affected, fixed in 9.0.2142

[PROBLEM TYPE]
Buffer Overflow

[DESCRIPTION]
In vim < 9.0.2142, a Stack-buffer-overflow was found in option callback
functions, vim pass the error buffer down to the option callback
functions, but in some parts of the code, simply use sprintf(buf) to
write into the error buffer, which can overflow.

[TECHNICAL DETAILS]

./vim -u NONE -i NONE -X -Z -m -n -e -s -S poc -c ':qa!'

=================================================================
==71931==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f74c2102a50 at pc 0x7f74c4692e8c bp 0x7fffd8c8f2b0 sp 0x7fffd8c8ea70
WRITE of size 142 at 0x7f74c2102a50 thread T0
    #0 0x7f74c4692e8b in __interceptor_vsprintf (/lib64/libasan.so.8+0x92e8b) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
    #1 0x7f74c469306e in __interceptor_sprintf (/lib64/libasan.so.8+0x9306e) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
    #2 0x619d4e in sprintf /usr/include/bits/stdio2.h:30
    #3 0x619d4e in did_set_langmap /home/henices/tests/vim/src/map.c:3117
    #4 0x6ddff1 in did_set_string_option /home/henices/tests/vim/src/optionstr.c:4390
    #5 0x6d39de in do_set_option_string /home/henices/tests/vim/src/option.c:2031
    #6 0x6d39de in do_set_option_value /home/henices/tests/vim/src/option.c:2289
    #7 0x6d39de in do_set_option /home/henices/tests/vim/src/option.c:2505
    #8 0x6d39de in do_set /home/henices/tests/vim/src/option.c:2585
    #9 0x6d446a in ex_set /home/henices/tests/vim/src/option.c:1310
    #10 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #11 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #12 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
    #13 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
    #14 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
    #15 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
    #16 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #17 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #18 0x55edd6 in do_cmdline_cmd /home/henices/tests/vim/src/ex_docmd.c:588
    #19 0x9d95b7 in exe_commands /home/henices/tests/vim/src/main.c:3173
    #20 0x9d95b7 in vim_main2 /home/henices/tests/vim/src/main.c:790
    #21 0x9dc30f in main /home/henices/tests/vim/src/main.c:441
    #22 0x7f74c4164149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #23 0x7f74c416420a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #24 0x4074d4 in _start (/home/henices/tests/vim/src/vim+0x4074d4) (BuildId: f58f836b397bb305c28092d23847feabbcd502a6)

Address 0x7f74c2102a50 is located in stack of thread T0 at offset 592 in frame
    #0 0x6cf4da in do_set /home/henices/tests/vim/src/option.c:2536

  This frame has 20 object(s):
    [48, 50) 'key_name' (line 2338)
    [64, 68) 'did_show' (line 2539)
    [80, 84) 'opt_idx' (line 2332)
    [96, 100) 'key' (line 2342)
    [112, 116) 'len' (line 2343)
    [128, 132) 'value_checked' (line 2255)
    [144, 148) 'i' (line 2125)
    [160, 168) 'arg' (line 2537)
    [192, 200) 'arg' (line 2333)
    [224, 232) 'errmsg' (line 2341)
    [256, 264) 'errmsg' (line 2256)
    [288, 296) 'arg' (line 2257)
    [320, 328) 'value' (line 2124)
    [352, 360) 'arg' (line 1815)
    [384, 392) 'origval' (line 1816)
    [416, 424) 'origval_l' (line 1817)
    [448, 456) 'origval_g' (line 1818)
    [480, 488) 'oldval' (line 1819)
    [512, 592) 'errbuf' (line 2582)
    [624, 704) 'whichwrap' (line 1824) <== Memory access at offset 592 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.8+0x92e8b) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872) in __interceptor_vsprintf
Shadow bytes around the buggy address:
  0x7f74c2102780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f74c2102800: f1 f1 f1 f1 f1 f1 02 f2 04 f2 04 f2 04 f2 04 f2
  0x7f74c2102880: 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
  0x7f74c2102900: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 f8 f2 f2 f2
  0x7f74c2102980: f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
=>0x7f74c2102a00: 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f8 f8
  0x7f74c2102a80: f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 00 00 00 00
  0x7f74c2102b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f74c2102b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f74c2102c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f74c2102c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==71931==ABORTING

[Reporter]
Zhen Zhou of NSFOCUS Tianji Lab

[Solution]
Update vim to 9.0.2142 or newer version.

[References]
http://www.vim.org/
https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47

[Disclosure Timeline]
2023/11/29 - Issue reported to vendor
2023-12-02 - Vendor fix the issues
2024-01-29 - CVE Team RESERVED CVE-2024-22667 for this issue
2021-02-04 - Public Release
	[CVE ID]
	CVE-2024-22667

	[PRODUCT]
	Vim is a highly configurable text editor built to make creating and changing any kind of text very efficient.
	It is included as "vi" with most UNIX systems and with Apple OS X.

	[AFFECTED VERSION]
	vim - vim < 9.0.2142 are affected, fixed in 9.0.2142

	[PROBLEM TYPE]
	Buffer Overflow

	[DESCRIPTION]
	In vim < 9.0.2142, a Stack-buffer-overflow was found in option callback
	functions, vim pass the error buffer down to the option callback
	functions, but in some parts of the code, simply use sprintf(buf) to
	write into the error buffer, which can overflow.

	[TECHNICAL DETAILS]

	./vim -u NONE -i NONE -X -Z -m -n -e -s -S poc -c ':qa!'

	=================================================================
	==71931==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f74c2102a50 at pc 0x7f74c4692e8c bp 0x7fffd8c8f2b0 sp 0x7fffd8c8ea70
	WRITE of size 142 at 0x7f74c2102a50 thread T0
	#0 0x7f74c4692e8b in __interceptor_vsprintf (/lib64/libasan.so.8+0x92e8b) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
	#1 0x7f74c469306e in __interceptor_sprintf (/lib64/libasan.so.8+0x9306e) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
	#2 0x619d4e in sprintf /usr/include/bits/stdio2.h:30
	#3 0x619d4e in did_set_langmap /home/henices/tests/vim/src/map.c:3117
	#4 0x6ddff1 in did_set_string_option /home/henices/tests/vim/src/optionstr.c:4390
	#5 0x6d39de in do_set_option_string /home/henices/tests/vim/src/option.c:2031
	#6 0x6d39de in do_set_option_value /home/henices/tests/vim/src/option.c:2289
	#7 0x6d39de in do_set_option /home/henices/tests/vim/src/option.c:2505
	#8 0x6d39de in do_set /home/henices/tests/vim/src/option.c:2585
	#9 0x6d446a in ex_set /home/henices/tests/vim/src/option.c:1310
	#10 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
	#11 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
	#12 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
	#13 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
	#14 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
	#15 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
	#16 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
	#17 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
	#18 0x55edd6 in do_cmdline_cmd /home/henices/tests/vim/src/ex_docmd.c:588
	#19 0x9d95b7 in exe_commands /home/henices/tests/vim/src/main.c:3173
	#20 0x9d95b7 in vim_main2 /home/henices/tests/vim/src/main.c:790
	#21 0x9dc30f in main /home/henices/tests/vim/src/main.c:441
	#22 0x7f74c4164149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
	#23 0x7f74c416420a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
	#24 0x4074d4 in _start (/home/henices/tests/vim/src/vim+0x4074d4) (BuildId: f58f836b397bb305c28092d23847feabbcd502a6)

	Address 0x7f74c2102a50 is located in stack of thread T0 at offset 592 in frame
	#0 0x6cf4da in do_set /home/henices/tests/vim/src/option.c:2536

	This frame has 20 object(s):
	[48, 50) 'key_name' (line 2338)
	[64, 68) 'did_show' (line 2539)
	[80, 84) 'opt_idx' (line 2332)
	[96, 100) 'key' (line 2342)
	[112, 116) 'len' (line 2343)
	[128, 132) 'value_checked' (line 2255)
	[144, 148) 'i' (line 2125)
	[160, 168) 'arg' (line 2537)
	[192, 200) 'arg' (line 2333)
	[224, 232) 'errmsg' (line 2341)
	[256, 264) 'errmsg' (line 2256)
	[288, 296) 'arg' (line 2257)
	[320, 328) 'value' (line 2124)
	[352, 360) 'arg' (line 1815)
	[384, 392) 'origval' (line 1816)
	[416, 424) 'origval_l' (line 1817)
	[448, 456) 'origval_g' (line 1818)
	[480, 488) 'oldval' (line 1819)
	[512, 592) 'errbuf' (line 2582)
	[624, 704) 'whichwrap' (line 1824) <== Memory access at offset 592 partially underflows this variable
	HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
	(longjmp and C++ exceptions are supported)
	SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.8+0x92e8b) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872) in __interceptor_vsprintf
	Shadow bytes around the buggy address:
	0x7f74c2102780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	0x7f74c2102800: f1 f1 f1 f1 f1 f1 02 f2 04 f2 04 f2 04 f2 04 f2
	0x7f74c2102880: 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
	0x7f74c2102900: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 f8 f2 f2 f2
	0x7f74c2102980: f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
	=>0x7f74c2102a00: 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f8 f8
	0x7f74c2102a80: f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 00 00 00 00
	0x7f74c2102b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	0x7f74c2102b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	0x7f74c2102c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	0x7f74c2102c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	Shadow byte legend (one shadow byte represents 8 application bytes):
	Addressable: 00
	Partially addressable: 01 02 03 04 05 06 07
	Heap left redzone: fa
	Freed heap region: fd
	Stack left redzone: f1
	Stack mid redzone: f2
	Stack right redzone: f3
	Stack after return: f5
	Stack use after scope: f8
	Global redzone: f9
	Global init order: f6
	Poisoned by user: f7
	Container overflow: fc
	Array cookie: ac
	Intra object redzone: bb
	ASan internal: fe
	Left alloca redzone: ca
	Right alloca redzone: cb
	==71931==ABORTING

	[Reporter]
	Zhen Zhou of NSFOCUS Tianji Lab

	[Solution]
	Update vim to 9.0.2142 or newer version.

	[References]
	http://www.vim.org/
	https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47

	[Disclosure Timeline]
	2023/11/29 - Issue reported to vendor
	2023-12-02 - Vendor fix the issues
	2024-01-29 - CVE Team RESERVED CVE-2024-22667 for this issue
	2021-02-04 - Public Release
No results found