Created February 4, 2024 07:41
CVE-2024-22666.txt
[CVE ID]
CVE-2024-22666

[PRODUCT]
Vim is a highly configurable text editor built to make creating and changing any kind of text very efficient. It is included as "vi" with most UNIX systems and with Apple OS X.

[AFFECTED VERSION]
vim < 9.0.2141 is affected; fixed in 9.0.2141

[PROBLEM TYPE]
buffer-overflow in suggest_trie_walk

[DESCRIPTION]
vim < 9.0.2141 is vulnerable to a heap buffer overflow in suggest_trie_walk (see the AddressSanitizer report below).

[TECHNICAL DETAILS]
./vim -u NONE -i NONE -X -Z -m -n -e -s -S tests_02926335a6990ecd2ecaa9d9528c5e9c2d7b0ec0 -c ':qa!'

=================================================================
==69820==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000038f4 at pc 0x000000805eb7 bp 0x7fff0ee68a10 sp 0x7fff0ee68a08
READ of size 1 at 0x6060000038f4 thread T0
    #0 0x805eb6 in suggest_trie_walk /home/henices/tests/vim/src/spellsuggest.c:2178
    #1 0x80ad72 in suggest_try_change /home/henices/tests/vim/src/spellsuggest.c:1223
    #2 0x80ad72 in spell_suggest_intern /home/henices/tests/vim/src/spellsuggest.c:1019
    #3 0x80ad72 in spell_find_suggest /home/henices/tests/vim/src/spellsuggest.c:894
    #4 0x80d15c in spell_suggest /home/henices/tests/vim/src/spellsuggest.c:556
    #5 0x69709c in nv_zet /home/henices/tests/vim/src/normal.c:3017
    #6 0x692b5d in normal_cmd /home/henices/tests/vim/src/normal.c:949
    #7 0x55191d in exec_normal /home/henices/tests/vim/src/ex_docmd.c:9024
    #8 0x551b02 in exec_normal_cmd /home/henices/tests/vim/src/ex_docmd.c:8987
    #9 0x5521c2 in ex_normal /home/henices/tests/vim/src/ex_docmd.c:8905
    #10 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #11 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #12 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
    #13 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
    #14 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
    #15 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
    #16 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #17 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #18 0x55edd6 in do_cmdline_cmd /home/henices/tests/vim/src/ex_docmd.c:588
    #19 0x9d95b7 in exe_commands /home/henices/tests/vim/src/main.c:3173
    #20 0x9d95b7 in vim_main2 /home/henices/tests/vim/src/main.c:790
    #21 0x9dc30f in main /home/henices/tests/vim/src/main.c:441
    #22 0x7fcc775bc149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #23 0x7fcc775bc20a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #24 0x4074d4 in _start (/home/henices/tests/vim/src/vim+0x4074d4) (BuildId: f58f836b397bb305c28092d23847feabbcd502a6)

0x6060000038f4 is located 0 bytes after 52-byte region [0x6060000038c0,0x6060000038f4)
allocated by thread T0 here:
    #0 0x7fcc77ad92ef in malloc (/lib64/libasan.so.8+0xd92ef) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
    #1 0x40776f in lalloc /home/henices/tests/vim/src/alloc.c:246
    #2 0x407824 in alloc /home/henices/tests/vim/src/alloc.c:151
    #3 0x7df435 in spell_read_tree /home/henices/tests/vim/src/spellfile.c:1605
    #4 0x7ef1fe in spell_load_file /home/henices/tests/vim/src/spellfile.c:553
    #5 0x7f4ca2 in spell_reload_one /home/henices/tests/vim/src/spellfile.c:1763
    #6 0x7f4ca2 in mkspell /home/henices/tests/vim/src/spellfile.c:6129
    #7 0x7f7d1d in spell_add_word /home/henices/tests/vim/src/spellfile.c:6369
    #8 0x696a6d in nv_zg_zw /home/henices/tests/vim/src/normal.c:2654
    #9 0x696a6d in nv_zet /home/henices/tests/vim/src/normal.c:3011
    #10 0x692b5d in normal_cmd /home/henices/tests/vim/src/normal.c:949
    #11 0x55191d in exec_normal /home/henices/tests/vim/src/ex_docmd.c:9024
    #12 0x551b02 in exec_normal_cmd /home/henices/tests/vim/src/ex_docmd.c:8987
    #13 0x5521c2 in ex_normal /home/henices/tests/vim/src/ex_docmd.c:8905
    #14 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #15 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #16 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
    #17 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
    #18 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
    #19 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
    #20 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #21 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #22 0x55edd6 in do_cmdline_cmd /home/henices/tests/vim/src/ex_docmd.c:588
    #23 0x9d95b7 in exe_commands /home/henices/tests/vim/src/main.c:3173
    #24 0x9d95b7 in vim_main2 /home/henices/tests/vim/src/main.c:790
    #25 0x9dc30f in main /home/henices/tests/vim/src/main.c:441
    #26 0x7fcc775bc149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #27 0x7fcc775bc20a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #28 0x4074d4 in _start (/home/henices/tests/vim/src/vim+0x4074d4) (BuildId: f58f836b397bb305c28092d23847feabbcd502a6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/tests/vim/src/spellsuggest.c:2178 in suggest_trie_walk
Shadow bytes around the buggy address:
  0x606000003600: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x606000003680: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x606000003700: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x606000003780: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x606000003800: 00 00 00 00 00 00 01 fa fa fa fa fa fd fd fd fd
=>0x606000003880: fd fd fd fd fa fa fa fa 00 00 00 00 00 00[04]fa
  0x606000003900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x606000003980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x606000003a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x606000003a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x606000003b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==69820==ABORTING

[Reporter]
Zhen Zhou of NSFOCUS Tianji Lab

[Solution]
Update vim to 9.0.2141 or a newer version.

[References]
http://www.vim.org/
https://github.com/vim/vim/commit/0fb375aae608d7306b4baf9c1f906961f32e2abf

[Disclosure Timeline]
2023-11-29 - Issue reported to vendor
2023-12-02 - Vendor fixed the issue
2024-01-29 - CVE Team RESERVED CVE-2024-22666 for this issue
2021-02-04 - Public Release
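As an added triage example (not part of the advisory or of Vim's code), a small Python parser that pulls the fault site, access size, overrun distance and allocation site out of an AddressSanitizer report like the one above. The sample input is trimmed from the report on this page; the `Triage` class and the heuristic that skips malloc and Vim's alloc()/lalloc() wrappers are my own assumptions.

```python
import re
from dataclasses import dataclass

# Sample lines trimmed from the advisory's ASan report (constructed subset).
SAMPLE_REPORT = """\
==69820==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000038f4 at pc 0x000000805eb7 bp 0x7fff0ee68a10 sp 0x7fff0ee68a08
READ of size 1 at 0x6060000038f4 thread T0
    #0 0x805eb6 in suggest_trie_walk /home/henices/tests/vim/src/spellsuggest.c:2178
0x6060000038f4 is located 0 bytes after 52-byte region [0x6060000038c0,0x6060000038f4)
allocated by thread T0 here:
    #0 0x7fcc77ad92ef in malloc (/lib64/libasan.so.8+0xd92ef) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
    #1 0x40776f in lalloc /home/henices/tests/vim/src/alloc.c:246
    #3 0x7df435 in spell_read_tree /home/henices/tests/vim/src/spellfile.c:1605
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/tests/vim/src/spellsuggest.c:2178 in suggest_trie_walk
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes (after|before|inside) (\d+)-byte region")

@dataclass
class Triage:
    kind: str = ""          # e.g. heap-buffer-overflow
    access: str = ""        # READ or WRITE
    size: int = 0           # bytes accessed
    fault: tuple = ()       # (function, file:line) of frame #0
    region_size: int = 0    # size of the heap object that was overrun
    distance: int = 0       # bytes past the region end (0 == immediately adjacent)
    alloc_site: tuple = ()  # first allocation frame outside allocator wrappers

def parse_asan(report: str) -> Triage:
    t, section = Triage(), None
    for line in report.splitlines():
        if m := ERROR_RE.search(line):
            t.kind, section = m.group(1), "fault"
        elif m := ACCESS_RE.match(line):
            t.access, t.size = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            t.distance, t.region_size = int(m.group(1)), int(m.group(3))
        elif line.startswith("allocated by"):
            section = "alloc"
        elif m := FRAME_RE.match(line):
            func, loc = m.group(1), m.group(2)
            if section == "fault" and not t.fault:
                t.fault = (func, loc)
            # Heuristic: skip malloc/alloc/lalloc so the site is the code that sized the buffer.
            elif section == "alloc" and not t.alloc_site and "alloc" not in func:
                t.alloc_site = (func, loc)
    return t
```

Run on the page's report this yields a 1-byte read in suggest_trie_walk, 0 bytes past a 52-byte buffer allocated in spell_read_tree, which is the pair of locations a fix reviewer would diff first.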