Created
February 4, 2024 09:35
[CVE ID]
CVE-2024-22668

[PRODUCT]
Vim is a highly configurable text editor built to make creating and changing any kind of text very efficient.
It is included as "vi" with most UNIX systems and with Apple OS X.

[AFFECTED VERSION]
Vim versions before 9.0.2140 are affected; fixed in 9.0.2140.

[PROBLEM TYPE]
Buffer Overflow

[DESCRIPTION]
Vim before 9.0.2140 is vulnerable to a use-after-free in win_enter.

[TECHNICAL DETAILS]
./vim -u NONE -i NONE -X -Z -m -n -e -s -S ./poc -c ':qa!'

==41112==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000011908 at pc 0x000000964b03 bp 0x7fffa80570f0 sp 0x7fffa80570e8
READ of size 8 at 0x625000011908 thread T0
SCARINESS: 51 (8-byte-read-heap-use-after-free)
    #0 0x964b02 in win_enter_ext /home/henices/tests/vim/src/window.c:5346
    #1 0x96517a in win_enter /home/henices/tests/vim/src/window.c:5273
    #2 0x96517a in win_goto /home/henices/tests/vim/src/window.c:5049
    #3 0x539f47 in ex_listdo /home/henices/tests/vim/src/ex_cmds2.c:584
    #4 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #5 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #6 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
    #7 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
    #8 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
    #9 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
    #10 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #11 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #12 0x55edd6 in do_cmdline_cmd /home/henices/tests/vim/src/ex_docmd.c:588
    #13 0x9d95b7 in exe_commands /home/henices/tests/vim/src/main.c:3173
    #14 0x9d95b7 in vim_main2 /home/henices/tests/vim/src/main.c:790
    #15 0x9dc30f in main /home/henices/tests/vim/src/main.c:441
    #16 0x7fe661b24149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #17 0x7fe661b2420a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #18 0x4074d4 in _start (/home/henices/tests/vim/src/vim+0x4074d4) (BuildId: 4a7ed82142f08ed1905e10bbba5070b990273631)

0x625000011908 is located 8 bytes inside of 9192-byte region [0x625000011900,0x625000013ce8)
freed by thread T0 here:
    #0 0x7fe6620d7fb8 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xd7fb8) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
    #1 0x407a34 in vim_free /home/henices/tests/vim/src/alloc.c:616
    #2 0x414c72 in apply_autocmds_group /home/henices/tests/vim/src/autocmd.c:2384
    #3 0x417321 in apply_autocmds /home/henices/tests/vim/src/autocmd.c:1779
    #4 0x6545c4 in may_trigger_modechanged /home/henices/tests/vim/src/misc1.c:2815
    #5 0x68bf89 in end_visual_mode_keep_button /home/henices/tests/vim/src/normal.c:1175
    #6 0x68c051 in end_visual_mode /home/henices/tests/vim/src/normal.c:1130
    #7 0x68cb2c in reset_VIsual_and_resel /home/henices/tests/vim/src/normal.c:1186
    #8 0x96516d in win_goto /home/henices/tests/vim/src/window.c:5042
    #9 0x539f47 in ex_listdo /home/henices/tests/vim/src/ex_cmds2.c:584
    #10 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #11 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #12 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
    #13 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
    #14 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
    #15 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
    #16 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #17 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #18 0x55edd6 in do_cmdline_cmd /home/henices/tests/vim/src/ex_docmd.c:588
    #19 0x9d95b7 in exe_commands /home/henices/tests/vim/src/main.c:3173
    #20 0x9d95b7 in vim_main2 /home/henices/tests/vim/src/main.c:790
    #21 0x9dc30f in main /home/henices/tests/vim/src/main.c:441
    #22 0x7fe661b24149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #23 0x7fe661b2420a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #24 0x4074d4 in _start (/home/henices/tests/vim/src/vim+0x4074d4) (BuildId: 4a7ed82142f08ed1905e10bbba5070b990273631)

previously allocated by thread T0 here:
    #0 0x7fe6620d92ef in malloc (/lib64/libasan.so.8+0xd92ef) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
    #1 0x40776f in lalloc /home/henices/tests/vim/src/alloc.c:246
    #2 0x40789f in alloc_clear /home/henices/tests/vim/src/alloc.c:177
    #3 0x95b949 in win_alloc /home/henices/tests/vim/src/window.c:5516
    #4 0x96731e in win_split_ins /home/henices/tests/vim/src/window.c:1187
    #5 0x96ac7a in win_split /home/henices/tests/vim/src/window.c:922
    #6 0x40c061 in do_argfile /home/henices/tests/vim/src/arglist.c:708
    #7 0x40c701 in ex_rewind /home/henices/tests/vim/src/arglist.c:649
    #8 0x537008 in ex_drop /home/henices/tests/vim/src/ex_cmds.c:5514
    #9 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #10 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #11 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
    #12 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
    #13 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
    #14 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
    #15 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
    #16 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
    #17 0x55edd6 in do_cmdline_cmd /home/henices/tests/vim/src/ex_docmd.c:588
    #18 0x9d95b7 in exe_commands /home/henices/tests/vim/src/main.c:3173
    #19 0x9d95b7 in vim_main2 /home/henices/tests/vim/src/main.c:790
    #20 0x9dc30f in main /home/henices/tests/vim/src/main.c:441
    #21 0x7fe661b24149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #22 0x7fe661b2420a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #23 0x4074d4 in _start (/home/henices/tests/vim/src/vim+0x4074d4) (BuildId: 4a7ed82142f08ed1905e10bbba5070b990273631)

SUMMARY: AddressSanitizer: heap-use-after-free /home/henices/tests/vim/src/window.c:5346 in win_enter_ext
Shadow bytes around the buggy address:
  0x625000011680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x625000011700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x625000011780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x625000011800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x625000011880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x625000011900: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x625000011980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x625000011a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x625000011a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x625000011b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x625000011b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==41112==ABORTING
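The three stack traces above together describe the shape of this bug class: win_goto resets Visual mode, which fires a ModeChanged autocommand; the autocommand runs user-controlled script that frees the window allocated by win_alloc; win_goto then passes the stale pointer on to win_enter and win_enter_ext, which read it. The model below is an added illustration written for this page, not Vim's code and not the upstream fix. The window list, win_alloc, win_close, win_valid and the autocommand hook are simplified stand-ins, and the "re-validate the pointer after any hook that can run user code" guard is shown as a general mitigation for the pattern, not as a description of what commit eec0c2b3 does.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical minimal window list (stand-in for Vim's, not its real layout). */
typedef struct win_S {
    struct win_S *next;
    int id;
    char name[16];
} win_T;

static win_T *firstwin = NULL;   /* head of the live-window list */
static win_T *curwin = NULL;     /* current window */

/* Allocate a window and link it at the head of the list. */
win_T *win_alloc(int id)
{
    win_T *wp = calloc(1, sizeof(*wp));
    if (wp == NULL) abort();
    wp->id = id;
    snprintf(wp->name, sizeof wp->name, "win%d", id);
    wp->next = firstwin;
    firstwin = wp;
    return wp;
}

/* Unlink and free a window: what :close or an autocommand might do. */
void win_close(win_T *target)
{
    win_T **pp = &firstwin;
    while (*pp != NULL && *pp != target)
        pp = &(*pp)->next;
    if (*pp != NULL) {
        *pp = target->next;
        if (curwin == target) curwin = firstwin;
        free(target);
    }
}

/* Re-validation: is wp still a live window? Freed windows are unlinked first,
 * so a pointer that is no longer on the list must not be dereferenced. */
int win_valid(const win_T *wp)
{
    for (win_T *p = firstwin; p != NULL; p = p->next)
        if (p == wp) return 1;
    return 0;
}

/* Stand-in for the ModeChanged autocommand: arbitrary user code runs here. */
typedef void (*autocmd_fn)(void);
static autocmd_fn modechanged_hook = NULL;

static void apply_autocmds(void)
{
    if (modechanged_hook) modechanged_hook();
}

/* Buggy shape: wp is held across a hook that may free it and then used.
 * Under AddressSanitizer this is the heap-use-after-free in the report. */
int win_goto_buggy(win_T *wp)
{
    apply_autocmds();          /* may close and free wp */
    curwin = wp;               /* dangling if the hook closed wp */
    return wp->id;             /* READ of freed memory */
}

/* Guarded shape: re-check the target after anything that ran user code. */
int win_goto_guarded(win_T *wp)
{
    apply_autocmds();
    if (!win_valid(wp))        /* target vanished during the hook: bail out */
        return -1;
    curwin = wp;
    return wp->id;
}

/* Constructed scenario: the autocommand closes the very window being entered. */
static win_T *victim = NULL;
static void hook_close_target(void) { win_close(victim); }

int demo_guarded_switch(void)
{
    firstwin = NULL; curwin = NULL;
    win_T *a = win_alloc(1);
    victim = win_alloc(2);
    curwin = a;
    modechanged_hook = hook_close_target;
    int r = win_goto_guarded(victim);   /* -1: refused, no stale read */
    modechanged_hook = NULL;
    win_close(a);
    return r;
}

int demo_normal_switch(void)
{
    firstwin = NULL; curwin = NULL;
    win_T *a = win_alloc(1);
    win_T *b = win_alloc(2);
    curwin = a;
    int r = win_goto_guarded(b);        /* 2: ordinary switch succeeds */
    win_close(a);
    win_close(b);
    return r;
}

int main(void)
{
    printf("guarded switch while hook closes target: %d\n", demo_guarded_switch());
    printf("guarded switch with no hook: %d\n", demo_normal_switch());
    /* win_goto_buggy is intentionally not exercised here; building with
     * -fsanitize=address and calling it in the first scenario reproduces the
     * heap-use-after-free pattern from the report. */
    return 0;
}
```

The same three-phase order appears in the ASan report: allocation in win_alloc, the free reached through apply_autocmds, then the read in win_enter_ext with the caller still holding the original pointer. The guard is cheap relative to the hook it follows, and the same check belongs after every call that can run autocommands, not only the one the fuzzer happened to hit.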
[Reporter]
Zhen Zhou of NSFOCUS Tianji Lab

[Solution]
Update Vim to 9.0.2140 or a newer version.

[References]
http://www.vim.org/
https://github.com/vim/vim/commit/eec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a

[Disclosure Timeline]
2023-11-28 - Issue reported to vendor
2023-12-02 - Vendor fixed the issue
2024-01-29 - CVE Team RESERVED CVE-2024-22668 for this issue
2021-02-04 - Public Release