Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1919213
Summary: | 4-byte-read-heap-buffer-overflow in function ml_append_int() when input craft vimscript file | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | 1vanChen <houyunsong> | ||||||
Component: | vim | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | high | Docs Contact: | |||||||
Priority: | unspecified | ||||||||
Version: | rawhide | CC: | gchamoul, mcascell, zdohnal | ||||||
Target Milestone: | --- | ||||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | vim-8.2.2529-1.fc33 vim-8.2.2541-1.fc33 vim-8.2.2541-1.fc32 | Doc Type: | If docs needed, set a value | ||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2021-02-20 01:25:59 UTC | Type: | Bug | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Hi, thank you for reporting the issue! I'll pass the issue to security team and report it upstream. Created attachment 1750765 [details]
reduced poc file
Simplified sample is provided
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1919212#c4. FEDORA-2021-164265f25a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a FEDORA-2021-01b3981cc5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5 FEDORA-2021-01b3981cc5 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-01b3981cc5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-164265f25a has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-164265f25a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-164265f25a has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-5be90ab004 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004 FEDORA-2021-fb090f432a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a FEDORA-2021-fb090f432a has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fb090f432a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-5be90ab004` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-fb090f432a has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. |
Created attachment 1749722 [details] poc To Reproduce ```shell vim -u NONE -X -Z -e -s -S poc -c :qa! ``` Debug Info ```shell Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0xffffffff RBX: 0xee925100 RCX: 0xffffffffffff1eb1 RDX: 0x0 RSI: 0xffffffffffff1eb0 RDI: 0xffffffffee9250ff RBP: 0x90253c --> 0xffe RSP: 0x7fffffffa070 --> 0x1 RIP: 0x4cc63b (<ml_append_int+2299>: mov DWORD PTR [r15+rcx*4+0x18],eax) R8 : 0x116daf01 R9 : 0x5 R10: 0x905420 --> 0x0 R11: 0x1 R12: 0xffff1eb1 R13: 0x0 R14: 0xee9250ff R15: 0x902520 --> 0x6460ffffffff EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x4cc630 <ml_append_int+2288>: mov eax,DWORD PTR [r15+rsi*4+0x18] 0x4cc635 <ml_append_int+2293>: sub eax,r11d 0x4cc638 <ml_append_int+2296>: movsxd rcx,r12d => 0x4cc63b <ml_append_int+2299>: mov DWORD PTR [r15+rcx*4+0x18],eax 0x4cc640 <ml_append_int+2304>: mov r12d,esi 0x4cc643 <ml_append_int+2307>: lea rax,[rsi-0x1] 0x4cc647 <ml_append_int+2311>: mov rsi,rax 0x4cc64a <ml_append_int+2314>: cmp rax,rdi [------------------------------------stack-------------------------------------] 0000| 0x7fffffffa070 --> 0x1 0008| 0x7fffffffa078 --> 0x3000000002 0016| 0x7fffffffa080 --> 0x0 0024| 0x7fffffffa088 --> 0x1 0032| 0x7fffffffa090 --> 0x8f3680 --> 0x1ffffffff 0040| 0x7fffffffa098 --> 0x0 0048| 0x7fffffffa0a0 --> 0x65cd71 --> 0x54007055706f5000 ('') 0056| 0x7fffffffa0a8 --> 0x7c00000077 ('w') [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x00000000004cc63b in ml_append_int (buf=<optimized out>, buf@entry=0xffffffff, lnum=<optimized out>, lnum@entry=0x0, line_arg=<optimized out>, line_arg@entry=0x0, len_arg=<optimized out>, len_arg@entry=0x65cd71, flags=flags@entry=0x0) at memline.c:2838 2838 dp->db_index[i + 1] = dp->db_index[i] - len; gdb-peda$ bt #0 0x00000000004cc63b in ml_append_int (buf=<optimized out>, buf@entry=0xffffffff, lnum=<optimized out>, lnum@entry=0x0, line_arg=<optimized out>, line_arg@entry=0x0, len_arg=<optimized out>, len_arg@entry=0x65cd71, flags=flags@entry=0x0) at memline.c:2838 #1 0x00000000004ca81d in ml_append_flush (buf=<optimized out>, lnum=<optimized out>, line=<optimized out>, len=<optimized out>, flags=<optimized out>) at memline.c:3259 #2 ml_append_flags (lnum=<optimized out>, line=<optimized out>, line@entry=0x65cd71 "", len=<optimized out>, len@entry=0x0, flags=<optimized out>) at memline.c:3294 #3 0x00000000004c9c5e in ml_append (lnum=0xffffffffee9250ff, line=0xffffffffffff1eb0 <error: Cannot access memory at address 0xffffffffffff1eb0>, line@entry=0x65cd71 "", len=len@entry=0x0, newfile=newfile@entry=0x0) at memline.c:3281 #4 0x000000000041697d in open_line (dir=<optimized out>, dir@entry=0xffffffff, flags=0x0, second_line_indent=<optimized out>, second_line_indent@entry=0x0) at change.c:2062 #5 0x00000000004e8a2b in n_opencmd (cap=0x7fffffffa320) at normal.c:6421 #6 nv_open (cap=0x7fffffffa320) at normal.c:7523 #7 0x00000000004e3571 in normal_cmd (oap=oap@entry=0x7fffffffa3b8, toplevel=toplevel@entry=0x1) at normal.c:1098 #8 0x0000000000629209 in main_loop (cmdwin=cmdwin@entry=0x0, noexmode=noexmode@entry=0x1) at main.c:1473 #9 0x000000000046dc11 in do_exedit (eap=0x7fffffffa500, old_curwin=<optimized out>) at ex_docmd.c:6646 #10 0x000000000046897a in do_one_cmd (cmdlinep=0x7fffffffa4d8, flags=0x2, cstack=0x7fffffffa6b8, fgetline=0x0, cookie=0x0) at ex_docmd.c:2588 #11 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, fgetline@entry=0x0, cookie=<optimized out>, cookie@entry=0x0, flags=flags@entry=0x2) at ex_docmd.c:1003 #12 0x0000000000464303 in global_exe_one (cmd=0x904e17 "vi|zFv|z+vzd33333333233333d733333332333333%3\023\063\023\063\063\063\063\063\063\063\063O333C", '3' <repeats 11 times>, "\037\063\063vzF", lnum=<optimized out>) at ex_cmds.c:4787 #13 global_exe (cmd=cmd@entry=0x904e17 "vi|zFv|z+vzd33333333233333d733333332333333%3\023\063\023\063\063\063\063\063\063\063\063O333C", '3' <repeats 11 times>, "\037\063\063vzF") at ex_cmds.c:4963 #14 0x0000000000464233 in ex_global (eap=0x7fffffffb010) at ex_cmds.c:4924 #15 0x000000000046897a in do_one_cmd (cmdlinep=0x7fffffffafe8, flags=0x7, cstack=0x7fffffffb1c8, fgetline=0x566f30 <getsourceline>, cookie=0x7fffffffb960) at ex_docmd.c:2588 #16 do_cmdline (cmdline=<optimized out>, cmdline@entry=0x904d00 "v9d\200?|9vi|zFv|z+vzd33333333233333d733333332333333%3\023\063\023\063\063\063\063\063\063\063\063O333C", '3' <repeats 11 times>, "\037\063\063vzF", fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffffb960, flags=flags@entry=0x7) at ex_docmd.c:1003 #17 0x0000000000566d15 in do_source (fname=<optimized out>, fname@entry=0x8f8e03 "\377ro pnc", check_other=<optimized out>, check_other@entry=0x0, is_vimrc=is_vimrc@entry=0x0, ret_sid=<optimized out>, ret_sid@entry=0x0) at scriptfile.c:1401 #18 0x0000000000566489 in cmd_source (fname=0x8f8e03 "\377ro pnc", eap=<optimized out>) at scriptfile.c:971 #19 0x000000000046897a in do_one_cmd (cmdlinep=0x7fffffffba58, flags=0xb, cstack=0x7fffffffbc38, fgetline=0x0, cookie=0x0) at ex_docmd.c:2588 #20 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, fgetline@entry=0x0, cookie=<optimized out>, cookie@entry=0x0, flags=flags@entry=0xb) at ex_docmd.c:1003 #21 0x00000000004692de in do_cmdline_cmd (cmd=0xffffffffee9250ff <error: Cannot access memory at address 0xffffffffee9250ff>) at ex_docmd.c:592 #22 0x000000000062860d in exe_commands (parmp=<optimized out>) at main.c:3056 #23 vim_main2 () at main.c:760 #24 0x0000000000627772 in main (argc=<optimized out>, argc@entry=0xb, argv=<optimized out>, argv@entry=0x7fffffffe578) at main.c:412 #25 0x00007ffff72f7840 in __libc_start_main (main=0x625f40 <main>, argc=0xb, argv=0x7fffffffe578, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe568) at ../csu/libc-start.c:291 #26 0x0000000000404269 in _start () ``` I think the invalid sign extension of `db_idx` causes integer overflow to be the root cause of this vulnerability ```shell [----------------------------------registers-----------------------------------] RAX: 0x0 RBX: 0xee925100 RCX: 0xf00 RDX: 0x1 RSI: 0x0 RDI: 0xffffffffee9250ff RBP: 0xfff RSP: 0x7fffffffa020 --> 0x1 RIP: 0x4cc503 (<ml_append_int+1987>: mov r8,rsi) R8 : 0x1 R9 : 0x5 R10: 0x9057d0 --> 0x0 R11: 0x1 R12: 0x1 R13: 0x0 R14: 0xee9250ff R15: 0x902620 --> 0xfda00006461 EFLAGS: 0x213 (CARRY parity ADJUST zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x4cc4f7 <ml_append_int+1975>: jle 0x4cc64f <ml_append_int+2319> 0x4cc4fd <ml_append_int+1981>: movsxd rsi,eax 0x4cc500 <ml_append_int+1984>: movsxd rdi,r14d => 0x4cc503 <ml_append_int+1987>: mov r8,rsi 0x4cc506 <ml_append_int+1990>: sub r8,rdi 0x4cc509 <ml_append_int+1993>: cmp r8,0x8 0x4cc50d <ml_append_int+1997>: jb 0x4cc630 <ml_append_int+2288> 0x4cc513 <ml_append_int+2003>: mov rcx,rdi [------------------------------------stack-------------------------------------] 0000| 0x7fffffffa020 --> 0x1 0008| 0x7fffffffa028 --> 0x3000000002 0016| 0x7fffffffa030 --> 0x0 0024| 0x7fffffffa038 --> 0x1 0032| 0x7fffffffa040 --> 0x8f3680 --> 0x2 0040| 0x7fffffffa048 --> 0x0 0048| 0x7fffffffa050 --> 0x65cd71 --> 0x54007055706f5000 ('') 0056| 0x7fffffffa058 --> 0x7c00000077 ('w') [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0x00000000004cc503 2837 for (i = line_count - 1; i > db_idx; --i) gdb-peda$ ``` Environment: - version : commit e2edc2ed4a9a229870b1e1811b0ecf045b84e429 - OS: Ubuntu 16.04 Additional context compile argument: ```shell #!/bin/bash -eux export CC="clang-11" export CXX="clang-11++" cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make ``` Credit: 1vanChen of NSFOCUS Security Team