Bug 1919220

Summary: heap-use-after-free in alist_add() with a crafted vimscript file as input
Product: Fedora
Reporter: 1vanChen <houyunsong>
Component: vim
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: unspecified
Version: rawhide
CC: gchamoul, mcascell, zdohnal
Hardware: All
OS: Linux
Fixed In Version: vim-8.2.2529-1.fc33 vim-8.2.2541-1.fc33 vim-8.2.2541-1.fc32
Last Closed: 2021-02-20 01:26:06 UTC
Type: Bug

Attachments:
- poc (flags: none)
- reduced poc file (flags: none)

Description 1vanChen 2021-01-22 12:17:07 UTC
Created attachment 1749738: poc

To Reproduce

```shell
vim -u NONE -X -Z -e -s -S poc -c :qa!
```

Debug Info

```shell
/src/vim# ASAN_OPTIONS=alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:check_malloc_usable_size=0:detect_container_overflow=1:detect_odr_violation=0:detect_leaks=1:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_abort=1:handle_segv=1:handle_sigill=1:max_uar_stack_size_log=16:print_scariness=1:quarantine_size_mb=10:strict_memcmp=1:strict_string_check=1:strip_path_prefix=/workspace/:symbolize=1:use_sigaltstack=1 src/vim_asan -u NONE -X -Z -e -s -S /mnt/disk/out/vim/vim-fuzzer-out/lRxoJb/crashes/id:000074,sig:11,src:057734,op:havoc,rep:4 -c :qa!
=================================================================
==18605==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000001190 at pc 0x0000004c7f17 bp 0x7fffffffd720 sp 0x7fffffffd718
READ of size 8 at 0x603000001190 thread T0
SCARINESS: 51 (8-byte-read-heap-use-after-free)
    #0 0x4c7f16 in alist_add /src/vim/src/arglist.c:187:2
    #1 0x4c7cb0 in alist_set /src/vim/src/arglist.c:157:6
    #2 0x4c8aa0 in do_arglist /src/vim/src/arglist.c:458:6
    #3 0x4c8251 in set_arglist /src/vim/src/arglist.c:472:5
    #4 0x5c6c4f in ex_drop /src/vim/src/ex_cmds.c:5155:5
    #5 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #6 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #7 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5
    #8 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14
    #9 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2
    #10 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #11 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #12 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12
    #13 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2
    #14 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2
    #15 0x9bd071 in main /src/vim/src/main.c:412:12
    #16 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x41d768 in _start (/src/vim/src/vim_asan+0x41d768)

0x603000001190 is located 16 bytes inside of 32-byte region [0x603000001180,0x6030000011a0)
freed by thread T0 here:
    #0 0x49733d in free (/src/vim/src/vim_asan+0x49733d)
    #1 0x6cfd9b in vim_free /src/vim/src/misc2.c:1807:2
    #2 0x4c7a03 in alist_unlink /src/vim/src/arglist.c:51:2
    #3 0x4c9424 in ex_args /src/vim/src/arglist.c:534:2
    #4 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #5 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #6 0x4d14d2 in apply_autocmds_group /src/vim/src/autocmd.c:2109:2
    #7 0x4d363d in apply_autocmds /src/vim/src/autocmd.c:1621:12
    #8 0x4de4c9 in buflist_new /src/vim/src/buffer.c:2215:6
    #9 0x4e5012 in buflist_add /src/vim/src/buffer.c:3501:11
    #10 0x4c7e54 in alist_add /src/vim/src/arglist.c:188:6
    #11 0x4c7cb0 in alist_set /src/vim/src/arglist.c:157:6
    #12 0x4c8aa0 in do_arglist /src/vim/src/arglist.c:458:6
    #13 0x4c8251 in set_arglist /src/vim/src/arglist.c:472:5
    #14 0x5c6c4f in ex_drop /src/vim/src/ex_cmds.c:5155:5
    #15 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #16 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #17 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5
    #18 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14
    #19 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2
    #20 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #21 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #22 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12
    #23 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2
    #24 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2
    #25 0x9bd071 in main /src/vim/src/main.c:412:12
    #26 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4975bd in malloc (/src/vim/src/vim_asan+0x4975bd)
    #1 0x6ce307 in lalloc /src/vim/src/misc2.c:925:11
    #2 0x6ce2dd in alloc /src/vim/src/misc2.c:828:12
    #3 0x4c7a2d in alist_new /src/vim/src/arglist.c:61:23
    #4 0x4c947c in ex_args /src/vim/src/arglist.c:538:6
    #5 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #6 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #7 0x4d14d2 in apply_autocmds_group /src/vim/src/autocmd.c:2109:2
    #8 0x4d36fa in apply_autocmds_retval /src/vim/src/autocmd.c:1664:15
    #9 0x4d8158 in open_buffer /src/vim/src/buffer.c:370:6
    #10 0x5be594 in do_ecmd /src/vim/src/ex_cmds.c:2995:23
    #11 0x4ca0a2 in do_argfile /src/vim/src/arglist.c:692:6
    #12 0x4c9c1d in ex_next /src/vim/src/arglist.c:727:2
    #13 0x4c94b5 in ex_args /src/vim/src/arglist.c:545:2
    #14 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #15 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #16 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5
    #17 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14
    #18 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2
    #19 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #20 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #21 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12
    #22 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2
    #23 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2
    #24 0x9bd071 in main /src/vim/src/main.c:412:12
    #25 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /src/vim/src/arglist.c:187:2 in alist_add
Shadow bytes around the buggy address:
  0x0c067fff81e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff81f0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8200: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fd
  0x0c067fff8210: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd
  0x0c067fff8220: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c067fff8230: fd fd[fd]fd fa fa fd fd fd fd fa fa 00 00 00 fa
  0x0c067fff8240: fa fa 00 00 00 fa fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff8250: 00 03 fa fa 00 00 00 04 fa fa 00 00 03 fa fa fa
  0x0c067fff8260: fd fd fd fa fa fa 00 00 04 fa fa fa 00 00 00 03
  0x0c067fff8270: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8280: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==18605==ABORTING
```
Environment:

- version : commit e2edc2ed4a9a229870b1e1811b0ecf045b84e429
- OS: Ubuntu 16.04
Additional context

compile argument:

```shell
#!/bin/bash -eux
# Build vim with AddressSanitizer using clang 11 (the C++ compiler binary is
# clang++-11; the original script named it clang-11++, which does not exist).
export CC="clang-11"
export CXX="clang++-11"
export LDFLAGS="-fsanitize=address"
export CFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer"
export CXXFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer"
# -fno-omit-frame-pointer keeps the stack traces ASan prints usable.
cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make
```
Credit: 1vanChen of NSFOCUS Security Team

Comment 1 Zdenek Dohnal 2021-01-25 05:55:07 UTC
Hi,

thank you for reporting the issue!

I'll pass the issue to the security team and report it upstream.

Comment 3 1vanChen 2021-01-26 06:20:08 UTC
Created attachment 1750769: reduced poc file

A simplified sample is provided.

Comment 4 Mauro Matteo Cascella 2021-02-15 19:06:53 UTC
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1919212#c4.

Comment 5 Fedora Update System 2021-02-18 09:34:31 UTC
FEDORA-2021-164265f25a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a

Comment 6 Fedora Update System 2021-02-18 09:35:07 UTC
FEDORA-2021-01b3981cc5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5

Comment 7 Fedora Update System 2021-02-19 01:59:55 UTC
FEDORA-2021-01b3981cc5 has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-01b3981cc5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-02-19 02:03:51 UTC
FEDORA-2021-164265f25a has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-164265f25a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-02-20 01:26:06 UTC
FEDORA-2021-164265f25a has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2021-02-22 07:45:25 UTC
FEDORA-2021-5be90ab004 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004

Comment 11 Fedora Update System 2021-02-22 08:02:51 UTC
FEDORA-2021-fb090f432a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a

Comment 12 Fedora Update System 2021-02-24 21:39:50 UTC
FEDORA-2021-fb090f432a has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fb090f432a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2021-02-24 21:55:11 UTC
FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-5be90ab004`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2021-02-26 01:09:09 UTC
FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2021-03-08 20:13:54 UTC
FEDORA-2021-fb090f432a has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.