Bug 1919230
| Field | Value |
|---|---|
| Summary | 8-byte-read-heap-use-after-free in qflist_valid() when input craft vimscript file |
| Product | Fedora |
| Component | vim |
| Reporter | 1vanChen <houyunsong> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | unspecified |
| Version | rawhide |
| CC | gchamoul, mcascell, zdohnal |
| Hardware | All |
| OS | Linux |
| Fixed In Version | vim-8.2.2529-1.fc33 vim-8.2.2541-1.fc33 vim-8.2.2541-1.fc32 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2021-02-20 01:26:10 UTC |
Created attachment 1749740 [details]
4 pocs

To Reproduce

```shell
vim -u NONE -X -Z -e -s -S poc -c :qa!
```

Debug Info

```shell
/src/vim# ASAN_OPTIONS=alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:check_malloc_usable_size=0:detect_container_overflow=1:detect_odr_violation=0:detect_leaks=1:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_abort=1:handle_segv=1:handle_sigill=1:max_uar_stack_size_log=16:print_scariness=1:quarantine_size_mb=10:strict_memcmp=1:strict_string_check=1:strip_path_prefix=/workspace/:symbolize=1:use_sigaltstack=1 src/vim_asan -u NONE -X -Z -e -s -S /mnt/disk/out/vim/vim-fuzzer-out/bV7emu/crashes/id:000034,sig:11,src:050273+030641,op:splice,rep:2 -c :qa!
=================================================================
==23875==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000023108 at pc 0x00000077b68c bp 0x7fffffffd7f0 sp 0x7fffffffd7e8
READ of size 8 at 0x625000023108 thread T0
SCARINESS: 51 (8-byte-read-heap-use-after-free)
    #0 0x77b68b in qflist_valid /src/vim/src/quickfix.c:2606:7
    #1 0x77f37c in ex_cbuffer /src/vim/src/quickfix.c:7807:9
    #2 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #3 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #4 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5
    #5 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14
    #6 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2
    #7 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #8 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #9 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12
    #10 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2
    #11 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2
    #12 0x9bd071 in main /src/vim/src/main.c:412:12
    #13 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x41d768 in _start (/src/vim/src/vim_asan+0x41d768)

0x625000023108 is located 8 bytes inside of 8736-byte region [0x625000023100,0x625000025320)
freed by thread T0 here:
    #0 0x49733d in free (/src/vim/src/vim_asan+0x49733d)
    #1 0x6cfd9b in vim_free /src/vim/src/misc2.c:1807:2
    #2 0x4d1815 in apply_autocmds_group /src/vim/src/autocmd.c:2172:6
    #3 0x4d363d in apply_autocmds /src/vim/src/autocmd.c:1621:12
    #4 0x77f2f3 in ex_cbuffer /src/vim/src/quickfix.c:7796:2
    #5 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #6 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #7 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5
    #8 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14
    #9 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2
    #10 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #11 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #12 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12
    #13 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2
    #14 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2
    #15 0x9bd071 in main /src/vim/src/main.c:412:12
    #16 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4975bd in malloc (/src/vim/src/vim_asan+0x4975bd)
    #1 0x6ce307 in lalloc /src/vim/src/misc2.c:925:11
    #2 0x6ce423 in alloc_clear /src/vim/src/misc2.c:852:9
    #3 0x94efa9 in win_alloc /src/vim/src/window.c:4892:14
    #4 0x94cdac in win_split_ins /src/vim/src/window.c
    #5 0x949216 in win_split /src/vim/src/window.c:817:12
    #6 0x4dca33 in do_buffer /src/vim/src/buffer.c:1640:6
    #7 0x4dbb77 in goto_buffer /src/vim/src/buffer.c:1063:11
    #8 0x5e615e in ex_buffer /src/vim/src/ex_docmd.c
    #9 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #10 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #11 0x4d14d2 in apply_autocmds_group /src/vim/src/autocmd.c:2109:2
    #12 0x4d363d in apply_autocmds /src/vim/src/autocmd.c:1621:12
    #13 0x77efdd in ex_cbuffer /src/vim/src/quickfix.c:7748:28
    #14 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #15 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #16 0x7ec3ee in do_source /src/vim/src/scriptfile.c:1401:5
    #17 0x7eb03d in cmd_source /src/vim/src/scriptfile.c:971:14
    #18 0x7eaf1e in ex_source /src/vim/src/scriptfile.c:997:2
    #19 0x5d277b in do_one_cmd /src/vim/src/ex_docmd.c:2588:2
    #20 0x5cc8b8 in do_cmdline /src/vim/src/ex_docmd.c:1003:17
    #21 0x5cf181 in do_cmdline_cmd /src/vim/src/ex_docmd.c:592:12
    #22 0x9c0df7 in exe_commands /src/vim/src/main.c:3056:2
    #23 0x9bfc44 in vim_main2 /src/vim/src/main.c:760:2
    #24 0x9bd071 in main /src/vim/src/main.c:412:12
    #25 0x7ffff6cba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /src/vim/src/quickfix.c:2606:7 in qflist_valid
Shadow bytes around the buggy address:
  0x0c4a7fffc5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffc5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffc5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffc600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffc610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffc620: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffc630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffc640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffc650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffc660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffc670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==23875==ABORTING
```

Environment:
- version: commit e2edc2ed4a9a229870b1e1811b0ecf045b84e429
- OS: Ubuntu 16.04

Additional context

compile argument:

```shell
#!/bin/bash -eux
export CC="clang-11"
export CXX="clang-11++"
export LDFLAGS="-fsanitize=address"
export CFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer"
export CXXFLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer"
cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make
```

4 pocs are provided, with the same crash point but different stack tracebacks; not sure whether they are the same vulnerability point.

Credit: 1vanChen of NSFOCUS Security Team

Hi, thank you for reporting the issue! I'll pass the issue to the security team and report it upstream.

Created attachment 1750771 [details]
reduced poc file

A simplified sample is provided.

Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1919212#c4.

FEDORA-2021-164265f25a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a

FEDORA-2021-01b3981cc5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5

FEDORA-2021-01b3981cc5 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-01b3981cc5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-164265f25a has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-164265f25a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-164265f25a has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2021-5be90ab004 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004

FEDORA-2021-fb090f432a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a

FEDORA-2021-fb090f432a has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fb090f432a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-5be90ab004` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2021-fb090f432a has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
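The ASan report above has a recognisable shape: `ex_cbuffer` runs autocommands, the script-controlled autocommand closes the window whose memory came from `win_alloc`, and `qflist_valid` then reads through the now-stale window pointer. The stand-alone C program below is an added illustration of the defensive pattern for that shape, re-validating a pointer against the live object list after returning from any callback that user-controlled script can run. It is not vim's code and not the upstream fix; the `win_T` layout, the `firstwin` chain, `win_valid_demo`, `cbuffer_hardened` and the two hook functions are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a window that owns a quickfix (location) list. */
typedef struct win {
    int id;
    int qf_count;           /* number of quickfix entries; the field the handler reads */
    struct win *next;
} win_T;

/* Constructed global window chain, playing the role of a firstwin list. */
static win_T *firstwin = NULL;

static win_T *win_alloc_demo(int id)
{
    win_T *wp = calloc(1, sizeof *wp);
    if (wp == NULL)
        abort();
    wp->id = id;
    wp->next = firstwin;
    firstwin = wp;
    return wp;
}

/* Unlink the window from the chain and release its memory. */
static void win_close_demo(win_T *wp)
{
    for (win_T **pp = &firstwin; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == wp) {
            *pp = wp->next;
            free(wp);
            return;
        }
    }
}

/* Liveness check: a pointer is trusted only if it is still on the chain.
 * Simplified re-implementation of the re-validation idea; not vim's code. */
static int win_valid_demo(const win_T *wp)
{
    for (const win_T *p = firstwin; p != NULL; p = p->next)
        if (p == wp)
            return 1;
    return 0;
}

/* An autocommand hook: script-controlled code that may close windows. */
typedef void (*autocmd_fn)(win_T *wp);

/* Hardened :cbuffer-style handler. Returns the entry count, or -1 when the
 * window was freed while the hook ran. Reading wp->qf_count without the
 * win_valid_demo() check is the ordering ASan flagged in the report above. */
static int cbuffer_hardened(win_T *wp, autocmd_fn hook)
{
    if (hook != NULL)
        hook(wp);               /* may free wp, like the report's free stack */
    if (!win_valid_demo(wp))    /* re-validate after the hook returns */
        return -1;
    return wp->qf_count;        /* only now is this dereference safe */
}

/* Two constructed hooks: one benign, one that closes the window. */
static void hook_noop(win_T *wp) { (void)wp; }
static void hook_close(win_T *wp) { win_close_demo(wp); }

/* Scenario 1: the autocommand does nothing; the handler reads the count (3). */
int demo_benign_autocmd(void)
{
    win_T *wp = win_alloc_demo(1);
    wp->qf_count = 3;
    int r = cbuffer_hardened(wp, hook_noop);
    win_close_demo(wp);
    return r;
}

/* Scenario 2: the autocommand closes the window; the stale pointer is refused (-1). */
int demo_close_during_autocmd(void)
{
    win_T *wp = win_alloc_demo(2);
    wp->qf_count = 3;
    return cbuffer_hardened(wp, hook_close);
}

int main(void)
{
    printf("benign autocmd: %d\n", demo_benign_autocmd());
    printf("window closed during autocmd: %d\n", demo_close_during_autocmd());
    return 0;
}
```

Building this with `-fsanitize=address` and removing the `win_valid_demo` check reproduces the same "heap-use-after-free ... READ of size 8" class of report that the fuzzer produced for vim. One caveat for this design: an identity-by-address scan can be fooled if the allocator hands the same address to a new window that is then linked into the chain before the check runs, so code that must survive that case pairs the scan with a generation counter or reference count rather than relying on the pointer value alone.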