Bug 2014661 (CVE-2021-3875)
| Summary: | CVE-2021-3875 vim: heap-based buffer overflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | bdettelb, caswilli, fjansen, gchamoul, gparvin, jburrell, jwong, karsten, kaycoth, pahickey, psegedy, stcannon, vkumar, vmugicag, zdohnal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | vim 8.2.3489 | Doc Type: | If docs needed, set a value |
| Doc Text: |
There's an out-of-bounds read flaw in Vim's ex_docmd.c. An attacker who is capable of tricking a user into opening a specially crafted file could trigger an out-of-bounds read on a memmove operation, potentially causing an impact to application availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2014662, 2015193, 2015194 | ||
| Bug Blocks: | 2014663 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-10-15 18:28:04 UTC
Created vim tracking bugs for this issue: Affects: fedora-all [bug 2014662] marking hosted services affected (low) / delegated solely for presence of affected code. Flaw summary:
In vim's undo.c, u_save_line() looks like:
u_save_line(undoline_T *ul, linenr_T lnum)
{
char_u *line = ml_get(lnum);
if (curbuf->b_ml.ml_line_len == 0)
{
ul->ul_len = 1;
ul->ul_line = vim_strsave((char_u *)"");
}
else
{
// This uses the length in the memline, thus text properties are
// included.
ul->ul_len = curbuf->b_ml.ml_line_len;
ul->ul_line = vim_memsave(line, ul->ul_len);
}
return ul->ul_line == NULL ? FAIL : OK;
}
This flaw involves the line ul->ul_line = vim_memsave(line, ul->ul_len); . Specifically, ul->ul_len can be an incorrect length of `line` if `lnum` is out of range. This causes an out-of-bounds read in vim_memsave() -> mch_memmove() because although the new allocation size is ok, the memory read operation can be an out-of-bounds read of memory pointed to by `p` in:
vim_memsave(char_u *p, size_t len)
{
char_u *ret = alloc(len);
if (ret != NULL)
mch_memmove(ret, p, len);
return ret;
}
because the `len` parameter (ul->ul_len) doesn't match the proper `len` for `lnum`.
This does not reproduce, nor does it affect versions of vim shipped in any Red Hat Enterprise Linux version because the vulnerable code was introduced in a newer version of vim than those shipped.
|