Hi
ASan (AddressSanitizer) detects use of invalid memory with vim-7.4.796 on Linux x86_64 when doing:
$ vim -u NONE -c 'au CursorHoldI ,~'
=================================================================
==31962== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6062000168ff at pc 0x55c7fa bp 0x7ffd361811c0 sp 0x7ffd361811b8
READ of size 1 at 0x6062000168ff thread T0
#0 0x55c7f9 in do_autocmd_event /home/dope/sb/vim/src/fileio.c:8517:0
#1 0x55c1f5 in do_autocmd /home/dope/sb/vim/src/fileio.c:8413:0
#2 0x5051b7 in ex_autocmd /home/dope/sb/vim/src/ex_docmd.c:5440:0
#3 0x4f7e92 in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2940:0
#4 0x4eec56 in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1133:0
#5 0x4ea664 in do_source /home/dope/sb/vim/src/ex_cmds2.c:3353:0
#6 0x4e9302 in cmd_source /home/dope/sb/vim/src/ex_cmds2.c:2962:0
#7 0x4e914e in ex_source /home/dope/sb/vim/src/ex_cmds2.c:2935:0
#8 0x4f7e92 in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2940:0
#9 0x4eec56 in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1133:0
#10 0x4edc1b in do_cmdline_cmd /home/dope/sb/vim/src/ex_docmd.c:738:0
#11 0x85084f in exe_commands /home/dope/sb/vim/src/main.c:2926:0
#12 0x84a9f9 in main /home/dope/sb/vim/src/main.c:961:0
#13 0x7f6a473e6ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
#14 0x405a28 in _start ??:0:0
0x6062000168ff is located 1 bytes to the left of 4096-byte region
[0x606200016900,0x606200017900)
allocated by thread T0 here:
#0 0x7f6a48ec341a in malloc ??:0:0
#1 0x605a4f in lalloc /home/dope/sb/vim/src/misc2.c:921:0
#2 0x605859 in alloc /home/dope/sb/vim/src/misc2.c:820:0
#3 0x5e73e1 in expand_env_save_opt /home/dope/sb/vim/src/misc1.c:3926:0
#4 0x5e73c6 in expand_env_save /home/dope/sb/vim/src/misc1.c:3912:0
#5 0x55bf0a in do_autocmd /home/dope/sb/vim/src/fileio.c:8358:0
#6 0x5051b7 in ex_autocmd /home/dope/sb/vim/src/ex_docmd.c:5440:0
#7 0x4f7e92 in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2940:0
#8 0x4eec56 in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1133:0
#9 0x4ea664 in do_source /home/dope/sb/vim/src/ex_cmds2.c:3353:0
#10 0x4e9302 in cmd_source /home/dope/sb/vim/src/ex_cmds2.c:2962:0
#11 0x4e914e in ex_source /home/dope/sb/vim/src/ex_cmds2.c:2935:0
#12 0x4f7e92 in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2940:0
#13 0x4eec56 in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1133:0
#14 0x4edc1b in do_cmdline_cmd /home/dope/sb/vim/src/ex_docmd.c:738:0
#15 0x85084f in exe_commands /home/dope/sb/vim/src/main.c:2926:0
#16 0x84a9f9 in main /home/dope/sb/vim/src/main.c:961:0
#17 0x7f6a473e6ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
Shadow bytes around the buggy address:
0x0c0cbfffacc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfffacd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbffface0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfffacf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfffad00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0cbfffad10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c0cbfffad20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffad30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffad40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffad50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffad60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==31962== ABORTING
Attached patch fixes it.
Bug was found using afl-fuzz + asan.
Regards
Dominique
You received this message from the "vim_dev" maillist.
diff -r 8840c1ae3b50 src/fileio.c
--- a/src/fileio.c Wed Jul 22 22:46:14 2015 +0200
+++ b/src/fileio.c Sun Jul 26 06:34:09 2015 +0200
@@ -8514,7 +8514,7 @@
*/
brace_level = 0;
for (endpat = pat; *endpat && (*endpat != ',' || brace_level
- || endpat[-1] == '\\'); ++endpat)
+ || (pat != endpat && endpat[-1] == '\\')); ++endpat)
{
if (*endpat == '{')
brace_level++;
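Review bot: the added `pat != endpat` guard in the loop condition is the right fix for the 1-byte read reported at fileio.c:8517. With a pattern that begins with ',' (the `,~` in the reproducer), `endpat == pat` on the first iteration, so `endpat[-1]` reads the byte just before the buffer allocated by expand_env_save, which is exactly what ASan flagged ("1 bytes to the left of 4096-byte region"). Short-circuit order matters here: `pat != endpat` must stay on the left of the `&&` so `endpat[-1]` is never evaluated when the guard fails. Consider adding a regression test that runs the `au CursorHoldI ,~` reproducer so the case stays covered.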