Hi

Vim-7.4.797 uses free memory when doing:

  $ vim -u NONE -S crash.vim

... where crash.vim is the attached file.

=================================================================
==4903==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000015490 at pc 0x528f70 bp 0x7ffddfc709a0 sp 0x7ffddfc70998
READ of size 1 at 0x602000015490 thread T0
    #0 0x528f6f in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2381
    #1 0x523378 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
    #2 0x51d886 in do_source /home/pel/sb/vim/src/ex_cmds2.c:3353
    #3 0x51c3d6 in cmd_source /home/pel/sb/vim/src/ex_cmds2.c:2962
    #4 0x51c1ae in ex_source /home/pel/sb/vim/src/ex_cmds2.c:2935
    #5 0x52af9f in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
    #6 0x523378 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
    #7 0x521f5c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
    #8 0x944237 in exe_commands /home/pel/sb/vim/src/main.c:2926
    #9 0x93db0d in main /home/pel/sb/vim/src/main.c:961
    #10 0x7fa872e1eec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #11 0x40ea18 (/home/pel/sb/vim/src/vim+0x40ea18)

0x602000015490 is located 0 bytes inside of 2-byte region [0x602000015490,0x602000015492)
freed by thread T0 here:
    #0 0x7fa875bef5c7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x545c7)
    #1 0x666c79 in vim_free /home/pel/sb/vim/src/misc2.c:1707
    #2 0x528ed6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2367
    #3 0x523378 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
    #4 0x51d886 in do_source /home/pel/sb/vim/src/ex_cmds2.c:3353
    #5 0x51c3d6 in cmd_source /home/pel/sb/vim/src/ex_cmds2.c:2962
    #6 0x51c1ae in ex_source /home/pel/sb/vim/src/ex_cmds2.c:2935
    #7 0x52af9f in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
    #8 0x523378 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
    #9 0x521f5c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
    #10 0x944237 in exe_commands /home/pel/sb/vim/src/main.c:2926
    #11 0x93db0d in main /home/pel/sb/vim/src/main.c:961
    #12 0x7fa872e1eec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

previously allocated by thread T0 here:
    #0 0x7fa875bef7df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
    #1 0x66442c in lalloc /home/pel/sb/vim/src/misc2.c:921
    #2 0x664210 in alloc /home/pel/sb/vim/src/misc2.c:820
    #3 0x664ded in vim_strnsave /home/pel/sb/vim/src/misc2.c:1265
    #4 0x528e94 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2365
    #5 0x523378 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
    #6 0x51d886 in do_source /home/pel/sb/vim/src/ex_cmds2.c:3353
    #7 0x51c3d6 in cmd_source /home/pel/sb/vim/src/ex_cmds2.c:2962
    #8 0x51c1ae in ex_source /home/pel/sb/vim/src/ex_cmds2.c:2935
    #9 0x52af9f in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
    #10 0x523378 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
    #11 0x521f5c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
    #12 0x944237 in exe_commands /home/pel/sb/vim/src/main.c:2926
    #13 0x93db0d in main /home/pel/sb/vim/src/main.c:961
    #14 0x7fa872e1eec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /home/pel/sb/vim/src/ex_docmd.c:2381 do_one_cmd
Shadow bytes around the buggy address:
  0x0c047fffaa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffaa50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffaa60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffaa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffaa80: fa fa fa fa fa fa fa fa fa fa fd fa fa fa fd fa
=>0x0c047fffaa90: fa fa[fd]fa fa fa 00 02 fa fa 07 fa fa fa fd fa
  0x0c047fffaaa0: fa fa 05 fa fa fa 00 02 fa fa 07 fa fa fa fd fa
  0x0c047fffaab0: fa fa 05 fa fa fa 00 02 fa fa 07 fa fa fa fd fa
  0x0c047fffaac0: fa fa 05 fa fa fa 00 02 fa fa 07 fa fa fa fd fa
  0x0c047fffaad0: fa fa 05 fa fa fa 00 02 fa fa 07 fa fa fa fd fa
  0x0c047fffaae0: fa fa 05 fa fa fa 00 02 fa fa 07 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==4903==ABORTING


Attached patch fixes it.
Bug was found using afl-fuzz + asan on Linux x86_64.

Regards
Dominique
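The defect the trace above reports, reduced to a stand-alone C model. This is an added example, not Vim's code; copy_name(), apply_hook(), aborting() and find_command() are hypothetical stand-ins for vim_strnsave(), apply_autocmds(), aborting() and find_command(), and the command table is a single constructed entry.

```c
/* Added illustration, not Vim's source: a minimal model of the code shape in
 * do_one_cmd() that the ASan trace above reports. copy_name(), apply_hook(),
 * aborting() and find_command() are stand-ins for the Vim functions. */
#include <stdlib.h>
#include <string.h>

static int hook_aborts;                 /* models aborting() == TRUE */
static char *copy_name(const char *s)   /* models vim_strnsave() */
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
static int apply_hook(const char *name) { (void)name; return 1; }
static int aborting(void) { return hook_aborts; }
static const char *find_command(const char *name)
{
    return strcmp(name, "echo") == 0 ? "echo" : NULL;   /* constructed table */
}

/* Buggy shape: after free(), `p` is only conditionally replaced, so on the
 * abort path it still holds the freed address (the UAF that ASan reports). */
const char *lookup_buggy(const char *cmd)
{
    char *p = copy_name(cmd);
    int ret = apply_hook(p);
    free(p);                            /* vim_free(p) */
    if (ret && !aborting())
        p = (char *)find_command(cmd);
    return p;                           /* dangling when aborting() */
}

/* Fixed shape, as in the attached patch: every path assigns `p`, so the
 * abort path yields NULL instead of a dangling pointer. */
const char *lookup_fixed(const char *cmd)
{
    char *tmp = copy_name(cmd);
    int ret = apply_hook(tmp);
    free(tmp);
    return (ret && !aborting()) ? find_command(cmd) : NULL;
}

/* Returns 1 when, with the hook aborting, the buggy version hands back a
 * non-NULL (dangling) pointer while the fixed version hands back NULL. */
int demonstrate(void)
{
    hook_aborts = 1;
    const char *b = lookup_buggy("echo");
    const char *f = lookup_fixed("echo");
    return b != NULL && f == NULL;
}
```

Running lookup_buggy() under ASan with the hook aborting and then reading through the returned pointer reproduces the heap-use-after-free report shape above; the fixed version returns NULL, which the caller can check.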


Attachment: crash.vim
Description: Binary data

diff -r b5cdc4f295ac src/ex_docmd.c
--- a/src/ex_docmd.c	Sat Jul 25 22:53:00 2015 +0200
+++ b/src/ex_docmd.c	Sun Jul 26 14:37:24 2015 +0200
@@ -2365,8 +2365,7 @@
 	p = vim_strnsave(ea.cmd, (int)(p - ea.cmd));
 	ret = apply_autocmds(EVENT_CMDUNDEFINED, p, p, TRUE, NULL);
 	vim_free(p);
-	if (ret && !aborting())
-	    p = find_command(&ea, NULL);
+	p = (ret && !aborting()) ? find_command(&ea, NULL) : NULL;
     }
 #endif
 