Dominique Pellé wrote:

> afl-fuzz found a use of free memory in Vim-7.4.2321
> and older. The script contains errors, but it should not
> cause vim to access freed memory:
> 
> $ cat bug.vim
> func Foo()
>  let l = getli|e()
> endfunc
> set formatexpr=Foo()
> norm gqG
> 
> $ valgrind --num-callers=50 vim -u NONE -S bug.vim -c q 2>log
> 
> And log contains:
> 
> ==5251== Memcheck, a memory error detector
> ==5251== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==5251== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==5251== Command: ./vim -u NONE -S bug.vim -c q
> ==5251==
> ==5251== Invalid read of size 1
> ==5251==    at 0x415972: skipwhite (charset.c:1522)
> ==5251==    by 0x5D1CE8: get_func_tv (userfunc.c:471)
> ==5251==    by 0x436B7B: eval7 (eval.c:4343)
> ==5251==    by 0x4363B6: eval6 (eval.c:3977)
> ==5251==    by 0x435E99: eval5 (eval.c:3793)
> ==5251==    by 0x43515D: eval4 (eval.c:3492)
> ==5251==    by 0x434F9B: eval3 (eval.c:3409)
> ==5251==    by 0x434E14: eval2 (eval.c:3341)
> ==5251==    by 0x434C4B: eval1 (eval.c:3269)
> ==5251==    by 0x42FF64: eval_to_number (eval.c:803)
> ==5251==    by 0x50F737: fex_format (ops.c:4758)
> ==5251==    by 0x50F6A4: op_formatexpr (ops.c:4729)
> ==5251==    by 0x4F9488: do_pending_operator (normal.c:1982)
> ==5251==    by 0x4F7C2D: normal_cmd (normal.c:1182)
> ==5251==    by 0x47DF5C: exec_normal (ex_docmd.c:10250)
> ==5251==    by 0x47DF1B: exec_normal_cmd (ex_docmd.c:10233)
> ==5251==    by 0x47DD2D: ex_normal (ex_docmd.c:10142)
> ==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==5251==    by 0x46C017: do_source (ex_cmds2.c:4097)
> ==5251==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
> ==5251==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
> ==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==5251==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
> ==5251==    by 0x5FA0F2: exe_commands (main.c:2896)
> ==5251==    by 0x5F74D7: vim_main2 (main.c:781)
> ==5251==    by 0x5F6E81: main (main.c:415)
> ==5251==  Address 0x76c0eb5 is 5 bytes inside a block of size 6 free'd
> ==5251==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
> ==5251==    by 0x4E787B: vim_free (misc2.c:1705)
> ==5251==    by 0x51929E: clear_string_option (option.c:5573)
> ==5251==    by 0x40988B: free_buf_options (buffer.c:2112)
> ==5251==    by 0x522B3A: buf_copy_options (option.c:10732)
> ==5251==    by 0x409469: buflist_new (buffer.c:1974)
> ==5251==    by 0x45C9F1: do_ecmd (ex_cmds.c:3855)
> ==5251==    by 0x47B720: do_exedit (ex_docmd.c:8591)
> ==5251==    by 0x47B3B6: ex_edit (ex_docmd.c:8487)
> ==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==5251==    by 0x5D2D5B: call_user_func (userfunc.c:893)
> ==5251==    by 0x5D3E05: call_func (userfunc.c:1353)
> ==5251==    by 0x5D1C4E: get_func_tv (userfunc.c:455)
> ==5251==    by 0x436B7B: eval7 (eval.c:4343)
> ==5251==    by 0x4363B6: eval6 (eval.c:3977)
> ==5251==    by 0x435E99: eval5 (eval.c:3793)
> ==5251==    by 0x43515D: eval4 (eval.c:3492)
> ==5251==    by 0x434F9B: eval3 (eval.c:3409)
> ==5251==    by 0x434E14: eval2 (eval.c:3341)
> ==5251==    by 0x434C4B: eval1 (eval.c:3269)
> ==5251==    by 0x42FF64: eval_to_number (eval.c:803)
> ==5251==    by 0x50F737: fex_format (ops.c:4758)
> ==5251==    by 0x50F6A4: op_formatexpr (ops.c:4729)
> ==5251==    by 0x4F9488: do_pending_operator (normal.c:1982)
> ==5251==    by 0x4F7C2D: normal_cmd (normal.c:1182)
> ==5251==    by 0x47DF5C: exec_normal (ex_docmd.c:10250)
> ==5251==    by 0x47DF1B: exec_normal_cmd (ex_docmd.c:10233)
> ==5251==    by 0x47DD2D: ex_normal (ex_docmd.c:10142)
> ==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==5251==    by 0x46C017: do_source (ex_cmds2.c:4097)
> ==5251==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
> ==5251==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
> ==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==5251==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
> ==5251==    by 0x5FA0F2: exe_commands (main.c:2896)
> ==5251==    by 0x5F74D7: vim_main2 (main.c:781)
> ==5251==    by 0x5F6E81: main (main.c:415)
> ==5251==  Block was alloc'd at
> ==5251==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==5251==    by 0x4E699B: lalloc (misc2.c:920)
> ==5251==    by 0x4E6868: alloc (misc2.c:818)
> ==5251==    by 0x517883: do_set (option.c:4772)
> ==5251==    by 0x480F81: ex_set (ex_docmd.c:12037)
> ==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==5251==    by 0x46C017: do_source (ex_cmds2.c:4097)
> ==5251==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
> ==5251==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
> ==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==5251==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
> ==5251==    by 0x5FA0F2: exe_commands (main.c:2896)
> ==5251==    by 0x5F74D7: vim_main2 (main.c:781)
> ==5251==    by 0x5F6E81: main (main.c:415)
> (...snip many other errors...)
> 
> It's an old bug: at least vim-7.4.52 that comes with
> xubuntu-14.04 was already affected. I did not try
> older versions.
> 
> No patch and I find it hard to see what's going on here.

Thanks.  It's because the option is freed while executing the function.
In this case by editing another buffer.  Could also happen when
explicitly setting 'formatexpr' in the function.  I'll fix it and add
tests.

-- 
Send $25.00 for handy leaflet on how to make money by selling leaflets

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
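The pattern Bram describes, as an added toy model in C (not Vim's code; all names are hypothetical stand-ins for the functions in the trace): the expression parser keeps a pointer into the 'formatexpr' option storage while the user function runs, the function's side effect (editing another buffer, or `:set formatexpr`) frees that storage, and the parser's `skipwhite()` then reads freed memory. The hardened variant evaluates a private copy of the option value, so the callback cannot free it out from under the parser.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy buffer with one buffer-local string option, standing in for curbuf->b_p_fex. */
typedef struct { char *p_fex; } buf_T;
static buf_T curbuf_storage = { NULL };
static buf_T *curbuf = &curbuf_storage;

static char *dup_str(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }

/* Replacing the option frees the old storage (what clear_string_option() did in the trace). */
static void set_fex(const char *val) { free(curbuf->p_fex); curbuf->p_fex = dup_str(val); }

/* Side effect of the user function: editing another buffer resets buffer-local options. */
static void call_user_func(void) { set_fex("Bar()"); }

/* Minimal parser for NAME '(' ')'. Like get_func_tv(), it keeps 'arg' pointing into
 * the expression string across the user-function call. */
static int eval_to_number(const char *expr) {
    const char *arg = expr;
    while (*arg && *arg != '(') arg++;
    if (*arg != '(') return -1;
    call_user_func();               /* may free the memory 'expr' points into */
    arg++;
    while (*arg == ' ') arg++;      /* skipwhite(): invalid read if expr was option storage */
    return *arg == ')' ? 0 : -1;
}

/* Vulnerable: evaluates the option's own storage. Not called here; under valgrind
 * or ASan it reports the invalid read in skipwhite() seen in the log above. */
int fex_format_unsafe(void) { return eval_to_number(curbuf->p_fex); }

/* Hardened: evaluate a private copy, so the callback cannot free it under us. */
int fex_format_safe(void) {
    char *fex = dup_str(curbuf->p_fex);
    int r = fex ? eval_to_number(fex) : -1;
    free(fex);
    return r;
}

/* Returns 1 when the safe path evaluates "Foo()" correctly even though the option
 * was replaced by "Bar()" while the expression was being evaluated. */
int demo_safe(void) {
    set_fex("Foo()");
    int ok = fex_format_safe() == 0 && strcmp(curbuf->p_fex, "Bar()") == 0;
    free(curbuf->p_fex); curbuf->p_fex = NULL;
    return ok;
}

int main(void) { printf("safe path ok: %d\n", demo_safe()); return 0; }
```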
