2017-02-28 23:30 GMT+03:00 Vekktone Official <[email protected]>:
> On Tuesday, February 7, 2017 at 9:36:20 PM UTC-6, shqking wrote:
>> Hi all.
>>
>> A suspicious integer overflow is found in
>> src/spellfile.c:1607 (https://github.com/vim/vim/blob/master/src/spellfile.c#L1607).
>>
>> Signed integer overflow might occur for len * sizeof(int) at line 1607, if
>> len can hold a value whose range is (0xffff ffff / 4, 0x7fff ffff].
>>
>> Assume that len is 0x4000 0001. len * sizeof(int) would overflow to 0x4,
>> which is much smaller than the expected result, i.e. 0x1 0000 0004.
>> As a result, smaller memory space is allocated at line 1607 and buffer
>> overflow would occur at line 1613.
>>
>> Note that len is read from a file fd.
>> Since I'm not very familiar with the source code of vim, I'm not sure
>> whether the concrete values of len can be controlled by adversaries or not.
>> If so, this issue is a critical bug. If not, it's a false positive and
>> please ignore it.
>>
>> Attached please find one possible patch.
>> Thanks a lot.
>
> Hey there, my name is Riley and I am an undergraduate student studying
> computer science at the University of Texas at San Antonio. Right now I am
> conducting an investigation on buffer overflow, and came across this post. I
> was wondering if you might be able to give me some instructions on how to
> replicate this bug. Although numerous patches have been released since this
> bug was found, I need to replicate the issue for my project. So far I have
> downloaded the source code from github on my machine and edited the version.c
> (src/version.c) file, commenting out the patches until I hit 321 (patches
> 322+ fix the bug). I am not the most experienced at editing source code, so
> I was wondering if this change would allow me to recreate the bug, or if that
> file actually does anything beyond referencing/adding each patch to an array.
> I also went into the spellfile (src/spellfile.c) and looked at the changes
> made there, but I have not determined whether I should delete the three lines
> that were added to fix this bug (1598-1600) or just change the code somehow.
> The variable len is what can cause the overflow to occur (if len = 0x4000
> 0001 as you said), and len is read from a file fd. So how can I get the size
> of len to cause the overflow from a file? Is there some sort of command I
> need to run with vim to cause this to happen? Thank you for any help on this
> and I find all of this very interesting.
If you want a version without this patch, you do not comment anything
out (which is also useless: the patch list is there primarily because some
Linux distributions merge in only security and bug-fix patches,
entirely skipping patches which add features; the patch list is needed so
that one could check from a VimL script exactly which patches were
included; the list is informational and not directional) or edit any source
code. You just ask git to check out the version without the patch.
If I am not mistaken, to get a problem after you get the correct
version you need to create a file `spell/en.utf-8.spl` (assuming `set
spelllang=en spell encoding=utf-8`) somewhere in `&runtimepath`
(normally `~/.vim/spell/en.utf-8.spl` or
`~/vimfiles/spell/en.utf-8.spl`). E.g. with

    echo $'VIMspell\x32\x0F\xFF\xFF\xFF\xFF' > ~/.vim/spell/en.utf-8.spl
    vim -u NONE -i NONE -N --cmd 'set encoding=utf-8 spelllang=en spell' --cmd cq

On a patched version this should give `E758` and quit; on an unpatched
one this should yield something different.
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
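The overflow class discussed in this thread, as an added example that is not vim's code: a 4-byte most-significant-byte-first length read from the file (the "len is read from a file fd" of the report), the unchecked `len * sizeof(int)` computed in 32-bit arithmetic as on the 32-bit platforms the report concerns, the guard a fixed reader needs before multiplying, and the number of bytes the later index writes would land past the undersized allocation. The function names, the sample byte sequences and the check as written are constructed for illustration; the value 0x40000001 is the one from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelled on the allocation pattern described in the thread
 * (a length read from the file, then len * sizeof(int) handed to the
 * allocator).  It is not vim's code; function names and the byte sequences
 * below are constructed for illustration. */

/* Read a 4-byte most-significant-byte-first length from "buf", as a
 * spell-file reader would.  Returns 0 and stores the value in *out, or -1
 * when fewer than 4 bytes are available (a truncated file). */
static int read_len_be32(const unsigned char *buf, size_t buflen, int32_t *out)
{
    if (buflen < 4)
        return -1;
    uint32_t v = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
               | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    /* 0xFFFFFFFF becomes -1 here (implementation-defined, wraps on all
     * mainstream compilers), which a "len < 0" check then rejects. */
    *out = (int32_t)v;
    return 0;
}

/* Unchecked size computation: the multiplication is done in 32-bit
 * arithmetic, as on the 32-bit platforms the report is about.  Unsigned
 * arithmetic is used so the wraparound is well defined and reproducible;
 * the signed original is undefined behaviour that wraps the same way in
 * practice.  For len = 0x40000001 this yields 4 instead of 0x100000004. */
static uint32_t alloc_size_unchecked(int32_t len)
{
    return (uint32_t)len * (uint32_t)sizeof(int32_t);
}

/* Hardened version: reject negative (truncated) lengths and any len for
 * which len * sizeof(int32_t) is not representable as a signed 32-bit
 * value.  Dividing the maximum first, instead of multiplying and comparing,
 * is what keeps the check itself free of overflow.  Returns 0 with the byte
 * count in *out, -1 for a negative len, -2 for one that would overflow.
 * Note this also rejects 0x20000000..0x3FFFFFFF, where the signed product
 * is already undefined even though the unsigned wrap has not happened yet. */
static int alloc_size_checked(int32_t len, uint32_t *out)
{
    if (len < 0)
        return -1;
    if (len > INT32_MAX / (int32_t)sizeof(int32_t))
        return -2;
    *out = (uint32_t)len * (uint32_t)sizeof(int32_t);
    return 0;
}

/* After the undersized allocation the reader goes on to fill len index
 * entries of 4 bytes each.  Return how many bytes of those writes would
 * land past the end of the unchecked allocation (0 when nothing overflows). */
static uint64_t overflow_bytes(int32_t len)
{
    if (len < 0)
        return 0;
    uint64_t needed = (uint64_t)(uint32_t)len * 4u;
    uint64_t got = alloc_size_unchecked(len);
    return needed > got ? needed - got : 0;
}

/* Constructed tree-length bytes: 0x40000001, the value from the report. */
static const unsigned char kOverflowLen[4] = { 0x40, 0x00, 0x00, 0x01 };
/* Constructed bytes that decode to -1, i.e. a length a reader should treat
 * as a truncated file. */
static const unsigned char kNegativeLen[4] = { 0xFF, 0xFF, 0xFF, 0xFF };

int main(void)
{
    int32_t len = 0;
    uint32_t size = 0;

    read_len_be32(kOverflowLen, sizeof kOverflowLen, &len);
    printf("len = 0x%08x\n", (unsigned)len);
    printf("unchecked allocation: %u bytes\n", (unsigned)alloc_size_unchecked(len));
    printf("checked allocation: rc=%d\n", alloc_size_checked(len, &size));
    printf("bytes written past the unchecked buffer: %llu\n",
           (unsigned long long)overflow_bytes(len));

    read_len_be32(kNegativeLen, sizeof kNegativeLen, &len);
    printf("negative len: checked rc=%d\n", alloc_size_checked(len, &size));
    return 0;
}
```

The same division-first guard applies whenever a count read from untrusted input is multiplied by an element size before allocation; on LP64 platforms a `long` product of a 32-bit count cannot wrap, which is why such bugs often surface only on 32-bit builds.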