Hi Bram,

A few issues were reported on RedHat's bug tracker[0] which have been
assigned CVE-2017-11109.  I took an initial look at them and reduced the
fuzzer-created scripts so they're clearer (especially for POC2).

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1468492

I've also attached a patch that resolves the issue for POC1.  Below are
the ASAN tracebacks for each issue, all using 8.0.0702.

POC1
----
apply_autocmds_group() performs an OOB access of first_autopat[] and,
when that doesn't crash, gets stuck in a while loop due to a missing
check for '|'.

$ ./src/vim -u NONE -e -s -S ~/tmp/POC1 -c ':qa!'
=================================================================
==19627==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x559affada2f8 at pc 0x559aff3e6300 bp 0x7fff7b7c9f10 sp 0x7fff7b7c9f08
READ of size 8 at 0x559affada2f8 thread T0
    #0 0x559aff3e62ff in apply_autocmds_group 
/home/jamessan/src/github.com/vim/src/fileio.c:9388
    #1 0x559aff3e4303 in do_doautocmd 
/home/jamessan/src/github.com/vim/src/fileio.c:8867
    #2 0x559aff37a8a9 in ex_doautocmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:5567
    #3 0x559aff36cf65 in do_one_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #4 0x559aff3652d0 in do_cmdline 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #5 0x559aff35f9c5 in do_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:4378
    #6 0x559aff35e566 in cmd_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:3991
    #7 0x559aff35e341 in ex_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:3966
    #8 0x559aff36cf65 in do_one_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #9 0x559aff3652d0 in do_cmdline 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #10 0x559aff363e7f in do_cmdline_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:689
    #11 0x559aff73a06b in exe_commands 
/home/jamessan/src/github.com/vim/src/main.c:2945
    #12 0x559aff734442 in vim_main2 
/home/jamessan/src/github.com/vim/src/main.c:803
    #13 0x559aff733c18 in main /home/jamessan/src/github.com/vim/src/main.c:419
    #14 0x7f67b6b212b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #15 0x559aff262ba9 in _start 
(/home/jamessan/src/github.com/vim/src/vim+0xdaba9)

0x559affada2f8 is located 0 bytes to the right of global variable 
'first_autopat' defined in 'fileio.c:7808:17' (0x559affada040) of size 696
0x559affada2f8 is located 40 bytes to the left of global variable 
'active_apc_list' defined in 'fileio.c:7835:20' (0x559affada320) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow 
/home/jamessan/src/github.com/vim/src/fileio.c:9388 in apply_autocmds_group
Shadow bytes around the buggy address:
  0x0ab3dff53400: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ab3dff53410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab3dff53420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab3dff53430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab3dff53440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab3dff53450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
  0x0ab3dff53460: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab3dff53470: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ab3dff53480: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ab3dff53490: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab3dff534a0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19627==ABORTING

POC2
----
mb_prevptr(ccline.cmdbuff, p) is being called when ccline.cmdbuff is
NULL.

$ ./src/vim -u NONE -e -s -S ~/tmp/POC2 -c ':qa!'
ASAN:DEADLYSIGNAL
=================================================================
==19695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 
0x5651836ca9be bp 0x7ffef3a697e0 sp 0x7ffef3a697b0 T0)
    #0 0x5651836ca9bd in utf_head_off 
/home/jamessan/src/github.com/vim/src/mbyte.c:3809
    #1 0x5651836cbfc0 in mb_prevptr 
/home/jamessan/src/github.com/vim/src/mbyte.c:4113
    #2 0x5651835bf12a in getcmdline 
/home/jamessan/src/github.com/vim/src/ex_getln.c:980
    #3 0x5651835c3b34 in getexline 
/home/jamessan/src/github.com/vim/src/ex_getln.c:2305
    #4 0x56518357ccc1 in do_cmdline 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:985
    #5 0x5651836eaa95 in nv_colon 
/home/jamessan/src/github.com/vim/src/normal.c:5403
    #6 0x5651836d3510 in normal_cmd 
/home/jamessan/src/github.com/vim/src/normal.c:1150
    #7 0x5651835a8dfc in exec_normal 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:10412
    #8 0x5651835a8d08 in exec_normal_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:10395
    #9 0x56518366e7d1 in ex_emenu 
/home/jamessan/src/github.com/vim/src/menu.c:2261
    #10 0x565183584f65 in do_one_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #11 0x56518357d2d0 in do_cmdline 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #12 0x5651835779c5 in do_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:4378
    #13 0x565183576566 in cmd_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:3991
    #14 0x565183576341 in ex_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:3966
    #15 0x565183584f65 in do_one_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #16 0x56518357d2d0 in do_cmdline 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #17 0x56518357be7f in do_cmdline_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:689
    #18 0x56518395206b in exe_commands 
/home/jamessan/src/github.com/vim/src/main.c:2945
    #19 0x56518394c442 in vim_main2 
/home/jamessan/src/github.com/vim/src/main.c:803
    #20 0x56518394bc18 in main /home/jamessan/src/github.com/vim/src/main.c:419
    #21 0x7faf86f662b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #22 0x56518347aba9 in _start 
(/home/jamessan/src/github.com/vim/src/vim+0xdaba9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
/home/jamessan/src/github.com/vim/src/mbyte.c:3809 in utf_head_off
==19695==ABORTING


POC3
----
Attempting to free() the statically allocated buf.b_s:

$ ./src/vim -u NONE -e -s -S ~/tmp/POC3 -c ':qa!'
=================================================================
==19734==ERROR: AddressSanitizer: attempting free on address which was not 
malloc()-ed: 0x62400000d838 in thread T0
    #0 0x7fac1d6829e0 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc19e0)
    #1 0x555f8b8c5a5a in vim_free 
/home/jamessan/src/github.com/vim/src/misc2.c:1793
    #2 0x555f8bab3e9e in reset_synblock 
/home/jamessan/src/github.com/vim/src/syntax.c:3659
    #3 0x555f8b6a4a32 in set_curbuf 
/home/jamessan/src/github.com/vim/src/buffer.c:1694
    #4 0x555f8b6a4546 in do_buffer 
/home/jamessan/src/github.com/vim/src/buffer.c:1631
    #5 0x555f8b6a1acb in goto_buffer 
/home/jamessan/src/github.com/vim/src/buffer.c:985
    #6 0x555f8b7b4c37 in ex_buffer 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:5604
    #7 0x555f8b7a6f65 in do_one_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #8 0x555f8b79f2d0 in do_cmdline 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #9 0x555f8b82128a in apply_autocmds_group 
/home/jamessan/src/github.com/vim/src/fileio.c:9644
    #10 0x555f8b81fe80 in apply_autocmds 
/home/jamessan/src/github.com/vim/src/fileio.c:9189
    #11 0x555f8b6ba904 in set_buflisted 
/home/jamessan/src/github.com/vim/src/buffer.c:6083
    #12 0x555f8b771ab6 in do_ecmd 
/home/jamessan/src/github.com/vim/src/ex_cmds.c:4038
    #13 0x555f8b79343d in do_argfile 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:2756
    #14 0x555f8b79375c in ex_next 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:2793
    #15 0x555f8b7a6f65 in do_one_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #16 0x555f8b79f2d0 in do_cmdline 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #17 0x555f8b7999c5 in do_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:4378
    #18 0x555f8b798566 in cmd_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:3991
    #19 0x555f8b798341 in ex_source 
/home/jamessan/src/github.com/vim/src/ex_cmds2.c:3966
    #20 0x555f8b7a6f65 in do_one_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #21 0x555f8b79f2d0 in do_cmdline 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #22 0x555f8b79de7f in do_cmdline_cmd 
/home/jamessan/src/github.com/vim/src/ex_docmd.c:689
    #23 0x555f8bb7406b in exe_commands 
/home/jamessan/src/github.com/vim/src/main.c:2945
    #24 0x555f8bb6e442 in vim_main2 
/home/jamessan/src/github.com/vim/src/main.c:803
    #25 0x555f8bb6dc18 in main /home/jamessan/src/github.com/vim/src/main.c:419
    #26 0x7fac1c4d92b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #27 0x555f8b69cba9 in _start 
(/home/jamessan/src/github.com/vim/src/vim+0xdaba9)

0x62400000d838 is located 5944 bytes inside of 7192-byte region 
[0x62400000c100,0x62400000dd18)
allocated by thread T0 here:
    #0 0x7fac1d682cf8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1cf8)
    #1 0x555f8b8c3ba9 in lalloc 
/home/jamessan/src/github.com/vim/src/misc2.c:942
    #2 0x555f8b8c3a98 in alloc_clear 
/home/jamessan/src/github.com/vim/src/misc2.c:864
    #3 0x555f8b6a6040 in buflist_new 
/home/jamessan/src/github.com/vim/src/buffer.c:1995
    #4 0x555f8bb2bd07 in win_alloc_firstwin 
/home/jamessan/src/github.com/vim/src/window.c:3487
    #5 0x555f8bb2ba3e in win_alloc_first 
/home/jamessan/src/github.com/vim/src/window.c:3440
    #6 0x555f8bb6e779 in common_init 
/home/jamessan/src/github.com/vim/src/main.c:1014
    #7 0x555f8bb6d9df in main /home/jamessan/src/github.com/vim/src/main.c:177
    #8 0x7fac1c4d92b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: bad-free 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc19e0) in free
==19734==ABORTING

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB


Attachment: POC.tar.gz
Description: application/gzip

commit f0b3e4fa57387068cbb2a82ad3931d8e1fb84d63
Author: James McCoy <james...@jamessan.com>
Date:   Sat Jul 8 20:37:00 2017 -0400

    Prevent an infinite loop and OOB access when ":do \|" is run
    
    This is POC1 from <https://bugzilla.redhat.com/show_bug.cgi?id=1468492>.

diff --git a/src/fileio.c b/src/fileio.c
index 0f59d809d..0213d2d1a 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -8863,7 +8863,7 @@ do_doautocmd(
     /*
      * Loop over the events.
      */
-    while (*arg && !VIM_ISWHITE(*arg))
+    while (*arg && *arg != '|' && !VIM_ISWHITE(*arg))
 	if (apply_autocmds_group(event_name2nr(arg, &arg),
 				      fname, NULL, TRUE, group, curbuf, NULL))
 	    nothing_done = FALSE;
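Review bot: The new `*arg != '|'` test on the while line carries no comment saying why a literal bar can reach this loop, and the loop's termination now hinges on that one character, so a later reader may drop it as redundant with the command's normal trailing-bar handling. Suggest a comment above the loop: `/* A literal '|' (e.g. from ":do \|") is not an event name; stop here rather than hand it to event_name2nr(), which would not advance arg. */`. The loop still terminates only if event_name2nr() consumes every other non-blank input it is given; that function is outside this hunk, so I cannot confirm there is no other delimiter at which it returns without advancing. do_doautocmd() begins and ends outside this hunk.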
@@ -9385,7 +9385,8 @@ apply_autocmds_group(
      * Quickly return if there are no autocommands for this event or
      * autocommands are blocked.
      */
-    if (first_autopat[(int)event] == NULL || autocmd_blocked > 0)
+    if (event == NUM_EVENTS || first_autopat[(int)event] == NULL
+	    || autocmd_blocked > 0)
 	goto BYPASS_AU;
 
     /*
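Review bot: The comment directly above the guard (`Quickly return if there are no autocommands for this event or autocommands are blocked.`) no longer describes the condition, which now also bypasses an unknown event; it should read `Quickly return if the event is unknown (NUM_EVENTS), there are no autocommands for it, or autocommands are blocked.` Writing the test as `(int)event >= NUM_EVENTS` would also reject any other out-of-range value a caller might pass before it is used as an index into first_autopat[], though if NUM_EVENTS is the enum's only sentinel the `==` form may be enough. apply_autocmds_group() begins and ends outside this hunk.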
