Hi Bram,

A few issues were reported on RedHat's bug tracker[0] which have been assigned CVE-2017-11109. I took an initial look at them and reduced the fuzzer-created scripts so they're clearer (especially for POC2).

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1468492

I've also attached a patch that resolves the issue for POC1. Below are the ASAN tracebacks for each issue, all using 8.0.0702.

POC1
----

apply_autocmds_group() performs an OOB access of first_autopat[] and, when that doesn't crash, gets stuck in a while loop due to a missing check for '|'.

$ ./src/vim -u NONE -e -s -S ~/tmp/POC1 -c ':qa!'
=================================================================
==19627==ERROR: AddressSanitizer: global-buffer-overflow on address 0x559affada2f8 at pc 0x559aff3e6300 bp 0x7fff7b7c9f10 sp 0x7fff7b7c9f08
READ of size 8 at 0x559affada2f8 thread T0
    #0 0x559aff3e62ff in apply_autocmds_group /home/jamessan/src/github.com/vim/src/fileio.c:9388
    #1 0x559aff3e4303 in do_doautocmd /home/jamessan/src/github.com/vim/src/fileio.c:8867
    #2 0x559aff37a8a9 in ex_doautocmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:5567
    #3 0x559aff36cf65 in do_one_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #4 0x559aff3652d0 in do_cmdline /home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #5 0x559aff35f9c5 in do_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:4378
    #6 0x559aff35e566 in cmd_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:3991
    #7 0x559aff35e341 in ex_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:3966
    #8 0x559aff36cf65 in do_one_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #9 0x559aff3652d0 in do_cmdline /home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #10 0x559aff363e7f in do_cmdline_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:689
    #11 0x559aff73a06b in exe_commands /home/jamessan/src/github.com/vim/src/main.c:2945
    #12 0x559aff734442 in vim_main2 /home/jamessan/src/github.com/vim/src/main.c:803
    #13 0x559aff733c18 in main /home/jamessan/src/github.com/vim/src/main.c:419
    #14 0x7f67b6b212b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #15 0x559aff262ba9 in _start (/home/jamessan/src/github.com/vim/src/vim+0xdaba9)

0x559affada2f8 is located 0 bytes to the right of global variable 'first_autopat' defined in 'fileio.c:7808:17' (0x559affada040) of size 696
0x559affada2f8 is located 40 bytes to the left of global variable 'active_apc_list' defined in 'fileio.c:7835:20' (0x559affada320) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /home/jamessan/src/github.com/vim/src/fileio.c:9388 in apply_autocmds_group
Shadow bytes around the buggy address:
  0x0ab3dff53400: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ab3dff53410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab3dff53420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab3dff53430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab3dff53440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab3dff53450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
  0x0ab3dff53460: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab3dff53470: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ab3dff53480: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ab3dff53490: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab3dff534a0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19627==ABORTING

POC2
----

mb_prevptr(ccline.cmdbuff, p) is being called when ccline.cmdbuff is NULL.

$ ./src/vim -u NONE -e -s -S ~/tmp/POC2 -c ':qa!'
ASAN:DEADLYSIGNAL
=================================================================
==19695==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x5651836ca9be bp 0x7ffef3a697e0 sp 0x7ffef3a697b0 T0)
    #0 0x5651836ca9bd in utf_head_off /home/jamessan/src/github.com/vim/src/mbyte.c:3809
    #1 0x5651836cbfc0 in mb_prevptr /home/jamessan/src/github.com/vim/src/mbyte.c:4113
    #2 0x5651835bf12a in getcmdline /home/jamessan/src/github.com/vim/src/ex_getln.c:980
    #3 0x5651835c3b34 in getexline /home/jamessan/src/github.com/vim/src/ex_getln.c:2305
    #4 0x56518357ccc1 in do_cmdline /home/jamessan/src/github.com/vim/src/ex_docmd.c:985
    #5 0x5651836eaa95 in nv_colon /home/jamessan/src/github.com/vim/src/normal.c:5403
    #6 0x5651836d3510 in normal_cmd /home/jamessan/src/github.com/vim/src/normal.c:1150
    #7 0x5651835a8dfc in exec_normal /home/jamessan/src/github.com/vim/src/ex_docmd.c:10412
    #8 0x5651835a8d08 in exec_normal_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:10395
    #9 0x56518366e7d1 in ex_emenu /home/jamessan/src/github.com/vim/src/menu.c:2261
    #10 0x565183584f65 in do_one_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #11 0x56518357d2d0 in do_cmdline /home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #12 0x5651835779c5 in do_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:4378
    #13 0x565183576566 in cmd_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:3991
    #14 0x565183576341 in ex_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:3966
    #15 0x565183584f65 in do_one_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #16 0x56518357d2d0 in do_cmdline /home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #17 0x56518357be7f in do_cmdline_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:689
    #18 0x56518395206b in exe_commands /home/jamessan/src/github.com/vim/src/main.c:2945
    #19 0x56518394c442 in vim_main2 /home/jamessan/src/github.com/vim/src/main.c:803
    #20 0x56518394bc18 in main /home/jamessan/src/github.com/vim/src/main.c:419
    #21 0x7faf86f662b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #22 0x56518347aba9 in _start (/home/jamessan/src/github.com/vim/src/vim+0xdaba9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jamessan/src/github.com/vim/src/mbyte.c:3809 in utf_head_off
==19695==ABORTING

POC3
----

Attempting to free() the statically allocated buf.b_s:

$ ./src/vim -u NONE -e -s -S ~/tmp/POC3 -c ':qa!'
=================================================================
==19734==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x62400000d838 in thread T0
    #0 0x7fac1d6829e0 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc19e0)
    #1 0x555f8b8c5a5a in vim_free /home/jamessan/src/github.com/vim/src/misc2.c:1793
    #2 0x555f8bab3e9e in reset_synblock /home/jamessan/src/github.com/vim/src/syntax.c:3659
    #3 0x555f8b6a4a32 in set_curbuf /home/jamessan/src/github.com/vim/src/buffer.c:1694
    #4 0x555f8b6a4546 in do_buffer /home/jamessan/src/github.com/vim/src/buffer.c:1631
    #5 0x555f8b6a1acb in goto_buffer /home/jamessan/src/github.com/vim/src/buffer.c:985
    #6 0x555f8b7b4c37 in ex_buffer /home/jamessan/src/github.com/vim/src/ex_docmd.c:5604
    #7 0x555f8b7a6f65 in do_one_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #8 0x555f8b79f2d0 in do_cmdline /home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #9 0x555f8b82128a in apply_autocmds_group /home/jamessan/src/github.com/vim/src/fileio.c:9644
    #10 0x555f8b81fe80 in apply_autocmds /home/jamessan/src/github.com/vim/src/fileio.c:9189
    #11 0x555f8b6ba904 in set_buflisted /home/jamessan/src/github.com/vim/src/buffer.c:6083
    #12 0x555f8b771ab6 in do_ecmd /home/jamessan/src/github.com/vim/src/ex_cmds.c:4038
    #13 0x555f8b79343d in do_argfile /home/jamessan/src/github.com/vim/src/ex_cmds2.c:2756
    #14 0x555f8b79375c in ex_next /home/jamessan/src/github.com/vim/src/ex_cmds2.c:2793
    #15 0x555f8b7a6f65 in do_one_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #16 0x555f8b79f2d0 in do_cmdline /home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #17 0x555f8b7999c5 in do_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:4378
    #18 0x555f8b798566 in cmd_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:3991
    #19 0x555f8b798341 in ex_source /home/jamessan/src/github.com/vim/src/ex_cmds2.c:3966
    #20 0x555f8b7a6f65 in do_one_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:2951
    #21 0x555f8b79f2d0 in do_cmdline /home/jamessan/src/github.com/vim/src/ex_docmd.c:1089
    #22 0x555f8b79de7f in do_cmdline_cmd /home/jamessan/src/github.com/vim/src/ex_docmd.c:689
    #23 0x555f8bb7406b in exe_commands /home/jamessan/src/github.com/vim/src/main.c:2945
    #24 0x555f8bb6e442 in vim_main2 /home/jamessan/src/github.com/vim/src/main.c:803
    #25 0x555f8bb6dc18 in main /home/jamessan/src/github.com/vim/src/main.c:419
    #26 0x7fac1c4d92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #27 0x555f8b69cba9 in _start (/home/jamessan/src/github.com/vim/src/vim+0xdaba9)

0x62400000d838 is located 5944 bytes inside of 7192-byte region [0x62400000c100,0x62400000dd18)
allocated by thread T0 here:
    #0 0x7fac1d682cf8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1cf8)
    #1 0x555f8b8c3ba9 in lalloc /home/jamessan/src/github.com/vim/src/misc2.c:942
    #2 0x555f8b8c3a98 in alloc_clear /home/jamessan/src/github.com/vim/src/misc2.c:864
    #3 0x555f8b6a6040 in buflist_new /home/jamessan/src/github.com/vim/src/buffer.c:1995
    #4 0x555f8bb2bd07 in win_alloc_firstwin /home/jamessan/src/github.com/vim/src/window.c:3487
    #5 0x555f8bb2ba3e in win_alloc_first /home/jamessan/src/github.com/vim/src/window.c:3440
    #6 0x555f8bb6e779 in common_init /home/jamessan/src/github.com/vim/src/main.c:1014
    #7 0x555f8bb6d9df in main /home/jamessan/src/github.com/vim/src/main.c:177
    #8 0x7fac1c4d92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: bad-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc19e0) in free
==19734==ABORTING

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
POC.tar.gz
Description: application/gzip
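As an added illustration (example code written for this page, not Vim's source and not James's patch), the C program below models the shape of the POC1 bug described above and of the two changes in the attached patch: an event-name lookup that returns the sentinel NUM_EVENTS for unknown input and does not consume a '|', the caller loop as it was before the patch (which then never advances), and the guarded versions. The event table, the contents of first_autopat[], the 64-iteration cap and the progress check are constructed for this example; real Vim has far more events and different internals.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for Vim's event table and first_autopat[] (names,
 * count and contents are made up for this example). NUM_EVENTS doubles as
 * the "no such event" sentinel, so it is exactly one past the last index. */
typedef enum { EV_BUFENTER, EV_BUFLEAVE, EV_WINENTER, NUM_EVENTS } event_T;

static const char *event_names[NUM_EVENTS] = { "BufEnter", "BufLeave", "WinEnter" };

/* Non-zero means "this event has autocommands"; NUM_EVENTS entries only. */
static int first_autopat[NUM_EVENTS] = { 1, 0, 1 };

/* Modelled on event_name2nr(): a name ends at end of string, a blank, ','
 * or '|'. On '|' nothing is consumed, so *end stays equal to start, which is
 * the condition that made the unfixed caller spin. */
static event_T
event_name2nr(const char *start, const char **end)
{
    const char *p;
    size_t len;
    int i;

    for (p = start; *p && !isspace((unsigned char)*p) && *p != ',' && *p != '|'; ++p)
        ;
    len = (size_t)(p - start);
    for (i = 0; i < NUM_EVENTS; ++i)
        if (strlen(event_names[i]) == len && strncmp(event_names[i], start, len) == 0)
            break;
    if (*p == ',')
        ++p;
    *end = p;
    return (event_T)i;      /* i == NUM_EVENTS when no name matched */
}

/* The guard from the second hunk of the patch: never use the sentinel as
 * an index into first_autopat[]. */
static int
has_autocmds(event_T event)
{
    if (event == NUM_EVENTS)
        return 0;
    return first_autopat[(int)event] != 0;
}

/* Pre-patch loop condition from do_doautocmd(), instrumented with an
 * iteration cap so the example terminates; -1 means the original would hang. */
static int
count_events_unfixed(const char *arg)
{
    int done = 0, iterations = 0;

    while (*arg && !isspace((unsigned char)*arg))
    {
        if (++iterations > 64)
            return -1;
        if (has_autocmds(event_name2nr(arg, &arg)))
            ++done;
    }
    return done;
}

/* Post-patch loop condition (stops at '|'), plus a progress check that turns
 * any future "parser did not advance" case into an error instead of a hang. */
static int
count_events(const char *arg)
{
    int done = 0;

    while (*arg && *arg != '|' && !isspace((unsigned char)*arg))
    {
        const char *before = arg;

        if (has_autocmds(event_name2nr(arg, &arg)))
            ++done;
        if (arg == before)
            return -1;
    }
    return done;
}

int
main(void)
{
    /* Constructed inputs; "|" mirrors the ":do |" case from the report. */
    const char *inputs[] = { "BufEnter,WinEnter", "BufLeave", "|", "Unknown|qa", "BufEnter x" };
    size_t n;

    for (n = 0; n < sizeof(inputs) / sizeof(inputs[0]); ++n)
        printf("%-20s unfixed=%2d fixed=%2d\n", inputs[n],
               count_events_unfixed(inputs[n]), count_events(inputs[n]));
    return 0;
}
```

The point the two loops make side by side: the separator check alone stops the spin, and the sentinel check alone stops the out-of-bounds index, but only together do they cover both halves of the reported behaviour, which is why the patch touches both functions.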
commit f0b3e4fa57387068cbb2a82ad3931d8e1fb84d63 Author: James McCoy <james...@jamessan.com> Date: Sat Jul 8 20:37:00 2017 -0400 Prevent an infinite loop and OOB access when ":do \|" is run This is POC1 from <https://bugzilla.redhat.com/show_bug.cgi?id=1468492>. diff --git a/src/fileio.c b/src/fileio.c index 0f59d809d..0213d2d1a 100644 --- a/src/fileio.c +++ b/src/fileio.c @@ -8863,7 +8863,7 @@ do_doautocmd( /* * Loop over the events. */ - while (*arg && !VIM_ISWHITE(*arg)) + while (*arg && *arg != '|' && !VIM_ISWHITE(*arg)) if (apply_autocmds_group(event_name2nr(arg, &arg), fname, NULL, TRUE, group, curbuf, NULL)) nothing_done = FALSE; @@ -9385,7 +9385,8 @@ apply_autocmds_group( * Quickly return if there are no autocommands for this event or * autocommands are blocked. */ - if (first_autopat[(int)event] == NULL || autocmd_blocked > 0) + if (event == NUM_EVENTS || first_autopat[(int)event] == NULL + || autocmd_blocked > 0) goto BYPASS_AU; /*
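Review bot: In the first hunk, the loop still relies on event_name2nr(arg, &arg) moving `arg` forward on every iteration; the added `*arg != '|'` test covers the separator case this report hit, but there is no progress guard for any other input on which event_name2nr might return without advancing. Consider saving `arg` before the call and breaking out (with an error) when it is unchanged, so an unexpected terminator fails loudly instead of hanging.

Review bot: In the second hunk, the `event == NUM_EVENTS` test is what keeps `first_autopat[(int)event]` in bounds, but the comment directly above it ("Quickly return if there are no autocommands for this event or autocommands are blocked") does not mention the unknown-event case; extend it so the reason for the sentinel check is recorded next to the code. A regression test that sources the ":do |" case from the commit message would also be worth adding, since the loop change in the first hunk and this guard each cover only part of the reported behaviour (the hang and the out-of-bounds read respectively).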