Hi,

On Mon, Dec 18, 2017 at 4:19 PM, gy741 <[email protected]> wrote:
> Hello.
>
> I found a heap-use-after-free bug in vim.
>
> Please confirm.
>
> Thanks.
>
> Summary: heap-use-after-free
> OS: CentOS 7 64bit
> Version: b254af3
> PoC Download: free_ex_cbuffer.zip
>

When I uncompress this file, the resulting file contains some
undecipherable data. Can you attach a sample Vim script to reproduce
this problem?

Thanks,
Yegappan

>
> Steps to reproduce:
> 1. Download the .POC files.
> 2. Compile the source code with ASan.
> 3. Execute the following command:
>    ./vim -u NONE -Z -X -e -s -S $POC -c :qa!
>
> =================================================================
> ==22864==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00001b088 at pc 0x000000ee0956 bp 0x7ffe1d926970 sp 0x7ffe1d926968
> READ of size 4 at 0x61a00001b088 thread T0
>     #0 0xee0955 in ex_cbuffer /home/karas/vim/src/quickfix.c:5569:32
>     #1 0x847da1 in do_one_cmd /home/karas/vim/src/ex_docmd.c:2908:2
>     #2 0x82727d in do_cmdline /home/karas/vim/src/ex_docmd.c:1071:17
>     #3 0x813fb7 in do_source /home/karas/vim/src/ex_cmds2.c:4411:5
>     #4 0x810477 in cmd_source /home/karas/vim/src/ex_cmds2.c:4024:14
>     #5 0x810596 in ex_source /home/karas/vim/src/ex_cmds2.c:3999:2
>     #6 0x847da1 in do_one_cmd /home/karas/vim/src/ex_docmd.c:2908:2
>     #7 0x82727d in do_cmdline /home/karas/vim/src/ex_docmd.c:1071:17
>     #8 0x82c835 in do_cmdline_cmd /home/karas/vim/src/ex_docmd.c:671:12
>     #9 0x1658084 in exe_commands /home/karas/vim/src/main.c:2953:2
>     #10 0x1651bc6 in vim_main2 /home/karas/vim/src/main.c:800:2
>     #11 0x1642d2d in main /home/karas/vim/src/main.c:429:12
>     #12 0x7f24abc4282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
>     #13 0x41aaa8 in _start (/home/karas/vim/src/vim+0x41aaa8)
>
> 0x61a00001b088 is located 8 bytes inside of 1216-byte region [0x61a00001b080,0x61a00001b540)
> freed by thread T0 here:
>     #0 0x4baa50 in __interceptor_cfree.localalias.0 (/home/karas/vim/src/vim+0x4baa50)
>     #1 0xbf0b8b in vim_free /home/karas/vim/src/misc2.c:1801:2
>     #2 0xe96e04 in ll_free_all /home/karas/vim/src/quickfix.c:1419:2
>     #3 0xe967ba in qf_free_all /home/karas/vim/src/quickfix.c:1432:2
>     #4 0x148f76a in win_free /home/karas/vim/src/window.c:4692:5
>     #5 0x14abdf4 in win_free_mem /home/karas/vim/src/window.c:2572:5
>     #6 0x1475d99 in win_close /home/karas/vim/src/window.c:2413:10
>     #7 0x5062cf in do_buffer /home/karas/vim/src/buffer.c:1456:10
>     #8 0x50d85f in do_bufdel /home/karas/vim/src/buffer.c:1133:8
>     #9 0x89ad33 in ex_bunload /home/karas/vim/src/ex_docmd.c:5535:19
>     #10 0x847da1 in do_one_cmd /home/karas/vim/src/ex_docmd.c:2908:2
>     #11 0x82727d in do_cmdline /home/karas/vim/src/ex_docmd.c:1071:17
>     #12 0x9bc1d0 in apply_autocmds_group /home/karas/vim/src/fileio.c:9719:2
>     #13 0x983745 in apply_autocmds /home/karas/vim/src/fileio.c:9253:12
>     #14 0xedf37b in ex_cbuffer /home/karas/vim/src/quickfix.c:5530:28
>     #15 0x847da1 in do_one_cmd /home/karas/vim/src/ex_docmd.c:2908:2
>     #16 0x82727d in do_cmdline /home/karas/vim/src/ex_docmd.c:1071:17
>     #17 0x813fb7 in do_source /home/karas/vim/src/ex_cmds2.c:4411:5
>     #18 0x810477 in cmd_source /home/karas/vim/src/ex_cmds2.c:4024:14
>     #19 0x810596 in ex_source /home/karas/vim/src/ex_cmds2.c:3999:2
>     #20 0x847da1 in do_one_cmd /home/karas/vim/src/ex_docmd.c:2908:2
>     #21 0x82727d in do_cmdline /home/karas/vim/src/ex_docmd.c:1071:17
>     #22 0x82c835 in do_cmdline_cmd /home/karas/vim/src/ex_docmd.c:671:12
>     #23 0x1658084 in exe_commands /home/karas/vim/src/main.c:2953:2
>     #24 0x1651bc6 in vim_main2 /home/karas/vim/src/main.c:800:2
>     #25 0x1642d2d in main /home/karas/vim/src/main.c:429:12
>     #26 0x7f24abc4282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
>
> previously allocated by thread T0 here:
>     #0 0x4babd8 in malloc (/home/karas/vim/src/vim+0x4babd8)
>     #1 0xbece08 in lalloc /home/karas/vim/src/misc2.c:954:21
>     #2 0xbecd57 in alloc /home/karas/vim/src/misc2.c:852:13
>     #3 0xe9b711 in ll_new_list /home/karas/vim/src/quickfix.c:1536:23
>     #4 0xe9200f in ll_get_or_alloc_list /home/karas/vim/src/quickfix.c:1564:16
>     #5 0xedefb6 in ex_cbuffer /home/karas/vim/src/quickfix.c:5514:7
>     #6 0x847da1 in do_one_cmd /home/karas/vim/src/ex_docmd.c:2908:2
>     #7 0x82727d in do_cmdline /home/karas/vim/src/ex_docmd.c:1071:17
>     #8 0x813fb7 in do_source /home/karas/vim/src/ex_cmds2.c:4411:5
>     #9 0x810477 in cmd_source /home/karas/vim/src/ex_cmds2.c:4024:14
>     #10 0x810596 in ex_source /home/karas/vim/src/ex_cmds2.c:3999:2
>     #11 0x847da1 in do_one_cmd /home/karas/vim/src/ex_docmd.c:2908:2
>     #12 0x82727d in do_cmdline /home/karas/vim/src/ex_docmd.c:1071:17
>     #13 0x82c835 in do_cmdline_cmd /home/karas/vim/src/ex_docmd.c:671:12
>     #14 0x1658084 in exe_commands /home/karas/vim/src/main.c:2953:2
>     #15 0x1651bc6 in vim_main2 /home/karas/vim/src/main.c:800:2
>     #16 0x1642d2d in main /home/karas/vim/src/main.c:429:12
>     #17 0x7f24abc4282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
>
> SUMMARY: AddressSanitizer: heap-use-after-free /home/karas/vim/src/quickfix.c:5569:32 in ex_cbuffer
> Shadow bytes around the buggy address:
>   0x0c347fffb5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c347fffb5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c347fffb5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c347fffb5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c347fffb600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c347fffb610: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffb620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffb630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffb640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffb650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffb660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==22864==ABORTING
>
> =================
> [Acknowledgement]
> This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
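The three ASan stacks in the quoted report describe one pattern: ex_cbuffer obtains a quickfix list (ll_get_or_alloc_list), then runs autocommands (apply_autocmds); one of them executes :bunload, which closes a window and frees that list (win_close -> win_free -> qf_free_all); ex_cbuffer then reads through the pointer it is still holding. The C example below is added here as an illustration and is not Vim's code or part of this thread. It models the pattern with constructed types (qf_list_t, window_t, an autocmd_fn hook standing in for the autocommand) and shows the defensive shape for any "callback may free my state" situation: hold only an identifier across the callback, re-resolve the object afterwards, and abort the command when it is gone. The id-based lookup is an assumption of this example, not a description of Vim's fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the objects in the report (not Vim's code):
 * a window owns one quickfix list; an autocommand hook run in the middle
 * of a command may close that window, which frees the list. */
typedef struct qf_list {
    unsigned id;        /* unique per allocation, never reused */
    int      count;     /* number of entries in the list */
} qf_list_t;

typedef struct window {
    qf_list_t *qf;      /* NULL once the window has been closed */
} window_t;

static unsigned next_qf_id = 1;

qf_list_t *qf_alloc(void)
{
    qf_list_t *qi = calloc(1, sizeof *qi);
    if (qi == NULL)
        abort();
    qi->id = next_qf_id++;
    return qi;
}

/* Models win_close -> win_free -> qf_free_all from the trace. */
void win_close(window_t *w)
{
    free(w->qf);
    w->qf = NULL;
}

/* Re-resolve the list by id; NULL if it was freed or replaced meanwhile. */
qf_list_t *qf_find_by_id(const window_t *w, unsigned id)
{
    return (w->qf != NULL && w->qf->id == id) ? w->qf : NULL;
}

typedef void (*autocmd_fn)(window_t *w);

/* Hook standing in for the :bunload autocommand in the report. */
void autocmd_close_window(window_t *w)
{
    win_close(w);
}

/* Vulnerable shape: a pointer obtained before the hook is reused after it. */
int cbuffer_unsafe(window_t *w, autocmd_fn hook)
{
    if (w->qf == NULL)
        w->qf = qf_alloc();
    qf_list_t *qi = w->qf;          /* cached across the callback */
    if (hook != NULL)
        hook(w);                    /* may free qi */
    return qi->count;               /* heap-use-after-free when it did */
}

/* Hardened shape: keep only the id, re-resolve after the hook, abort if gone. */
int cbuffer_safe(window_t *w, autocmd_fn hook)
{
    if (w->qf == NULL)
        w->qf = qf_alloc();
    unsigned saved_id = w->qf->id;
    if (hook != NULL)
        hook(w);
    qf_list_t *qi = qf_find_by_id(w, saved_id);
    if (qi == NULL)
        return -1;                  /* list vanished during the autocommand */
    return qi->count;
}

int main(void)
{
    window_t w = { NULL };
    printf("no autocmd: %d\n", cbuffer_safe(&w, NULL));
    printf("autocmd closed window: %d\n", cbuffer_safe(&w, autocmd_close_window));
    /* cbuffer_unsafe(&w, autocmd_close_window) is the shape ASan reports above. */
    return 0;
}
```

Compiled with -fsanitize=address, only the unsafe variant with the window-closing hook produces a heap-use-after-free report; the hardened variant returns -1 and the caller aborts the command instead of touching freed memory.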
