
Fuzzing VIM

Hi Internet,

Summary:
I started fuzzing VIM v8.0.1773 and observed an Out-Of-Bound issue, and during source code review we found a Denial Of Service. Both issues were reported to Bram Moolenaar. Apparently no CVE was assigned to this issue.

Let's get started!
After I reported the Out-Of-Bound issue it turned out to be a false positive; I had tested it manually using a memory checker, i.e. valgrind.

The Denial Of Service actually took me a long time to figure out, because it was the very first time I did a source code review of 10,000 lines, and I suck at coding. What I observed here (https://github.com/vim/vim/blob/master/src/fileio.c) was that readfile() always reads 64 kbyte at a time and then copies what was already read, so the cost of reading one long line grows with the square of its length.

Testcase:
I can simply pass a larger buffer to readfile() to cause a Denial Of Service #Bingo.
For the testcase I generated a 25 MB file which contains `AAAAA` in a single line and tried opening it in VIM; this causes VIM to hang *HiFi*
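To see why a single 25 MB line is enough to hang the editor, here is an added model (my own code, not Vim's) that counts the bytes copied under the 64 kbyte read-then-recopy pattern described above, next to a doubling buffer used only as an assumed point of comparison (it is not the strategy of Bram's patch):

```c
#include <stdio.h>
#include <inttypes.h>

/* 64 KiB per read(), the `size = 0x10000L` in the snippet below. */
#define READ_CHUNK 0x10000ULL

/* Bytes memcpy'd while reading a line of line_len bytes when, after every
 * chunk, everything already read is copied again (the pattern the post
 * describes): grows with the square of the line length. */
uint64_t bytes_copied_recopy(uint64_t line_len, uint64_t chunk)
{
    uint64_t have = 0, copied = 0;
    while (have < line_len) {
        uint64_t n = (line_len - have < chunk) ? line_len - have : chunk;
        copied += have;             /* re-copy what was already read */
        have += n;
    }
    return copied;
}

/* Same read loop, but the line buffer is doubled when full and the bytes
 * already read move only on that reallocation. An assumed comparison
 * strategy for illustration, not what Vim's patch does: linear in line_len. */
uint64_t bytes_copied_doubling(uint64_t line_len, uint64_t chunk)
{
    uint64_t cap = chunk, have = 0, copied = 0;
    while (have < line_len) {
        uint64_t n = (line_len - have < chunk) ? line_len - have : chunk;
        if (have + n > cap) {       /* buffer full: grow, move old bytes once */
            copied += have;
            while (have + n > cap)
                cap *= 2;
        }
        have += n;
    }
    return copied;
}

int main(void)
{
    /* Constructed input: the post's 25 MB single-line `AAAAA` file. */
    uint64_t line = 25ULL * 1024 * 1024;
    uint64_t recopy = bytes_copied_recopy(line, READ_CHUNK);
    uint64_t doubling = bytes_copied_doubling(line, READ_CHUNK);
    printf("re-copy pattern : %" PRIu64 " bytes copied (%.1f GiB)\n",
           recopy, (double)recopy / (1ULL << 30));
    printf("doubling buffer : %" PRIu64 " bytes copied (%.1f MiB)\n",
           doubling, (double)doubling / (1ULL << 20));
    return 0;
}
```

For the 25 MB line the re-copy pattern moves about 4.9 GiB of memory across 400 reads, which is the hang; the doubling buffer moves about 32 MiB.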

Thanks to Bram, who released the patch quickly; this is fixed in VIM v8.0.1774 and above.

Snippet of the vulnerable code:
       
* The amount is limited by the fact that read() only can read
* The amount is limited by the fact that read() only can read
* upto max_unsigned characters (and other things).
* upto max_unsigned characters (and other things).
*/
*/
-#if VIM_SIZEOF_INT <= 2
+ if (!skip_read)
- if (linerest >= 0x7ff0)
  {
  {
-     ++split;
-     *ptr = NL;      /* split line by inserting a NL */
-     size = 1;
- }
- else
-#endif
- {
-     if (!skip_read)
-     {
 #if VIM_SIZEOF_INT > 2
 #if VIM_SIZEOF_INT > 2
 # if defined(SSIZE_MAX) && (SSIZE_MAX < 0x10000L)
 # if defined(SSIZE_MAX) && (SSIZE_MAX < 0x10000L)
   size = SSIZE_MAX;      /* use max I/O size, 52K */
   size = SSIZE_MAX;      /* use max I/O size, 52K */
 # else
 # else
-  size = 0x10000L;      /* use buffer >= 64K */
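Review bot: this excerpt is hard to review as pasted: the comment lines, `{`, `#if VIM_SIZEOF_INT > 2`, `size = SSIZE_MAX;` and `# else` each appear twice with no `-`/`+` marker on either copy, so a reader cannot tell a re-indented replacement from a paste duplicate, and the hunk stops at the removed `-  size = 0x10000L;` line without the `+` lines that replace it, so what the fix puts in its place is not visible here. Suggest replacing the snippet with the hunk copied verbatim from the linked commit, including the added lines that follow.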
       
 
Src: https://github.com/vim/vim/commit/13d3b05ed2cf9a54b18b4e8236f0af2c5386200c

Request for CVE:
MITRE replied - We typically cannot provide a CVE ID for an issue that results in slow performance by a desktop or command-line program. However, thank you for your effort in finding this VIM bug.

Hope you like the read. PS: Hardik Mehta & Zubin


Regards
Dhiraj
