Another Vim modeline vulnerability

James Vega jamessan at debian.org
Tue Jun 19 15:18:56 UTC 2007


On Mon, Jun 18, 2007 at 08:50:11PM +0100, Ciaran McCreesh wrote:
> The attack: A malicious user can make a small spell file that, when
> used, will cause Vim to allocate large (2GBytes is easy) amounts of
> memory. The malicious user can then create a document with a modeline
> that tells Vim to use this spell file.
> 
> The fix: The attached patch bans pathnames for the spelllang option.
> (This affects both modeline and non-modeline settings of the value.)

The patch that Ciaran included doesn't prevent the case where
'spelllang' is set to a filename (no path components) and Vim is run in
the directory of that file.

I've attached a replacement patch that I will be sending to Bram to see
what his thoughts are.  It does not restrict the valid values of
'spelllang' but instead changes the behavior of the function that reads
the spell file to stop reading when it gets to the end of the spell
file.  The memory is then realloced if less memory was required than
initially requested by alloc().

This patch should help for most (all?) Linux systems since they have
Copy On Write memory access.  There will still be an initial request for
a large amount of memory, but it will not be realized unless the
malicious spellfile is very large.  A user could run into similar
scenarios with very large spellfiles.

The behavior of non-Linux systems (both for the actual bug and with this
patch applied) is something that I don't have access to test at the
moment.  Ideally, a solution that works for most common platforms Vim
supports could be developed, but for the time being this or Ciaran's
patch will have to suffice.

> I haven't published details of this anywhere, so unless someone else
> has worked it out independently and isn't telling anyone, there's no
> exploit in the wild.

Unfortunately, I wasn't aware of this when talking to Ciaran before he
sent the email so his email went to the public pkg-vim mailing list for
Debian.

James
-- 
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spell.c_getc-eof.diff
Type: text/x-diff
Size: 914 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-vim-maintainers/attachments/20070619/a2d49ebc/attachment.diff 
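As an added illustration of the defensive pattern James describes (this is not the attached patch and not Vim's real .spl file format): a section reader that treats a length declared in the file as a claim rather than a fact. Like the patch, it stops reading at EOF and shrinks the buffer to what was actually read; it additionally caps the initial allocation instead of relying on copy-on-write overcommit. The 4-byte big-endian header, the reader_t buffer, MAX_SECTION, load_sample and the sample bytes are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the file the spell loader reads: a byte buffer
 * with a cursor and a getc-style accessor that returns EOF when exhausted. */
typedef struct { const unsigned char *buf; size_t len, pos; } reader_t;

static int rd_getc(reader_t *r) {
    return r->pos < r->len ? r->buf[r->pos++] : EOF;
}

#define MAX_SECTION (16UL * 1024 * 1024)  /* cap on one section's allocation */

/* Read one section: a 4-byte big-endian declared length, then the payload.
 * The declared length is a claim, not a fact: it is capped, reading stops
 * at EOF, and the buffer is then shrunk to the bytes actually present.
 * Returns payload bytes read (buffer in *out, caller frees), or -1. */
static long read_section(reader_t *r, unsigned char **out) {
    unsigned long declared = 0, n = 0;
    unsigned char *p, *q;
    int c;
    *out = NULL;
    for (int i = 0; i < 4; i++) {
        if ((c = rd_getc(r)) == EOF) return -1;     /* truncated header */
        declared = (declared << 8) | (unsigned long)c;
    }
    if (declared > MAX_SECTION) return -1;          /* refuse absurd claims */
    if ((p = malloc(declared ? declared : 1)) == NULL) return -1;
    while (n < declared && (c = rd_getc(r)) != EOF) /* stop at EOF too */
        p[n++] = (unsigned char)c;

    if (n < declared && (q = realloc(p, n ? n : 1)) != NULL)
        p = q;                                      /* give back the excess */
    *out = p;
    return (long)n;
}

/* Helper for the checks: run read_section over a constructed byte string and
 * return the payload length (-1 if rejected, -2 if the payload mismatches). */
static long load_sample(const char *bytes, size_t len, const char *expect) {
    reader_t r = { (const unsigned char *)bytes, len, 0 };
    unsigned char *buf;
    long n = read_section(&r, &buf);
    if (n >= 0 && memcmp(buf, expect, (size_t)n) != 0) n = -2;
    free(buf);
    return n;
}
```

With the header claiming 1 MiB but only "abc" following, load_sample returns 3 and the buffer ends up 3 bytes long; a header claiming 2 GiB is rejected before any allocation.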