VYPR
Unrated severity · NVD Advisory · Published Sep 2, 2023 · Updated Feb 13, 2025

Integer Overflow or Wraparound in vim/vim

CVE-2023-4734

Description

An integer overflow in Vim before 9.0.1846 can cause a crash or arbitrary code execution when a crafted file is parsed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

An integer overflow or wraparound vulnerability exists in the fullcommand() function of Vim prior to version 9.0.1846. The issue occurs when the function receives an integer argument that is not a valid string pointer, leading to a memory safety violation. This was addressed in commit 4c6fe2e which replaced the direct access to argvars[0].vval.v_string with a call to tv_get_string() that properly handles non-string types [2]. The vulnerability is reachable when Vim parses a specially crafted file, as noted in Apple's security advisory [1].
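
The two access patterns described above, shown side by side as an added example in C. This is not Vim's source or the patch itself: `value`, `get_string_unchecked` and `get_string_checked` are hypothetical names modelling a tagged union, and the checked accessor's behaviour (numbers formatted as text, other types yielding an empty string) is an assumption of this model. The number 10 is the argument from the test case the page cites.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a tagged script value; hypothetical, not Vim's typval_T. */
typedef enum { VAL_NUMBER, VAL_STRING, VAL_LIST } val_type;

typedef struct {
    val_type type;
    union {
        intptr_t v_number;   /* valid only when type == VAL_NUMBER */
        char    *v_string;   /* valid only when type == VAL_STRING */
    } vval;
} value;

/* Pre-fix pattern: reads the string member without checking the tag.
 * For a number, the integer's bits come back as a "pointer". */
static char *get_string_unchecked(const value *v)
{
    return v->vval.v_string;
}

/* Post-fix pattern: dispatch on the tag first. Numbers are formatted into
 * the caller's buffer; types with no string form yield "". */
static const char *get_string_checked(const value *v, char *buf, size_t len)
{
    switch (v->type) {
    case VAL_STRING:
        return v->vval.v_string != NULL ? v->vval.v_string : "";
    case VAL_NUMBER:
        snprintf(buf, len, "%lld", (long long)v->vval.v_number);
        return buf;
    default:
        return "";
    }
}

int main(void)
{
    char buf[32];
    value arg = { .type = VAL_NUMBER, .vval.v_number = 10 }; /* models fullcommand(10) */

    /* Print the bogus address only; dereferencing it is the invalid read. */
    printf("unchecked: %p\n", (void *)get_string_unchecked(&arg));
    printf("checked:   \"%s\"\n", get_string_checked(&arg, buf, sizeof buf));
    return 0;
}
```

The unchecked accessor hands back address 0xa, which any later string operation would read from; the checked accessor returns the text "10" instead.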

Exploitation

An attacker can exploit this vulnerability by convincing a target to open a malicious file in Vim. No special network position or authentication is required, as the attack vector relies on user interaction. The crafted file triggers the code path in f_fullcommand(), causing the integer to be treated as a pointer, which leads to a read from an invalid memory address. The provided test case fullcommand(10) demonstrates that passing a non-string argument like the integer 10 triggers the crash [2].

Impact

Successful exploitation can lead to an unexpected application termination (crash) or arbitrary code execution with the privileges of the Vim process. Apple's advisory describes the impact as "parsing a file may lead to an unexpected app termination or arbitrary code execution" [1]. An attacker could potentially execute arbitrary commands on the affected system.

Mitigation

Users should update to Vim version 9.0.1846 or later, which contains the fix [2]. Apple has also addressed this vulnerability in macOS Sonoma 14.1, released on October 25, 2023, by removing the vulnerable code [1]. No workarounds are available, and users are strongly advised to apply the latest patches.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

29

References

4
