Lucene search
Janette880A9BD71E-66B8-4EB1-9566-7DFD9B097E59HistoryAug 12, 2022 - 1:49 p.m.
Heap-based Buffer Overflow in function compile_lock_unlock in vim/vim
2022-08-1213:49:23
janette88
www.huntr.dev
10
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
21.8%
Description
Heap-based Buffer Overflow in function compile_lock_unlock at vim/src/vim9cmds.c:196
#vim version
git log
commit 326c5d36e7cb8526330565109c17b4a13ff790ae (grafted, HEAD -> master, tag: v9.0.0194, origin/master, origin/HEAD)
Proof of Concept
./vim -u NONE -X -Z -e -s -S poc2_hbo_M.dat -c :qa!
=================================================================
==47794==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000061b6 at pc 0x5571726b8dac bp 0x7ffcc9cd79d0 sp 0x7ffcc9cd79c0
READ of size 1 at 0x6020000061b6 thread T0
#0 0x5571726b8dab in compile_lock_unlock /home/fuzz/vim/src/vim9cmds.c:196
#1 0x5571721cc5c1 in ex_unletlock /home/fuzz/vim/src/evalvars.c:1935
#2 0x5571726b944a in compile_unletlock /home/fuzz/vim/src/vim9cmds.c:263
#3 0x5571726d7cf3 in compile_def_function /home/fuzz/vim/src/vim9compile.c:3172
#4 0x5571726af7f9 in ex_defcompile /home/fuzz/vim/src/userfunc.c:5098
#5 0x55717220a640 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#6 0x5571722018e3 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#7 0x557172524865 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
#8 0x557172525997 in do_source /home/fuzz/vim/src/scriptfile.c:1801
#9 0x557172522526 in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
#10 0x55717252258b in ex_source /home/fuzz/vim/src/scriptfile.c:1200
#11 0x55717220a640 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#12 0x5571722018e3 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#13 0x5571721ffc7d in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
#14 0x5571727fba30 in exe_commands /home/fuzz/vim/src/main.c:3133
#15 0x5571727f4b9e in vim_main2 /home/fuzz/vim/src/main.c:780
#16 0x5571727f4456 in main /home/fuzz/vim/src/main.c:432
#17 0x7f5407af7082 in __libc_start_main ../csu/libc-start.c:308
#18 0x557172081e4d in _start (/home/fuzz/vim/src/vim+0x139e4d)
0x6020000061b6 is located 0 bytes to the right of 6-byte region [0x6020000061b0,0x6020000061b6)
allocated by thread T0 here:
#0 0x7f5407f8e808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55717208228a in lalloc /home/fuzz/vim/src/alloc.c:246
#2 0x55717208207b in alloc /home/fuzz/vim/src/alloc.c:151
#3 0x5571725b754d in vim_strsave /home/fuzz/vim/src/strings.c:27
#4 0x5571726d609c in compile_def_function /home/fuzz/vim/src/vim9compile.c:2889
#5 0x5571726af7f9 in ex_defcompile /home/fuzz/vim/src/userfunc.c:5098
#6 0x55717220a640 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#7 0x5571722018e3 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#8 0x557172524865 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
#9 0x557172525997 in do_source /home/fuzz/vim/src/scriptfile.c:1801
#10 0x557172522526 in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
#11 0x55717252258b in ex_source /home/fuzz/vim/src/scriptfile.c:1200
#12 0x55717220a640 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#13 0x5571722018e3 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#14 0x5571721ffc7d in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
#15 0x5571727fba30 in exe_commands /home/fuzz/vim/src/main.c:3133
#16 0x5571727f4b9e in vim_main2 /home/fuzz/vim/src/main.c:780
#17 0x5571727f4456 in main /home/fuzz/vim/src/main.c:432
#18 0x7f5407af7082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vim/src/vim9cmds.c:196 in compile_lock_unlock
Shadow bytes around the buggy address:
0x0c047fff8be0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8c00: fa fa 00 00 fa fa 00 00 fa fa 05 fa fa fa fd fa
0x0c047fff8c10: fa fa fd fa fa fa 00 05 fa fa 06 fa fa fa 02 fa
0x0c047fff8c20: fa fa 00 05 fa fa fd fa fa fa 02 fa fa fa fd fa
=>0x0c047fff8c30: fa fa 02 fa fa fa[06]fa fa fa fa fa fa fa fa fa
0x0c047fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==47794==ABORTING
<p><a href=“https://github.com/Janette88/vim/blob/main/poc2_hbo_M.dat”>poc2_hbo_M.dat</a></p>
Related
cbl_mariner
cbl_mariner
CVE-2022-2819 affecting package vim 9.0.0181-1
2022-09-17 05:56:39
CVE-2022-2819 affecting package vim for versions less than 9.0.0325-1
2022-09-16 06:05:42
alpinelinux
alpinelinux
CVE-2022-2819
2022-08-15 11:21:00
prion
prion
Heap overflow
2022-08-15 11:21:00
ubuntucve
ubuntucve
CVE-2022-2819
2022-08-15 00:00:00
veracode
veracode
Heap-based Buffer Overflow
2022-08-19 16:46:17
redhatcve
redhatcve
CVE-2022-2819
2022-08-16 09:08:12
debiancve
debiancve
CVE-2022-2819
2022-08-15 11:21:00
cve
cve
CVE-2022-2819
2022-08-15 11:21:00
osv
osv
CVE-2022-2819
2022-08-15 11:21:00
vim vulnerabilities
2023-08-21 05:45:06
slackware
slackware
[slackware-security] vim
2022-08-17 20:47:32
nessus
nessus
Ubuntu 18.04 ESM / 20.04 LTS / 22.04 LTS : Vim vulnerabilities (USN-6302-1)
2023-08-21 00:00:00
Amazon Linux AMI : vim (ALAS-2022-1639)
2022-10-21 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: vim-9.0.213-1.fc35
2022-08-23 14:45:29
openvas
openvas
Slackware: Security Advisory (SSA:2022-229-01)
2022-08-18 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-6f5e420e52)
2022-08-24 00:00:00
Ubuntu: Security Advisory (USN-6302-1)
2023-08-21 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0359
2023-03-20 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0554
2023-03-21 00:00:00
cloudfoundry
cloudfoundry
USN-6302-1: Vim vulnerabilities | Cloud Foundry
2023-10-05 00:00:00
ubuntu
ubuntu
Vim vulnerabilities
2023-08-21 00:00:00
suse
suse
Security update for vim (important)
2022-09-09 00:00:00
mageia
mageia
Updated vim packages fix security vulnerability
2022-11-19 01:50:51
gentoo
gentoo
Vim, gVim: Multiple Vulnerabilities
2023-05-03 00:00:00
avleonov
avleonov
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
21.8%
Related for 0A9BD71E-66B8-4EB1-9566-7DFD9B097E59