
Null pointer dereference in get_register at register.c:311

2023-03-2321:49:44
thkim0
www.huntr.dev
10

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:N/I:N/A:P

0.0004 Low

EPSS

Percentile

8.6%


Description

Null pointer dereference in get_register() at register.c:311.
The y_current pointer is NULL because of the name argument: get_register() is entered with name=0x0 (see the backtrace below, frame #0), so the register lookup yields no yank register and the loop at line 311 dereferences y_current->y_array[i]. The crash is reached from a sourced script through :normal executing a put command (ex_normal → nv_put → nv_put_opt → get_register), and the impact is a segmentation fault (availability only), consistent with the CVSS vector above.

Version

$ git log
commit 3ea62381c527395ae701715335776f427d22eb7b (HEAD -> master, tag: v9.0.1425, origin/master, origin/HEAD)
Author: Amaan Qureshi <amaanq12@gmail.com>
Date:   Thu Mar 23 15:45:46 2023 +0000

    patch 9.0.1425: "wat" and "wast" files are one filetype
    
    Problem:    "wat" and "wast" files are one filetype.
    Solution:   Add a separate filetype for "wat" files. (Amaan Qureshi,
                closes #12165)

Proof of Concept

$ ./vim -u NONE -i NONE -e -s -S poc -c :qa!
Segmentation fault

poc

GDB

$ gdb -q ./vim
Reading symbols from ./vim...
gdb-peda$ r -u NONE -i NONE -e -s -S poc -c :qa!
Starting program: /home/user/fuzzing_vim/recentvim/vim/src/vim -u NONE -i NONE -e -s -S poc -c :qa!
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffffff2140 --> 0x7fffffff2bf0 --> 0x6110000034c4 --> 0x80c256306d726f6e 
RCX: 0x0 
RDX: 0x8 
RSI: 0x8 
RDI: 0x6020000083b0 --> 0xbebebebebebebebe 
RBP: 0x7fffffff1d90 --> 0x7fffffff2030 --> 0x7fffffff2050 --> 0x7fffffff2650 --> 0x7fffffff2810 --> 0x7fffffff2830 (--> ...)
RSP: 0x7fffffff1d00 --> 0x0 
RIP: 0x555555dce8b3 (<get_register+515>:	mov    rdi,QWORD PTR [rax])
R8 : 0x7ffff7fb4000 --> 0x555556351f50 (:AsanThreadContext+16>:	0x00005555557b4c30)
R9 : 0x7ffff591d8e8 --> 0x555555e0e0ca (<cmd_source+682>:	jmp    0x555555e0e335 <cmd_source+1301>)
R10: 0x7fffffff1508 --> 0x555555e0e0ca (<cmd_source+682>:	jmp    0x555555e0e335 <cmd_source+1301>)
R11: 0xf0 
R12: 0x7fffffffde28 --> 0x7fffffffe20a ("/home/user/fuzzing_vim/recentvim/vim/src/vim")
R13: 0x55555621f4e0 (<main>:	push   rbp)
R14: 0x555556351a88 --> 0x5555557e36b0 (<asan.module_dtor>:	push   rbp)
R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555dce8a6 <get_register+502>:	mov    rdi,QWORD PTR [rbp-0x70]
   0x555555dce8aa <get_register+506>:	call   0x5555557ae9e0 <__asan_report_load8>
   0x555555dce8af <get_register+511>:	mov    rax,QWORD PTR [rbp-0x70]
=> 0x555555dce8b3 <get_register+515>:	mov    rdi,QWORD PTR [rax]
   0x555555dce8b6 <get_register+518>:	call   0x555555ee67d0 <vim_strsave>
   0x555555dce8bb <get_register+523>:	mov    QWORD PTR [rbp-0x80],rax
   0x555555dce8bf <get_register+527>:	mov    rax,QWORD PTR [rbp-0x18]
   0x555555dce8c3 <get_register+531>:	mov    QWORD PTR [rbp-0x78],rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff1d00 --> 0x0 
0008| 0x7fffffff1d08 --> 0x50 ('P')
0016| 0x7fffffff1d10 --> 0x0 
0024| 0x7fffffff1d18 --> 0x55c1afcc 
0032| 0x7fffffff1d20 --> 0x0 
0040| 0x7fffffff1d28 --> 0x555556e094e0 --> 0x0 
0048| 0x7fffffff1d30 --> 0x0 
0056| 0x7fffffff1d38 --> 0x603000001608 --> 0x1 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555dce8b3 in get_register (name=0x0, copy=0x1) at register.c:311
311			reg->y_array[i] = vim_strsave(y_current->y_array[i]);
gdb-peda$ bt
#0  0x0000555555dce8b3 in get_register (name=0x0, copy=0x1) at register.c:311
#1  0x0000555555c4c015 in nv_put_opt (cap=0x7fffffff2080, fix_indent=0x0) at normal.c:7335
#2  0x0000555555c3a4b7 in nv_put (cap=0x7fffffff2080) at normal.c:7256
#3  0x0000555555c1854e in normal_cmd (oap=0x7fffffff2680, toplevel=0x1) at normal.c:939
#4  0x0000555555a175ad in exec_normal (was_typed=0x0, use_vpeekc=0x0, may_use_terminal_loop=0x0) at ex_docmd.c:8895
#5  0x0000555555a171d4 in exec_normal_cmd (cmd=0x6110000034c8 "0V\302\200PS\003\021P", remap=0x0, silent=0x0) at ex_docmd.c:8858
#6  0x0000555555a16f42 in ex_normal (eap=0x7fffffff2be0) at ex_docmd.c:8776
#7  0x00005555559f2190 in do_one_cmd (cmdlinep=0x7fffffff4080, flags=0x7, cstack=0x7fffffff40a0, fgetline=0x555555e12ea0 <getsourceline>, cookie=0x7fffffff50a0) at ex_docmd.c:2580
#8  0x00005555559e5f55 in do_cmdline (cmdline=0x611000001300 "d", fgetline=0x555555e12ea0 <getsourceline>, cookie=0x7fffffff50a0, flags=0x7) at ex_docmd.c:993
#9  0x0000555555e10c94 in do_source_ext (fname=0x0, check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x7fffffff5a20, clearvars=0x0) at scriptfile.c:1759
#10 0x0000555555e0e0ca in cmd_source (fname=0x6110000011c2 "", eap=0x7fffffff5a20) at scriptfile.c:1233
#11 0x0000555555e0de0e in ex_source (eap=0x7fffffff5a20) at scriptfile.c:1276
#12 0x00005555559f2190 in do_one_cmd (cmdlinep=0x7fffffff6ec0, flags=0x7, cstack=0x7fffffff6ee0, fgetline=0x555555e12ea0 <getsourceline>, cookie=0x7fffffff7ee0) at ex_docmd.c:2580
#13 0x00005555559e5f55 in do_cmdline (cmdline=0x611000000cc0 "d", fgetline=0x555555e12ea0 <getsourceline>, cookie=0x7fffffff7ee0, flags=0x7) at ex_docmd.c:993
#14 0x0000555555e10c94 in do_source_ext (fname=0x0, check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x7fffffff8860, clearvars=0x0) at scriptfile.c:1759
#15 0x0000555555e0e0ca in cmd_source (fname=0x611000000b82 "", eap=0x7fffffff8860) at scriptfile.c:1233
#16 0x0000555555e0de0e in ex_source (eap=0x7fffffff8860) at scriptfile.c:1276
#17 0x00005555559f2190 in do_one_cmd (cmdlinep=0x7fffffff9d00, flags=0x7, cstack=0x7fffffff9d20, fgetline=0x555555e12ea0 <getsourceline>, cookie=0x7fffffffad20) at ex_docmd.c:2580
#18 0x00005555559e5f55 in do_cmdline (cmdline=0x611000000540 "d", fgetline=0x555555e12ea0 <getsourceline>, cookie=0x7fffffffad20, flags=0x7) at ex_docmd.c:993
#19 0x0000555555e10c94 in do_source_ext (fname=0x602000006393 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0) at scriptfile.c:1759
#20 0x0000555555e0e7c1 in do_source (fname=0x602000006393 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1905
#21 0x0000555555e0e310 in cmd_source (fname=0x602000006393 "poc", eap=0x7fffffffb6e0) at scriptfile.c:1250
#22 0x0000555555e0de0e in ex_source (eap=0x7fffffffb6e0) at scriptfile.c:1276
#23 0x00005555559f2190 in do_one_cmd (cmdlinep=0x7fffffffcb80, flags=0xb, cstack=0x7fffffffcba0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
#24 0x00005555559e5f55 in do_cmdline (cmdline=0x602000002850 "so poc", fgetline=0x0, cookie=0x0, flags=0xb) at ex_docmd.c:993
#25 0x00005555559e9051 in do_cmdline_cmd (cmd=0x602000002850 "so poc") at ex_docmd.c:587
#26 0x000055555622808d in exe_commands (parmp=0x555556e12620 <params>) at main.c:3146
#27 0x0000555556225e8b in vim_main2 () at main.c:782
#28 0x000055555621fa9f in main (argc=0xb, argv=0x7fffffffde28) at main.c:433
#29 0x00007ffff7c29d90 in __libc_start_call_main (main=main@entry=0x55555621f4e0 <main>, argc=argc@entry=0xb, argv=argv@entry=0x7fffffffde28) at ../sysdeps/nptl/libc_start_call_main.h:58
#30 0x00007ffff7c29e40 in __libc_start_main_impl (main=0x55555621f4e0 <main>, argc=0xb, argv=0x7fffffffde28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde18)
    at ../csu/libc-start.c:392
#31 0x0000555555723a75 in _start ()
