Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrSoaarony2C2D85A7-1171-4014-BF7F-A2451745861F
HistoryOct 10, 2023 - 12:01 p.m.

heap-use-after-free in function editing_arg_idx

2023-10-1012:01:26
soaarony
www.huntr.dev
18
vim
version
heap-use-after-free
addresssanitizer
memory-corruption
security-vulnerability

EPSS

0.001

Percentile

19.1%

JSON

Description

heap-use-after-free in function editing_arg_idx at arglist.c:516

Vim Version

git log
commit 54844857fd6933fa4f6678e47610c4b9c9f7a091 (HEAD -> master, tag: v9.0.2009, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S editing_arg_idx_POC_2 -c :qa!
=================================================================
==567275==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000119b8 at pc 0x56077f582b56 bp 0x7ffdb5a9d130 sp 0x7ffdb5a9d120
READ of size 4 at 0x6250000119b8 thread T0
    #0 0x56077f582b55 in editing_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516
    #1 0x56077f582da6 in check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:530
    #2 0x56077f584027 in alist_check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:339
    #3 0x56077f584027 in do_arglist /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:494
    #4 0x56077f58906e in ex_next /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:766
    #5 0x56077f94acbc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #6 0x56077f94acbc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #7 0x560780032ea5 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #8 0x5607800395f0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1908
    #9 0x5607800395f0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1253
    #10 0x56077f94acbc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #11 0x56077f94acbc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #12 0x5607806b58e1 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3173
    #13 0x5607806b58e1 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:790
    #14 0x56077f5728c5 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:441
    #15 0x7f2adb010d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7f2adb010e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #17 0x56077f5795e4 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x1a45e4)

0x6250000119b8 is located 184 bytes inside of 9424-byte region [0x625000011900,0x625000013dd0)
freed by thread T0 here:
    #0 0x7f2adbaaa517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x56077f57a88f in vim_free /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:616

previously allocated by thread T0 here:
    #0 0x7f2adbaaa867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x56077f579b3a in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-use-after-free /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516 in editing_arg_idx
Shadow bytes around the buggy address:
  0x0c4a7fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffa330: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c4a7fffa340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==567275==ABORTING

Related

nessus 31
veracode 1
openvas 22
alpinelinux 1
ubuntucve 1
nvd 1
cve 1
slackware 1
prion 1
vulnrichment 1
debiancve 1
cvelist 1
cbl_mariner 1
redhatcve 1
amazon 2
mageia 1
fedora 3
photon 3
redos 1
ubuntu 1
osv 1
cloudfoundry 1
ibm 2
nessus
nessus
Slackware Linux 15.0 / current vim Vulnerability (SSA:2023-297-02)
2023-10-24 00:00:00
CBL Mariner 2.0 Security Update: vim (CVE-2023-5535)
2024-07-13 00:00:00
Vim < 9.0.2010 Use-After-Free
2023-10-19 00:00:00
veracode
veracode
Use After Free
2023-10-19 04:10:13
openvas
openvas
Slackware: Security Advisory (SSA:2023-297-02)
2023-10-25 00:00:00
Fedora: Security Advisory for vim (FEDORA-2023-6c84e57fab)
2023-10-24 00:00:00
Mageia: Security Advisory (MGASA-2023-0305)
2023-10-30 00:00:00
alpinelinux
alpinelinux
CVE-2023-5535
2023-10-11 20:15:10
ubuntucve
ubuntucve
CVE-2023-5535
2023-10-11 00:00:00
nvd
nvd
CVE-2023-5535
2023-10-11 20:15:10
cve
cve
CVE-2023-5535
2023-10-11 20:15:10
slackware
slackware
[slackware-security] vim
2023-10-24 22:27:40
prion
prion
Design/Logic Flaw
2023-10-11 20:15:00
vulnrichment
vulnrichment
CVE-2023-5535 Use After Free in vim/vim
2023-10-11 19:12:21
debiancve
debiancve
CVE-2023-5535
2023-10-11 20:15:10
cvelist
cvelist
CVE-2023-5535 Use After Free in vim/vim
2023-10-11 19:12:21
cbl_mariner
cbl_mariner
CVE-2023-5535 affecting package vim for versions less than 9.0.2010-1
2023-10-18 16:17:06
redhatcve
redhatcve
CVE-2023-5535
2023-10-13 23:34:22
amazon
amazon
Low: vim
2023-10-30 23:59:00
Medium: vim
2023-11-29 23:18:00
mageia
mageia
Updated vim packages fix security vulnerabilities
2023-10-28 00:49:40
fedora
fedora
[SECURITY] Fedora 37 Update: vim-9.0.2048-1.fc37
2023-10-23 01:25:43
[SECURITY] Fedora 38 Update: vim-9.0.2048-1.fc38
2023-10-23 03:00:16
[SECURITY] Fedora 39 Update: vim-9.0.2048-1.fc39
2023-11-03 19:01:57
photon
photon
Important Photon OS Security Update - PHSA-2023-3.0-0671
2023-10-20 00:00:00
Important Photon OS Security Update - PHSA-2023-4.0-0492
2023-10-18 00:00:00
Important Photon OS Security Update - PHSA-2023-5.0-0119
2023-10-17 00:00:00
redos
redos
ROS-20240329-16
2024-03-29 00:00:00
ubuntu
ubuntu
Vim vulnerabilities
2023-10-25 00:00:00
osv
osv
vim vulnerabilities
2023-10-25 16:47:19
cloudfoundry
cloudfoundry
USN-6452-1: Vim vulnerabilities | Cloud Foundry
2023-12-04 00:00:00
ibm
ibm
Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
2024-02-20 11:21:59
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Vim-minimal Package Issues (3)
2024-08-01 17:24:14

EPSS

0.001

Percentile

19.1%

JSON
Related for 2C2D85A7-1171-4014-BF7F-A2451745861F
nessus31veracode1openvas22alpinelinux1ubuntucve1nvd1cve1slackware1prion1vulnrichment1debiancve1cvelist1cbl_mariner1redhatcve1amazon2mageia1fedora3photon3redos1ubuntu1osv1cloudfoundry1ibm2