CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 4.4 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 28.3%
Use After Free in function do_cmdline at vim/src/ex_docmd.c:1076.
git log
commit 5d09a401ec393dc930e1104ceb38eab34681de64 (HEAD -> master, tag: v9.0.0343, origin/master, origin/HEAD)
./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc7_huaf.dat -c :qa!
Segmentation fault (core dumped)
gdb log:
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00005555558102eb in do_cmdline (cmdline=0x6110000002c0 " mksession! Xtest_mks.out", fgetline=0x555555b36a51 <getsourceline>, cookie=0x7fffffffd0b0, flags=0x7) at ex_docmd.c:1076
1076 ((wcmd_T *)lines_ga.ga_data)[current_line].lnum-1);
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0
$rbx : 0x007fffffffcec0 → 0x007fffffffcef0 → 0x007fffffffd180 → 0x007fffffffd1b0 → 0x007fffffffd1e0 → 0x007fffffffd200 → 0x007fffffffd570 → 0x007fffffffde70
$rcx : 0x0
$rdx : 0x8
$rsp : 0x007fffffffc600 → 0x000007ff7ff000 → 0x0000000000000000
$rbp : 0x007fffffffcef0 → 0x007fffffffd180 → 0x007fffffffd1b0 → 0x007fffffffd1e0 → 0x007fffffffd200 → 0x007fffffffd570 → 0x007fffffffde70 → 0x007fffffffde90
$rsi : 0x0
$rdi : 0x3
$rip : 0x005555558102eb → <do_cmdline+9057> mov rax, QWORD PTR [rax+0x8]
$r8 : 0x007ffff65a30e0 → 0x0000000000000000
$r9 : 0x0
$r10 : 0x007ffff65a3000 → 0x007ffff7fb8000 → 0x007ffff7709398 → 0x007ffff76a16e0 → <__sanitizer::ThreadContextBase::OnDead()+0> endbr64
$r11 : 0x007ffff4591120 → 0x0000000000000000
$r12 : 0x000ffffffff8d4 → 0x0000000000000000
$r13 : 0x007fffffffc6a0 → 0x0000000041b58ab3
$r14 : 0x007fffffffc6a0 → 0x0000000041b58ab3
$r15 : 0x007fffffffd2a0 → 0x0000000041b58ab3
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
──────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffc600│+0x0000: 0x000007ff7ff000 → 0x0000000000000000 ← $rsp
0x007fffffffc608│+0x0008: 0x007fffffffd0b0 → 0x00615000000a80 → 0xbebebebefbad2488
0x007fffffffc610│+0x0010: 0x00555555b36a51 → <getsourceline+0> endbr64
0x007fffffffc618│+0x0018: 0x006110000002c0 → " mksession! Xtest_mks.out"
0x007fffffffc620│+0x0020: 0x007fffffffc630 → 0x0000000000000008
0x007fffffffc628│+0x0028: 0x0000000000000001
0x007fffffffc630│+0x0030: 0x0000000000000008
0x007fffffffc638│+0x0038: 0x0000000000000001
────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x5555558102e1 <do_cmdline+9047> je 0x5555558102eb <do_cmdline+9057>
0x5555558102e3 <do_cmdline+9049> mov rdi, rdx
0x5555558102e6 <do_cmdline+9052> call 0x55555568e0e0 <__asan_report_load8@plt>
→ 0x5555558102eb <do_cmdline+9057> mov rax, QWORD PTR [rax+0x8]
0x5555558102ef <do_cmdline+9061> lea r15, [rax-0x1]
0x5555558102f3 <do_cmdline+9065> mov rcx, QWORD PTR [rbp-0x8e8]
0x5555558102fa <do_cmdline+9072> mov rax, QWORD PTR [rbp-0x8e0]
0x555555810301 <do_cmdline+9079> lea rdx, [rip+0x326749] # 0x555555b36a51 <getsourceline>
0x555555810308 <do_cmdline+9086> mov rsi, rcx
───────────────────────────────────────────────────────────── source:ex_docmd.c+1076 ────
1071 if (breakpoint != NULL)
1072 {
1073 *breakpoint = dbg_find_breakpoint(
1074 getline_equal(fgetline, cookie, getsourceline),
1075 fname,
// current_line=0x0
→ 1076 ((wcmd_T *)lines_ga.ga_data)[current_line].lnum-1);
1077 *dbg_tick = debug_tick;
1078 }
1079 }
1080 else
1081 {
────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "vim", stopped 0x5555558102eb in do_cmdline (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555558102eb → do_cmdline(cmdline=0x6110000002c0 " mksession! Xtest_mks.out", fgetline=0x555555b36a51 <getsourceline>, cookie=0x7fffffffd0b0, flags=0x7)
[#1] 0x555555b33ab5 → do_source_ext(fname=0x604000000213 "/home/fuzz/test/poc7_huaf.dat", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0)
[#2] 0x555555b34cea → do_source(fname=0x604000000213 "/home/fuzz/test/poc7_huaf.dat", check_other=0x0, is_vimrc=0x0, ret_sid=0x0)
[#3] 0x555555b317a8 → cmd_source(fname=0x604000000213 "/home/fuzz/test/poc7_huaf.dat", eap=0x7fffffffd2f0)
[#4] 0x555555b3180d → ex_source(eap=0x7fffffffd2f0)
[#5] 0x55555581891e → do_one_cmd(cmdlinep=0x7fffffffd650, flags=0xb, cstack=0x7fffffffd770, fgetline=0x0, cookie=0x0)
[#6] 0x55555580fbc1 → do_cmdline(cmdline=0x6040000000d0 "so /home/fuzz/test/poc7_huaf.dat", fgetline=0x0, cookie=0x0, flags=0xb)
[#7] 0x55555580df5b → do_cmdline_cmd(cmd=0x6040000000d0 "so /home/fuzz/test/poc7_huaf.dat")
[#8] 0x555555e0ce82 → exe_commands(parmp=0x555556079fe0 <params>)
[#9] 0x555555e05ff0 → vim_main2()
───────────────────────────────────────────────────────────────────────────────────────
poc download url: https://github.com/Janette88/vim/blob/main/poc7_huaf.dat