Lucene search
Jieyongma7A4C59F3-FCC0-4496-995D-5CA6ACD2DA51HistoryApr 28, 2022 - 2:42 a.m.
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729
2022-04-2802:42:11
jieyongma
www.huntr.dev
14
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
65.4%
Description
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.
POC
./vim -u NONE -X -Z -e -s -S ./poc_n.dat -c :qa!
Segmentation fault
GDB
─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000000000d21602 in vim_regexec_string (rmp=0x7fffffff8aa0, line=0x606000003bc0 "/home/fuzz/fuzz-vim/vim-master/src/3\312) 00cmd\217brea\340\353", <incomplete sequence \373>, col=0, nl=0) at regexp.c:2729
2729 if (rmp->regprog->re_in_use)
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x0000000000d215e7 vim_regexec_string+567 cmp %cl,%al
0x0000000000d215e9 vim_regexec_string+569 jl 0xd215fb <vim_regexec_string+587>
0x0000000000d215ef vim_regexec_string+575 mov 0x118(%rbx),%rdi
0x0000000000d215f6 vim_regexec_string+582 callq 0x4a1350 <__asan_report_load4>
0x0000000000d215fb vim_regexec_string+587 mov 0x118(%rbx),%rax
0x0000000000d21602 vim_regexec_string+594 cmpl $0x0,(%rax)
0x0000000000d21605 vim_regexec_string+597 je 0xd2166c <vim_regexec_string+700>
0x0000000000d2160b vim_regexec_string+603 mov 0x175ed04,%ecx
0x0000000000d21612 vim_regexec_string+610 mov $0x17259e0,%rax
0x0000000000d21619 vim_regexec_string+617 mov (%rax),%rax
─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
rax 0x0000000000000014 rbx 0x00007fffffff87a0 rcx 0x0000000000000000 rdx 0x0000000000000000 rsi 0x0000606000003bc0 rdi 0x00007fffffff8aa0 rbp 0x00007fffffff89a0 rsp 0x00007fffffff86a0 r8 0x000000000205be00
r9 0x000000000000e4bc r10 0x000000000000e404 r11 0x000000000000e400 r12 0x000000000041fe30 r13 0x00007fffffffe500 r14 0x0000000000005604 r15 0x0000000000005600 rip 0x0000000000d21602 eflags [ PF ZF IF RF ]
cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
2724 int result;
2725 regexec_T rex_save;
2726 int rex_in_use_save = rex_in_use;
2727
2728 // Cannot use the same prog recursively, it contains state.
2729 if (rmp->regprog->re_in_use)
2730 {
2731 emsg(_(e_cannot_use_pattern_recursively));
2732 return FALSE;
2733 }
─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x0000000000d21602 in vim_regexec_string+594 at regexp.c:2729
[1] from 0x0000000000d220ba in vim_regexec+90 at regexp.c:2812
[2] from 0x000000000053f2ae in fname_match+622 at buffer.c:2964
[3] from 0x000000000051afd4 in buflist_match+324 at buffer.c:2936
[4] from 0x0000000000515835 in buflist_findpat+4053 at buffer.c:2656
[5] from 0x00000000007f739e in do_one_cmd+50910 at ex_docmd.c:2532
[6] from 0x00000000007e49a6 in do_cmdline+14134 at ex_docmd.c:992
[7] from 0x0000000000e88e0d in do_source_ext+13725 at scriptfile.c:1674
[8] from 0x0000000000e85867 in do_source+103 at scriptfile.c:1801
[9] from 0x0000000000e8519d in cmd_source+2317 at scriptfile.c:1174
[+]
─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 2521650 name vim from 0x0000000000d21602 in vim_regexec_string+594 at regexp.c:2729
─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg rmp = 0x7fffffff8aa0: {regprog = 0x0,startp = {[0] = 0x7fffffff8e28 "\025", [1] = 0x6110000007e5 …, line = 0x606000003bc0 "/home/fuzz/fuzz-vim/vim-master/src/3\312) 00cmd\217brea\340\353", <incomplete sequen…, col = 0, nl = 0
loc result = 32767, rex_save = {reg_match = 0x619000001c78,reg_mmatch = 0x100ff7a00,reg_startp = 0x619000001c78,reg_endp = 0x2ffff7…, rex_in_use_save = 0
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
>>> p rmp->regprog
$1 = (regprog_T *) 0x0
Related
ubuntucve
ubuntucve
CVE-2022-1620
2022-05-08 00:00:00
debiancve
debiancve
CVE-2022-1620
2022-05-08 11:15:00
cbl_mariner
cbl_mariner
CVE-2022-1620 affecting package vim 8.2.4774-1
2022-06-15 17:03:10
CVE-2022-1620 affecting package vim for versions less than 8.2.4925-1
2022-06-03 17:54:02
cve
cve
CVE-2022-1620
2022-05-08 11:15:00
veracode
veracode
Denial Of Service (DoS)
2022-05-20 08:43:20
osv
osv
CVE-2022-1620
2022-05-08 11:15:00
vim vulnerabilities
2022-09-15 11:04:50
vim regression
2022-09-19 12:53:35
alpinelinux
alpinelinux
CVE-2022-1620
2022-05-08 11:15:00
nessus
nessus
CBL Mariner 2.0 Security Update: vim (CVE-2022-1620)
2023-03-28 00:00:00
Ubuntu 20.04 LTS : Vim regression (USN-5613-2)
2022-09-19 00:00:00
Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Vim vulnerabilities (USN-5613-1)
2022-09-15 00:00:00
prion
prion
Null pointer dereference
2022-05-08 11:15:00
redhatcve
redhatcve
CVE-2022-1620
2022-05-09 06:44:23
redos
redos
ROS-20220516-11
2022-05-16 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: vim-8.2.4927-1.fc36
2022-05-11 01:22:58
[SECURITY] Fedora 35 Update: vim-8.2.4927-1.fc35
2022-05-11 01:27:18
[SECURITY] Fedora 34 Update: vim-8.2.4927-1.fc34
2022-05-18 01:25:20
openvas
openvas
Fedora: Security Advisory for vim (FEDORA-2022-e92c3ce170)
2022-05-12 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-f0db3943d9)
2022-05-12 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-8df66cdbef)
2022-05-18 00:00:00
cloudlinux
cloudlinux
photon
photon
Important Photon OS Security Update - PHSA-2022-0397
2022-05-26 00:00:00
Important Photon OS Security Update - PHSA-2022-3.0-0397
2022-05-26 00:00:00
Important Photon OS Security Update - PHSA-2022-0478
2022-05-27 00:00:00
cloudfoundry
cloudfoundry
USN-5613-1: Vim vulnerabilities | Cloud Foundry
2022-09-29 00:00:00
ubuntu
ubuntu
Vim vulnerabilities
2022-09-15 00:00:00
Vim regression
2022-09-19 00:00:00
Vim vulnerabilities
2022-06-06 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package vim version 4:8.2.5019-alt1
2022-06-02 00:00:00
Security fix for the ALT Linux 10 package vim version 4:8.2.5019-alt1
2022-05-31 00:00:00
mageia
mageia
Updated vim packages fix security vulnerability
2022-05-25 21:46:18
amazon
amazon
Medium: vim
2022-07-19 01:26:00
Medium: vim
2022-07-28 20:41:00
suse
suse
Security update for vim (important)
2022-06-16 00:00:00
gentoo
gentoo
Vim, gVim: Multiple Vulnerabilities
2023-05-03 00:00:00
Vim, gVim: Multiple Vulnerabilities
2022-08-21 00:00:00
apple
apple
About the security content of macOS Ventura 13
2022-10-24 00:00:00
avleonov
avleonov
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
65.4%
Related for 7A4C59F3-FCC0-4496-995D-5CA6ACD2DA51