Null pointer dereference in function skipwhite

2022-06-2617:26:11

acquykhud

www.huntr.dev

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

23.3%

JSON

Description

Null pointer dereference in function skipwhite at charset.c:1428

Version

commit c101abff4c6756db4f5e740fde289decb9452efa (HEAD -&gt; master, tag: v8.2.5164)

Proof of Concept

guest@elk:~/trung$ valgrind ./vim_latest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc40min -c :qa!
==32519== Memcheck, a memory error detector
==32519== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32519== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==32519== Command: ./vim_latest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc40min -c :qa!
==32519== 
==32519== Invalid read of size 1
==32519==    at 0x37B490: skipwhite (charset.c:1428)
==32519==    by 0x18AC60: eval0_retarg (eval.c:2391)
==32519==    by 0x1BDED8: ex_eval (ex_eval.c:951)
==32519==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==32519==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==32519==    by 0x2ABF50: do_source_ext (scriptfile.c:1674)
==32519==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==32519==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==32519==    by 0x2ABF50: do_source_ext (scriptfile.c:1674)
==32519==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==32519==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==32519==    by 0x2ABF50: do_source_ext (scriptfile.c:1674)
==32519==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==32519==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==32519==    by 0x2ABF50: do_source_ext (scriptfile.c:1674)
==32519==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==32519==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==32519==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==32519== 
==32519== 
==32519== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==32519==    at 0x5851177: kill (syscall-template.S:78)
==32519==    by 0x254A97: may_core_dump (os_unix.c:3449)
==32519==    by 0x254A97: mch_exit (os_unix.c:3485)
==32519==    by 0x37FDAA: getout (main.c:1737)
==32519==    by 0x5850F0F: ??? (in /lib/x86_64-linux-gnu/libc-2.27.so)
==32519==    by 0x37B48F: ??? (charset.c:1418)
==32519==    by 0x18AC60: eval0_retarg (eval.c:2391)
==32519==    by 0x1BDED8: ex_eval (ex_eval.c:951)
==32519==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==32519==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==32519==    by 0x2ABF50: do_source_ext (scriptfile.c:1674)
==32519==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==32519==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==32519==    by 0x2ABF50: do_source_ext (scriptfile.c:1674)
==32519==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==32519==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==32519== 
==32519== HEAP SUMMARY:
==32519==     in use at exit: 370,167 bytes in 2,757 blocks
==32519==   total heap usage: 4,952 allocs, 2,195 frees, 1,646,883 bytes allocated
==32519== 
==32519== LEAK SUMMARY:
==32519==    definitely lost: 2,849 bytes in 3 blocks
==32519==    indirectly lost: 0 bytes in 0 blocks
==32519==      possibly lost: 0 bytes in 0 blocks
==32519==    still reachable: 367,318 bytes in 2,754 blocks
==32519==         suppressed: 0 bytes in 0 blocks
==32519== Rerun with --leak-check=full to see details of leaked memory
==32519== 
==32519== For counts of detected and suppressed errors, rerun with: -v
==32519== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault