Lucene search
Janette8895F97DFE-247D-475D-9740-B7ADC71F4C79HistoryAug 16, 2022 - 7:28 a.m.
NULL Pointer Dereference in function generate_loadvar
2022-08-1607:28:02
janette88
www.huntr.dev
9
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
16.5%
Description
NULL Pointer Dereference in function generate_loadvar at vim9compile.c:1165 allows attackers to cause a denial of service (application crash) via a crafted input.
vim version
git log
commit e1f3fd1d02e3f5fe6d2b6d82687c6846b8e500f8 (HEAD -> master, origin/master, origin/HEAD)
Author: Bram Moolenaar <[email protected]>
Date: Mon Aug 15 18:51:32 2022 +0100
Update runtime files
Proof of Concept
vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc1_null.dat -c :qa!
Segmentation fault (core dumped)
gdb debug info
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000555555cd8761 in generate_loadvar (cctx=0x7fffffffbda0, dest=dest_local, name=0x602000006270 "l", lvar=0x0, type=0x55555601eb00 <t_any>) at vim9compile.c:1165
1165 if (lvar->lv_from_outer > 0)
[ Legend: Modified register | Code | Heap | Stack | String ]
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā registers āāāā
$rax : 0x0
$rbx : 0x007fffffffb8c0 ā 0x0000000041b58ab3
$rcx : 0x0
$rdx : 0x0
$rsp : 0x007fffffffb840 ā 0x007fffffffb860 ā 0x000000ffffb950 ā 0x0000000000000000
$rbp : 0x007fffffffb870 ā 0x007fffffffb950 ā 0x007fffffffba30 ā 0x007fffffffba80 ā 0x007fffffffc0c0 ā 0x007fffffffc180 ā 0x007fffffffc4f0 ā 0x007fffffffcdf0
$rsi : 0x7
$rdi : 0x007fffffffbda0 ā 0x00614000000440 ā 0x0000000000000000
$rip : 0x00555555cd8761 ā <generate_loadvar+807> mov eax, DWORD PTR [rax+0x14]
$r8 : 0x0055555601eb00 ā <t_any+0> add DWORD PTR [rax], eax
$r9 : 0x0
$r10 : 0x0
$r11 : 0x00555555ed2ee0 ā 0x00000000444e45 ("END"?)
$r12 : 0x007fffffffb920 ā 0x000ffffffff76a ā 0x0000000000000000
$r13 : 0x000ffffffff718 ā 0x0000000000000000
$r14 : 0x007fffffffb9b0 ā 0x0000000041b58ab3
$r15 : 0x007fffffffb8c0 ā 0x0000000041b58ab3
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā stack āāāā
0x007fffffffb840ā+0x0000: 0x007fffffffb860 ā 0x000000ffffb950 ā 0x0000000000000000 ā $rsp
0x007fffffffb848ā+0x0008: 0x0055555601eb00 ā <t_any+0> add DWORD PTR [rax], eax
0x007fffffffb850ā+0x0010: 0x0000000000000000
0x007fffffffb858ā+0x0018: 0x00602000006270 ā 0x0000000000006c ("l"?)
0x007fffffffb860ā+0x0020: 0x000000ffffb950 ā 0x0000000000000000
0x007fffffffb868ā+0x0028: 0x007fffffffbda0 ā 0x00614000000440 ā 0x0000000000000000
0x007fffffffb870ā+0x0030: 0x007fffffffb950 ā 0x007fffffffba30 ā 0x007fffffffba80 ā 0x007fffffffc0c0 ā 0x007fffffffc180 ā 0x007fffffffc4f0 ā 0x007fffffffcdf0 ā $rbp
0x007fffffffb878ā+0x0038: 0x00555555cdd36a ā <compile_load_lhs+1697> mov r14d, 0x1
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā code:x86:64 āāāā
0x555555cd8755 <generate_loadvar+795> mov rdi, rax
0x555555cd8758 <generate_loadvar+798> call 0x55555568d260 <__asan_report_load4@plt>
0x555555cd875d <generate_loadvar+803> mov rax, QWORD PTR [rbp-0x20]
ā 0x555555cd8761 <generate_loadvar+807> mov eax, DWORD PTR [rax+0x14]
0x555555cd8764 <generate_loadvar+810> test eax, eax
0x555555cd8766 <generate_loadvar+812> jle 0x555555cd87bc <generate_loadvar+898>
0x555555cd8768 <generate_loadvar+814> mov rax, QWORD PTR [rbp-0x20]
0x555555cd876c <generate_loadvar+818> mov edx, DWORD PTR [rax+0x14]
0x555555cd876f <generate_loadvar+821> mov rax, QWORD PTR [rbp-0x20]
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā source:vim9compile.c+1165 āāāā
1160 break;
1161 case dest_vimvar:
1162 generate_LOADV(cctx, name + 2);
1163 break;
1164 case dest_local:
// lvar=0x007fffffffb850 ā 0x0000000000000000
ā 1165 if (lvar->lv_from_outer > 0)
1166 generate_LOADOUTER(cctx, lvar->lv_idx, lvar->lv_from_outer,
1167 type);
1168 else
1169 generate_LOAD(cctx, ISN_LOAD, lvar->lv_idx, NULL, type);
1170 break;
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā threads āāāā
[#0] Id 1, Name: "vim", stopped 0x555555cd8761 in generate_loadvar (), reason: SIGSEGV
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā trace āāāā
[#0] 0x555555cd8761 ā generate_loadvar(cctx=0x7fffffffbda0, dest=dest_local, name=0x602000006270 "l", lvar=0x0, type=0x55555601eb00 <t_any>)
[#1] 0x555555cdd36a ā compile_load_lhs(lhs=0x7fffffffbe40, var_start=0x602000006290 "l[0]", rhs_type=0x55555601ed00 <t_string>, cctx=0x7fffffffbda0)
[#2] 0x555555cddb2d ā compile_assign_unlet(var_start=0x602000006290 "l[0]", lhs=0x7fffffffbe40, is_assign=0x1, rhs_type=0x55555601ed00 <t_string>, cctx=0x7fffffffbda0)
[#3] 0x555555cd1bde ā compile_redir(line=0x6020000062b0 "redi END", eap=0x7fffffffbca0, cctx=0x7fffffffbda0)
[#4] 0x555555ce58ee ā compile_def_function(ufunc=0x614000000440, check_return_type=0x0, compile_type=CT_NONE, outer_cctx=0x0)
[#5] 0x555555cbc9b3 ā ex_defcompile(eap=0x7fffffffc270)
[#6] 0x555555817444 ā do_one_cmd(cmdlinep=0x7fffffffc5d0, flags=0x7, cstack=0x7fffffffc6f0, fgetline=0x555555b33a24 <getsourceline>, cookie=0x7fffffffcfb0)
[#7] 0x55555580e6e7 ā do_cmdline(cmdline=0x6110000002c0 "def T()", fgetline=0x555555b33a24 <getsourceline>, cookie=0x7fffffffcfb0, flags=0x7)
[#8] 0x555555b3186d ā do_source_ext(fname=0x604000000213 "/home/fuzz/test/poc1_null.dat", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0)
[#9] 0x555555b3299f ā do_source(fname=0x604000000213 "/home/fuzz/test/poc1_null.dat", check_other=0x0, is_vimrc=0x0, ret_sid=0x0)
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
poc download:
<p><a href=āhttps://github.com/Janette88/vim/blob/main/poc1_null.datā>poc1_null.dat</a></p>
Related
redhatcve
redhatcve
CVE-2022-2874
2023-05-04 17:21:23
prion
prion
Null pointer dereference
2022-08-18 16:15:00
ubuntucve
ubuntucve
CVE-2022-2874
2022-08-18 00:00:00
cve
cve
CVE-2022-2874
2022-08-18 16:15:00
cbl_mariner
cbl_mariner
CVE-2022-2874 affecting package vim 9.0.0181-1
2022-09-17 05:56:39
CVE-2022-2874 affecting package vim 9.0.0050-2
2022-09-16 06:05:42
alpinelinux
alpinelinux
CVE-2022-2874
2022-08-18 16:15:00
cnvd
cnvd
Vim code issue vulnerability (CNVD-2022-68091)
2022-08-22 00:00:00
veracode
veracode
Denial Of Service (DoS)
2022-09-01 12:20:14
debiancve
debiancve
CVE-2022-2874
2022-08-18 16:15:00
nessus
nessus
Ubuntu 18.04 ESM / 20.04 LTS / 22.04 LTS : Vim vulnerabilities (USN-6302-1)
2023-08-21 00:00:00
Amazon Linux 2 : vim (ALAS-2023-1975)
2023-03-07 00:00:00
SUSE SLED15 / SLES15 Security Update : vim (SUSE-SU-2022:3229-1)
2022-09-10 00:00:00
cloudfoundry
cloudfoundry
USN-6302-1: Vim vulnerabilities | Cloud Foundry
2023-10-05 00:00:00
osv
osv
vim vulnerabilities
2023-08-21 05:45:06
ubuntu
ubuntu
Vim vulnerabilities
2023-08-21 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-6302-1)
2023-08-21 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:3229-1)
2022-09-12 00:00:00
openSUSE: Security Advisory for vim (SUSE-SU-2022:3229-1)
2022-09-10 00:00:00
amazon
amazon
Important: vim
2023-03-02 22:35:00
suse
suse
Security update for vim (important)
2022-09-09 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0380
2023-04-25 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0568
2023-04-19 00:00:00
mageia
mageia
Updated vim packages fix security vulnerability
2022-11-19 01:50:51
gentoo
gentoo
Vim, gVim: Multiple Vulnerabilities
2023-05-03 00:00:00
avleonov
avleonov
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
16.5%
Related for 95F97DFE-247D-475D-9740-B7ADC71F4C79