huntr report by fondxd, id A9FAD77E-F245-4CE9-BA15-C7D4C86C4612
History: Aug 28, 2022 - 6:32 p.m.

Access violation near NULL on destination operand eval.c:2603:37 in segmentation fault

2022-08-28 18:32:56
fondxd
www.huntr.dev

CVSS3: 5.5 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 1.9 Low

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:L/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 21.6%

Description

Access violation near NULL on destination operand eval.c:2603:37 in segmentation fault

Proof of Concept

Faulting Frame:
eval1 @ 0x0000000000d9e9d2: in /root/vim/src/vim

Disassembly:

0x0000000000d9e9bd: mov rax,r14
0x0000000000d9e9c0: shr rax,0x3
0x0000000000d9e9c4: mov al,BYTE PTR [rax+0x7fff8000]
0x0000000000d9e9ca: test al,al
0x0000000000d9e9cc: jne 0xda0bf6 <eval1+32998>
=> 0x0000000000d9e9d2: cmp BYTE PTR [r14],0x20
0x0000000000d9e9d6: jne 0xd9ea35 <eval1+24357>
0x0000000000d9e9d8: mov eax,0x520bcac
0x0000000000d9e9dd: shr rax,0x3
0x0000000000d9e9e1: mov al,BYTE PTR [rax+0x7fff8000]

Stack Head (34 entries):

eval1 @ 0x0000000000d9e9d2: in /root/vim/src/vim
eval_list @ 0x0000000001b3231b: in /root/vim/src/vim
eval9 @ 0x0000000000e8e4a9: in /root/vim/src/vim
eval8 @ 0x0000000000ebbada: in /root/vim/src/vim
eval7 @ 0x0000000000eb5b12: in /root/vim/src/vim
eval6 @ 0x0000000000eac89b: in /root/vim/src/vim
eval5 @ 0x0000000000ea7cdd: in /root/vim/src/vim
eval4 @ 0x0000000000ea31f2: in /root/vim/src/vim
eval3 @ 0x0000000000e9e13c: in /root/vim/src/vim
eval2 @ 0x0000000000d98d08: in /root/vim/src/vim
eval1 @ 0x0000000000d98d08: in /root/vim/src/vim
eval0_retarg @ 0x0000000000e146d1: in /root/vim/src/vim
eval0 @ 0x0000000000d90a18: in /root/vim/src/vim
ex_eval @ 0x0000000001407723: in /root/vim/src/vim
do_one_cmd @ 0x000000000127576c: in /root/vim/src/vim
do_cmdline @ 0x00000000012391da: in /root/vim/src/vim

Registers:

rax=0x0000000000000000 rbx=0x00007fff915c0760 rcx=0x0000000000000000 rdx=0x000000000000003f
rsi=0x0000000000000000 rdi=0x00007fff915c03a1 rbp=0x00007fff915c0a70 rsp=0x00007fff915c04e0
r8=0x00007fff915bf720 r9=0x0000000000000001 r10=0x0000000004a7eb73 r11=0x0000000000000206
r12=0x0000000000000000 r13=0x00007fff915c2d80 r14=0x0000000000000001 r15=0x0000000000a3b213
rip=0x0000000000d9e9d2 efl=0x0000000000010246 cs=0x0000000000000033 ss=0x000000000000002b
ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000

Download PoC: https://github.com/fondxd/fuzzing-poc/blob/main/poc2
