History: Oct 01, 2023 - 6:08 p.m.

CWE-476 leads to potential OOB Read

2023-10-01 18:08:29
coolkingcole
www.huntr.dev
10
debian gnu/linux
addresssanitizer
oob read
null pointer dereference
semi-controllable
zero page
signal propagation
bug bounty

EPSS: 0.0004 (Low)

Percentile: 10.2%

Environment

Distributor ID:	Debian
Description:	Debian GNU/Linux bookworm/sid

Version

I checked against the master branch as of 09/25 at commit f109bf93c9402e4e3122a7ae7846e6feae4fa222.

Description

This AddressSanitizer output indicates an OOB read that is semi-controllable but relative to the zero page, so this is mostly a CWE-476: NULL Pointer Dereference. LineOffset can be NULL in the file vim/src/screen.c at line 497 and is indexed there by the variable row. The variable Rows limits the size of the variable row. If there is a scenario in which Rows is controllable, this could be an arbitrary read from 0 to INTMAX. NOTE: My local vim is modified from this commit to not catch signals so that the faults propagate to aflplusplus. I can provide the diff if someone wants.

Snippet (src/screen.c, line 497)

off_to = LineOffset[row] + coloff;
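The snippet above dereferences the table without checking that it exists; the added example below (not vim's code) shows why a NULL table turns the index into a small zero-page address, and a guarded lookup that rejects a NULL table or an out-of-range row. Struct and function names are hypothetical stand-ins; the sample table is constructed, and the element size is assumed to be that of unsigned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the globals involved (names and layout assumed, not vim's own). */
typedef struct {
    unsigned *line_offset;  /* NULL if the screen tables were never allocated */
    long      rows;         /* number of valid entries in line_offset */
} screen_tables_t;

/* Address an unchecked line_offset[row] would read when the pointer is NULL:
 * base 0 plus row * element size, i.e. somewhere in the zero page. */
uintptr_t null_indexed_address(long row)
{
    return (uintptr_t)row * sizeof(unsigned);
}

/* Hardened lookup: refuses to dereference a NULL table or an out-of-range row.
 * Returns 0 and stores the offset in *out on success, -1 on a rejected access. */
int safe_line_offset(const screen_tables_t *st, long row, long coloff, unsigned *out)
{
    if (st == NULL || st->line_offset == NULL || out == NULL)
        return -1;
    if (row < 0 || row >= st->rows)
        return -1;
    *out = st->line_offset[row] + (unsigned)coloff;
    return 0;
}

/* Constructed sample: a 3-row table, or no table at all when allocated == 0.
 * Returns the lookup's return code and writes the offset (0 if rejected). */
int sample_lookup(int allocated, long row, long coloff, unsigned *out)
{
    static unsigned tbl[3] = {0, 80, 160};
    screen_tables_t st = { allocated ? tbl : NULL, 3 };
    *out = 0;
    return safe_line_offset(&st, row, coloff, out);
}

int main(void)
{
    unsigned off;
    int rc;
    printf("NULL table, row 1 -> unchecked read at 0x%lx\n",
           (unsigned long)null_indexed_address(1));
    rc = sample_lookup(1, 2, 5, &off);
    printf("allocated table, row 2 -> rc=%d off=%u\n", rc, off);
    rc = sample_lookup(0, 1, 0, &off);
    printf("NULL table, row 1 -> rc=%d (rejected)\n", rc);
    return 0;
}
```

With a 4-byte element the reported fault address 0x4 corresponds to row 1, which the guarded lookup rejects instead of reading.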

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S crash1 -c :qa!

POC File

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2281401==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x555555e69412 bp 0x000000000000 sp 0x7fffffff73e0 T0)
==2281401==The signal is caused by a READ memory access.
==2281401==Hint: address points to the zero page.
    #0 0x555555e69412 in screen_line /path/vim/src/screen.c:497:14
    #1 0x55555594568c in draw_screen_line /path/vim/src/drawline.c:956:5
    #2 0x55555593ca56 in win_line /path/vim/src/drawline.c:3736:3
    #3 0x55555594c24e in win_update /path/vim/src/drawscreen.c:2506:9
    #4 0x55555595713a in updateWindow /path/vim/src/drawscreen.c:2930:5
    #5 0x5555561db223 in gui_do_scroll /path/vim/src/gui.c:4491:2
    #6 0x555555977e7d in ins_scroll /path/vim/src/edit.c:4510:9
    #7 0x55555596acd2 in edit /path/vim/src/edit.c:1086:6
    #8 0x555555ca49db in invoke_edit /path/vim/src/normal.c:7086:9
    #9 0x555555ca49db in n_opencmd /path/vim/src/normal.c:6316:2
    #10 0x555555ca49db in nv_open /path/vim/src/normal.c:7477:2
    #11 0x555555c83c63 in normal_cmd /path/vim/src/normal.c:949:5
    #12 0x555555a6b524 in exec_normal /path/vim/src/ex_docmd.c
    #13 0x555555a6a877 in exec_normal_cmd /path/vim/src/ex_docmd.c:8875:5
    #14 0x555555a6a877 in ex_normal /path/vim/src/ex_docmd.c:8793:6
    #15 0x555555a42678 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
    #16 0x555555a42678 in do_cmdline /path/vim/src/ex_docmd.c:994:17
    #17 0x555555e9b79a in do_source_ext /path/vim/src/scriptfile.c:1762:5
    #18 0x555555e9950b in do_source /path/vim/src/scriptfile.c:1908:12
    #19 0x555555e9950b in cmd_source /path/vim/src/scriptfile.c:1253:14
    #20 0x555555a42678 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
    #21 0x555555a42678 in do_cmdline /path/vim/src/ex_docmd.c:994:17
    #22 0x5555562f06d3 in exe_commands /path/vim/src/main.c:3177:2
    #23 0x5555562f06d3 in vim_main2 /path/vim/src/main.c:790:2
    #24 0x5555562ecda3 in main /path/vim/src/main.c:441:12
    #25 0x7ffff6bde1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #26 0x7ffff6bde284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #27 0x555555772290 in _start (/path/vim/src/vim+0x21e290) (BuildId: 35c8e3fde8659b75419975e4d0d0f90f327b40e2)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/vim/src/screen.c:497:14 in screen_line
==2281401==ABORTING

https://github.com/vim/vim/blob/master/src/screen.c#L497