Lucene search

K
huntrGreatergoodestFAA74175-5317-4B71-A363-DFC39094ECBB
HistoryMay 16, 2022 - 12:53 p.m.

Infinite recursive function calls result in stack overflow

2022-05-1612:53:39
greatergoodest
www.huntr.dev
29
stack overflow
recursive function
sigsegv

EPSS

0.001

Percentile

46.9%

Description

When providing certain input, the program will enter an infinite loop where it continually calls:

get_expr_register ->

cmdline_handle_backslash_key ->

getcmdline ->

getcmdline_int ->

cmdline_handle_backslash_key ->

get_expr_register ->

etc.

GDB

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00005555556284c5 in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1618
1618            save_cmdline(&save_ccline);
#0  0x00005555556284c5 in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1618
#1  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
#2  0x000055555572ef97 in get_expr_register () at register.c:104
#3  0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff7ff408) at ex_getln.c:850
#4  0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925
#5  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
#6  0x000055555572ef97 in get_expr_register () at register.c:104
#7  0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff7ff688) at ex_getln.c:850
#8  0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925
#9  0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574
#10 0x000055555572ef97 in get_expr_register () at register.c:104

#2052 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2053 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f138) at ex_getln.c:850                           
#2054 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2055 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2056 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2057 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f3b8) at ex_getln.c:850                           
#2058 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2059 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2060 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2061 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f638) at ex_getln.c:850                           
#2062 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2063 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2064 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2065 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84f8b8) at ex_getln.c:850                           
#2066 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2067 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2068 0x000055555572ef97 in get_expr_register () at register.c:104                                                                  
#2069 0x00005555556270cc in cmdline_handle_backslash_key (c=101, gotesc=0x7fffff84fb38) at ex_getln.c:850                           
#2070 0x0000555555628c8f in getcmdline_int (firstc=61, count=0, indent=0, clear_ccline=1) at ex_getln.c:1925                        
#2071 0x000055555562842d in getcmdline (firstc=61, count=0, indent=0, do_concat=GETLINE_NONE) at ex_getln.c:1574                    
#2072 0x000055555572ef97 in get_expr_register () at register.c:104                                            

Valgrind

==99366== Memcheck, a memory error detector
==99366== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==99366== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==99366== Command: ./vim -u NONE -X -Z -e -s -S id:000000,sig:11,src:013242+022204,time:17320933,execs:2959795,op:splice,rep:2 -c :qa!
==99366== 
==99366== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==99366== 
==99366== Process terminating with default action of signal 11 (SIGSEGV)
==99366==    at 0x4E31A97: kill (syscall-template.S:78)
==99366==    by 0x28B7C9: may_core_dump (os_unix.c:3529)
==99366==    by 0x28B781: mch_exit (os_unix.c:3495)
==99366==    by 0x3FADEC: getout (main.c:1726)
==99366==    by 0x24F54D: preserve_exit (misc1.c:2217)
==99366==    by 0x289482: deathtrap (os_unix.c:1175)
==99366==    by 0x4E3183F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.28.so)
==99366==    by 0x483573D: malloc (vg_replace_malloc.c:299)

Proof of Concept

./vim -u NONE -e -s -S crash_input
Segmentation fault

https://github.com/GreaterGoodest/vim-pocs/blob/master/crash_input