Lucene search
Janette88FD3A3AB8-AB0F-452F-AFEA-8C613E283FD2HistoryAug 18, 2022 - 6:18 a.m.
NULL Pointer Dereference in function sug_filltree
2022-08-1806:18:48
janette88
www.huntr.dev
11
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
15.8%
Description
NULL Pointer Dereference in function sug_filltree at vim/src/spellfile.c:5600.
vim version
git log
commit 4875d6ab068f09df88d24d81de40dcd8d56e243d (grafted, HEAD -> master, tag: v9.0.0224, origin/master, origin/HEAD)
Proof of Concept
./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc2_null.dat -c :qa!
Segmentation fault (core dumped)
gdb debug info
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000555555b9f3f0 in sug_filltree (spin=0x7fffffff95c0, slang=0x62100001f500) at spellfile.c:5600
5600 if (curi[depth] > byts[arridx[depth]])
[ Legend: Modified register | Code | Heap | Stack | String ]
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā registers āāāā
$rax : 0x0
$rbx : 0x007fffffff93b0 ā 0x007fffffff9950 ā 0x007fffffff99a0 ā 0x0000000041b58ab3
$rcx : 0x0
$rdx : 0x0
$rsp : 0x007fffffff8340 ā 0x0062100001f500 ā 0x0000000000000000
$rbp : 0x007fffffff93d0 ā 0x007fffffff9410 ā 0x007fffffff9970 ā 0x007fffffff9a40 ā 0x007fffffff9db0 ā 0x007fffffffa6b0 ā 0x007fffffffa6d0 ā 0x007fffffffa880
$rsi : 0x1
$rdi : 0x0
$rip : 0x00555555b9f3f0 ā <sug_filltree+1115> movzx eax, BYTE PTR [rcx]
$r8 : 0x0
$r9 : 0x000c507fff9020 ā 0x0000000000000000
$r10 : 0x0
$r11 : 0x108
$r12 : 0x000ffffffff06e ā 0x0000000000000000
$r13 : 0x007fffffff8370 ā 0x0000000041b58ab3
$r14 : 0x007fffffff8370 ā 0x0000000041b58ab3
$r15 : 0x007fffffff9ae0 ā 0x0000000041b58ab3
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā stack āāāā
0x007fffffff8340ā+0x0000: 0x0062100001f500 ā 0x0000000000000000 ā $rsp
0x007fffffff8348ā+0x0008: 0x007fffffff95c0 ā 0x00628000008110 ā 0x0000000000000000
0x007fffffff8350ā+0x0010: 0xffffffff00000000
0x007fffffff8358ā+0x0018: 0x0000000000000000
0x007fffffff8360ā+0x0020: 0x0000000000000000
0x007fffffff8368ā+0x0028: 0x0000000000000000
0x007fffffff8370ā+0x0030: 0x0000000041b58ab3 ā $r13, $r14
0x007fffffff8378ā+0x0038: 0x00555555eaeaa0 ā "5 32 1016 11 arridx:5569 1184 1016 9 curi:5570 233[...]"
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā code:x86:64 āāāā
0x555555b9f3e6 <sug_filltree+1105> je 0x555555b9f3f0 <sug_filltree+1115>
0x555555b9f3e8 <sug_filltree+1107> mov rdi, rax
0x555555b9f3eb <sug_filltree+1110> call 0x55555568dba0 <__asan_report_load1@plt>
ā 0x555555b9f3f0 <sug_filltree+1115> movzx eax, BYTE PTR [rcx]
0x555555b9f3f3 <sug_filltree+1118> movzx eax, al
0x555555b9f3f6 <sug_filltree+1121> cmp esi, eax
0x555555b9f3f8 <sug_filltree+1123> jle 0x555555b9f599 <sug_filltree+1540>
0x555555b9f3fe <sug_filltree+1129> mov eax, DWORD PTR [rbp-0x1080]
0x555555b9f404 <sug_filltree+1135> cdqe
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā source:spellfile.c+5600 āāāā
5595 wordcount[0] = 0;
5596
5597 depth = 0;
5598 while (depth >= 0 && !got_int)
5599 {
// byts=0x007fffffff8360 ā 0x0000000000000000, depth=0x0, arridx=0x007fffffff8390 ā 0x0000000000000000, curi=0x007fffffff8810 ā 0x0000000000000001
ā 5600 if (curi[depth] > byts[arridx[depth]])
5601 {
5602 // Done all bytes at this node, go up one level.
5603 idxs[arridx[depth]] = wordcount[depth];
5604 if (depth > 0)
5605 wordcount[depth - 1] += wordcount[depth];
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā threads āāāā
[#0] Id 1, Name: "vim", stopped 0x555555b9f3f0 in sug_filltree (), reason: SIGSEGV
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā trace āāāā
[#0] 0x555555b9f3f0 ā sug_filltree(spin=0x7fffffff95c0, slang=0x62100001f500)
[#1] 0x555555b9ed48 ā spell_make_sugfile(spin=0x7fffffff95c0, wfname=0x621000017d00 "Xtest.utf-8.spl")
[#2] 0x555555ba2799 ā mkspell(fcount=0x1, fnames=0x611000000400, ascii=0x0, over_write=0x1, added_word=0x0)
[#3] 0x555555b9ea0c ā ex_mkspell(eap=0x7fffffff9b30)
[#4] 0x555555817454 ā do_one_cmd(cmdlinep=0x7fffffff9e90, flags=0xb, cstack=0x7fffffff9fb0, fgetline=0x0, cookie=0x0)
[#5] 0x55555580e6f7 ā do_cmdline(cmdline=0x602000006050 "mksp! Xtest", fgetline=0x0, cookie=0x0, flags=0xb)
[#6] 0x55555580ca91 ā do_cmdline_cmd(cmd=0x602000006050 "mksp! Xtest")
[#7] 0x5555557b2730 ā execute_common(argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0, arg_off=0x0)
[#8] 0x5555557b2cc2 ā f_execute(argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0)
[#9] 0x5555557ad280 ā call_internal_func(name=0x602000006070 "execute", argcount=0x1, argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0)
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
poc download: <p><a href=āhttps://github.com/Janette88/vim/blob/main/poc2_null.datā>poc2_null.dat</a></p>
Related
veracode
veracode
Denial Of Service (DoS)
2022-08-30 00:18:22
ubuntucve
ubuntucve
CVE-2022-2923
2022-08-22 00:00:00
alpinelinux
alpinelinux
CVE-2022-2923
2022-08-22 21:15:00
debiancve
debiancve
CVE-2022-2923
2022-08-22 21:15:00
cnvd
cnvd
Vim code issue vulnerability (CNVD-2022-59199)
2022-08-24 00:00:00
redhatcve
redhatcve
CVE-2022-2923
2022-08-24 09:51:47
cbl_mariner
cbl_mariner
CVE-2022-2923 affecting package vim 9.0.0181-1
2022-09-17 05:56:39
CVE-2022-2923 affecting package vim for versions less than 9.0.0325-1
2022-09-16 06:05:42
osv
osv
CVE-2022-2923
2022-08-22 21:15:00
vim vulnerabilities
2023-04-04 08:58:38
prion
prion
Null pointer dereference
2022-08-22 21:15:00
cve
cve
CVE-2022-2923
2022-08-22 21:15:00
openvas
openvas
Slackware: Security Advisory (SSA:2022-237-01)
2022-08-26 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-3b33d04743)
2022-09-03 00:00:00
Huawei EulerOS: Security Advisory for vim (EulerOS-SA-2022-2923)
2022-12-30 00:00:00
slackware
slackware
[slackware-security] vim
2022-08-26 04:17:25
nessus
nessus
EulerOS Virtualization 2.10.0 : vim (EulerOS-SA-2022-2923)
2022-12-28 00:00:00
EulerOS 2.0 SP8 : vim (EulerOS-SA-2022-2810)
2022-12-08 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: vim-9.0.246-1.fc35
2022-09-01 09:56:13
redos
redos
ROS-20220909-01
2022-09-09 00:00:00
amazon
amazon
Low: vim
2022-10-17 21:46:00
cloudfoundry
cloudfoundry
USN-5995-1: Vim vulnerabilities | Cloud Foundry
2023-04-24 00:00:00
ubuntu
ubuntu
Vim vulnerabilities
2023-04-04 00:00:00
suse
suse
Security update for vim (important)
2022-09-09 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0380
2023-04-25 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0568
2023-04-19 00:00:00
mageia
mageia
Updated vim packages fix security vulnerability
2022-11-19 01:50:51
ibm
ibm
gentoo
gentoo
Vim, gVim: Multiple Vulnerabilities
2023-05-03 00:00:00
avleonov
avleonov
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
15.8%
Related for FD3A3AB8-AB0F-452F-AFEA-8C613E283FD2