Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-1620: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in vim

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.

CVE
#linux#dos#git

Description

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.

POC

./vim -u NONE -X -Z -e -s -S ./poc_n.dat -c :qa!
Segmentation fault

poc_n.dat

GDB

─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000d21602 in vim_regexec_string (rmp=0x7fffffff8aa0, line=0x606000003bc0 "/home/fuzz/fuzz-vim/vim-master/src/3\312) 00cmd\217brea\340\353", <incomplete sequence \373>, col=0, nl=0) at regexp.c:2729
2729        if (rmp->regprog->re_in_use)
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x0000000000d215e7  vim_regexec_string+567 cmp    %cl,%al
 0x0000000000d215e9  vim_regexec_string+569 jl     0xd215fb <vim_regexec_string+587>
 0x0000000000d215ef  vim_regexec_string+575 mov    0x118(%rbx),%rdi
 0x0000000000d215f6  vim_regexec_string+582 callq  0x4a1350 <__asan_report_load4>
 0x0000000000d215fb  vim_regexec_string+587 mov    0x118(%rbx),%rax
 0x0000000000d21602  vim_regexec_string+594 cmpl   $0x0,(%rax)
 0x0000000000d21605  vim_regexec_string+597 je     0xd2166c <vim_regexec_string+700>
 0x0000000000d2160b  vim_regexec_string+603 mov    0x175ed04,%ecx
 0x0000000000d21612  vim_regexec_string+610 mov    $0x17259e0,%rax
 0x0000000000d21619  vim_regexec_string+617 mov    (%rax),%rax
─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    rax 0x0000000000000014     rbx 0x00007fffffff87a0     rcx 0x0000000000000000    rdx 0x0000000000000000    rsi 0x0000606000003bc0    rdi 0x00007fffffff8aa0    rbp 0x00007fffffff89a0    rsp 0x00007fffffff86a0        r8 0x000000000205be00
     r9 0x000000000000e4bc     r10 0x000000000000e404     r11 0x000000000000e400    r12 0x000000000041fe30    r13 0x00007fffffffe500    r14 0x0000000000005604    r15 0x0000000000005600    rip 0x0000000000d21602    eflags [ PF ZF IF RF ]
     cs 0x00000033              ss 0x0000002b              ds 0x00000000             es 0x00000000             fs 0x00000000             gs 0x00000000
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 2724      int        result;
 2725      regexec_T    rex_save;
 2726      int        rex_in_use_save = rex_in_use;
 2727
 2728      // Cannot use the same prog recursively, it contains state.
 2729      if (rmp->regprog->re_in_use)
 2730      {
 2731      emsg(_(e_cannot_use_pattern_recursively));
 2732      return FALSE;
 2733      }
─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x0000000000d21602 in vim_regexec_string+594 at regexp.c:2729
[1] from 0x0000000000d220ba in vim_regexec+90 at regexp.c:2812
[2] from 0x000000000053f2ae in fname_match+622 at buffer.c:2964
[3] from 0x000000000051afd4 in buflist_match+324 at buffer.c:2936
[4] from 0x0000000000515835 in buflist_findpat+4053 at buffer.c:2656
[5] from 0x00000000007f739e in do_one_cmd+50910 at ex_docmd.c:2532
[6] from 0x00000000007e49a6 in do_cmdline+14134 at ex_docmd.c:992
[7] from 0x0000000000e88e0d in do_source_ext+13725 at scriptfile.c:1674
[8] from 0x0000000000e85867 in do_source+103 at scriptfile.c:1801
[9] from 0x0000000000e8519d in cmd_source+2317 at scriptfile.c:1174
[+]
─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 2521650 name vim from 0x0000000000d21602 in vim_regexec_string+594 at regexp.c:2729
─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg rmp = 0x7fffffff8aa0: {regprog = 0x0,startp = {[0] = 0x7fffffff8e28 "\025", [1] = 0x6110000007e5 …, line = 0x606000003bc0 "/home/fuzz/fuzz-vim/vim-master/src/3\312) 00cmd\217brea\340\353", <incomplete sequen…, col = 0, nl = 0
loc result = 32767, rex_save = {reg_match = 0x619000001c78,reg_mmatch = 0x100ff7a00,reg_startp = 0x619000001c78,reg_endp = 0x2ffff7…, rex_in_use_save = 0
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
>>> p rmp->regprog
$1 = (regprog_T *) 0x0

Impact

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.

Related news

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE-2022-26730: About the security content of macOS Ventura 13

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

Ubuntu Security Notice USN-5613-2

Ubuntu Security Notice 5613-2 - USN-5613-1 fixed vulnerabilities in Vim. Unfortunately that update failed to include binary packages for some architectures. This update fixes that regression. It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution. It was discovered that Vim was not properly performing checks on name of lambda functions. An attacker could possibly use this issue to cause a denial of service. This issue affected only Ubuntu 22.04 LTS. It was discovered that Vim was incorrectly performing bounds checks when processing invalid...

Ubuntu Security Notice USN-5613-1

Ubuntu Security Notice 5613-1 - It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution.

Gentoo Linux Security Advisory 202208-32

Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.

Ubuntu Security Notice USN-5460-1

Ubuntu Security Notice 5460-1 - It was discovered that Vim was incorrectly processing Vim buffers. An attacker could possibly use this issue to perform illegal memory access and expose sensitive information. It was discovered that Vim was not properly performing bounds checks for column numbers when replacing tabs with spaces or spaces with tabs, which could cause a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907