Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-2923: NULL Pointer Dereference in function sug_filltree in vim

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0239.

CVE
#linux#dos#git

Description

NULL Pointer Dereference in function sug_filltree at vim/src/spellfile.c:5600.

vim version

git log
commit 4875d6ab068f09df88d24d81de40dcd8d56e243d (grafted, HEAD -> master, tag: v9.0.0224, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc2_null.dat -c :qa!
Segmentation fault (core dumped)

gdb debug info

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555b9f3f0 in sug_filltree (spin=0x7fffffff95c0, slang=0x62100001f500) at spellfile.c:5600
5600        if (curi[depth] > byts[arridx[depth]])

[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x007fffffff93b0  →  0x007fffffff9950  →  0x007fffffff99a0  →  0x0000000041b58ab3
$rcx   : 0x0               
$rdx   : 0x0               
$rsp   : 0x007fffffff8340  →  0x0062100001f500  →  0x0000000000000000
$rbp   : 0x007fffffff93d0  →  0x007fffffff9410  →  0x007fffffff9970  →  0x007fffffff9a40  →  0x007fffffff9db0  →  0x007fffffffa6b0  →  0x007fffffffa6d0  →  0x007fffffffa880
$rsi   : 0x1               
$rdi   : 0x0               
$rip   : 0x00555555b9f3f0  →  <sug_filltree+1115> movzx eax, BYTE PTR [rcx]
$r8    : 0x0               
$r9    : 0x000c507fff9020  →  0x0000000000000000
$r10   : 0x0               
$r11   : 0x108             
$r12   : 0x000ffffffff06e  →  0x0000000000000000
$r13   : 0x007fffffff8370  →  0x0000000041b58ab3
$r14   : 0x007fffffff8370  →  0x0000000041b58ab3
$r15   : 0x007fffffff9ae0  →  0x0000000041b58ab3
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffff8340│+0x0000: 0x0062100001f500  →  0x0000000000000000    ← $rsp
0x007fffffff8348│+0x0008: 0x007fffffff95c0  →  0x00628000008110  →  0x0000000000000000
0x007fffffff8350│+0x0010: 0xffffffff00000000
0x007fffffff8358│+0x0018: 0x0000000000000000
0x007fffffff8360│+0x0020: 0x0000000000000000
0x007fffffff8368│+0x0028: 0x0000000000000000
0x007fffffff8370│+0x0030: 0x0000000041b58ab3     ← $r13, $r14
0x007fffffff8378│+0x0038: 0x00555555eaeaa0  →  "5 32 1016 11 arridx:5569 1184 1016 9 curi:5570 233[...]"
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x555555b9f3e6 <sug_filltree+1105> je     0x555555b9f3f0 <sug_filltree+1115>
   0x555555b9f3e8 <sug_filltree+1107> mov    rdi, rax
   0x555555b9f3eb <sug_filltree+1110> call   0x55555568dba0 <__asan_report_load1@plt>
 → 0x555555b9f3f0 <sug_filltree+1115> movzx  eax, BYTE PTR [rcx]
   0x555555b9f3f3 <sug_filltree+1118> movzx  eax, al
   0x555555b9f3f6 <sug_filltree+1121> cmp    esi, eax
   0x555555b9f3f8 <sug_filltree+1123> jle    0x555555b9f599 <sug_filltree+1540>
   0x555555b9f3fe <sug_filltree+1129> mov    eax, DWORD PTR [rbp-0x1080]
   0x555555b9f404 <sug_filltree+1135> cdqe   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:spellfile.c+5600 ────
   5595      wordcount[0] = 0;
   5596  
   5597      depth = 0;
   5598      while (depth >= 0 && !got_int)
   5599      {
          // byts=0x007fffffff8360  →  0x0000000000000000, depth=0x0, arridx=0x007fffffff8390  →  0x0000000000000000, curi=0x007fffffff8810  →  0x0000000000000001
 → 5600     if (curi[depth] > byts[arridx[depth]])
   5601     {
   5602         // Done all bytes at this node, go up one level.
   5603         idxs[arridx[depth]] = wordcount[depth];
   5604         if (depth > 0)
   5605         wordcount[depth - 1] += wordcount[depth];
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "vim", stopped 0x555555b9f3f0 in sug_filltree (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555b9f3f0 → sug_filltree(spin=0x7fffffff95c0, slang=0x62100001f500)
[#1] 0x555555b9ed48 → spell_make_sugfile(spin=0x7fffffff95c0, wfname=0x621000017d00 "Xtest.utf-8.spl")
[#2] 0x555555ba2799 → mkspell(fcount=0x1, fnames=0x611000000400, ascii=0x0, over_write=0x1, added_word=0x0)
[#3] 0x555555b9ea0c → ex_mkspell(eap=0x7fffffff9b30)
[#4] 0x555555817454 → do_one_cmd(cmdlinep=0x7fffffff9e90, flags=0xb, cstack=0x7fffffff9fb0, fgetline=0x0, cookie=0x0)
[#5] 0x55555580e6f7 → do_cmdline(cmdline=0x602000006050 "mksp! Xtest", fgetline=0x0, cookie=0x0, flags=0xb)
[#6] 0x55555580ca91 → do_cmdline_cmd(cmd=0x602000006050 "mksp! Xtest")
[#7] 0x5555557b2730 → execute_common(argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0, arg_off=0x0)
[#8] 0x5555557b2cc2 → f_execute(argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0)
[#9] 0x5555557ad280 → call_internal_func(name=0x602000006070 "execute", argcount=0x1, argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

poc download: <p><a href="https://github.com/Janette88/vim/blob/main/poc2_null.dat">poc2_null.dat</a></p>

Impact

NULL Pointer Dereference in function generate_loadvar allows attackers to cause a denial of service (application crash) via a crafted input.

Related news

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.

Ubuntu Security Notice USN-5995-1

Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907