Headline
CVE-2022-2923: NULL Pointer Dereference in function sug_filltree in vim
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0239.
Description
NULL Pointer Dereference in function sug_filltree at vim/src/spellfile.c:5600.
vim version
git log
commit 4875d6ab068f09df88d24d81de40dcd8d56e243d (grafted, HEAD -> master, tag: v9.0.0224, origin/master, origin/HEAD)
Proof of Concept
./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc2_null.dat -c :qa!
Segmentation fault (core dumped)
gdb debug info
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000555555b9f3f0 in sug_filltree (spin=0x7fffffff95c0, slang=0x62100001f500) at spellfile.c:5600
5600 if (curi[depth] > byts[arridx[depth]])
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0
$rbx : 0x007fffffff93b0 → 0x007fffffff9950 → 0x007fffffff99a0 → 0x0000000041b58ab3
$rcx : 0x0
$rdx : 0x0
$rsp : 0x007fffffff8340 → 0x0062100001f500 → 0x0000000000000000
$rbp : 0x007fffffff93d0 → 0x007fffffff9410 → 0x007fffffff9970 → 0x007fffffff9a40 → 0x007fffffff9db0 → 0x007fffffffa6b0 → 0x007fffffffa6d0 → 0x007fffffffa880
$rsi : 0x1
$rdi : 0x0
$rip : 0x00555555b9f3f0 → <sug_filltree+1115> movzx eax, BYTE PTR [rcx]
$r8 : 0x0
$r9 : 0x000c507fff9020 → 0x0000000000000000
$r10 : 0x0
$r11 : 0x108
$r12 : 0x000ffffffff06e → 0x0000000000000000
$r13 : 0x007fffffff8370 → 0x0000000041b58ab3
$r14 : 0x007fffffff8370 → 0x0000000041b58ab3
$r15 : 0x007fffffff9ae0 → 0x0000000041b58ab3
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffff8340│+0x0000: 0x0062100001f500 → 0x0000000000000000 ← $rsp
0x007fffffff8348│+0x0008: 0x007fffffff95c0 → 0x00628000008110 → 0x0000000000000000
0x007fffffff8350│+0x0010: 0xffffffff00000000
0x007fffffff8358│+0x0018: 0x0000000000000000
0x007fffffff8360│+0x0020: 0x0000000000000000
0x007fffffff8368│+0x0028: 0x0000000000000000
0x007fffffff8370│+0x0030: 0x0000000041b58ab3 ← $r13, $r14
0x007fffffff8378│+0x0038: 0x00555555eaeaa0 → "5 32 1016 11 arridx:5569 1184 1016 9 curi:5570 233[...]"
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x555555b9f3e6 <sug_filltree+1105> je 0x555555b9f3f0 <sug_filltree+1115>
0x555555b9f3e8 <sug_filltree+1107> mov rdi, rax
0x555555b9f3eb <sug_filltree+1110> call 0x55555568dba0 <__asan_report_load1@plt>
→ 0x555555b9f3f0 <sug_filltree+1115> movzx eax, BYTE PTR [rcx]
0x555555b9f3f3 <sug_filltree+1118> movzx eax, al
0x555555b9f3f6 <sug_filltree+1121> cmp esi, eax
0x555555b9f3f8 <sug_filltree+1123> jle 0x555555b9f599 <sug_filltree+1540>
0x555555b9f3fe <sug_filltree+1129> mov eax, DWORD PTR [rbp-0x1080]
0x555555b9f404 <sug_filltree+1135> cdqe
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:spellfile.c+5600 ────
5595 wordcount[0] = 0;
5596
5597 depth = 0;
5598 while (depth >= 0 && !got_int)
5599 {
// byts=0x007fffffff8360 → 0x0000000000000000, depth=0x0, arridx=0x007fffffff8390 → 0x0000000000000000, curi=0x007fffffff8810 → 0x0000000000000001
→ 5600 if (curi[depth] > byts[arridx[depth]])
5601 {
5602 // Done all bytes at this node, go up one level.
5603 idxs[arridx[depth]] = wordcount[depth];
5604 if (depth > 0)
5605 wordcount[depth - 1] += wordcount[depth];
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "vim", stopped 0x555555b9f3f0 in sug_filltree (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555b9f3f0 → sug_filltree(spin=0x7fffffff95c0, slang=0x62100001f500)
[#1] 0x555555b9ed48 → spell_make_sugfile(spin=0x7fffffff95c0, wfname=0x621000017d00 "Xtest.utf-8.spl")
[#2] 0x555555ba2799 → mkspell(fcount=0x1, fnames=0x611000000400, ascii=0x0, over_write=0x1, added_word=0x0)
[#3] 0x555555b9ea0c → ex_mkspell(eap=0x7fffffff9b30)
[#4] 0x555555817454 → do_one_cmd(cmdlinep=0x7fffffff9e90, flags=0xb, cstack=0x7fffffff9fb0, fgetline=0x0, cookie=0x0)
[#5] 0x55555580e6f7 → do_cmdline(cmdline=0x602000006050 "mksp! Xtest", fgetline=0x0, cookie=0x0, flags=0xb)
[#6] 0x55555580ca91 → do_cmdline_cmd(cmd=0x602000006050 "mksp! Xtest")
[#7] 0x5555557b2730 → execute_common(argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0, arg_off=0x0)
[#8] 0x5555557b2cc2 → f_execute(argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0)
[#9] 0x5555557ad280 → call_internal_func(name=0x602000006070 "execute", argcount=0x1, argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
poc download: poc2_null.dat (https://github.com/Janette88/vim/blob/main/poc2_null.dat)
Impact
NULL Pointer Dereference in function generate_loadvar allows attackers to cause a denial of service (application crash) via a crafted input.
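The gdb dump above shows the loop at spellfile.c:5600 reading `byts[arridx[depth]]` while `byts` is NULL, i.e. the case-folded word tree was never built before sug_filltree walked it. The block below is an added example written for this page, not vim's own code and not the upstream fix: a simplified model of that iterative arridx/curi walk over a constructed byts/idxs pair, which rejects a missing tree (and corrupt indices) with an error return instead of dereferencing NULL. The tree layout, the MAX_DEPTH cap, the tree_t type and the sample data are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not vim's code: a minimal model of the word-tree walk that
 * crashed at spellfile.c:5600 (`curi[depth] > byts[arridx[depth]]` with
 * byts == NULL), plus the guard that walk was missing.  Assumed layout:
 * byts[node] holds the byte count of a node, the bytes follow it, and
 * idxs[node + i] holds the child node index; a 0 byte ends a word.
 */

#define MAX_DEPTH 16            /* hypothetical cap on tree depth */

typedef struct {
    const unsigned char *byts;  /* NULL when no tree was built (e.g. empty .dic) */
    const int *idxs;
    size_t len;                 /* number of entries in byts/idxs */
} tree_t;

/* Constructed sample tree holding the words "ab" and "ac". */
static const unsigned char sample_byts[] = { 1, 'a', 2, 'b', 'c', 1, 0, 1, 0 };
static const int           sample_idxs[] = { 0,  2,  0,  5,  7,  0, 0, 0, 0 };
const tree_t sample_tree = { sample_byts, sample_idxs, sizeof sample_byts };

/* The state the PoC reached: the arrays were never allocated. */
const tree_t empty_tree = { NULL, NULL, 0 };

/*
 * Walk the tree iteratively the way the original loop does and count the
 * words it contains.  Returns -1 instead of dereferencing a missing tree
 * or following an out-of-range index.
 */
int count_words(const tree_t *t)
{
    int arridx[MAX_DEPTH];      /* node index per depth */
    int curi[MAX_DEPTH];        /* next byte position within that node */
    int depth = 0;
    int words = 0;

    /* The guard the crash shows is missing: reject a tree that was never built. */
    if (t == NULL || t->byts == NULL || t->idxs == NULL || t->len == 0)
        return -1;

    arridx[0] = 0;
    curi[0] = 1;
    while (depth >= 0)
    {
        size_t node = (size_t)arridx[depth];
        if (node >= t->len)
            return -1;                       /* corrupt child index */

        if (curi[depth] > t->byts[node])
        {
            /* Done all bytes at this node, go up one level. */
            --depth;
            continue;
        }

        size_t n = node + (size_t)curi[depth]++;
        if (n >= t->len)
            return -1;                       /* byte count overruns the array */

        unsigned char c = t->byts[n];
        if (c == 0)
            ++words;                         /* end-of-word marker */
        else if (depth + 1 < MAX_DEPTH)
        {
            ++depth;                         /* descend into the child node */
            arridx[depth] = t->idxs[n];
            curi[depth] = 1;
        }
        else
            return -1;                       /* deeper than the state arrays track */
    }
    return words;
}

int main(void)
{
    printf("sample tree: %d words\n", count_words(&sample_tree));  /* 2 */
    printf("empty tree:  %d\n", count_words(&empty_tree));          /* -1 */
    return 0;
}
```

The point of the guard is where it sits: the NULL check happens once, before the loop touches `byts`, so a dictionary that produced no tree degrades to an error the caller can report rather than a SIGSEGV inside the traversal.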
Related news
Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.
Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.