Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-1674: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in vim

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.

CVE
#linux#dos#git

Description

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.

vim version

git log
commit b370771bffc8395204f53209b69e35dff95a9237 (HEAD -> master, tag: v8.2.4922, origin/master, origin/HEAD)

POC

./vim -u NONE -X -Z -e -s -S ./poc_n2_s.dat -c :qa!
Segmentation fault

poc_n2_s.dat

GDB

─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000d24622 in vim_regexec_string (rmp=0x7fffffff8900, line=0x606000002d20 "/home/fuzz/vim/vim/src/0000000", '\265' <repeats 17 times>, "s000", col=0, nl=0) at regexp.c:2733
2733        if (rmp->regprog->re_in_use)
─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x0000000000d24607  vim_regexec_string+567 cmp    %cl,%al
 0x0000000000d24609  vim_regexec_string+569 jl     0xd2461b <vim_regexec_string+587>
 0x0000000000d2460f  vim_regexec_string+575 mov    0x118(%rbx),%rdi
 0x0000000000d24616  vim_regexec_string+582 callq  0x4a1350 <__asan_report_load4>
 0x0000000000d2461b  vim_regexec_string+587 mov    0x118(%rbx),%rax
 0x0000000000d24622  vim_regexec_string+594 cmpl   $0x0,(%rax)
 0x0000000000d24625  vim_regexec_string+597 je     0xd2468c <vim_regexec_string+700>
 0x0000000000d2462b  vim_regexec_string+603 mov    0x1764630,%ecx
 0x0000000000d24632  vim_regexec_string+610 mov    $0x172b120,%rax
 0x0000000000d24639  vim_regexec_string+617 mov    (%rax),%rax
─── Breakpoints ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     rax 0x0000000000000014      rbx 0x00007fffffff8600      rcx 0x0000000000000000      rdx 0x0000000000000000     rsi 0x0000606000002d20        rdi 0x00007fffffff8900
     rbp 0x00007fffffff87f0      rsp 0x00007fffffff8500       r8 0x0000000002061840       r9 0x000000000000e537     r10 0x000000000000e512        r11 0x000000000000e500
     r12 0x000000000041fe30      r13 0x00007fffffffe370      r14 0x0000000000005605      r15 0x0000000000005600     rip 0x0000000000d24622     eflags [ PF ZF IF RF ]
      cs 0x00000033               ss 0x0000002b               ds 0x00000000               es 0x00000000              fs 0x00000000                 gs 0x00000000
─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 2728      int        result;
 2729      regexec_T    rex_save;
 2730      int        rex_in_use_save = rex_in_use;
 2731
 2732      // Cannot use the same prog recursively, it contains state.
 2733      if (rmp->regprog->re_in_use)
 2734      {
 2735      emsg(_(e_cannot_use_pattern_recursively));
 2736      return FALSE;
 2737      }
─── Stack ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x0000000000d24622 in vim_regexec_string+594 at regexp.c:2733
[1] from 0x0000000000d250da in vim_regexec+90 at regexp.c:2816
[2] from 0x000000000053f206 in fname_match+454 at buffer.c:2958
[3] from 0x000000000051afd4 in buflist_match+324 at buffer.c:2936
[4] from 0x0000000000515835 in buflist_findpat+4053 at buffer.c:2656
[5] from 0x00000000007f7eee in do_one_cmd+50910 at ex_docmd.c:2532
[6] from 0x00000000007e54f6 in do_cmdline+14134 at ex_docmd.c:992
[7] from 0x0000000000e8be2d in do_source_ext+13725 at scriptfile.c:1674
[8] from 0x0000000000e88887 in do_source+103 at scriptfile.c:1801
[9] from 0x0000000000e881bd in cmd_source+2317 at scriptfile.c:1174
[+]
─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 579181 name vim from 0x0000000000d24622 in vim_regexec_string+594 at regexp.c:2733
─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg rmp = 0x7fffffff8900: {regprog = 0x0,startp = {[0] = 0x7fffffff8c88 "\025", [1] = 0x6110000007d1 …, line = 0x606000002d20 "/home/fuzz/vim/vim/src/0000000", '\265' <repeats 17 times>, "s000": 47 '/', col = 0, nl = 0
loc result = -1, rex_save = {reg_match = 0x618000002f00,reg_mmatch = 0x100ff7860,reg_startp = 0x618000002f00,reg_endp = 0x2ffff7…, rex_in_use_save = 0
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
>>> p rmp->regprog
$1 = (regprog_T *) 0x0
>>>

Impact

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.

Related news

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.

Ubuntu Security Notice USN-5995-1

Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

CVE-2022-26730: About the security content of macOS Ventura 13

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

Gentoo Linux Security Advisory 202208-32

Gentoo Linux Security Advisory 202208-32 - Multiple vulnerabilities have been discovered in Vim, the worst of which could result in denial of service. Versions less than 9.0.0060 are affected.

CVE-2022-1674: NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in vim

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907