CVE-2021-3236: Lack of verification of wp->w_buffer causes null pointer references in ex_buffer_all() · Issue #7674 · vim/vim

Vim 8.2.2348 is affected by a null pointer dereference that allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.

To Reproduce

vim -u NONE -X -Z -e -s -S poc -c :qa!

Debug Info

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x935c60 --> 0x3f3
RBX: 0x1
RCX: 0x0
RDX: 0x3000 ('')
RSI: 0x62 ('b')
RDI: 0x0
RBP: 0x921600 --> 0x3f7
RSP: 0x7fffffff81e0 --> 0x7c ('|')
RIP: 0x412ec8 (<ex_buffer_all+168>: cmp DWORD PTR [rcx+0x78],0x1)
R8 : 0x0
R9 : 0x1
R10: 0x7ffff741d080 (<__strncmp_sse42+1328>: pslldq xmm2,0xb)
R11: 0x0
R12: 0x501
R13: 0x8f1ed0 --> 0x6c62006162 ('ba')
R14: 0x0
R15: 0x90cbd0 --> 0x3e9
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x412ebd <ex_buffer_all+157>: nop DWORD PTR [rax]
   0x412ec0 <ex_buffer_all+160>: mov rcx,QWORD PTR [rbp+0x8]
   0x412ec4 <ex_buffer_all+164>: mov r15,QWORD PTR [rbp+0x18]
=> 0x412ec8 <ex_buffer_all+168>: cmp DWORD PTR [rcx+0x78],0x1
   0x412ecc <ex_buffer_all+172>: jg 0x412f40 <ex_buffer_all+288>
   0x412ece <ex_buffer_all+174>: test BYTE PTR [rip+0x4d5cf7],0x2 # 0x8e8bcc <cmdmod+4>
   0x412ed5 <ex_buffer_all+181>: jne 0x412ef0 <ex_buffer_all+208>
   0x412ed7 <ex_buffer_all+183>: movsxd rcx,DWORD PTR [rbp+0xc8]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff81e0 --> 0x7c ('|')
0008| 0x7fffffff81e8 --> 0x270f
0016| 0x7fffffff81f0 --> 0x7f0100000000
0024| 0x7fffffff81f8 --> 0x4d6709 (<del_trailing_spaces+9>: add rax,rbx)
0032| 0x7fffffff8200 --> 0x8f1ed2 --> 0xbb980000006c6200
0040| 0x7fffffff8208 --> 0x0
0048| 0x7fffffff8210 --> 0x501
0056| 0x7fffffff8218 --> 0x8f1ed0 --> 0x6c62006162 ('ba')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
ex_buffer_all (eap=<optimized out>) at buffer.c:5161
5161        if ((wp->w_buffer->b_nwindows > 1
gdb-peda$

Stack trace:

#0  ex_buffer_all (eap=<optimized out>) at buffer.c:5161
#1  0x00000000004684ba in do_one_cmd (cmdlinep=0x7fffffff8258, flags=0x7, cstack=0x7fffffff8438, fgetline=0x409430 <getnextac>, cookie=0x7fffffff8bf0) at ex_docmd.c:2588
#2  do_cmdline (cmdline=<optimized out>, cmdline@entry=0x0, fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffff8bf0, flags=flags@entry=0x7) at ex_docmd.c:1003
#3  0x00000000004089d5 in apply_autocmds_group (event=event@entry=EVENT_BUFUNLOAD, fname=0x8f1e90 "/mnt/disk/out/vim_bak/vim-fuzzer-out/\261'\377\177", fname_io=<optimized out>, force=<optimized out>, force@entry=0x0, group=group@entry=0xfffffffd, buf=buf@entry=0x92f650, eap=0x0) at autocmd.c:2109
#4  0x0000000000409287 in apply_autocmds (event=EVENT_BUFADD, event@entry=EVENT_BUFUNLOAD, fname=0x62 <error: Cannot access memory at address 0x62>, fname_io=0x3000 <error: Cannot access memory at address 0x3000>, force=force@entry=0x0, buf=0x1, buf@entry=0x92f650) at autocmd.c:1621
#5  0x000000000040ba68 in buf_freeall (buf=0x92f650, flags=flags@entry=0x4) at buffer.c:803
#6  0x00000000004612b8 in do_ecmd (fnum=<optimized out>, fnum@entry=0x0, ffname=<optimized out>, ffname@entry=0x8f1591 "", sfname=<optimized out>, sfname@entry=0x0, eap=<optimized out>, eap@entry=0x7fffffffaf50, newlnum=newlnum@entry=0x1, flags=<optimized out>, oldwin=<optimized out>) at ex_cmds.c:2897
#7  0x000000000046d8ab in do_exedit (eap=eap@entry=0x7fffffffaf50, old_curwin=old_curwin@entry=0x0) at ex_docmd.c:6691
#8  0x000000000046fff7 in ex_open (eap=0x7fffffffaf50) at ex_docmd.c:6581
#9  0x00000000004684ba in do_one_cmd (cmdlinep=0x7fffffffaf28, flags=0x7, cstack=0x7fffffffb108, fgetline=0x5668a0 <getsourceline>, cookie=0x7fffffffb8a0) at ex_docmd.c:2588
#10 do_cmdline (cmdline=<optimized out>, cmdline@entry=0x903de0 "\223?", fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffffb8a0, flags=flags@entry=0x7) at ex_docmd.c:1003
#11 0x0000000000566685 in do_source (fname=<optimized out>, fname@entry=0x8f7e93 "tEBgHp/crashes/id:000002,sig:11,src:016627+022923,op:splice,rep:2", check_other=<optimized out>, check_other@entry=0x0, is_vimrc=is_vimrc@entry=0x0, ret_sid=<optimized out>, ret_sid@entry=0x0) at scriptfile.c:1401
#12 0x0000000000565df9 in cmd_source (fname=0x8f7e93 "tEBgHp/crashes/id:000002,sig:11,src:016627+022923,op:splice,rep:2", eap=<optimized out>) at scriptfile.c:971
#13 0x00000000004684ba in do_one_cmd (cmdlinep=0x7fffffffb998, flags=0xb, cstack=0x7fffffffbb78, fgetline=0x0, cookie=0x0) at ex_docmd.c:2588
#14 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, fgetline@entry=0x0, cookie=<optimized out>, cookie@entry=0x0, flags=flags@entry=0xb) at ex_docmd.c:1003
#15 0x0000000000468e1e in do_cmdline_cmd (cmd=0x0) at ex_docmd.c:592
#16 0x0000000000627a6d in exe_commands (parmp=<optimized out>) at main.c:3056
#17 vim_main2 () at main.c:760
#18 0x0000000000626bd2 in main (argc=<optimized out>, argc@entry=0xb, argv=<optimized out>, argv@entry=0x7fffffffe4b8) at main.c:412
#19 0x00007ffff72f7840 in __libc_start_main (main=0x6253a0 <main>, argc=0xb, argv=0x7fffffffe4b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4a8) at …/csu/libc-start.c:291
#20 0x0000000000404269 in _start ()

Environment:

  • Vim version: commit 9567efa
  • OS: Ubuntu 16.04

Additional context

Compile arguments:

#!/bin/bash -eux
export CC="clang-11"
export CXX="clang-11++"
cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make

PoC (attached): poc.gz

Credit: 1vanChen of NSFOCUS Security Team
