Lucene search
Abysslab2F08363A-47A2-422D-A7DE-CE96A89AD08EHistoryJul 15, 2022 - 6:15 a.m.
Undefined behavior in diff_write_buffer()
2022-07-1506:15:10
abysslab
www.huntr.dev
9
0.001 Low
EPSS
Percentile
35.0%
Description
Undefined behavior.
(commit hash: 99af91e5820c78a196c9272cd8ce5aa5be7bf374)
It may occur heap-buffer-overflow.
Proof of Concept
Download POC file
POC
GDB
gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S undefined_poc -c :qa!
0000089bd31 in diff_write_buffer (buf=0x62500000f100, din=<optimized out>)
at diff.c:755
#3 diff_write (buf=0x62500000f100, din=0x7fffffff9000) at diff.c:827
#4 0x000000000085f358 in diff_try_update (dio=0x7fffffff9000, idx_orig=0x0, eap=0x0)
at diff.c:888
#5 0x0000000000859daa in ex_diffupdate (eap=0x0) at diff.c:991
#6 0x000000000084f327 in diff_check (wp=0x625000014100, lnum=0x1) at diff.c:1923
#7 0x000000000083cc97 in diff_redraw (dofold=<optimized out>) at diff.c:690
#8 0x000000000088fc47 in ex_diffgetput (eap=0x7fffffff9468) at diff.c:2991
#9 0x00000000008851fd in nv_diffgetput (put=<optimized out>, count=0x0) at diff.c:2642
#10 0x000000000149a452 in normal_cmd (oap=0x7fffffff97e0, toplevel=0x1) at normal.c:939
#11 0x0000000000d2f445 in exec_normal (was_typed=<optimized out>, use_vpeekc=0x0,
may_use_terminal_loop=0x0) at ex_docmd.c:8794
#12 0x0000000000d2ac98 in exec_normal_cmd (cmd=<optimized out>, remap=<optimized out>,
silent=0x0) at ex_docmd.c:8777
#13 ex_normal (eap=0x7fffffff9c70) at ex_docmd.c:8695
#14 0x0000000000c7d2be in do_one_cmd (cmdlinep=<optimized out>, flags=0x7,
cstack=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>)
at ex_docmd.c:2570
#15 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>,
cookie=<optimized out>, flags=0x7) at ex_docmd.c:992
#16 0x0000000001c8046e in do_source_ext (
fname=0x6080000004a3 "out/fuzz02/crashes/id:000025,sig:11,src:024149,time:211790218,execs:3659384,op:havoc,rep:8", check_other=0xffffab90, is_vimrc=0x680, ret_sid=0x0,
eap=<optimized out>, clearvars=0x0) at scriptfile.c:1674
#17 0x0000000001c7a1ac in do_source (fname=<optimized out>, check_other=0x0,
is_vimrc=0x0, ret_sid=0x606000000f20) at scriptfile.c:1801
#18 cmd_source (
fname=0x6080000004a3 "out/fuzz02/crashes/id:000025,sig:11,src:024149,time:211790218,execs:3659384,op:havoc,rep:8", eap=0x7fffffffae10) at scriptfile.c:1174
#19 0x0000000000c7d2be in do_one_cmd (cmdlinep=<optimized out>, flags=0xb,
cstack=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>)
at ex_docmd.c:2570
#20 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>,
cookie=<optimized out>, flags=0xb) at ex_docmd.c:992
#21 0x0000000002a4b348 in exe_commands (parmp=<optimized out>) at main.c:3133
#22 vim_main2 () at main.c:780
#23 0x0000000002a409c9 in main (argc=0x2, argc@entry=0xf, argv=<optimized out>,
argv@entry=0x7fffffffe428) at main.c:432
#24 0x00007ffff6bf8bf7 in __libc_start_main (main=0x2a34a40 <main>, argc=0xf,
argv=0x7fffffffe428, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe418) at ../csu/libc-start.c:310
#25 0x000000000041c2aa in _start ()
Valgrind
valgrind src/vim -u NONE -i NONE -n -m -X -Z -e -s -S undefined_poc -c :qa!
==19670== Conditional jump or move depends on uninitialised value(s)
==19670== at 0x554E31: check_string_option (optionstr.c:324)
==19670== by 0x52BF96: check_winopt (option.c:5773)
==19670== by 0x551EEA: check_win_options (option.c:5726)
==19670== by 0x551EEA: set_init_1 (option.c:341)
==19670== by 0x9AE63E: common_init (main.c:990)
==19670== by 0x15E4D4: main (main.c:185)
==19670==
==19670== Conditional jump or move depends on uninitialised value(s)
==19670== at 0x554E31: check_string_option (optionstr.c:324)
==19670== by 0x52BFA2: check_winopt (option.c:5774)
==19670== by 0x551EEA: check_win_options (option.c:5726)
==19670== by 0x551EEA: set_init_1 (option.c:341)
==19670== by 0x9AE63E: common_init (main.c:990)
==19670== by 0x15E4D4: main (main.c:185)
==19670==
==19670==
==19670== More than 1000 different errors detected. I'm not reporting any more.
==19670== Final error counts will be inaccurate. Go fix your program!
==19670== Rerun with --error-limit=no to disable this cutoff. Note
==19670== that errors may occur in your program without prior warning from
==19670== Valgrind, because errors are no longer being displayed.
==19670==
debug= define=^\s*#\s*define dictionary= diffexpr= diffopt=internal,filler,closeoff directory=.,~/tmp,/var/tmp,/tmp display=
==19670==
==19670== Process terminating with default action of signal 11 (SIGSEGV)
==19670== at 0x4A593DB: kill (syscall-template.S:78)
==19670== by 0x5635D2: may_core_dump (os_unix.c:3519)
==19670== by 0x56C179: mch_exit (os_unix.c:3485)
==19670== by 0x9B12BE: getout (main.c:1737)
==19670== by 0x4A5908F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
==19670== by 0x483EF45: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==19670== by 0x200084: diff_write_buffer (diff.c:755)
==19670== by 0x200084: diff_write (diff.c:827)
==19670== by 0x2018E7: diff_try_update (diff.c:888)
==19670== by 0x20CABD: ex_diffupdate (diff.c:991)
==19670== by 0x20D08A: diff_check (diff.c:1923)
==19670== by 0x20A063: diff_redraw (diff.c:690)
==19670== by 0x214066: ex_diffgetput (diff.c:2991)
==19670==
==19670== HEAP SUMMARY:
==19670== in use at exit: 2,287,429 bytes in 983 blocks
==19670== total heap usage: 6,946 allocs, 5,963 frees, 7,398,161 bytes allocated
==19670==
==19670== LEAK SUMMARY:
==19670== definitely lost: 5,664 bytes in 4 blocks
==19670== indirectly lost: 0 bytes in 0 blocks
==19670== possibly lost: 0 bytes in 0 blocks
==19670== still reachable: 2,281,765 bytes in 979 blocks
==19670== suppressed: 0 bytes in 0 blocks
==19670== Rerun with --leak-check=full to see details of leaked memory
==19670==
==19670== Use --track-origins=yes to see where uninitialised values come from
==19670== For lists of detected and suppressed errors, rerun with: -s
==19670== ERROR SUMMARY: 28632 errors from 1000 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
Related
alpinelinux
alpinelinux
CVE-2022-2598
2022-08-01 15:15:09
cbl_mariner
cbl_mariner
CVE-2022-2598 affecting package vim for versions less than 9.0.0325-1
2022-09-16 06:05:42
CVE-2022-2598 affecting package vim 9.0.0050-1
2022-08-24 22:05:06
cve
cve
CVE-2022-2598
2022-08-01 15:15:09
redhatcve
redhatcve
CVE-2022-2598
2022-08-09 13:37:44
prion
prion
Cross site scripting
2022-08-01 15:15:00
veracode
veracode
Denial Of Service (DoS)
2022-08-11 06:30:47
debiancve
debiancve
CVE-2022-2598
2022-08-01 15:15:09
nvd
nvd
CVE-2022-2598
2022-08-01 15:15:09
cnvd
cnvd
vim diff_write_buffer function buffer overflow vulnerability
2022-08-04 00:00:00
ubuntucve
ubuntucve
CVE-2022-2598
2022-08-01 00:00:00
cvelist
cvelist
CVE-2022-2598 Out-of-bounds Write to API in vim/vim
2022-08-01 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for vim (EulerOS-SA-2022-2949)
2022-12-30 00:00:00
Huawei EulerOS: Security Advisory for vim (EulerOS-SA-2022-2923)
2022-12-30 00:00:00
Huawei EulerOS: Security Advisory for vim (EulerOS-SA-2022-2671)
2022-11-03 00:00:00
nessus
nessus
EulerOS 2.0 SP10 : vim (EulerOS-SA-2022-2671)
2022-11-02 00:00:00
EulerOS Virtualization 2.10.1 : vim (EulerOS-SA-2022-2949)
2022-12-28 00:00:00
EulerOS 2.0 SP10 : vim (EulerOS-SA-2022-2703)
2022-11-02 00:00:00
cloudfoundry
cloudfoundry
USN-6302-1: Vim vulnerabilities | Cloud Foundry
2023-10-05 00:00:00
ubuntu
ubuntu
Vim vulnerabilities
2023-08-21 00:00:00
osv
osv
vim vulnerabilities
2023-08-21 05:45:06
vim - security update
2022-11-08 00:00:00
suse
suse
Security update for vim (important)
2022-09-09 00:00:00
debian
debian
[SECURITY] [DLA 3182-1] vim security update
2022-11-08 14:54:53
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0380
2023-04-25 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0568
2023-04-19 00:00:00
mageia
mageia
Updated vim packages fix security vulnerability
2022-11-19 01:50:51
avleonov
avleonov