NULL Pointer Dereference in function do_mouse

2022-08-2202:50:50

janette88

www.huntr.dev

vim

security

segmentation_fault

gdb

pointer_dereference

source_code

thread_debugging

proof_of_concept

version_control

commit

segmentation_fault

stack trace

instruction_pointer

code_injection

EPSS

0.001

Percentile

39.7%

JSON

Description

NULL Pointer Dereference in function do_mouse at vim/src/mouse.c:496 .

vim version

git log
commit 171c683237149262665135c7d5841a89bb156f53 (HEAD -&gt; master, tag: v9.0.0242, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc3_null.dat -c :qa!
Segmentation fault (core dumped)

gdb log

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000055555598dee4 in do_mouse (oap=0x7fffffffbf30, c=0xffffd303, dir=0xffffffff, count=0x1, fixindent=0x0) at mouse.c:496
496		    c1 = TabPageIdxs[mouse_col];

[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x007fffffffbd20  →  0x0000000000000000
$rcx   : 0x0               
$rdx   : 0x0               
$rsp   : 0x007fffffffbba0  →  0x0000000000000000
$rbp   : 0x007fffffffbd50  →  0x007fffffffbd70  →  0x007fffffffbed0  →  0x007fffffffc040  →  0x007fffffffc060  →  0x007fffffffc200  →  0x007fffffffc570  →  0x007fffffffce70
$rsi   : 0x0               
$rdi   : 0x1               
$rip   : 0x0055555598dee4  →  &lt;do_mouse+4540&gt; movzx eax, WORD PTR [rcx]
$r8    : 0x0               
$r9    : 0x007fffffffbde0  →  0x00007fff00000000
$r10   : 0x007ffff65a3000  →  0x007ffff7fb8000  →  0x007ffff7709398  →  0x007ffff76a16e0  →  &lt;__sanitizer::ThreadContextBase::OnDead()+0&gt; endbr64 
$r11   : 0xd0              
$r12   : 0x000ffffffff784  →  0x0000000000000000
$r13   : 0x007fffffffbc20  →  0x0000000041b58ab3
$r14   : 0x007fffffffbdb0  →  0x0000000041b58ab3
$r15   : 0x007fffffffbc20  →  0x0000000041b58ab3
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffbba0│+0x0000: 0x0000000000000000	 ← $rsp
0x007fffffffbba8│+0x0008: 0x0000000000000001
0x007fffffffbbb0│+0x0010: 0xffffd303ffffffff
0x007fffffffbbb8│+0x0018: 0x007fffffffbf30  →  0x0000000000000000
0x007fffffffbbc0│+0x0020: 0x00555555df3590  →  &lt;init_chartabsize_arg+0&gt; endbr64 
0x007fffffffbbc8│+0x0028: 0x0000000000000000
0x007fffffffbbd0│+0x0030: 0x0a24026c97468bed
0x007fffffffbbd8│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x55555598deda &lt;do_mouse+4530&gt;  je     0x55555598dee4 &lt;do_mouse+4540&gt;
   0x55555598dedc &lt;do_mouse+4532&gt;  mov    rdi, rax
   0x55555598dedf &lt;do_mouse+4535&gt;  call   0x55555568d980 &lt;__asan_report_load2@plt&gt;
 → 0x55555598dee4 &lt;do_mouse+4540&gt;  movzx  eax, WORD PTR [rcx]
   0x55555598dee7 &lt;do_mouse+4543&gt;  cwde   
   0x55555598dee8 &lt;do_mouse+4544&gt;  mov    DWORD PTR [rbp-0x180], eax
   0x55555598deee &lt;do_mouse+4550&gt;  cmp    DWORD PTR [rbp-0x180], 0x0
   0x55555598def5 &lt;do_mouse+4557&gt;  js     0x55555598dfc1 &lt;do_mouse+4761&gt;
   0x55555598defb &lt;do_mouse+4563&gt;  lea    rax, [rip+0x6e337e]        # 0x555556071280 &lt;mod_mask&gt;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:mouse.c+496 ────
    491	 		&& cmdwin_type == 0
    492	 # endif
    493	 		&& mouse_col &lt; Columns)
    494	 	{
    495	 	    in_tab_line = TRUE;
              // c1=-0x68b97413
 →  496	 	    c1 = TabPageIdxs[mouse_col];
    497	 	    if (c1 &gt;= 0)
    498	 	    {
    499	 		if ((mod_mask & MOD_MASK_MULTI_CLICK) == MOD_MASK_2CLICK)
    500	 		{
    501	 		    // double click opens new page
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "vim", stopped 0x55555598dee4 in do_mouse (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x55555598dee4 → do_mouse(oap=0x7fffffffbf30, c=0xffffd303, dir=0xffffffff, count=0x1, fixindent=0x0)
[#1] 0x5555559989af → nv_mouse(cap=0x7fffffffbe20)
[#2] 0x5555559b8641 → normal_cmd(oap=0x7fffffffbf30, toplevel=0x1)
[#3] 0x55555583b6de → exec_normal(was_typed=0x0, use_vpeekc=0x0, may_use_terminal_loop=0x0)
[#4] 0x55555583b49d → exec_normal_cmd(cmd=0x611000000b84 "&lt;", remap=0x0, silent=0x0)
[#5] 0x55555583ad41 → ex_normal(eap=0x7fffffffc2f0)
[#6] 0x555555817569 → do_one_cmd(cmdlinep=0x7fffffffc650, flags=0x7, cstack=0x7fffffffc770, fgetline=0x555555b33f8b &lt;getsourceline&gt;, cookie=0x7fffffffd030)
[#7] 0x55555580e80c → do_cmdline(cmdline=0x6110000002c0 "tabnew", fgetline=0x555555b33f8b &lt;getsourceline&gt;, cookie=0x7fffffffd030, flags=0x7)
[#8] 0x555555b31dd4 → do_source_ext(fname=0x604000000213 "/home/fuzz/test/poc3_null.dat", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0)
[#9] 0x555555b32f06 → do_source(fname=0x604000000213 "/home/fuzz/test/poc3_null.dat", check_other=0x0, is_vimrc=0x0, ret_sid=0x0)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  p TabPageIdxs[mouse_col]
Cannot access memory at address 0x0
gef➤