Untrusted Pointer Dereference in vim/vim


Reported on

Dec 21st 2021


Untrusted Pointer Dereference leading to a segmentation fault in vim_regexec_multi () at regexp.c:2896

Proof of Concept

./vim -u NONE -X -Z -e -s -S POC1 -c ':qa!'



Program received signal SIGSEGV, Segmentation fault.
RAX: 0x14 
RBX: 0x7fffffff8520 --> 0x9 ('\t')
RCX: 0x14 
RDX: 0x2 
RSI: 0x10007fff7000 --> 0x0 
RDI: 0x7fffffff87e0 --> 0x0 
RBP: 0x7fffffff87a0 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 --> 0x7fffffffb980 --> 0x7fffffffb9f0 (--> ...)
RSP: 0x7fffffff8420 --> 0x41b58ab3 
RIP: 0xa54c3b (<vim_regexec_multi+635>: cmp    DWORD PTR [rax],0x0)
R8 : 0x625000002900 --> 0x3e8 
R9 : 0x625000005100 --> 0x9 ('\t')
R10: 0x4 
R11: 0x0 
R12: 0x0 
R13: 0xffffffff0fc --> 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
   0xa54c28 <vim_regexec_multi+616>:    mov    rdi,QWORD PTR [rbx+0x148]
   0xa54c2f <vim_regexec_multi+623>:    call   0x49c430 <__asan_report_load4>
   0xa54c34 <vim_regexec_multi+628>:    mov    rax,QWORD PTR [rbx+0x148]
=> 0xa54c3b <vim_regexec_multi+635>:    cmp    DWORD PTR [rax],0x0
   0xa54c3e <vim_regexec_multi+638>:    je     0xa54c75 <vim_regexec_multi+693>
   0xa54c44 <vim_regexec_multi+644>:    movabs rdi,0x1172840
   0xa54c4e <vim_regexec_multi+654>:    call   0x41d310 <gettext@plt>
   0xa54c53 <vim_regexec_multi+659>:    mov    rdi,rax
0000| 0x7fffffff8420 --> 0x41b58ab3 
0008| 0x7fffffff8428 --> 0x100b3cb ("1 32 160 13 rex_save:2892")
0016| 0x7fffffff8430 --> 0xa549c0 (<vim_regexec_multi>: push   rbp)
0024| 0x7fffffff8438 --> 0x7fffffffb180 --> 0x615000000d00 --> 0xbebebebefbad2488 
0032| 0x7fffffff8440 --> 0x7fffffff8480 --> 0x7fffffff8980 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 (--> ...)
0040| 0x7fffffff8448 --> 0x4c5d0e (<lalloc+174>:    mov    QWORD PTR [rbp-0x20],rax)
0048| 0x7fffffff8450 --> 0x614000000840 --> 0x619024800004 --> 0x0 
0056| 0x7fffffff8458 --> 0xfffffc4300000001 
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
2896        if (rmp->regprog->re_in_use)
gdb-peda$ bt
#0  0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
#1  0x00000000006b45ab in ex_global (eap=0x7fffffff8bc0) at ex_cmds.c:4976
#2  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffa100, flags=0x7, cstack=0x7fffffffa120, fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180) at ex_docmd.c:2572
#3  0x00000000006c0a9d in do_cmdline (cmdline=0x611000000680 "", fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180, flags=0x7) at ex_docmd.c:994
#4  0x0000000000b25523 in do_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", check_other=0x0, 
    is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1420
#5  0x0000000000b228eb in cmd_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", eap=0x7fffffffba60)
    at scriptfile.c:985
#6  0x0000000000b22641 in ex_source (eap=0x7fffffffba60) at scriptfile.c:1011
#7  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffcfa0, flags=0xb, cstack=0x7fffffffcfc0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2572
#8  0x00000000006c0a9d in do_cmdline (cmdline=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", fgetline=0x0, 
    cookie=0x0, flags=0xb) at ex_docmd.c:994
#9  0x00000000006c40b4 in do_cmdline_cmd (cmd=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2")
    at ex_docmd.c:588
#10 0x0000000000f39719 in exe_commands (parmp=0x1a99e80 <params>) at main.c:3080
#11 0x0000000000f36873 in vim_main2 () at main.c:774
#12 0x0000000000f2f64d in main (argc=0xb, argv=0x7fffffffe2d8) at main.c:426
#13 0x00007ffff7be10b3 in __libc_start_main (main=0xf2ee20 <main>, argc=0xb, argv=0x7fffffffe2d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:308
#14 0x000000000041da9e in _start ()


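This vulnerability is capable of crashing software, bypassing protection mechanisms, modifying memory, and possibly remote execution. Note that the trace above demonstrates only the crash: the faulting instruction is a 4-byte read at address 0x14 (the value in RAX) while evaluating `rmp->regprog->re_in_use`, which is consistent with `rmp->regprog` being NULL.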

We are processing your report and will contact the vim team within 24 hours. 2 years ago
We have contacted a member of the vim team and are waiting to hear back 2 years ago
Bram Moolenaar
2 years ago

The POC is mostly garbage. Please reduce it to the minimum to reproduce the issue.

2 years ago


The minimal PoC is here: URL. Thank you.

Bram Moolenaar
2 years ago

I can reproduce the crash now. The regexp pattern is recompiled, which fails, and then the NULL pointer is used.

Bram Moolenaar validated this vulnerability 2 years ago
zfeixq has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bram Moolenaar
2 years ago

I made a fix in Patch 8.2.3883. Unfortunately I have not been able to turn the POC into a test that fails without the fix. But I can see that the fix works for the POC.

Bram Moolenaar marked this as fixed in 8.2 with commit 5937c7 2 years ago
Bram Moolenaar has been awarded the fix bounty