NULL Pointer Dereference in function utfc_ptr2len in vim/vim

Valid

Reported on Feb 9th 2023


Description

NULL Pointer Dereference in function utfc_ptr2len at mbyte.c:2145 allows attackers to cause a denial of service (application crash) via a crafted input.

vim version

commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 (HEAD -> master, tag: v9.0.1293, origin/master, origin/HEAD)
Author: Yegappan Lakshmanan <yegappan@yahoo.com>
Date:   Thu Feb 9 12:23:17 2023 +0000

    patch 9.0.1293: the set_num_option() is too long

    Problem:    The set_num_option() is too long.
    Solution:   Move code to separate functions. (Yegappan Lakshmanan,
                closes #11954)

Proof of Concept

➜  src git:(master) ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa!
[1]    29650 segmentation fault  ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa!

Debug info

pwndbg> r -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa!
Starting program: /root/test/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa!
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555699519 in utfc_ptr2len (p=0x0) at mbyte.c:2145
2145        int     b0 = *p;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
*RBX  0x55555595ad70 ◂— 0x5
 RCX  0x0
 RDX  0x0
 RDI  0x0
*RSI  0x1
*R8   0x20f5d46a556c2
*R9   0x7fffffffb314 ◂— 0x5587847b00007fff
*R10  0x7fffffffb340 ◂— 0x63e4e959
 R11  0x0
*R12  0x7fffffffe3f8 —▸ 0x7fffffffe6ea ◂— '/root/test/vim/src/vim'
*R13  0x5555558878e6 (main) ◂— endbr64
*R14  0x555555902038 (__do_global_dtors_aux_fini_array_entry) —▸ 0x55555558aac0 (__do_global_dtors_aux) ◂— endbr64
*R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
*RBP  0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
*RSP  0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ...
*RIP  0x555555699519 (utfc_ptr2len+20) ◂— movzx eax, byte ptr [rax]
───────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x555555699519 <utfc_ptr2len+20>    movzx  eax, byte ptr [rax]
   0x55555569951c <utfc_ptr2len+23>    movzx  eax, al
   0x55555569951f <utfc_ptr2len+26>    mov    dword ptr [rbp - 4], eax
   0x555555699522 <utfc_ptr2len+29>    cmp    dword ptr [rbp - 4], 0
   0x555555699526 <utfc_ptr2len+33>    jne    utfc_ptr2len+45                <utfc_ptr2len+45>
    ↓
   0x555555699532 <utfc_ptr2len+45>    cmp    dword ptr [rbp - 4], 0x7f
   0x555555699536 <utfc_ptr2len+49>    jg     utfc_ptr2len+76                <utfc_ptr2len+76>
    ↓
   0x555555699551 <utfc_ptr2len+76>    mov    rax, qword ptr [rbp - 0x18]
   0x555555699555 <utfc_ptr2len+80>    mov    rdi, rax
   0x555555699558 <utfc_ptr2len+83>    call   utf_ptr2len                <utf_ptr2len>

   0x55555569955d <utfc_ptr2len+88>    mov    dword ptr [rbp - 0xc], eax
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
In file: /root/test/vim/src/mbyte.c
   2140  */
   2141     int
   2142 utfc_ptr2len(char_u *p)
   2143 {
   2144     int                len;
   2145     int                b0 = *p;
   2146 #ifdef FEAT_ARABIC
   2147     int                prevlen;
   2148 #endif
   2149
   2150     if (b0 == NUL)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ...
01:0008│     0x7fffffffb458 ◂— 0x0
02:0010│     0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
03:0018│     0x7fffffffb468 —▸ 0x555555638c90 (putcmdline+100) ◂— mov eax, dword ptr [rbp - 4]
04:0020│ rbp 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
05:0028│     0x7fffffffb478 —▸ 0x555555638d0c (unputcmdline+101) ◂— mov edx, eax
06:0030│     0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 —▸ 0x7fffffffb5f0 ◂— ...
07:0038│     0x7fffffffb488 —▸ 0x55555565e74b (vgetorpeek+3187) ◂— jmp 0x55555565e752
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x555555699519 utfc_ptr2len+20
   f 1   0x555555638d0c unputcmdline+101
   f 2   0x55555565e74b vgetorpeek+3187
   f 3   0x55555565b8a6 vgetc+250
   f 4   0x55555565bf9e safe_vgetc+17
   f 5   0x5555556aec0f get_number+126
   f 6   0x5555556aedd7 prompt_for_number+115
   f 7   0x55555578f2b8 spell_suggest+2101

Poc

https://raw.githubusercontent.com/khoanguyenxuan/testing/main/poc.dat

Impact

NULL Pointer Dereference in function utfc_ptr2len allows attackers to cause a denial of service (application crash) via a crafted input.
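The crash pattern above, as an added illustration that is not Vim's code: the debug output shows utfc_ptr2len() reading *p as its first statement (mbyte.c:2145) while the unputcmdline() frame hands it p = 0x0, so the dereference itself is the fault. The constructed model below uses assumed names (cmdline_state, utf8_lead_len, char_len_unguarded, char_len_guarded, cursor_char_len) and a simplified lead-byte length rule standing in for utf_ptr2len(); it places the unguarded form next to a guarded one that treats a missing command-line buffer as an empty string.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the crash pattern in the report: command-line state
 * whose buffer pointer may be NULL, and a length helper that, like
 * utfc_ptr2len(), begins with `int b0 = *p;`. All names are assumptions for
 * illustration, not Vim's own identifiers. */

typedef struct {
    unsigned char *cmdbuff;   /* NULL when no command line is active */
    int            cmdpos;    /* byte offset of the cursor into cmdbuff */
} cmdline_state;

/* Byte length of the UTF-8 sequence introduced by lead byte b0, judged from
 * the lead byte alone (simplified stand-in for utf_ptr2len(); continuation
 * bytes are not validated). */
static int utf8_lead_len(unsigned char b0)
{
    if (b0 < 0x80) return 1;           /* ASCII */
    if ((b0 & 0xE0) == 0xC0) return 2;
    if ((b0 & 0xF0) == 0xE0) return 3;
    if ((b0 & 0xF8) == 0xF0) return 4;
    return 1;                          /* stray continuation or invalid lead byte */
}

/* Unguarded form: the first statement reads through p unconditionally.
 * With p == NULL this is the SIGSEGV at utfc_ptr2len+20 in the backtrace. */
int char_len_unguarded(const unsigned char *p)
{
    int b0 = *p;
    if (b0 == 0)
        return 0;                      /* NUL terminates the string */
    return utf8_lead_len((unsigned char)b0);
}

/* Hardened form: a NULL pointer is treated like an empty string. */
int char_len_guarded(const unsigned char *p)
{
    if (p == NULL || *p == 0)
        return 0;
    return utf8_lead_len(*p);
}

/* Caller in the shape of the unputcmdline() frame: byte length of the
 * character under the cursor. It never forms cmdbuff + cmdpos from a NULL
 * base, so the helper is reached only with a real pointer. */
int cursor_char_len(const cmdline_state *cl)
{
    if (cl == NULL || cl->cmdbuff == NULL || cl->cmdpos < 0)
        return 0;
    return char_len_guarded(cl->cmdbuff + cl->cmdpos);
}

int main(void)
{
    /* Constructed sample: "a", then U+00E9 (2 bytes), then U+20AC (3 bytes). */
    unsigned char text[] = "a\xC3\xA9\xE2\x82\xAC";
    cmdline_state live = { text, 0 };
    cmdline_state none = { NULL, 0 };  /* the state that crashed Vim */

    for (int pos = 0; text[pos] != 0; ) {
        live.cmdpos = pos;
        int n = cursor_char_len(&live);
        printf("offset %d: %d byte(s)\n", pos, n);
        pos += n;
    }
    printf("no command line: %d byte(s)\n", cursor_char_len(&none));
    return 0;
}
```

Which layer owns the check is the design choice: the callee guard makes the helper safe for every caller, while the caller guard avoids computing an offset from a NULL base at all, which C already leaves undefined before any read happens. Building with -fsanitize=address or -fsanitize=undefined turns the bare segmentation fault from the PoC into a report naming the faulting line, which is the quicker way to triage such inputs.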

We are processing your report and will contact the vim team within 24 hours. (a year ago)
We have contacted a member of the vim team and are waiting to hear back. (a year ago)

Khoa (Researcher), a year ago:

This issue still exists in the latest version. Thanks.

Bram Moolenaar validated this vulnerability (a year ago):

I can reproduce the crash.

khoanguyenxuan has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Bram Moolenaar marked this as fixed in 9.0.1392 with commit 7ac502 (a year ago).
Bram Moolenaar has been awarded the fix bounty.
This vulnerability has now been published. (a year ago)