segmentation fault in function f_fullcommand in vim/vim
Valid
Reported on Sep 2nd 2023
Description
segmentation fault in function f_fullcommand at ex_docmd.c:4101
Proof of Concept
valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_seg -c :qa!
==14662== Memcheck, a memory error detector
==14662== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==14662== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==14662== Command: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_seg -c :qa!
==14662==
==14662== Invalid read of size 1
==14662== at 0x730244: f_fullcommand (ex_docmd.c:4101)
==14662== by 0x67C4F4: call_internal_func (evalfunc.c:3110)
==14662== by 0x1127074: call_func (userfunc.c:3852)
==14662== by 0x11277C7: get_func_tv (userfunc.c:1943)
==14662== by 0x5FFD4C: eval_func (eval.c:2368)
==14662== by 0x620DD7: eval9 (eval.c:4273)
==14662== by 0x627BB7: eval8 (eval.c:3833)
==14662== by 0x627BB7: eval7 (eval.c:3637)
==14662== by 0x627BB7: eval6 (eval.c:3416)
==14662== by 0x627BB7: eval5 (eval.c:3305)
==14662== by 0x627BB7: eval4 (eval.c:3156)
==14662== by 0x62A015: eval3 (eval.c:3017)
==14662== by 0x62A015: eval2 (eval.c:2891)
==14662== by 0x62A015: eval1 (eval.c:2737)
==14662== by 0x62CF15: eval0_retarg (eval.c:2646)
==14662== by 0x63232A: eval0 (eval.c:2581)
==14662== by 0x63232A: eval_to_string_eap (eval.c:621)
==14662== by 0xD95656: get_expr_line (register.c:154)
==14662== by 0x7947F3: cmdline_handle_ctrl_bsl (ex_getln.c:849)
==14662== by 0x7947F3: getcmdline_int (ex_getln.c:1924)
==14662== Address 0xa is not stack'd, malloc'd or (recently) free'd
==14662==
==14662==
==14662== Process terminating with default action of signal 11 (SIGSEGV)
==14662== at 0x59CC657: kill (in /usr/lib64/libc-2.17.so)
==14662== by 0xBB86A4: may_core_dump (os_unix.c:3587)
==14662== by 0xBB86A4: mch_exit (os_unix.c:3553)
==14662== by 0x13FD30A: getout (main.c:1777)
==14662== by 0xBB1522: deathtrap (os_unix.c:1234)
==14662== by 0x59CC3FF: ??? (in /usr/lib64/libc-2.17.so)
==14662== by 0x730243: f_fullcommand (ex_docmd.c:4101)
==14662== by 0x67C4F4: call_internal_func (evalfunc.c:3110)
==14662== by 0x1127074: call_func (userfunc.c:3852)
==14662== by 0x11277C7: get_func_tv (userfunc.c:1943)
==14662== by 0x5FFD4C: eval_func (eval.c:2368)
==14662== by 0x620DD7: eval9 (eval.c:4273)
==14662== by 0x627BB7: eval8 (eval.c:3833)
==14662== by 0x627BB7: eval7 (eval.c:3637)
==14662== by 0x627BB7: eval6 (eval.c:3416)
==14662== by 0x627BB7: eval5 (eval.c:3305)
==14662== by 0x627BB7: eval4 (eval.c:3156)
==14662==
==14662== HEAP SUMMARY:
==14662== in use at exit: 98,341 bytes in 407 blocks
==14662== total heap usage: 1,868 allocs, 1,461 frees, 4,667,955 bytes allocated
==14662==
==14662== LEAK SUMMARY:
==14662== definitely lost: 0 bytes in 0 blocks
==14662== indirectly lost: 0 bytes in 0 blocks
==14662== possibly lost: 0 bytes in 0 blocks
==14662== still reachable: 98,341 bytes in 407 blocks
==14662== suppressed: 0 bytes in 0 blocks
==14662== Rerun with --leak-check=full to see details of leaked memory
==14662==
==14662== For lists of detected and suppressed errors, rerun with: -s
==14662== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
The version of vim is 9.0.1672.
Here is the PoC: https://github.com/fizz-is-on-the-way/poc_vim/blob/main/poc_seg?raw=true
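Crash triage of the Valgrind output above, as an added Python example that is not part of the report or of vim's own tooling: it parses memcheck error records, pulls out the first (faulting) frame and the reported address, and sorts the error into a coarse bucket. The "Address 0xa is not stack'd, malloc'd or (recently) free'd" line is the tell-tale of a NULL pointer whose field at a small offset was read, which is what the classifier reports for this trace. SAMPLE_TRACE is a trimmed copy of the report's output embedded as constructed input, and NEAR_NULL_LIMIT is an assumed heuristic threshold.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: a trimmed copy of the memcheck output in the report
# (PID, addresses and file:line values are taken from the report as printed).
SAMPLE_TRACE = """\
==14662== Memcheck, a memory error detector
==14662== Command: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_seg -c :qa!
==14662==
==14662== Invalid read of size 1
==14662==    at 0x730244: f_fullcommand (ex_docmd.c:4101)
==14662==    by 0x67C4F4: call_internal_func (evalfunc.c:3110)
==14662==    by 0x1127074: call_func (userfunc.c:3852)
==14662==  Address 0xa is not stack'd, malloc'd or (recently) free'd
==14662==
==14662==
==14662== Process terminating with default action of signal 11 (SIGSEGV)
==14662==    at 0x59CC657: kill (in /usr/lib64/libc-2.17.so)
==14662== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
"""

# Line shapes produced by memcheck (indentation may be lost when pasted, so \s+).
ERROR_RE = re.compile(
    r"^==\d+== (Invalid (?:read|write) of size \d+"
    r"|Use of uninitialised value.*|Conditional jump.*|Jump to the invalid address.*)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \(([^)]+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.*)$")
BLANK_RE = re.compile(r"^==\d+==\s*$")
SUMMARY_RE = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors")

# Assumed heuristic: faulting addresses below this are treated as NULL plus a
# small field offset, i.e. an unchecked NULL pointer dereference.
NEAR_NULL_LIMIT = 0x1000


@dataclass
class Frame:
    pc: int
    function: str
    location: str  # "file.c:line" or "in /path/to/lib.so"


@dataclass
class MemcheckError:
    kind: str
    frames: List[Frame] = field(default_factory=list)
    address: Optional[int] = None
    address_note: str = ""


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Collect each memcheck error record with its stack frames and address line."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            current = MemcheckError(kind=m.group(1))
            errors.append(current)
            continue
        if current is None:
            continue  # frames outside an error record (e.g. the SIGSEGV exit trace)
        m = FRAME_RE.match(line)
        if m:
            current.frames.append(Frame(int(m.group(1), 16), m.group(2), m.group(3)))
            continue
        m = ADDR_RE.match(line)
        if m:
            current.address = int(m.group(1), 16)
            current.address_note = m.group(2)
            continue
        if BLANK_RE.match(line):
            current = None  # an empty "==PID==" line closes the record
    return errors


def classify(err: MemcheckError) -> str:
    """Coarse triage bucket derived from the address line memcheck printed."""
    note = err.address_note
    if err.address is not None and err.address < NEAR_NULL_LIMIT:
        return "null-deref"          # NULL + field offset, typically an unchecked pointer
    if "free'd" in note and not note.startswith("not "):
        return "use-after-free"      # "... inside a block of size N free'd"
    if "alloc'd" in note and ("after" in note or "before" in note):
        return "heap-out-of-bounds"  # "... N bytes after a block of size M alloc'd"
    if err.address is not None:
        return "wild-pointer"        # neither stack, heap nor recently freed
    return "uninitialised-or-other"


def summary_error_count(text: str) -> int:
    """Number of errors memcheck counted in its ERROR SUMMARY line (0 if absent)."""
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            return int(m.group(1))
    return 0


def triage(text: str) -> Dict[str, object]:
    """One-line-style verdict for the first error in a memcheck log."""
    errors = parse_memcheck(text)
    if not errors:
        return {"errors": 0}
    first = errors[0]
    top = first.frames[0] if first.frames else None
    return {
        "errors": summary_error_count(text),
        "kind": first.kind,
        "function": top.function if top else None,
        "location": top.location if top else None,
        "address": first.address,
        "bucket": classify(first),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

Feeding a full log rather than the excerpt works the same way; only the first record is summarised by triage(), while parse_memcheck() returns every record so repeated crashes across a corpus of PoC files can be grouped by function and bucket.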
Impact
This vulnerability is capable of crashing the software, modifying memory, and possibly enabling remote execution.
We are processing your report and will contact the vim team within 24 hours.
19 days ago
fizz-is-on-the-way modified the report
19 days ago
Here is the PoC: https://github.com/fizz-is-on-the-way/poc_vim/blob/main/poc_seg?raw=true
Thanks. Should be fixed now with https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5
fizz-is-on-the-way has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7