Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade vim/vim to version 8.2.5163 or higher.
Affected versions of this package are vulnerable to NULL Pointer Dereference in the function diff_check.
guest@elk:~/trung/vim2/src$ valgrind ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/guest/trung/poc/poc22 -c :qa!
==4357== Memcheck, a memory error detector
==4357== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4357== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==4357== Command: ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/guest/trung/poc/poc22 -c :qa!
==4357==
debug= define=^\s*#\s*define dictionary= diffexpr= diffopt=internal,filler,closeoff directory=.,~/tmp,/var/tmp,/tmp display=
==4357== Invalid read of size 8
==4357== at 0x16CA0B: diff_check (diff.c:1923)
==4357== by 0x16BE02: diff_redraw (diff.c:684)
==4357== by 0x16C832: ex_diffupdate (diff.c:1001)
==4357== by 0x16CA46: diff_check (diff.c:1917)
==4357== by 0x16BE02: diff_redraw (diff.c:684)
==4357== by 0x16BF9D: diff_buf_delete (diff.c:122)
==4357== by 0x149DF3: buf_freeall (buffer.c:851)
==4357== by 0x14B9C7: close_buffer (buffer.c:676)
==4357== by 0x266C0C: wipe_qf_buffer (quickfix.c:1972)
==4357== by 0x266C0C: ll_free_all (quickfix.c:2005)
==4357== by 0x26B233: qf_free_all (quickfix.c:2025)
==4357== by 0x34E7AF: win_free (window.c:5252)
==4357== by 0x35108A: win_free_mem (window.c:2941)
==4357== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4357==
==4357==
==4357== Process terminating with default action of signal 11 (SIGSEGV)
==4357== at 0x5851177: kill (syscall-template.S:78)
==4357== by 0x254A47: may_core_dump (os_unix.c:3448)
==4357== by 0x254A47: mch_exit (os_unix.c:3484)
==4357== by 0x37FD2A: getout (main.c:1737)
==4357== by 0x5850F0F: ??? (in /lib/x86_64-linux-gnu/libc-2.27.so)
==4357== by 0x16CA0A: diff_check (diff.c:1923)
==4357== by 0x16BE02: diff_redraw (diff.c:684)
==4357== by 0x16C832: ex_diffupdate (diff.c:1001)
==4357== by 0x16CA46: diff_check (diff.c:1917)
==4357== by 0x16BE02: diff_redraw (diff.c:684)
==4357== by 0x16BF9D: diff_buf_delete (diff.c:122)
==4357== by 0x149DF3: buf_freeall (buffer.c:851)
==4357== by 0x14B9C7: close_buffer (buffer.c:676)
==4357==
==4357== HEAP SUMMARY:
==4357== in use at exit: 424,339 bytes in 1,303 blocks
==4357== total heap usage: 8,647 allocs, 7,344 frees, 5,819,314 bytes allocated
==4357==
==4357== LEAK SUMMARY:
==4357== definitely lost: 18,224 bytes in 13 blocks
==4357== indirectly lost: 0 bytes in 0 blocks
==4357== possibly lost: 0 bytes in 0 blocks
==4357== still reachable: 406,115 bytes in 1,290 blocks
==4357== suppressed: 0 bytes in 0 blocks
==4357== Rerun with --leak-check=full to see details of leaked memory
==4357==
==4357== For counts of detected and suppressed errors, rerun with: -v
==4357== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
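An added triage example (not part of the advisory or of Vim's code): a small parser for Memcheck output like the trace above. It flags an invalid access near address 0 as a NULL dereference and lists functions that appear more than once on the stack, as diff_check and diff_redraw do here. The function name triage, the 0x1000 cutoff and the abridged sample are assumptions made for the example.

```python
import re

# Constructed sample: first error block of the Memcheck trace above, abridged.
SAMPLE = """\
==4357== Invalid read of size 8
==4357== at 0x16CA0B: diff_check (diff.c:1923)
==4357== by 0x16BE02: diff_redraw (diff.c:684)
==4357== by 0x16C832: ex_diffupdate (diff.c:1001)
==4357== by 0x16CA46: diff_check (diff.c:1917)
==4357== by 0x16BE02: diff_redraw (diff.c:684)
==4357== by 0x16BF9D: diff_buf_delete (diff.c:122)
==4357== by 0x149DF3: buf_freeall (buffer.c:851)
==4357== Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

PREFIX = re.compile(r"^==\d+==\s*")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:()]+):(\d+)\)$")
ADDR = re.compile(r"^Address (0x[0-9A-Fa-f]+) is ")


def triage(log, null_page=0x1000):
    """Summarise the first invalid access reported in a Memcheck log."""
    access = size = address = None
    frames = []
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if access is None:
            m = ERROR.match(line)
            if m:
                access, size = m.group(1), int(m.group(2))
        elif (m := FRAME.match(line)):
            frames.append((m.group(1), m.group(2), int(m.group(3))))
        elif (m := ADDR.match(line)):
            address = int(m.group(1), 16)
            break  # the Address line closes the first error block
    names = [f[0] for f in frames]
    return {
        "access": access, "size": size, "address": address,
        # Assumption: faults below null_page are offsets from a NULL pointer.
        "null_deref": address is not None and address < null_page,
        "fault": frames[0] if frames else None,
        # Functions seen more than once on the stack: re-entrant call chain.
        "reentrant": [n for n in dict.fromkeys(names) if names.count(n) > 1],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The re-entrancy list is the useful part for this trace: diff_check at diff.c:1917 reaches ex_diffupdate, which redraws and re-enters diff_check, where the read at diff.c:1923 faults.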