Отправить #630898: vim xxd vim-9.1.0000 and related xxd versions (latest master branch) Memory CorruptionИнформация

Названиеvim xxd vim-9.1.0000 and related xxd versions (latest master branch) Memory Corruption
Описание# XXD Simple Autoskip Memory Corruption Vulnerability ## Vulnerability Summary During fuzzing of the xxd (hex dump) utility, a critical memory corruption vulnerability was discovered in the autoskip mode processing logic. The vulnerability occurs when xxd processes specific input files with the autoskip flag (`-a`) enabled, leading to segmentation faults due to improper memory management during null-line detection and replacement operations. ## Technical Details - **Vulnerability Type**: Segmentation Fault / Memory Corruption - **Affected Function**: `__memmove_avx_unaligned_erms` - **Source File**: `memmove-vec-unaligned-erms.S` - **Line Number**: 317 - **Signal**: SIGSEGV (11) ## Vulnerability Mechanism and Root Cause This memory corruption vulnerability occurs in xxd's autoskip functionality when processing files with specific byte patterns. The root cause lies in improper boundary checking during null-line detection and the subsequent asterisk ('*') replacement operation. The vulnerability is triggered when: 1. xxd processes input file with `-a` (autoskip) flag enabled 2. The program encounters specific byte sequences that trigger the null-line detection algorithm 3. During the autoskip processing, the program attempts to replace consecutive null lines with a single '*' character 4. Due to improper buffer boundary validation, the replacement operation calculates incorrect memory offsets 5. A subsequent `memmove` operation attempts to copy data with invalid source/destination parameters 6. This results in an out-of-bounds memory access at `__memmove_avx_unaligned_erms+317` The memory corruption occurs when xxd tries to perform the asterisk replacement while managing the output buffer, leading to unsafe memory operations that access beyond allocated boundaries. ## GDB Debug Output ``` === PROGRAM_EXECUTION_START === [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317 === PROGRAM_EXECUTION_END === === PRIMARY_CRASH_DETECTION === Program status from 'info program': Using the running image of child Thread 0x7ffff7d81780 (LWP 841673). Program stopped at 0x7ffff7f247cd. It stopped with signal SIGSEGV, Segmentation fault. === SIGNAL_CRASH_DETECTED === Program terminated by signal - this is a genuine crash === FRAME_ANALYSIS === Valid frame found - program stopped at signal === BACKTRACE_ANALYSIS === #0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317 #1 0x0000555555561a1d in ?? () #2 0x000055555555fdb2 in ?? () #3 0x00007ffff7dadd90 in __libc_start_call_main (main=main@entry=0x55555555d0b0, argc=argc@entry=3, argv=argv@entry=0x7fffffffe448) at ../sysdeps/nptl/libc_start_call_main.h:58 #4 0x00007ffff7dade40 in __libc_start_main_impl (main=0x55555555d0b0, argc=3, argv=0x7fffffffe448, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe438) at ../csu/libc-start.c:392 #5 0x00005555555593b5 in ?? () === RECURSION_ANALYSIS === Extracted 5 function names from stack trace === FINAL_STATUS_DETERMINATION === CONCLUSION: Program crashed due to signal This is a genuine crash requiring investigation 317 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory. ``` ## Proof of Concept The vulnerability can be triggered by executing xxd with autoskip mode on input files containing specific byte patterns that trigger the null-line detection vulnerability. **POC Download**: [POC_xxd_autoskip_segfault](https://drive.google.com/file/d/1iFbTpW79vqBPkFjWYzGYIh_E6esPhYVY/view?usp=sharing) ## Reproduction Steps 1. Compile xxd with debugging symbols enabled 2. Execute: `./xxd -a POC_xxd_autoskip_segfault` 3. The program will crash with a segmentation fault in memmove operation ## Affected Versions vim-9.1.0000 and related xxd versions (latest master branch) **Credit** - Xudong Cao (UCAS) - Meng Xu (UW)
Источник⚠️ https://github.com/vim/vim/issues/17940
Пользователь
 Anonymous User
Представление08.08.2025 20:04 (11 месяцы назад)
Модерация23.08.2025 17:24 (15 days later)
Статуспринято
Запись VulDB321222 [vim 9.1.0000 memmove-vec-unaligned-erms.S __memmove_avx_unaligned_erms повреждение памяти]
Баллы20

Interested in the pricing of exploits?

See the underground prices here!