| 标题 | vim xxd vim-9.1.0000 and related xxd versions (latest master branch) Memory Corruption |
|---|
| 描述 | # XXD Simple Autoskip Memory Corruption Vulnerability
## Vulnerability Summary
During fuzzing of the xxd (hex dump) utility, a critical memory corruption vulnerability was discovered in the autoskip mode processing logic. The vulnerability occurs when xxd processes specific input files with the autoskip flag (`-a`) enabled, leading to segmentation faults due to improper memory management during null-line detection and replacement operations.
## Technical Details
- **Vulnerability Type**: Segmentation Fault / Memory Corruption
- **Affected Function**: `__memmove_avx_unaligned_erms`
- **Source File**: `memmove-vec-unaligned-erms.S`
- **Line Number**: 317
- **Signal**: SIGSEGV (11)
## Vulnerability Mechanism and Root Cause
This memory corruption vulnerability occurs in xxd's autoskip functionality when processing files with specific byte patterns. The root cause lies in improper boundary checking during null-line detection and the subsequent asterisk ('*') replacement operation.
The vulnerability is triggered when:
1. xxd processes input file with `-a` (autoskip) flag enabled
2. The program encounters specific byte sequences that trigger the null-line detection algorithm
3. During the autoskip processing, the program attempts to replace consecutive null lines with a single '*' character
4. Due to improper buffer boundary validation, the replacement operation calculates incorrect memory offsets
5. A subsequent `memmove` operation attempts to copy data with invalid source/destination parameters
6. This results in an out-of-bounds memory access at `__memmove_avx_unaligned_erms+317`
The memory corruption occurs when xxd tries to perform the asterisk replacement while managing the output buffer, leading to unsafe memory operations that access beyond allocated boundaries.
## GDB Debug Output
```
=== PROGRAM_EXECUTION_START ===
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317
=== PROGRAM_EXECUTION_END ===
=== PRIMARY_CRASH_DETECTION ===
Program status from 'info program':
Using the running image of child Thread 0x7ffff7d81780 (LWP 841673).
Program stopped at 0x7ffff7f247cd.
It stopped with signal SIGSEGV, Segmentation fault.
=== SIGNAL_CRASH_DETECTED ===
Program terminated by signal - this is a genuine crash
=== FRAME_ANALYSIS ===
Valid frame found - program stopped at signal
=== BACKTRACE_ANALYSIS ===
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317
#1 0x0000555555561a1d in ?? ()
#2 0x000055555555fdb2 in ?? ()
#3 0x00007ffff7dadd90 in __libc_start_call_main (main=main@entry=0x55555555d0b0, argc=argc@entry=3, argv=argv@entry=0x7fffffffe448) at ../sysdeps/nptl/libc_start_call_main.h:58
#4 0x00007ffff7dade40 in __libc_start_main_impl (main=0x55555555d0b0, argc=3, argv=0x7fffffffe448, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe438) at ../csu/libc-start.c:392
#5 0x00005555555593b5 in ?? ()
=== RECURSION_ANALYSIS ===
Extracted 5 function names from stack trace
=== FINAL_STATUS_DETERMINATION ===
CONCLUSION: Program crashed due to signal
This is a genuine crash requiring investigation
317 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
```
## Proof of Concept
The vulnerability can be triggered by executing xxd with autoskip mode on input files containing specific byte patterns that trigger the null-line detection vulnerability.
**POC Download**: [POC_xxd_autoskip_segfault](https://drive.google.com/file/d/1iFbTpW79vqBPkFjWYzGYIh_E6esPhYVY/view?usp=sharing)
## Reproduction Steps
1. Compile xxd with debugging symbols enabled
2. Execute: `./xxd -a POC_xxd_autoskip_segfault`
3. The program will crash with a segmentation fault in memmove operation
## Affected Versions
vim-9.1.0000 and related xxd versions (latest master branch)
**Credit**
- Xudong Cao (UCAS)
- Meng Xu (UW) |
|---|
| 来源 | ⚠️ https://github.com/vim/vim/issues/17940 |
|---|
| 用户 | Anonymous User |
|---|
| 提交 | 2025-08-08 20時04分 (11 月前) |
|---|
| 管理 | 2025-08-23 17時24分 (15 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 321222 [vim 9.1.0000 memmove-vec-unaligned-erms.S __memmove_avx_unaligned_erms 内存损坏] |
|---|
| 积分 | 20 |
|---|