Created attachment 1749745 [details] Two PoCs are provided. To reproduce: ```shell vim -u NONE -X -Z -e -s -S poc -c :qa! ``` Debug info: ```shell /src/vim# gdb --args src/vim -u NONE -X -Z -e -s -S /mnt/disk/out/vim/vim-fuzzer-out/hAmWF0/crashes/id:000051,sig:11,src:059805+047186,op:splice,rep:2 -c :qa! Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x0 RBX: 0x0 RCX: 0x1ea8 RDX: 0x21 ('!') RSI: 0x8f1090 --> 0x3e8 RDI: 0x92a290 --> 0x3ef RBP: 0x21 ('!') RSP: 0x7fffffffadf0 --> 0x91d680 --> 0x0 RIP: 0x5f9206 (<win_init+38>: add DWORD PTR [rax+0x78],0x1) R8 : 0x7ffff769bc98 --> 0x7ffff769bc88 --> 0x7ffff769bc78 --> 0x7ffff769bc68 --> 0x7ffff769bc58 --> 0x7ffff769bc48 (--> ...) R9 : 0x0 R10: 0x7ffff769bb78 --> 0x92dc60 --> 0x929f90 ("MM,n:>,fb:-") R11: 0x7ffff769bb78 --> 0x92dc60 --> 0x929f90 ("MM,n:>,fb:-") R12: 0x8f1090 --> 0x3e8 R13: 0x92a290 --> 0x3ef R14: 0x8f1090 --> 0x3e8 R15: 0x92a290 --> 0x3ef EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x5f91f7 <win_init+23>: mov rax,QWORD PTR [rsi+0x8] 0x5f91fb <win_init+27>: lea rcx,[rax+0x1ea8] 0x5f9202 <win_init+34>: mov QWORD PTR [rdi+0x20],rcx => 0x5f9206 <win_init+38>: add DWORD PTR [rax+0x78],0x1 0x5f920a <win_init+42>: movups xmm0,XMMWORD PTR [rsi+0x38] 0x5f920e <win_init+46>: movups XMMWORD PTR [rdi+0x38],xmm0 0x5f9212 <win_init+50>: mov DWORD PTR [rdi+0x26c],0x0 0x5f921c <win_init+60>: mov eax,DWORD PTR [rsi+0x48] [------------------------------------stack-------------------------------------] 0000| 0x7fffffffadf0 --> 0x91d680 --> 0x0 0008| 0x7fffffffadf8 --> 0x0 0016| 0x7fffffffae00 --> 0x21 ('!') 0024| 0x7fffffffae08 --> 0x2 0032| 0x7fffffffae10 --> 0x0 0040| 0x7fffffffae18 --> 0x5f7d40 (<win_split_ins+1664>: mov r8,QWORD PTR [rsp+0x8]) 0048| 0x7fffffffae20 --> 0x8f1090 --> 0x3e8 0056| 0x7fffffffae28 --> 0x1c 
[------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV win_init (newp=newp@entry=0x92a290, oldp=0x8f1090, flags=flags@entry=0x21) at window.c:1355 1355 oldp->w_buffer->b_nwindows++; gdb-peda$ bt #0 win_init (newp=newp@entry=0x92a290, oldp=0x8f1090, flags=flags@entry=0x21) at window.c:1355 #1 0x00000000005f7d40 in win_split_ins (size=0x0, size@entry=0x8f61a0, flags=flags@entry=0x0, new_wp=new_wp@entry=0x0, dir=dir@entry=0x0) at window.c:1096 #2 0x00000000005f5f60 in win_split (size=<optimized out>, size@entry=0x0, flags=<optimized out>, flags@entry=0x21) at window.c:817 #3 0x000000000040640f in do_arg_all (count=<optimized out>, forceit=0x1, keep_tabs=<optimized out>) at arglist.c:1089 #4 ex_all (eap=<optimized out>) at arglist.c:1154 #5 0x000000000046897a in do_one_cmd (cmdlinep=0x7fffffffaf88, flags=0x7, cstack=0x7fffffffb168, fgetline=0x566f30 <getsourceline>, cookie=0x7fffffffb900) at ex_docmd.c:2588 #6 do_cmdline (cmdline=<optimized out>, cmdline@entry=0x904e50 "s9d{mct", fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffffb900, flags=flags@entry=0x7) at ex_docmd.c:1003 #7 0x0000000000566d15 in do_source (fname=<optimized out>, fname@entry=0x8f8ef3 "/mnt/disk/out/vim/vim-fuzzer-out/hAmWF0/crashes/id:000051,sig:11,src:059805+047186,op:splice,rep:2", check_other=<optimized out>, check_other@entry=0x0, is_vimrc=is_vimrc@entry=0x0, ret_sid=<optimized out>, ret_sid@entry=0x0) at scriptfile.c:1401 #8 0x0000000000566489 in cmd_source (fname=0x8f8ef3 "/mnt/disk/out/vim/vim-fuzzer-out/hAmWF0/crashes/id:000051,sig:11,src:059805+047186,op:splice,rep:2", eap=<optimized out>) at scriptfile.c:971 #9 0x000000000046897a in do_one_cmd (cmdlinep=0x7fffffffb9f8, flags=0xb, cstack=0x7fffffffbbd8, fgetline=0x0, cookie=0x0) at ex_docmd.c:2588 #10 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, fgetline@entry=0x0, cookie=<optimized out>, cookie@entry=0x0, 
flags=flags@entry=0xb) at ex_docmd.c:1003 #11 0x00000000004692de in do_cmdline_cmd (cmd=0x92a290 "\357\003") at ex_docmd.c:592 #12 0x000000000062860d in exe_commands (parmp=<optimized out>) at main.c:3056 #13 vim_main2 () at main.c:760 #14 0x0000000000627772 in main (argc=<optimized out>, argc@entry=0xb, argv=<optimized out>, argv@entry=0x7fffffffe518) at main.c:412 #15 0x00007ffff72f7840 in __libc_start_main (main=0x625f40 <main>, argc=0xb, argv=0x7fffffffe518, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe508) at ../csu/libc-start.c:291 #16 0x0000000000404269 in _start () ``` The faulting instruction at win_init+38 (`add DWORD PTR [rax+0x78],0x1`) executes with RAX = 0x0, which indicates a NULL-pointer dereference of oldp->w_buffer at window.c:1355 (`oldp->w_buffer->b_nwindows++`), reached from do_arg_all via win_split. Environment: - version: commit e2edc2ed4a9a229870b1e1811b0ecf045b84e429 - OS: Ubuntu 16.04 Additional context Build command: ```shell #!/bin/bash -eux export CC="clang-11" export CXX="clang-11++" cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make ``` Credit: 1vanChen of NSFOCUS Security Team
Hi, thank you for reporting the issue! I'll pass the issue to the security team and report it upstream.
Created attachment 1750774 [details] reduced PoC file. A simplified sample is provided.
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1919212#c4.
FEDORA-2021-164265f25a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a
FEDORA-2021-01b3981cc5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5
FEDORA-2021-01b3981cc5 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-01b3981cc5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-164265f25a has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-164265f25a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-164265f25a has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2021-5be90ab004 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004
FEDORA-2021-fb090f432a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a
FEDORA-2021-fb090f432a has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fb090f432a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-5be90ab004` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2021-fb090f432a has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.