Created attachment 1749747 [details]
poc

To Reproduce

```shell
vim -u NONE -X -Z -e -s -S poc -c :qa!
```

Debug Info

```shell
/src/vim# gdb --args src/vim -u NONE -X -Z -e -s -S /mnt/disk/out/vim/vim-fuzzer-out/QGDTRY/crashes/id:000075,sig:11,src:053762+053495,op:splice,rep:4 -c :qa!

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x0
RDI: 0x47 ('G')
RBP: 0x0
RSP: 0x7fffffff9fe0 --> 0x0
RIP: 0x408650 (<apply_autocmds_group+656>: mov r14d,DWORD PTR [rbx+0xc8])
R8 : 0xfffffffd
R9 : 0x0
R10: 0x0
R11: 0x0
R12: 0x47 ('G')
R13: 0x0
R14: 0x91c9c0 --> 0x7ffff769bb00 --> 0x7ffff735cea0 (<memalign_hook_ini>: push r12)
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x40863f <apply_autocmds_group+639>: mov eax,DWORD PTR [rip+0x4d699b] # 0x8defe0 <autocmd_nested>
   0x408645 <apply_autocmds_group+645>: mov DWORD PTR [rsp+0x38],eax
   0x408649 <apply_autocmds_group+649>: mov rbx,QWORD PTR [rip+0x4dfe48] # 0x8e8498 <curbuf>
=> 0x408650 <apply_autocmds_group+656>: mov r14d,DWORD PTR [rbx+0xc8]
   0x408657 <apply_autocmds_group+663>: mov rdi,QWORD PTR [rsp+0x20]
   0x40865c <apply_autocmds_group+668>: test rdi,rdi
   0x40865f <apply_autocmds_group+671>: je 0x40866f <apply_autocmds_group+687>
   0x408661 <apply_autocmds_group+673>: mov QWORD PTR [rip+0x4e0028],rdi # 0x8e8690 <autocmd_fname>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9fe0 --> 0x0
0008| 0x7fffffff9fe8 --> 0x0
0016| 0x7fffffff9ff0 --> 0x0
0024| 0x7fffffff9ff8 --> 0xfffffffd
0032| 0x7fffffffa000 --> 0x0
0040| 0x7fffffffa008 --> 0x47 ('G')
0048| 0x7fffffffa010 --> 0x0
0056| 0x7fffffffa018 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000408650 in apply_autocmds_group (event=<optimized out>, event@entry=EVENT_SAFESTATE, fname=fname@entry=0x0, fname_io=fname_io@entry=0x0, force=<optimized out>, force@entry=0x0, group=group@entry=0xfffffffd, buf=0x0, eap=0x0) at autocmd.c:1901
1901        save_changed = curbuf->b_changed;
gdb-peda$ bt
#0  0x0000000000408650 in apply_autocmds_group (event=<optimized out>, event@entry=EVENT_SAFESTATE, fname=fname@entry=0x0, fname_io=fname_io@entry=0x0, force=<optimized out>, force@entry=0x0, group=group@entry=0xfffffffd, buf=0x0, eap=0x0) at autocmd.c:1901
#1  0x0000000000409287 in apply_autocmds (event=event@entry=EVENT_SAFESTATE, fname=fname@entry=0x0, fname_io=fname_io@entry=0x0, force=force@entry=0x0, buf=0x0) at autocmd.c:1621
#2  0x000000000062933c in may_trigger_safestate (safe=<optimized out>) at main.c:1048
#3  0x000000000047515c in getcmdline_int (firstc=<optimized out>, count=<optimized out>, indent=<optimized out>, clear_ccline=<optimized out>) at ex_getln.c:1730
#4  0x00000000004666bb in do_cmdline (cmdline=<optimized out>, cmdline@entry=0x0, fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x0, flags=0x0) at ex_docmd.c:886
#5  0x00000000004e7741 in nv_colon (cap=0x7fffffffad50) at normal.c:3380
#6  0x00000000004e3571 in normal_cmd (oap=oap@entry=0x7fffffffade8, toplevel=toplevel@entry=0x1) at normal.c:1098
#7  0x000000000046eaed in exec_normal (was_typed=was_typed@entry=0x0, use_vpeekc=use_vpeekc@entry=0x0, may_use_terminal_loop=may_use_terminal_loop@entry=0x0) at ex_docmd.c:8281
#8  0x000000000046e9b2 in exec_normal_cmd (cmd=<optimized out>, remap=<optimized out>, silent=0x0) at ex_docmd.c:8265
#9  ex_normal (eap=0x7fffffffafb0) at ex_docmd.c:8183
#10 0x000000000046897a in do_one_cmd (cmdlinep=0x7fffffffaf88, flags=0x7, cstack=0x7fffffffb168, fgetline=0x566f30 <getsourceline>, cookie=0x7fffffffb900) at ex_docmd.c:2588
#11 do_cmdline (cmdline=<optimized out>, cmdline@entry=0x904e50 "", fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffffb900, flags=flags@entry=0x7) at ex_docmd.c:1003
#12 0x0000000000566d15 in do_source (fname=<optimized out>, fname@entry=0x8f8ef3 "/mnt/disk/out/vim/vim-fuzzer-out/QGDTRY/crashes/id:000075,sig:11,src:053762+053495,op:splice,rep:4", check_other=<optimized out>, check_other@entry=0x0, is_vimrc=is_vimrc@entry=0x0, ret_sid=<optimized out>, ret_sid@entry=0x0) at scriptfile.c:1401
#13 0x0000000000566489 in cmd_source (fname=0x8f8ef3 "/mnt/disk/out/vim/vim-fuzzer-out/QGDTRY/crashes/id:000075,sig:11,src:053762+053495,op:splice,rep:4", eap=<optimized out>) at scriptfile.c:971
#14 0x000000000046897a in do_one_cmd (cmdlinep=0x7fffffffb9f8, flags=0xb, cstack=0x7fffffffbbd8, fgetline=0x0, cookie=0x0) at ex_docmd.c:2588
#15 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, fgetline@entry=0x0, cookie=<optimized out>, cookie@entry=0x0, flags=flags@entry=0xb) at ex_docmd.c:1003
#16 0x00000000004692de in do_cmdline_cmd (cmd=0x47 <error: Cannot access memory at address 0x47>) at ex_docmd.c:592
#17 0x000000000062860d in exe_commands (parmp=<optimized out>) at main.c:3056
#18 vim_main2 () at main.c:760
#19 0x0000000000627772 in main (argc=<optimized out>, argc@entry=0xb, argv=<optimized out>, argv@entry=0x7fffffffe518) at main.c:412
#20 0x00007ffff72f7840 in __libc_start_main (main=0x625f40 <main>, argc=0xb, argv=0x7fffffffe518, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe508) at ../csu/libc-start.c:291
#21 0x0000000000404269 in _start ()
```

Environment:
- version : commit e2edc2ed4a9a229870b1e1811b0ecf045b84e429
- OS: Ubuntu 16.04

Additional context

compile argument:

```shell
#!/bin/bash -eux
export CC="clang-11"
export CXX="clang-11++"
cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make
```

Credit: 1vanChen of NSFOCUS Security Team
Hi, thank you for reporting the issue! I'll pass the issue to the security team and report it upstream.
Created attachment 1750775 [details]
reduced poc file

Simplified sample is provided.
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1919212#c4.
FEDORA-2021-164265f25a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a
FEDORA-2021-01b3981cc5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5
FEDORA-2021-01b3981cc5 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-01b3981cc5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-01b3981cc5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-164265f25a has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-164265f25a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-164265f25a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-164265f25a has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-5be90ab004 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004
FEDORA-2021-fb090f432a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a
FEDORA-2021-fb090f432a has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fb090f432a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fb090f432a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-5be90ab004` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5be90ab004 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-5be90ab004 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-fb090f432a has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.