XXD Large Column Parameter Memory Corruption #17937
Description
Steps to reproduce
XXD Large Column Parameter Memory Corruption Vulnerability
Vulnerability Summary
During fuzzing of the xxd (hex dump) utility, a critical memory corruption vulnerability was discovered in the column parameter processing logic. The vulnerability occurs when xxd processes malformed large column specifications (such as "abc"), leading to segmentation faults due to improper memory management in the memmove operation. This vulnerability can cause program crashes and potential memory corruption.
Technical Details
- Vulnerability Type: Segmentation Fault / Memory Corruption
- Affected Function: `__memmove_avx_unaligned_erms`
- Source File: `memmove-vec-unaligned-erms.S`
- Line Number: 317
- Signal: SIGSEGV (11)
Vulnerability Mechanism and Root Cause
This memory corruption vulnerability occurs in xxd's command-line parameter parsing and processing logic. The root cause lies in inadequate validation of the column specification parameter (-c), particularly when handling large or malformed column values.
The vulnerability is triggered when:
- xxd processes the `-c abc` parameter along with complex parameter combinations
- The program attempts to parse "abc" as a numeric column width
- Due to improper validation, the parsing logic calculates incorrect memory buffer sizes
- A subsequent `memmove` operation attempts to copy data with invalid parameters
- This results in an out-of-bounds memory access at `__memmove_avx_unaligned_erms+317`
The memory corruption occurs when xxd tries to format output based on the invalid column specification, leading to unsafe memory operations that access uninitialized or freed memory regions.
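The mechanism described above comes down to a count taken from the command line ("abc" for `-c`, `-2147483649` for `-l`) that is accepted without being checked for digits or range and then used to size buffers. The following is an added example, written for this note and not taken from xxd's source, of the strict option parsing a maintainer would want for any column or length count: it rejects non-numeric input, trailing junk, overflow and out-of-range values instead of silently treating them as 0 or a wrapped integer. The names `parse_count`, `check_count`, `parse_cols` and the `MAX_COLS` bound are assumptions made for the illustration.

```c
/* Added example: strict parsing of a numeric command-line count such as a
 * "-c columns" or "-l length" option. Illustrative hardening code, not xxd's
 * own implementation; parse_count/check_count/parse_cols/MAX_COLS are
 * assumed names and values. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound on columns the output line buffer can hold. */
#define MAX_COLS 256

/* Why a value was rejected (or PARSE_OK). */
enum parse_result {
    PARSE_OK = 0,
    PARSE_NOT_NUMERIC, /* no digits at all, e.g. "" or "abc" */
    PARSE_TRAILING,    /* digits followed by junk, e.g. "16x" */
    PARSE_RANGE        /* overflowed long, or outside [lo, hi] */
};

/* Parse `text` as an integer in [lo, hi]. On success store it in *out and
 * return PARSE_OK; otherwise return the reason and leave *out untouched.
 * The naive pattern  cols = (int)strtol(text, NULL, 0);  yields 0 for "abc"
 * and truncates or wraps large values; every one of those cases is rejected
 * here before the value can reach a buffer-size computation. */
enum parse_result parse_count(const char *text, long lo, long hi, long *out)
{
    char *end = NULL;
    long value;

    if (text == NULL || *text == '\0')
        return PARSE_NOT_NUMERIC;

    errno = 0;
    value = strtol(text, &end, 0);   /* base 0: accepts 16, 0x10, 020 */

    if (end == text)                 /* no conversion performed ("abc") */
        return PARSE_NOT_NUMERIC;
    if (*end != '\0')                /* junk after the number ("16x") */
        return PARSE_TRAILING;
    if (errno == ERANGE)             /* did not fit in a long */
        return PARSE_RANGE;
    if (value < lo || value > hi)    /* e.g. -2147483649, 0, or 1000000 */
        return PARSE_RANGE;

    *out = value;
    return PARSE_OK;
}

/* Classify `text` without keeping the value; handy for tests and messages. */
enum parse_result check_count(const char *text, long lo, long hi)
{
    long unused = 0;
    return parse_count(text, lo, hi, &unused);
}

/* Column count for a "-c" style option: 1..MAX_COLS, or -1 if rejected. */
int parse_cols(const char *text)
{
    long v = 0;
    if (parse_count(text, 1, MAX_COLS, &v) != PARSE_OK)
        return -1;
    return (int)v;
}

/* Stand-alone demo over the kinds of values seen in the report. */
int main(void)
{
    const char *samples[] = { "16", "0x10", "abc", "16x", "0", "257",
                              "-2147483649", "99999999999999999999" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("-c %-22s -> %d\n", samples[i], parse_cols(samples[i]));
    /* A length option would use a non-negative range instead, e.g. [0, LONG_MAX]. */
    printf("-l -2147483649 accepted? %s\n",
           check_count("-2147483649", 0, LONG_MAX) == PARSE_OK ? "yes" : "no");
    return 0;
}
```

The same `parse_count` serves both `-c` and `-l` by changing the bounds; only the bound changes, so the rejection logic is written once and cannot drift between options.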
Proof of Concept
The vulnerability can be triggered by executing xxd with malformed large column parameters and specific additional flags that cause memory corruption during output formatting.
POC Download: POC_xxd_memmove_large_cols_segfault
Reproduction Steps
- Compile xxd with debugging symbols enabled
- Execute:
./xxd -a -e -c abc -g 256 -l x -l -2147483649 -o 1 -o data.bin POC_xxd_memmove_large_cols_segfault
Credit
- Xudong Cao (UCAS)
- Meng Xu (UW)
Expected behaviour
Segmentation Fault / Memory Corruption
Version of Vim
vim-9.1.0000 and related xxd versions (latest master branch)
Environment
- Compile xxd with debugging symbols enabled
- clang && asan
Logs and stack traces
## GDB Debug Output
=== PROGRAM_EXECUTION_START ===
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317
=== PROGRAM_EXECUTION_END ===
=== PRIMARY_CRASH_DETECTION ===
Program status from 'info program':
Using the running image of child Thread 0x7ffff7d81780 (LWP 840523).
Program stopped at 0x7ffff7f247cd.
It stopped with signal SIGSEGV, Segmentation fault.
=== SIGNAL_CRASH_DETECTED ===
Program terminated by signal - this is a genuine crash
=== FRAME_ANALYSIS ===
Valid frame found - program stopped at signal
=== BACKTRACE_ANALYSIS ===
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317
#1 0x0000555555561a1d in ?? ()
#2 0x000055555555fdb2 in ?? ()
#3 0x00007ffff7dadd90 in __libc_start_call_main (main=main@entry=0x55555555d0b0, argc=argc@entry=16, argv=argv@entry=0x7fffffffe3a8) at ../sysdeps/nptl/libc_start_call_main.h:58
#4 0x00007ffff7dade40 in __libc_start_main_impl (main=0x55555555d0b0, argc=16, argv=0x7fffffffe3a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe398) at ../csu/libc-start.c:392
#5 0x00005555555593b5 in ?? ()
=== RECURSION_ANALYSIS ===
Extracted 5 function names from stack trace
=== FINAL_STATUS_DETERMINATION ===
CONCLUSION: Program crashed due to signal
This is a genuine crash requiring investigation
317 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.