
SEGV - READ memory access #5635

Closed
RootUp opened this issue Feb 13, 2020 · 2 comments


@RootUp RootUp commented Feb 13, 2020

VIM Version:

$ ./vim --version
VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Feb 13 2020 09:52:57)
Included patches: 1-251
Compiled by dhiraj@s157903
Huge version without GUI.  Features included (+) or not (-):
+acl               -farsi             -mouse_sysmouse    -tag_old_static
+arabic            +file_in_path      +mouse_urxvt       -tag_any_white
+autocmd           +find_in_path      +mouse_xterm       -tcl
+autochdir         +float             +multi_byte        +termguicolors
-autoservername    +folding           +multi_lang        +terminal
-balloon_eval      -footer            -mzscheme          +terminfo
+balloon_eval_term +fork()            +netbeans_intg     +termresponse
-browse            +gettext           +num64             +textobjects
++builtin_terms    -hangul_input      +packages          +textprop
+byte_offset       +iconv             +path_extra        +timers
+channel           +insert_expand     -perl              +title
+cindent           +job               +persistent_undo   -toolbar
+clientserver      +jumplist          +popupwin          +user_commands
+clipboard         +keymap            +postscript        +vartabs
+cmdline_compl     +lambda            +printer           +vertsplit
+cmdline_hist      +langmap           +profile           +virtualedit
+cmdline_info      +libcall           -python            +visual
+comments          +linebreak         -python3           +visualextra
+conceal           +lispindent        +quickfix          +viminfo
+cryptv            +listcmds          +reltime           +vreplace
+cscope            +localmap          +rightleft         +wildignore
+cursorbind        -lua               -ruby              +wildmenu
+cursorshape       +menu              +scrollbind        +windows
+dialog_con        +mksession         +signs             +writebackup
+diff              +modify_fname      +smartindent       +X11
+digraphs          +mouse             -sound             +xfontset
-dnd               -mouseshape        +spell             -xim
-ebcdic            +mouse_dec         +startuptime       -xpm
+emacs_tags        -mouse_gpm         +statusline        +xsmp_interact
+eval              -mouse_jsbterm     -sun_workshop      +xterm_clipboard
+ex_extra          +mouse_netterm     +syntax            -xterm_save
+extra_search      +mouse_sgr         +tag_binary        
   system vimrc file: "$VIM/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
  fall-back for $VIM: "/usr/local/share/vim"
Compilation: afl-clang-fast -c -I. -Iproto -DHAVE_CONFIG_H     -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1       
Linking: afl-clang-fast   -L/usr/local/lib -Wl,--as-needed -o vim    -lSM -lICE -lXpm -lXt -lX11 -lXdmcp -lSM -lICE  -lm -ltinfo -lelf -lnsl  -ldl

MData:

The application crashed on a simple NULL dereference of a data structure that has no immediate effect on control of the processor.

GDB BT:

$ gdb -q ./vim
Reading symbols from ./vim...done.
(gdb) r -u NONE -X -Z -e -s -S poc -c ':qa!'
Starting program: /home/dhiraj/vim/src/vim -u NONE -X -Z -e -s -S poc -c ':qa!'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
hash_find (ht=0xa46480 <func_hashtab>, key=0x0) at hashtab.c:120
120	    return hash_lookup(ht, key, hash_hash(key));
(gdb) bt
#0  hash_find (ht=0xa46480 <func_hashtab>, key=0x0) at hashtab.c:120
#1  0x0000000000713642 in find_func_even_dead (name=0x0, cctx=0x0) at userfunc.c:689
#2  0x00000000007134e3 in find_func (name=0xa46480 <func_hashtab> "\017", cctx=0x0) at userfunc.c:704
#3  0x000000000072fbad in ex_disassemble (eap=0x7fffffffb2b0) at vim9execute.c:1603
#4  0x00000000004bd760 in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
    cookie=<optimized out>) at ex_docmd.c:2491
#5  do_cmdline (cmdline=<optimized out>, fgetline=0x66d970 <getsourceline>, cookie=<optimized out>, flags=7) at ex_docmd.c:978
#6  0x000000000066d643 in do_source (fname=0xa6cde3 "poc", check_other=0, is_vimrc=0, ret_sid=0x0) at scriptfile.c:1362
#7  0x000000000066c922 in cmd_source (fname=0xa6cde3 "poc", eap=<optimized out>) at scriptfile.c:933
#8  0x000000000066c7fc in ex_source (eap=0xd8faaf7abc5a1400) at scriptfile.c:959
#9  0x00000000004bd760 in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
    cookie=<optimized out>) at ex_docmd.c:2491
#10 do_cmdline (cmdline=<optimized out>, fgetline=0x0, cookie=<optimized out>, flags=11) at ex_docmd.c:978
#11 0x00000000004be61c in do_cmdline_cmd (cmd=0xa46480 <func_hashtab> "\017") at ex_docmd.c:589
#12 0x000000000079739d in exe_commands (parmp=<optimized out>) at main.c:3139
#13 vim_main2 () at main.c:795
#14 0x0000000000795316 in main (argc=<optimized out>, argv=<optimized out>) at main.c:444
(gdb) i r
rax            0xd8faaf7abc5a1400	-2811742075658562560
rbx            0xfffffffffffffffc	-4
rcx            0xa49320	10785568
rdx            0xd8faaf7abc5a1400	-2811742075658562560
rsi            0x0	0
rdi            0xa46480	10773632
rbp            0x0	0x0
rsp            0x7fffffffafc0	0x7fffffffafc0
r8             0x7ee1c6	8315334
r9             0x72697571	1919513969
r10            0x7546203a39323145	8450477185247097157
r11            0x6e206e6f6974636e	7935463968216474478
r12            0x80104	524548
r13            0xfffffffffffffffc	-4
r14            0x0	0
r15            0x0	0
rip            0x517a0e	0x517a0e <hash_find+14>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) 

To Reproduce: vim -u NONE -X -Z -e -s -S poc -c ':qa!'

@dpelle dpelle commented Feb 13, 2020

I tried to reproduce with asan or valgrind, but I could not.
Not sure what I was missing.

@dpelle dpelle commented Feb 13, 2020

I can now reproduce the crash. This makes Vim-8.2.251 crash:

$ ./vim --clean -c disassemble
Vim: Caught deadly signal SEGV
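The backtrace in the report shows ex_disassemble() calling find_func() with name=0x0, which reaches hash_find() with a NULL key, and dpelle's one-liner confirms that the trigger is :disassemble given no argument. The C program below is an added illustration written for this page, not Vim's code and not the patch that fixed the issue: a toy string hash table whose lookup dereferences the key unconditionally (as hash_hash() does in the crashing frame), and a command handler that validates its argument before the lookup ever runs. All names in it (toy_hash, toy_find, cmd_disassemble, demo_table) are hypothetical.

```c
/* Added illustration, not Vim's code. Hypothetical names throughout. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 16

typedef struct entry {
    const char *name;          /* function name used as the hash key */
    struct entry *next;
} entry_t;

typedef struct {
    entry_t *buckets[NBUCKETS];
} hashtab_t;

/* djb2-style hash. Like the crashing frame in the report, it assumes
 * key != NULL: a NULL key is read at address 0 and faults (SEGV READ). */
static unsigned long toy_hash(const char *key)
{
    unsigned long h = 5381;
    while (*key)
        h = h * 33 + (unsigned char)*key++;
    return h;
}

static void toy_insert(hashtab_t *ht, entry_t *e)
{
    unsigned long b = toy_hash(e->name) % NBUCKETS;
    e->next = ht->buckets[b];
    ht->buckets[b] = e;
}

/* Unguarded lookup: the caller must guarantee key != NULL. This mirrors
 * the contract that ex_disassemble() violated by passing name=0x0. */
static entry_t *toy_find(hashtab_t *ht, const char *key)
{
    entry_t *e;
    for (e = ht->buckets[toy_hash(key) % NBUCKETS]; e != NULL; e = e->next)
        if (strcmp(e->name, key) == 0)
            return e;
    return NULL;
}

/* Result codes returned to the caller instead of crashing. */
enum { CMD_OK = 0, CMD_MISSING_ARG = 1, CMD_NOT_FOUND = 2 };

/* Hardened command handler. `arg` is the raw text after the command;
 * it may be NULL or empty when the user typed the bare command. The
 * argument is checked first, so the unguarded lookup never sees NULL. */
int cmd_disassemble(hashtab_t *ht, const char *arg)
{
    if (arg == NULL || *arg == '\0')
        return CMD_MISSING_ARG;        /* "argument required" path */
    return toy_find(ht, arg) != NULL ? CMD_OK : CMD_NOT_FOUND;
}

/* Constructed sample table with two function names (hypothetical data). */
hashtab_t *demo_table(void)
{
    static hashtab_t ht;
    static entry_t e1 = { "Foo", NULL };
    static entry_t e2 = { "Bar", NULL };
    static int built = 0;
    if (!built) {
        toy_insert(&ht, &e1);
        toy_insert(&ht, &e2);
        built = 1;
    }
    return &ht;
}

int main(void)
{
    hashtab_t *ht = demo_table();
    /* The NULL case is exactly the input that crashed Vim in the report;
     * here it is rejected before any pointer is dereferenced. */
    printf("NULL arg  -> %d\n", cmd_disassemble(ht, NULL));
    printf("empty arg -> %d\n", cmd_disassemble(ht, ""));
    printf("Foo       -> %d\n", cmd_disassemble(ht, "Foo"));
    printf("Nope      -> %d\n", cmd_disassemble(ht, "Nope"));
    return 0;
}
```

The point of the split is where the check lives: a lookup routine shared by many callers can reasonably require a non-NULL key, but every command entry point that parses user-supplied text then has to enforce that precondition itself, because an empty command line is the easiest input for a fuzzer (or a user) to produce.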