Improper Validation of Specified Quantity in Input in vim/vim

Vulnerability

The vulnerability resides in the display_dollar function in edit.c of Vim prior to version 9.0.0218. The function accepts a col parameter of type colnr_T and uses it directly to access the current line, without first checking whether the value is negative. This missing validation means that if a caller passes a negative column number, the function can read memory before the start of the line buffer. The issue was introduced through an incomplete refactor or coding error [1].

Exploitation

An attacker who can supply crafted input that triggers display_dollar with a negative column value can exploit this flaw. According to the reference, the test case Test_cmdwin_virtual_edit triggers the condition by setting 'virtualedit' to all and using a command-line window operation (normal q/s), which causes the negative column to be passed. No special privileges beyond normal Vim editing capabilities are required, but the attacker must be able to open a file and execute commands that lead to the vulnerable code path [1].

Impact

Successful exploitation results in an out-of-bounds read from memory preceding the start of the line buffer. This can lead to information disclosure (reading adjacent or unrelated memory) or a crash (denial of service). In some configurations, this may be leveraged for further exploitation, though the primary impact is a denial of service or leak of sensitive data [1].

Mitigation

A fix was introduced in Vim version 9.0.0218, released on 2022-08-17. The patch in commit e98c88c44c308edaea5994b8ad4363e65030968c adds a bounds check: col = col_arg < 0 ? 0 : col_arg; to ensure the column number is non-negative. Users should upgrade to Vim 9.0.0218 or later. For users of Gentoo Linux, the advisory GLSA 202305-16 (referenced in [4]) provides updates to versions 9.0.1157 for Vim, gVim, and vim-core. No workaround is available for unpatched versions [1][4].