Submission #753168: aardappel lobster 8ba49f9 Memory Corruption

Title: aardappel lobster 8ba49f9 Memory Corruption
Description:

### Description

Dear developers,

We discovered a Segmentation Fault (SEGV) in the Lobster compiler during the parsing phase. The crash occurs in lobster::Parser::ParseStatements within src/lobster/parser.h:118:34.

Vendor confirmed and fixed this vulnerability in commit [2f45fe8](https://github.com/aardappel/lobster/commit/2f45fe860d00990e79e13250251c1dde633f1f89).

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Vulnerability Type: SEGV (Segmentation Fault)
- Location: src/lobster/parser.h:118:34
- Function: lobster::Parser::ParseStatements

### Reproduce

1. Build lobster with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0204/blob/main/lob2/repro.lobster):

```
./bin/lobster repro.lobster
```

<details>
<summary>ASAN report</summary>

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==79131==ERROR: AddressSanitizer: SEGV on unknown address 0x7f57a5b5ba98 (pc 0x55c04128bc34 bp 0x000000000001 sp 0x7ffea2aefcf0 T0)
==79131==The signal is caused by a READ memory access.
    #0 0x55c04128bc34 in lobster::Parser::ParseStatements(lobster::Block*, lobster::TType) /src/lobster/dev/src/lobster/parser.h:118:34
    #1 0x55c0412e58b1 in lobster::Parser::ParseBody(lobster::Block*, int) /src/lobster/dev/src/lobster/parser.h:769:20
    #2 0x55c0412e58b1 in lobster::Parser::ParseFunction(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool, bool, bool, bool, lobster::GUDT*, unsigned long) /src/lobster/dev/src/lobster/parser.h:951:13
    #3 0x55c0412aee15 in lobster::Parser::ParseNamedFunctionDefinition(bool, bool, lobster::GUDT*) /src/lobster/dev/src/lobster/parser.h:734:20
    #4 0x55c041297714 in lobster::Parser::ParseTopExp(lobster::Block*, bool) /src/lobster/dev/src/lobster/parser.h:236:27
    #5 0x55c04128b2db in lobster::Parser::ParseStatements(lobster::Block*, lobster::TType) /src/lobster/dev/src/lobster/parser.h:104:21
    #6 0x55c0412e58b1 in lobster::Parser::ParseBody(lobster::Block*, int) /src/lobster/dev/src/lobster/parser.h:769:20
    #7 0x55c0412e58b1 in lobster::Parser::ParseFunction(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool, bool, bool, bool, lobster::GUDT*, unsigned long) /src/lobster/dev/src/lobster/parser.h:951:13
    #8 0x55c041323753 in lobster::Parser::ParseFunctionCall(lobster::Line, lobster::Function*, lobster::NativeFun*, std::basic_string_view<char, std::char_traits<char>>, lobster::Node*, bool, std::vector<lobster::UnTypeRef, std::allocator<lobster::UnTypeRef>>*)::'lambda'()::operator()() const /src/lobster/dev/src/lobster/parser.h
    #9 0x55c04130fd87 in lobster::Parser::ParseFunctionCall(lobster::Line, lobster::Function*, lobster::NativeFun*, std::basic_string_view<char, std::char_traits<char>>, lobster::Node*, bool, std::vector<lobster::UnTypeRef, std::allocator<lobster::UnTypeRef>>*) /src/lobster/dev/src/lobster/parser.h:1312:9
    #10 0x55c0413152ef in lobster::Parser::IdentFactor(std::basic_string_view<char, std::char_traits<char>>) /src/lobster/dev/src/lobster/parser.h:1898:20
    #11 0x55c041309133 in lobster::Parser::ParseFactor() /src/lobster/dev/src/lobster/parser.h
    #12 0x55c0412c4a02 in lobster::Parser::ParseDeref() /src/lobster/dev/src/lobster/parser.h:1413:18
    #13 0x55c0412c76f8 in lobster::Parser::ParseOpExp(int) /src/lobster/dev/src/lobster/parser.h:1256:53
    #14 0x55c0412c76cc in lobster::Parser::ParseOpExp(int) /src/lobster/dev/src/lobster/parser.h:1256:29
    #15 0x55c0412c76cc in lobster::Parser::ParseOpExp(int) /src/lobster/dev/src/lobster/parser.h:1256:29
    #16 0x55c0412c76cc in lobster::Parser::ParseOpExp(int) /src/lobster/dev/src/lobster/parser.h:1256:29
    #17 0x55c0412c76cc in lobster::Parser::ParseOpExp(int) /src/lobster/dev/src/lobster/parser.h:1256:29
    #18 0x55c0412c76cc in lobster::Parser::ParseOpExp(int) /src/lobster/dev/src/lobster/parser.h:1256:29
    #19 0x55c0412c76cc in lobster::Parser::ParseOpExp(int) /src/lobster/dev/src/lobster/parser.h:1256:29
    #20 0x55c0412b10c7 in lobster::Parser::ParseExp(bool) /src/lobster/dev/src/lobster/parser.h:1229:18
    #21 0x55c0412c08a9 in lobster::Parser::ParseExpStat(lobster::Block*) /src/lobster/dev/src/lobster/parser.h:1183:27
    #22 0x55c041299628 in lobster::Parser::ParseTopExp(lobster::Block*, bool) /src/lobster/dev/src/lobster/parser.h:408:17
    #23 0x55c04128b2db in lobster::Parser::ParseStatements(lobster::Block*, lobster::TType) /src/lobster/dev/src/lobster/parser.h:104:21
    #24 0x55c0410c615f in lobster::Parser::Parse() /src/lobster/dev/src/lobster/parser.h:76:9
    #25 0x55c0410bff45 in lobster::Compile(lobster::NativeRegistry&, std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool, int, lobster::Query*, int, bool, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, bool, std::basic_string_view<char, std::char_traits<char>>) /src/lobster/dev/src/compiler.cpp:565:12
    #26 0x55c041478b0d in main /src/lobster/dev/src/main.cpp:241:17
    #27 0x7f4fa5fac1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #28 0x7f4fa5fac28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #29 0x55c040e81e44 in _start (/src/lobster/bin/lobster+0xa0e44) (BuildId: da4cf67d8898c669d2b638ef6ec3fbd965562c8f)

==79131==Register values:
rax = 0x00000feaf4b6b753  rbx = 0x00007f4fa4802ad8  rcx = 0x00000000ffffffff  rdx = 0x00000000000000b0
rdi = 0x00007f57a5b5ba98  rsi = 0x00007f4fa5b5ba98  rbp = 0x0000000000000001  rsp = 0x00007ffea2aefcf0
 r8 = 0x0000000000007412   r9 = 0x00000000000000fe  r10 = 0x00007f4fa4802390  r11 = 0x000055c041af2320
r12 = 0x00007f4fa5b5ba78  r13 = 0x000055c041af2320  r14 = 0x00000ab80835e464  r15 = 0x00000fe9f490055b
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/lobster/dev/src/lobster/parser.h:118:34 in lobster::Parser::ParseStatements(lobster::Block*, lobster::TType)
==79131==ABORTING
```

</details>

Source: ⚠️ https://github.com/aardappel/lobster/issues/396

User: Oneafter (UID 92781)

Submission: 06/02/2026 04:41 AM (4 months ago)

Moderation: 09/02/2026 05:56 PM (4 days later)

Status: Accepted

VulDB entry: 345006 [aardappel lobster up to 2025.4 Parsing dev/src/lobster/parser.h ParseStatements memory corruption]

Points: 20