Submission #753167: aardappel lobster 2f45fe8 Return of Stack Variable Address (Information)

Title: aardappel lobster 2f45fe8 Return of Stack Variable Address
Description:

### Description

Dear developers,

We discovered a stack-use-after-return bug in the WaveFunctionCollapse template function within src/lobster/wfc.h:52:17. Vendor confirmed and fixed this vulnerability in commit [c2047a3](https://github.com/aardappel/lobster/commit/c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd).

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Vulnerability Type: stack-use-after-return (READ of size 4)
- Location: src/lobster/wfc.h:52:17
- Context: The program attempts to read a stack address (0x7f2804a857c0) that belongs to a function frame that has already returned. This is confirmed by the ASAN shadow bytes f5 (Stack after return).

### Reproduce

1. Build lobster with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0204/blob/main/lob1/repro.lobster):

```
./bin/lobster repro.lobster
```

<details>
<summary>ASAN report</summary>

```
==6565==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f2804a857c0 at pc 0x558134840051 bp 0x7ffde9fbb7f0 sp 0x7ffde9fbb7e8
READ of size 4 at 0x7f2804a857c0 thread T0
    #0 0x558134840050 in bool WaveFunctionCollapse<Xoshiro256SS>(geom::vec<int, 2> const&, char const**, geom::vec<int, 2> const&, char**, RandomNumberGenerator<Xoshiro256SS>&, int&) /src/lobster/dev/src/lobster/wfc.h:52:17
    #1 0x558134839c3c in lobster::AddBuiltins(lobster::NativeRegistry&)::$_149::operator()(lobster::Value*&, lobster::VM&) const /src/lobster/dev/src/builtins.cpp:1369:19
    #2 0x558134839c3c in lobster::AddBuiltins(lobster::NativeRegistry&)::$_149::__invoke(lobster::Value*&, lobster::VM&) /src/lobster/dev/src/builtins.cpp:1350:5
    #3 0x558134d67692 in lobster::U_BCALLRETV(lobster::VM&, lobster::Value*, int, int) /src/lobster/dev/src/lobster/vmops.h:275:5
    #4 0x558134d67692 in CVM_BCALLRETV /src/lobster/dev/src/vm.cpp:1007:1
    #5 0x527000004b36 (<unknown module>)

Address 0x7f2804a857c0 is located in stack of thread T0 at offset 1984 in frame
    #0 0x55813507cd5f in add_init_array_defines /src/lobster/dev/external/libtcc/tccelf.c:1519

  This frame has 1 object(s):
    [32, 1056) 'buf' (line 1522) <== Memory access at offset 1984 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /src/lobster/dev/src/lobster/wfc.h:52:17 in bool WaveFunctionCollapse<Xoshiro256SS>(geom::vec<int, 2> const&, char const**, geom::vec<int, 2> const&, char**, RandomNumberGenerator<Xoshiro256SS>&, int&)
Shadow bytes around the buggy address:
  0x7f2804a85500: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f2804a85580: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f2804a85600: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f2804a85680: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f2804a85700: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x7f2804a85780: f5 f5 f5 f5 f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5
  0x7f2804a85800: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f2804a85880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f2804a85900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f2804a85980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f2804a85a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6565==ABORTING
```
</details>
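The report above carries everything a triager needs to classify the finding (error kind, access width, faulting frame, the returned frame whose stack the address belonged to, and the shadow byte that confirms the lifetime violation), but it is easy to misread the two `#0` frames as one stack. The following parser, an added example that is not code from the lobster project or from the submitter, pulls those fields into a structure and renders a one-line triage summary. It assumes the default llvm-symbolizer frame layout (`#N 0x... in FUNC FILE:LINE[:COL]`) and uses a shortened copy of the report above, with line breaks restored and the shadow dump cut to three rows, as its constructed sample input.

```python
# ASan report triage parser (added example; assumes llvm-symbolizer's default frame layout).
import re
from dataclasses import dataclass, field
from typing import Optional

# Subset of the shadow-byte legend that ASan prints at the end of every report.
SHADOW_LEGEND = {"00": "Addressable", "f1": "Stack left redzone", "f5": "Stack after return",
                 "f8": "Stack use after scope", "fa": "Heap left redzone", "fd": "Freed heap region"}
LIFETIME_KINDS = {"stack-use-after-return", "stack-use-after-scope", "heap-use-after-free"}

_ERR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+)\b")
_FRAME_RE = re.compile(r"#(\d+) (0x[0-9a-f]+) in (.+) (/\S+)$")  # symbolized frames only
_LOCATED_RE = re.compile(r"is located in stack of thread T\d+ at offset (\d+) in frame")
_OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' \(line \d+\)")
_SHADOW_RE = re.compile(r"^=>.*\[([0-9a-f]{2})\]")  # the row marked with => holds the faulting byte

@dataclass
class AsanFrame:
    index: int
    pc: str
    function: str
    location: str  # FILE:LINE[:COL] as printed by the symbolizer

@dataclass
class AsanReport:
    error_kind: str
    address: str
    access: Optional[tuple] = None              # ("READ", 4)
    frames: list = field(default_factory=list)  # access stack, top frame first
    origin_function: Optional[str] = None       # returned frame whose stack held the address
    origin_offset: Optional[int] = None
    origin_variable: Optional[str] = None
    origin_variable_range: Optional[tuple] = None
    shadow_byte: Optional[str] = None
    summary: Optional[str] = None

def parse_asan_report(text: str) -> AsanReport:
    report = None
    expect_origin_frame = False
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            if m := _ERR_RE.search(line):
                report = AsanReport(error_kind=m.group(1), address=m.group(2))
            continue
        if report.access is None and (m := _ACCESS_RE.search(line)):
            report.access = (m.group(1), int(m.group(2)))
        elif m := _LOCATED_RE.search(line):
            report.origin_offset = int(m.group(1))
            expect_origin_frame = True  # the next frame line names the dead frame, not the access stack
        elif m := _FRAME_RE.search(line):
            frame = AsanFrame(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            if expect_origin_frame:
                report.origin_function, expect_origin_frame = frame.function, False
            else:
                report.frames.append(frame)
        elif (m := _OBJECT_RE.search(line)) and "<==" in line:
            report.origin_variable = m.group(3)
            report.origin_variable_range = (int(m.group(1)), int(m.group(2)))
        elif m := _SHADOW_RE.match(line):
            report.shadow_byte = m.group(1)
        elif line.startswith("SUMMARY:"):
            report.summary = line
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report

def is_lifetime_bug(report: AsanReport) -> bool:
    """True for the dangling-pointer family (stack or heap object no longer live)."""
    return report.error_kind in LIFETIME_KINDS

def offset_relative_to_variable(report: AsanReport) -> str:
    """Where the faulting offset falls relative to the frame object ASan singled out."""
    start, end = report.origin_variable_range
    if start <= report.origin_offset < end:
        return "inside"
    return "before" if report.origin_offset < start else "past end"

def triage_summary(report: AsanReport) -> str:
    top = report.frames[0].location if report.frames else "unknown"
    kind, size = report.access or ("?", "?")
    legend = SHADOW_LEGEND.get(report.shadow_byte or "", "unknown")
    return (f"{report.error_kind}: {kind} of size {size} at {report.address} in {top}; "
            f"address lay in the dead frame of {report.origin_function} "
            f"('{report.origin_variable}', offset {report.origin_offset}, "
            f"{offset_relative_to_variable(report)}); shadow {report.shadow_byte} = {legend}")

# Constructed sample: the report above, shortened, with its original line breaks restored.
SAMPLE_REPORT = """\
==6565==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f2804a857c0 at pc 0x558134840051 bp 0x7ffde9fbb7f0 sp 0x7ffde9fbb7e8
READ of size 4 at 0x7f2804a857c0 thread T0
    #0 0x558134840050 in bool WaveFunctionCollapse<Xoshiro256SS>(geom::vec<int, 2> const&, char const**, geom::vec<int, 2> const&, char**, RandomNumberGenerator<Xoshiro256SS>&, int&) /src/lobster/dev/src/lobster/wfc.h:52:17
    #1 0x558134839c3c in lobster::AddBuiltins(lobster::NativeRegistry&)::$_149::operator()(lobster::Value*&, lobster::VM&) const /src/lobster/dev/src/builtins.cpp:1369:19
    #2 0x558134839c3c in lobster::AddBuiltins(lobster::NativeRegistry&)::$_149::__invoke(lobster::Value*&, lobster::VM&) /src/lobster/dev/src/builtins.cpp:1350:5
    #3 0x558134d67692 in lobster::U_BCALLRETV(lobster::VM&, lobster::Value*, int, int) /src/lobster/dev/src/lobster/vmops.h:275:5
    #4 0x558134d67692 in CVM_BCALLRETV /src/lobster/dev/src/vm.cpp:1007:1
    #5 0x527000004b36 (<unknown module>)

Address 0x7f2804a857c0 is located in stack of thread T0 at offset 1984 in frame
    #0 0x55813507cd5f in add_init_array_defines /src/lobster/dev/external/libtcc/tccelf.c:1519

  This frame has 1 object(s):
    [32, 1056) 'buf' (line 1522) <== Memory access at offset 1984 overflows this variable
SUMMARY: AddressSanitizer: stack-use-after-return /src/lobster/dev/src/lobster/wfc.h:52:17 in bool WaveFunctionCollapse<Xoshiro256SS>(geom::vec<int, 2> const&, char const**, geom::vec<int, 2> const&, char**, RandomNumberGenerator<Xoshiro256SS>&, int&)
Shadow bytes around the buggy address:
  0x7f2804a85700: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x7f2804a85780: f5 f5 f5 f5 f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5
  0x7f2804a85800: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
==6565==ABORTING
"""

if __name__ == "__main__":
    print(triage_summary(parse_asan_report(SAMPLE_REPORT)))
```

Running the file prints a single line naming the faulting read in wfc.h, the already-returned `add_init_array_defines` frame, and the `f5` shadow byte. Note that the offset 1984 falls past the end of the only object in that frame (`buf` spans [32, 1056)), so the finding is a dangling reference into a dead frame rather than an overrun of a live buffer. Detection of this class depends on ASan's fake-stack mode (`detect_stack_use_after_return`), which older toolchains leave off by default, so a build that reports nothing is not proof that the bug is absent.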
Source: https://github.com/aardappel/lobster/issues/395
User: Oneafter (UID 92781)
Submission: 2026-02-06 04:38 (4 months ago)
Moderation: 2026-02-09 17:54 (4 days later)
Status: Accepted
VulDB Entry: 345005 [aardappel lobster up to 2025.4 dev/src/lobster/wfc.h WaveFunctionCollapse buffer overflow]
Points: 20
