Submission #761327: FascinatedBox lily main-branch Heap-based Buffer Overflow

Title: FascinatedBox lily main-branch Heap-based Buffer Overflow
Description:

### Description

We discovered a Heap-buffer-overflow vulnerability in the Lily interpreter. The crash occurs in clear_storages when the emitter cleans up the scope upon leaving a lambda block (lily_emit_leave_lambda_block). The ASAN report indicates a READ violation of size 8, occurring exactly at the boundary (0 bytes after) of a 128-byte allocated region. This strongly suggests an off-by-one error during the storage cleanup iteration.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Target: Lily (jcowgar/lily)
- Vulnerability Type: CWE-125: Out-of-bounds Read
- Function: clear_storages
- Location: src/lily_emitter.c:476 (called via lily_emit_leave_scope_block at line 917)
- Root Cause Analysis: The function clear_storages iterates over a set of storage slots to release them. The allocation stack shows grow_storages -> get_storage -> make_empty_list_or_hash. This suggests the buffer holds temporary storages for complex types. The crash happens at the exact end of the buffer:

```
0x50c0000003c0 is located 0 bytes after 128-byte region
```

This implies that the loop in clear_storages is iterating one step too far, accessing index size instead of stopping at size - 1, or the counter tracking the number of active storages within the lambda scope is desynchronized from the actual allocated capacity.

### Reproduce

1. Build lily with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0122/blob/main/i383/repro.lily):

```
./build/lily repro.lily
```

<details>
<summary>ASAN report</summary>

```
==54413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50c0000003c0 at pc 0x557a73305f1a bp 0x7ffcdae6d4a0 sp 0x7ffcdae6d498
READ of size 8 at 0x50c0000003c0 thread T0
    #0 0x557a73305f19 in clear_storages /src/lily/src/lily_emitter.c:476:9
    #1 0x557a73305f19 in lily_emit_leave_scope_block /src/lily/src/lily_emitter.c:917:5
    #2 0x557a73305f19 in lily_emit_leave_lambda_block /src/lily/src/lily_emitter.c:909:5
    #3 0x557a73363388 in lily_parser_lambda_eval /src/lily/src/lily_parser.c:3450:5
    #4 0x557a7330fcf7 in eval_lambda_to_parse /src/lily/src/lily_emitter.c:3002:31
    #5 0x557a7330fcf7 in eval_tree /src/lily/src/lily_emitter.c:4878:9
    #6 0x557a7332549d in eval_call_arg /src/lily/src/lily_emitter.c:4014:5
    #7 0x557a7331ee54 in run_call /src/lily/src/lily_emitter.c:4161:13
    #8 0x557a7331ee54 in eval_call /src/lily/src/lily_emitter.c:4377:5
    #9 0x557a7330ae46 in eval_tree /src/lily/src/lily_emitter.c
    #10 0x557a73309ce6 in lily_eval_expr /src/lily/src/lily_emitter.c:4906:5
    #11 0x557a7336d339 in parser_loop /src/lily/src/lily_parser.c:5950:17
    #12 0x557a7336bbe9 in lily_parse_content /src/lily/src/lily_parser.c:6562:9
    #13 0x557a732dc37e in main /src/lily/run/lily.c:103:18
    #14 0x7f987687b1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #15 0x7f987687b28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #16 0x557a731fa624 in _start (/src/lily/build_afl/lily+0x4f624) (BuildId: ec5f784cf13dad836217a07e33a2c98d8b7f8bb4)

0x50c0000003c0 is located 0 bytes after 128-byte region [0x50c000000340,0x50c0000003c0)
allocated by thread T0 here:
    #0 0x557a7329a870 in realloc (/src/lily/build_afl/lily+0xef870) (BuildId: ec5f784cf13dad836217a07e33a2c98d8b7f8bb4)
    #1 0x557a732de5e5 in lily_realloc /src/lily/src/lily_alloc.c:14:20
    #2 0x557a732f7008 in grow_storages /src/lily/src/lily_emitter.c:455:31
    #3 0x557a732f7008 in get_storage /src/lily/src/lily_emitter.c:501:17
    #4 0x557a7332e200 in make_empty_list_or_hash /src/lily/src/lily_emitter.c:3684:23
    #5 0x557a7330be9c in eval_build_list /src/lily/src/lily_emitter.c:3770:9
    #6 0x557a7330be9c in eval_tree /src/lily/src/lily_emitter.c:4862:9
    #7 0x557a73326120 in eval_assign_global /src/lily/src/lily_emitter.c:2753:5
    #8 0x557a73326120 in eval_assign /src/lily/src/lily_emitter.c:2934:9
    #9 0x557a73309eb3 in eval_binary_op /src/lily/src/lily_emitter.c:2635:13
    #10 0x557a73309eb3 in eval_tree /src/lily/src/lily_emitter.c:4852:9
    #11 0x557a73309ce6 in lily_eval_expr /src/lily/src/lily_emitter.c:4906:5
    #12 0x557a7338d2bd in keyword_var /src/lily/src/lily_parser.c:3644:9
    #13 0x557a7336defb in parser_loop /src/lily/src/lily_parser.c:5946:17
    #14 0x557a7336bbe9 in lily_parse_content /src/lily/src/lily_parser.c:6562:9
    #15 0x557a732dc37e in main /src/lily/run/lily.c:103:18
    #16 0x7f987687b1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #17 0x7f987687b28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #18 0x557a731fa624 in _start (/src/lily/build_afl/lily+0x4f624) (BuildId: ec5f784cf13dad836217a07e33a2c98d8b7f8bb4)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/lily/src/lily_emitter.c:476:9 in clear_storages
Shadow bytes around the buggy address:
  0x50c000000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x50c000000180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x50c000000200: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x50c000000280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x50c000000300: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x50c000000380: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x50c000000400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x50c000000480: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x50c000000500: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x50c000000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50c000000600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==54413==ABORTING
```

</details>
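The report's two root-cause hypotheses (an inclusive loop bound, or a scope counter out of step with the buffer's capacity) are both caught by bounding the cleanup loop against what the pool actually holds. The model below is an added example, not Lily's code: it mirrors the grow_storages -> get_storage -> clear_storages shape from the allocation trace with a hypothetical storage_pool whose 16 pointer slots on a 64-bit target give the 128-byte region the ASan output quotes, and it makes clear_storages refuse a scope whose count reaches past the live entries instead of reading slots[capacity].

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical scoped storage pool (assumed model, not Lily's). Slots are
 * handed out in scope order, so leaving a scope releases a trailing range. */
typedef struct {
    void **slots;     /* realloc'd heap array of storage pointers, 8 bytes each */
    size_t capacity;  /* entries the buffer can hold */
    size_t live;      /* entries currently handed out */
} storage_pool;

void pool_init(storage_pool *p) { memset(p, 0, sizeof *p); }

/* Doubles the buffer; 16 pointers is the 128-byte region in the report. */
static int grow_storages(storage_pool *p) {
    size_t cap = p->capacity ? p->capacity * 2 : 16;
    void **n = realloc(p->slots, cap * sizeof *n);
    if (!n) return -1;
    p->slots = n;
    p->capacity = cap;
    return 0;
}

void *get_storage(storage_pool *p) {
    if (p->live == p->capacity && grow_storages(p) != 0) return NULL;
    void *s = calloc(1, 32);  /* stand-in for a storage record */
    if (!s) return NULL;
    p->slots[p->live++] = s;
    return s;
}

/* Releases the `count` slots a scope claimed starting at `first`. The range is
 * checked against the live count (itself bounded by capacity), so a scope that
 * over-counts by one fails with -1 instead of reading one slot past the buffer.
 * Returns the number of slots freed. */
long clear_storages(storage_pool *p, size_t first, size_t count) {
    if (p->live > p->capacity) return -1;                      /* pool invariant broken */
    if (first > p->live || count > p->live - first) return -1; /* scope counter desynced */
    for (size_t i = first; i < first + count; i++) {           /* exclusive upper bound */
        free(p->slots[i]);
        p->slots[i] = NULL;
    }
    p->live = first;
    return (long)count;
}

void pool_free(storage_pool *p) {
    clear_storages(p, 0, p->live);
    free(p->slots);
    pool_init(p);
}
```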
Source: https://github.com/FascinatedBox/lily/issues/383
User: Oneafter (UID 92781)
Submission: 18/02/2026 14h57 (2 months ago)
Moderation: 28/02/2026 18h03 (10 days later)
Status: Accepted
VulDB Entry: 348277 [FascinatedBox lily up to 2.3 src/lily_emitter.c clear_storages Information Disclosure]
Points: 20
