提交 #755026: aardappel lobster c8a6042 Uncontrolled Recursion信息

标题	aardappel lobster c8a6042 Uncontrolled Recursion
描述	### Description Dear developers, We discovered a stack-overflow bug in the Lobster compiler. The crash is caused by infinite recursion between lobster::TypeName, lobster::FormatArg, and lobster::Signature within src/lobster/idents.h. Vendor confirmed and fixed this vulnerability in commit [8ba49f9](https://github.com/aardappel/lobster/commit/8ba49f98ccfc9734ef352146806433a41d9f9aa6). ### Environment - OS: Linux x86_64 - Complier: Clang - Build Configuration: Release mode with ASan enabled. ### Vulnerability Details - Vulnerability Type: stack-overflow (CWE-674: Uncontrolled Recursion) - Location: src/lobster/idents.h (around lines 1466, 1519, and 1570) ### Reproduce 1. Build lobster with Release optimization and ASAN enabled. 2. Run with the crashing [file](https://github.com/oneafter/0204/blob/main/lob3/repro.lobster): ``` ./bin/lobster repro.lobster ``` <details> <summary>ASAN report</summary> ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==11819==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd28ab5e28 (pc 0x55719039471a bp 0x7ffd28ab6670 sp 0x7ffd28ab5e30 T0) #0 0x55719039471a in __asan_memcpy (/src/lobster/bin/lobster+0x13e71a) (BuildId: da4cf67d8898c669d2b638ef6ec3fbd965562c8f) #1 0x5571905ceb75 in std::char_traits<char>::copy(char, char const, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/char_traits.h:435:33 #2 0x5571905ceb75 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::_S_copy(char, char const, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/basic_string.h:430:4 #3 0x5571905ceb75 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::_S_copy_chars(char, char, char) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/basic_string.h:478:9 #4 0x5571905ceb75 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::_M_construct<char>(char, char, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/basic_string.tcc:247:2 #5 0x5571905ceb75 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/basic_string.h:551:2 #6 0x5571905ceb75 in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1508:16 #7 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #8 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #9 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #10 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #11 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #12 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #13 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #14 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #15 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #16 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #17 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #18 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #19 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #20 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #21 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #22 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #23 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #24 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #25 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #26 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #27 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #28 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #29 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #30 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #31 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #32 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #33 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #34 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #35 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #36 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #37 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #38 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #39 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #40 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #41 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #42 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #43 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #44 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #45 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #46 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, bool) /src/lobster/dev/src/lobster/idents.h:1570:19 #47 0x5571905d4e0f in lobster::FormatArg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, std::basic_string_view<char, std::char_traits<char>>, unsigned long, lobster::UnTypeRef) /src/lobster/dev/src/lobster/idents.h:1466:14 #48 0x5571905cf02e in lobster::Signature[abi:cxx11](lobster::SubFunction const&) /src/lobster/dev/src/lobster/idents.h:1519:9 #49 0x55719043c6df in lobster::TypeName[abi:cxx11](lobster::UnTypeRef, boo
来源	⚠️ https://github.com/aardappel/lobster/issues/397
用户	Oneafter (UID 92781)
提交	2026-02-10 02時57分 (3 月前)
管理	2026-02-20 18時07分 (11 days later)
状态	已接受
VulDB条目	347181 [aardappel lobster 直到 2025.4 dev/src/lobster/idents.h lobster::TypeName 拒绝服务]
积分	20

◂ 上一步一览下一步 ▸

Want to know what is going to be exploited?

We predict KEV entries!