[Cbc-tickets] [COIN-OR Branch-and-Cut MIP Solver] #182: heap-buffer-overflow in CoinMpsCardReader

COIN-OR Branch-and-Cut MIP Solver coin-trac at coin-or.org
Thu Jan 4 23:14:20 EST 2018


#182: heap-buffer-overflow in CoinMpsCardReader
----------------------+-----------------
Reporter:  gy741.kim  |      Owner:  tkr
    Type:  defect     |     Status:  new
Priority:  major      |  Component:  Cbc
 Version:  trunk      |   Keywords:
----------------------+-----------------
 Hello.

 I found a heap-buffer-overflow in cbc.

 Please confirm.

 Thanks.

 Summary: heap-buffer-overflow

 OS: CentOS 7 64bit

 Version: Trunk (unstable)

 Steps to reproduce:

 1. Download the .POC files.

 2. Compile the source code with ASan.

 3. Execute the following command: ./cbc $POC

 {{{
 ASAN:DEADLYSIGNAL
 =================================================================
 ==27178==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x607000001c00 at pc 0x0000016b9ee8 bp 0x7ffdf1820480 sp 0x7ffdf1820478
 READ of size 8 at 0x607000001c00 thread T0
     #0 0x16b9ee7 in CoinMpsCardReader::~CoinMpsCardReader()
 /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:471:3
     #1 0x16b9ee7 in CoinMpsIO::gutsOfDestructor()
 /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:5473
     #2 0x16d3aa8 in CoinMpsIO::~CoinMpsIO()
 /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:5441:3
     #3 0xc2c8ee in OsiClpSolverInterface::readMps(char const*, bool, bool)
 /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5846:1
     #4 0x561814 in CbcMain1(int, char const**, CbcModel&, int
 (*)(CbcModel*, int), CbcSolverUsefulData&)
 /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
     #5 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
     #6 0x7f29364a51c0 in __libc_start_main /build/glibc-
 CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
     #7 0x42e049 in _start (/home/karas/Cbc/run/bin/cbc+0x42e049)

 0x607000001c00 is located 14 bytes to the right of 66-byte region
 [0x607000001bb0,0x607000001bf2)
 freed by thread T0 here:
     #0 0x521ba0 in operator delete(void*)
 (/home/karas/Cbc/run/bin/cbc+0x521ba0)
     #1 0x15af88e in __gnu_cxx::new_allocator<char>::deallocate(char*,
 unsigned long) /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/ext/new_allocator.h:125:2
     #2 0x15af88e in __gnu_cxx::__alloc_traits<std::allocator<char>
 >::deallocate(std::allocator<char>&, char*, unsigned long)
 /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/ext/alloc_traits.h:133
     #3 0x15af88e in std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char> >::_M_destroy(unsigned long)
 /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:226
     #4 0x15af88e in std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char> >::_M_dispose()
 /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:221
     #5 0x15af88e in std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char> >::~basic_string()
 /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:647
     #6 0x15af88e in fileCoinReadable(std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char> >&,
 std::__cxx11::basic_string<char, std::char_traits<char>,
 std::allocator<char> > const&)
 /home/karas/Cbc/CoinUtils/src/CoinFileIO.cpp:659
     #7 0x16a127e in CoinMpsIO::dealWithFileName(char const*, char const*,
 CoinFileInput*&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1483:18
     #8 0x16aa2c3 in CoinMpsIO::readMps(char const*, char const*, int&,
 CoinSet**&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1566:20
     #9 0xc2a8db in OsiClpSolverInterface::readMps(char const*, bool, bool)
 /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5765:24
     #10 0x561814 in CbcMain1(int, char const**, CbcModel&, int
 (*)(CbcModel*, int), CbcSolverUsefulData&)
 /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
     #11 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
     #12 0x7f29364a51c0 in __libc_start_main /build/glibc-
 CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308

 previously allocated by thread T0 here:
     #0 0x520e30 in operator new(unsigned long)
 (/home/karas/Cbc/run/bin/cbc+0x520e30)
     #1 0x15af2a2 in void std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*,
 char*, std::forward_iterator_tag) /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.tcc:219:14
     #2 0x15af2a2 in void std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char>
 >::_M_construct_aux<char*>(char*, char*, std::__false_type)
 /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:236
     #3 0x15af2a2 in void std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*,
 char*) /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:255
     #4 0x15af2a2 in std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char>
 >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>,
 std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-
 gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:440
     #5 0x15af2a2 in fileCoinReadable(std::__cxx11::basic_string<char,
 std::char_traits<char>, std::allocator<char> >&,
 std::__cxx11::basic_string<char, std::char_traits<char>,
 std::allocator<char> > const&)
 /home/karas/Cbc/CoinUtils/src/CoinFileIO.cpp:643
     #6 0x16a127e in CoinMpsIO::dealWithFileName(char const*, char const*,
 CoinFileInput*&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1483:18
     #7 0x16aa2c3 in CoinMpsIO::readMps(char const*, char const*, int&,
 CoinSet**&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1566:20
     #8 0xc2a8db in OsiClpSolverInterface::readMps(char const*, bool, bool)
 /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5765:24
     #9 0x561814 in CbcMain1(int, char const**, CbcModel&, int
 (*)(CbcModel*, int), CbcSolverUsefulData&)
 /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
     #10 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
     #11 0x7f29364a51c0 in __libc_start_main /build/glibc-
 CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308

 SUMMARY: AddressSanitizer: heap-buffer-overflow
 /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:471:3 in
 CoinMpsCardReader::~CoinMpsCardReader()
 Shadow bytes around the buggy address:
   0x0c0e7fff8330: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
   0x0c0e7fff8340: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
   0x0c0e7fff8350: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
   0x0c0e7fff8360: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
   0x0c0e7fff8370: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
 =>0x0c0e7fff8380:[fa]fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
   0x0c0e7fff8390: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
   0x0c0e7fff83a0: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
   0x0c0e7fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c0e7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c0e7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
 ==27178==ABORTING
 }}}

 ==========

 [Acknowledgement]

 This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]

--
Ticket URL: <https://projects.coin-or.org/Cbc/ticket/182>
COIN-OR Branch-and-Cut MIP Solver <http://projects.coin-or.org/Cbc>
An LP-based branch-and-cut MIP solver.
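Added example (not part of the ticket or of the COIN-OR code base): a small Python triage helper for ASan reports of the shape posted above. It re-joins the lines that the mailing-list archive wrapped, extracts the bug class, the access kind and size, the stack of the bad access and the "freed by" stack, picks the first frame inside the project tree to build a de-duplication key for the crash, and recomputes the "14 bytes to the right of 66-byte region" figure from the raw addresses as a sanity check on the parse. The embedded report is an excerpt of the one in the ticket with several frames left out; the project root /home/karas/Cbc/ is taken from the paths in the report and is an assumption about the reporter's build tree.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Excerpt of the ASan report from ticket #182, with the line wrapping the
# mailing-list archive applied; several frames are omitted for brevity.
ASAN_REPORT = """\
==27178==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x607000001c00 at pc 0x0000016b9ee8 bp 0x7ffdf1820480 sp 0x7ffdf1820478
READ of size 8 at 0x607000001c00 thread T0
    #0 0x16b9ee7 in CoinMpsCardReader::~CoinMpsCardReader()
/home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:471:3
    #4 0x561814 in CbcMain1(int, char const**, CbcModel&, int
(*)(CbcModel*, int), CbcSolverUsefulData&)
/home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
    #6 0x7f29364a51c0 in __libc_start_main /build/glibc-
CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308

0x607000001c00 is located 14 bytes to the right of 66-byte region
[0x607000001bb0,0x607000001bf2)
freed by thread T0 here:
    #0 0x521ba0 in operator delete(void*)
(/home/karas/Cbc/run/bin/cbc+0x521ba0)
    #6 0x15af88e in fileCoinReadable(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >&,
std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&)
/home/karas/Cbc/CoinUtils/src/CoinFileIO.cpp:659
"""
PROJECT_ROOT = "/home/karas/Cbc/"  # build tree seen in the report's paths (assumed)
RECORD_START = re.compile(r"^(==\d+==|#\d+ |READ of|WRITE of|freed by|previously allocated|SUMMARY:|Shadow)")
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")  # "#N 0xPC in FUNC LOCATION"
LOC_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")  # "file:line[:col]"; unsymbolized frames do not match
REGION_RE = re.compile(r"is located (\d+) bytes (?:to the )?(right|left|inside) of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

@dataclass
class Frame:
    function: str
    file: Optional[str] = None
    line: Optional[int] = None

@dataclass
class AsanCrash:
    kind: str                 # e.g. "heap-buffer-overflow"
    address: int              # faulting address
    access: str = ""          # "READ" or "WRITE"
    size: int = 0
    stack: List[Frame] = field(default_factory=list)     # stack of the bad access
    freed_by: List[Frame] = field(default_factory=list)  # stack that freed the nearest chunk
    region: Optional[dict] = None                        # offset, side, size, start, end

def unwrap(text: str) -> List[str]:
    """Re-join mail-wrapped lines: a line that does not start a new ASan record is glued to the previous one."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and out and out[-1] and not RECORD_START.match(line):
            out[-1] += ("" if out[-1].endswith("-") else " ") + line  # hyphen-split paths get no space
        else:
            out.append(line)
    return out

def parse_asan_report(text: str) -> Optional[AsanCrash]:
    crash, target = None, None  # target: list receiving the frames of the current stack
    for line in unwrap(text):
        if m := ERROR_RE.match(line):
            crash = AsanCrash(kind=m.group(1), address=int(m.group(2), 16))
        elif crash is None:
            continue
        elif m := ACCESS_RE.match(line):
            crash.access, crash.size, target = m.group(1), int(m.group(2)), crash.stack
        elif m := REGION_RE.search(line):
            crash.region = dict(offset=int(m.group(1)), side=m.group(2), size=int(m.group(3)),
                                start=int(m.group(4), 16), end=int(m.group(5), 16))
        elif line.startswith("freed by"):
            target = crash.freed_by
        elif line.startswith(("previously allocated", "SUMMARY:")):
            target = None  # allocation stack is not collected in this example
        elif target is not None and (m := FRAME_RE.match(line)):
            loc = LOC_RE.match(m.group(2))
            target.append(Frame(m.group(1), loc.group(1), int(loc.group(2))) if loc else Frame(m.group(1)))
    return crash

def first_project_frame(stack: List[Frame], root: str = PROJECT_ROOT) -> Optional[Frame]:
    """First frame inside the project's sources, skipping libc, libstdc++ and unsymbolized frames."""
    return next((f for f in stack if f.file and f.file.startswith(root)), None)

def bucket_key(crash: AsanCrash, root: str = PROJECT_ROOT) -> str:
    """De-duplication key for fuzzer crashes: bug class, access kind and size, top project frame."""
    f = first_project_frame(crash.stack, root)
    where = f"{f.function}@{os.path.basename(f.file)}:{f.line}" if f else "unknown"
    return f"{crash.kind}/{crash.access}{crash.size}/{where}"

def region_distance_consistent(crash: AsanCrash) -> bool:
    """Recompute ASan's 'N bytes to the right/left/inside of' figure from the raw addresses."""
    r = crash.region
    if r is None:
        return False
    anchor = r["end"] if r["side"] == "right" else r["start"]
    return abs(crash.address - anchor) == r["offset"]
```

Calling parse_asan_report(ASAN_REPORT) and then bucket_key on the result gives heap-buffer-overflow/READ8/CoinMpsCardReader::~CoinMpsCardReader()@CoinMpsIO.cpp:471, and first_project_frame over the freed-by stack resolves to CoinFileIO.cpp:659 inside fileCoinReadable: the 8-byte read in the destructor lands in a heap redzone just past a std::string buffer that had already been released, which is the pointer to look at when fixing line 471. Keying on the first project frame rather than the whole trace keeps repeated hits of the same bug in one bucket even when the libstdc++ frames below it differ between builds.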
