Opened 16 months ago

Closed 7 weeks ago

#182 closed defect (migrated)

heap-buffer-overflow in CoinMpsCardReader

Reported by: gy741.kim Owned by: tkr
Priority: major Component: Cbc
Version: trunk Keywords:
Cc:

Description

Hello.

I found a heap-buffer-overflow in cbc.

Please confirm.

Thanks.

Summary: heap-buffer-overflow

OS: CentOS 7 64bit

Version: Trunk (unstable)

Steps to reproduce:

1.Download the .POC files.

2.Compile the source code with ASan.

3.Execute the following command : ./cbc $POC

ASAN:DEADLYSIGNAL
=================================================================
==27178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000001c00 at pc 0x0000016b9ee8 bp 0x7ffdf1820480 sp 0x7ffdf1820478
READ of size 8 at 0x607000001c00 thread T0
    #0 0x16b9ee7 in CoinMpsCardReader::~CoinMpsCardReader() /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:471:3
    #1 0x16b9ee7 in CoinMpsIO::gutsOfDestructor() /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:5473
    #2 0x16d3aa8 in CoinMpsIO::~CoinMpsIO() /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:5441:3
    #3 0xc2c8ee in OsiClpSolverInterface::readMps(char const*, bool, bool) /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5846:1
    #4 0x561814 in CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
    #5 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
    #6 0x7f29364a51c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #7 0x42e049 in _start (/home/karas/Cbc/run/bin/cbc+0x42e049)

0x607000001c00 is located 14 bytes to the right of 66-byte region [0x607000001bb0,0x607000001bf2)
freed by thread T0 here:
    #0 0x521ba0 in operator delete(void*) (/home/karas/Cbc/run/bin/cbc+0x521ba0)
    #1 0x15af88e in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/ext/new_allocator.h:125:2
    #2 0x15af88e in __gnu_cxx::__alloc_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/ext/alloc_traits.h:133
    #3 0x15af88e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:226
    #4 0x15af88e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:221
    #5 0x15af88e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:647
    #6 0x15af88e in fileCoinReadable(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/karas/Cbc/CoinUtils/src/CoinFileIO.cpp:659
    #7 0x16a127e in CoinMpsIO::dealWithFileName(char const*, char const*, CoinFileInput*&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1483:18
    #8 0x16aa2c3 in CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1566:20
    #9 0xc2a8db in OsiClpSolverInterface::readMps(char const*, bool, bool) /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5765:24
    #10 0x561814 in CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
    #11 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
    #12 0x7f29364a51c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x520e30 in operator new(unsigned long) (/home/karas/Cbc/run/bin/cbc+0x520e30)
    #1 0x15af2a2 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.tcc:219:14
    #2 0x15af2a2 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*>(char*, char*, std::__false_type) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:236
    #3 0x15af2a2 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:255
    #4 0x15af2a2 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:440
    #5 0x15af2a2 in fileCoinReadable(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/karas/Cbc/CoinUtils/src/CoinFileIO.cpp:643
    #6 0x16a127e in CoinMpsIO::dealWithFileName(char const*, char const*, CoinFileInput*&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1483:18
    #7 0x16aa2c3 in CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1566:20
    #8 0xc2a8db in OsiClpSolverInterface::readMps(char const*, bool, bool) /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5765:24
    #9 0x561814 in CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
    #10 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
    #11 0x7f29364a51c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:471:3 in CoinMpsCardReader::~CoinMpsCardReader()
Shadow bytes around the buggy address:
  0x0c0e7fff8330: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0e7fff8340: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fff8350: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff8360: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8370: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
=>0x0c0e7fff8380:[fa]fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e7fff8390: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fff83a0: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
  0x0c0e7fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27178==ABORTING

==========

[Acknowledgement]

This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001,

Innovation hub for high Performance Computing]

Attachments (1)

OV_CoinMpsCardReader (1.0 KB) - added by gy741.kim 16 months ago.

Download all attachments as: .zip

Change History (2)

Changed 16 months ago by gy741.kim

comment:1 Changed 7 weeks ago by stefan

  • Resolution set to migrated
  • Status changed from new to closed

This ticket has been migrated to GitHub and will be resolved there: https://github.com/coin-or/Cbc/issues/182

Note: See TracTickets for help on using tickets.