ASAN:DEADLYSIGNAL
=================================================================
==27178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000001c00 at pc 0x0000016b9ee8 bp 0x7ffdf1820480 sp 0x7ffdf1820478
READ of size 8 at 0x607000001c00 thread T0
#0 0x16b9ee7 in CoinMpsCardReader::~CoinMpsCardReader() /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:471:3
#1 0x16b9ee7 in CoinMpsIO::gutsOfDestructor() /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:5473
#2 0x16d3aa8 in CoinMpsIO::~CoinMpsIO() /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:5441:3
#3 0xc2c8ee in OsiClpSolverInterface::readMps(char const*, bool, bool) /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5846:1
#4 0x561814 in CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
#5 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
#6 0x7f29364a51c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
#7 0x42e049 in _start (/home/karas/Cbc/run/bin/cbc+0x42e049)
0x607000001c00 is located 14 bytes to the right of 66-byte region [0x607000001bb0,0x607000001bf2)
freed by thread T0 here:
#0 0x521ba0 in operator delete(void*) (/home/karas/Cbc/run/bin/cbc+0x521ba0)
#1 0x15af88e in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/ext/new_allocator.h:125:2
#2 0x15af88e in __gnu_cxx::__alloc_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/ext/alloc_traits.h:133
#3 0x15af88e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:226
#4 0x15af88e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:221
#5 0x15af88e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:647
#6 0x15af88e in fileCoinReadable(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/karas/Cbc/CoinUtils/src/CoinFileIO.cpp:659
#7 0x16a127e in CoinMpsIO::dealWithFileName(char const*, char const*, CoinFileInput*&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1483:18
#8 0x16aa2c3 in CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1566:20
#9 0xc2a8db in OsiClpSolverInterface::readMps(char const*, bool, bool) /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5765:24
#10 0x561814 in CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
#11 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
#12 0x7f29364a51c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x520e30 in operator new(unsigned long) (/home/karas/Cbc/run/bin/cbc+0x520e30)
#1 0x15af2a2 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.tcc:219:14
#2 0x15af2a2 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*>(char*, char*, std::__false_type) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:236
#3 0x15af2a2 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:255
#4 0x15af2a2 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/basic_string.h:440
#5 0x15af2a2 in fileCoinReadable(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/karas/Cbc/CoinUtils/src/CoinFileIO.cpp:643
#6 0x16a127e in CoinMpsIO::dealWithFileName(char const*, char const*, CoinFileInput*&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1483:18
#7 0x16aa2c3 in CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1566:20
#8 0xc2a8db in OsiClpSolverInterface::readMps(char const*, bool, bool) /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5765:24
#9 0x561814 in CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
#10 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
#11 0x7f29364a51c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:471:3 in CoinMpsCardReader::~CoinMpsCardReader()
Shadow bytes around the buggy address:
0x0c0e7fff8330: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
0x0c0e7fff8340: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e7fff8350: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0e7fff8360: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fff8370: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
=>0x0c0e7fff8380:[fa]fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
0x0c0e7fff8390: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0e7fff83a0: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
0x0c0e7fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27178==ABORTING
Attachment: https://github.com/s-c-e/cbc-trac-migration-attachments/blob/master/trac-ticket-182.zip
Hello.
I found a heap-buffer-overflow in cbc.
Please confirm.
Thanks.
Summary: heap-buffer-overflow
OS: CentOS 7 64bit
Version: Trunk (unstable)
Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with ASan.
3. Execute the following command: ./cbc $POC
==========
[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001,
Innovation hub for high Performance Computing]