Open lovasoa opened 3 years ago
Here is a C program to make the reproduction easier :
#include <coin/Cbc_C_Interface.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    if (argc < 2)
        return 1;
    double low_bound;
    sscanf(argv[1], "%le", &low_bound);   /* lower bound of the single column, taken from argv */
    Cbc_Model *m = Cbc_newModel();
    int numcols = 1;
    int numrows = 0;
    int start[] = {0};                    /* column-start array (see the correction later in the thread) */
    int *index = 0;                       /* no constraint rows, so no row indices or values */
    double *value = 0;
    double collb[] = {low_bound};
    double *colub = 0;                    /* NULL upper bounds = default (+infinity) */
    double obj[] = {1.0};                 /* minimise the single column */
    double *rowlb = 0;
    double *rowub = 0;
    Cbc_loadProblem(m,
                    numcols, numrows,
                    start, index,
                    value,
                    collb, colub,
                    obj,
                    rowlb, rowub);
    Cbc_solve(m);
    Cbc_deleteModel(m);
    return 0;
}
$ gcc cbc_bug.c -lCbcSolver
$ ./a.out -1e27
Optimal - objective value -1e+27
Optimal objective -1e+27 - 0 iterations time 0.002
$ ./a.out -1e28
Dual infeasible - objective value 0
DualInfeasible objective 0 - 0 iterations time 0.002
free(): invalid pointer
Abandon (core dumped)
Edit: fixed C code
Unable to reproduce error.
Code does not seem to be very recent. When I run I get a message
Welcome to the CBC MILP Solver Version: devel Build Date: Mar 4 2021
Starting solution of the Linear programming problem using Primal Simplex
Maybe you missed that out to save space. But when I run the code (stupidly) puts out 50 or so lines before saying dual infeasible.
On 04/03/2021 17:06, Ophir LOJKINE wrote:
What do you mean by "code does not seem to be very recent" ? I wrote it today. The error is reproducible with the latest libcbc from the ubuntu repository.
Here is a git repository where the issue is reproduced: https://github.com/lovasoa/libcbc-bug
https://github.com/lovasoa/libcbc-bug/runs/2033955168?check_suite_focus=true
The version @lovasoa is testing with on Ubuntu appears to be 2.10.5 and @jjhforrest is testing with master. I guess this is not an issue in master. It may be a while before master is pushed out to release and then the Ubuntu package repo is updated.
This is a security vulnerability. It should probably not wait until a new release is published...
Yes, security is something I would love to address and I would be surprised if there weren't more such vulnerabilities. It would be great if someone with the ability to do it and who cares about deploying Cbc in environments where security is an issue would come along and provide the resources to do a serious audit of the code. Unfortunately, I think this is something that would require manpower beyond what our tiny volunteer army can muster right now. Sponsorship is needed and I keep trying to get the word out. Given available bandwidth, pouring our efforts into pushing the current master version out seems the best strategy.
Thank you for the efforts you already make !
The example code is incorrect. It should be int start[2] = {0}: the length of a column is start[1]-start[0], so all sorts of errors could occur.
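The point in the comment above is worth making concrete: Cbc_loadProblem takes a column-major sparse matrix, so start[] must have numcols + 1 entries and the reproducer's one-element start[] lets the solver read start[1] past the end of the array, which is how a wrong input turns into the free(): invalid pointer seen in the transcript. The C API cannot check the array length itself, so a caller feeding model data from an untrusted source should validate it first. The following is an added example, not code from the Cbc project or from anyone in this thread; validate_csc and column_length are hypothetical helper names, and the matrices are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes for the hypothetical validation helper below (not part of Cbc). */
enum csc_status {
    CSC_OK = 0,
    CSC_BAD_DIMENSIONS,      /* negative numcols or numrows */
    CSC_START_TOO_SHORT,     /* start[] has fewer than numcols + 1 entries */
    CSC_START_NOT_MONOTONE,  /* start[0] != 0 or start[j+1] < start[j] */
    CSC_INDEX_OUT_OF_RANGE,  /* a row index is outside [0, numrows) */
    CSC_NNZ_MISMATCH         /* start[] points past the index/value arrays */
};

/* Validate a column-major sparse matrix in the layout Cbc_loadProblem expects:
   positions start[j] .. start[j+1]-1 of rowidx[]/value[] hold column j's
   nonzeros, so start[] needs numcols + 1 entries.  start_len and nnz are the
   lengths the caller actually allocated; the solver API has no way to know
   them, which is exactly why the short start[] in the reproducer is dangerous. */
enum csc_status validate_csc(int numcols, int numrows,
                             const int *start, size_t start_len,
                             const int *rowidx, size_t nnz)
{
    if (numcols < 0 || numrows < 0)
        return CSC_BAD_DIMENSIONS;
    if (start_len < (size_t)numcols + 1)
        return CSC_START_TOO_SHORT;
    if (start[0] != 0)
        return CSC_START_NOT_MONOTONE;
    for (int j = 0; j < numcols; j++) {
        if (start[j + 1] < start[j])
            return CSC_START_NOT_MONOTONE;
        for (int k = start[j]; k < start[j + 1]; k++) {
            if ((size_t)k >= nnz)
                return CSC_NNZ_MISMATCH;
            if (rowidx[k] < 0 || rowidx[k] >= numrows)
                return CSC_INDEX_OUT_OF_RANGE;
        }
    }
    if ((size_t)start[numcols] != nnz)
        return CSC_NNZ_MISMATCH;
    return CSC_OK;
}

/* Number of nonzeros in column j, computed as start[j+1] - start[j].
   Only meaningful once validate_csc has accepted the arrays. */
int column_length(const int *start, int j)
{
    return start[j + 1] - start[j];
}

/* The reporter's shape: one entry in start[] for numcols = 1, numrows = 0. */
int reproducer_start_is_rejected(void)
{
    int start_short[] = {0};
    return validate_csc(1, 0, start_short, 1, NULL, 0) == CSC_START_TOO_SHORT;
}

/* The corrected shape: numcols + 1 = 2 entries, giving column 0 length 0. */
int corrected_start_is_accepted(void)
{
    int start_ok[2] = {0};
    return validate_csc(1, 0, start_ok, 2, NULL, 0) == CSC_OK
        && column_length(start_ok, 0) == 0;
}

int main(void)
{
    /* Constructed sample: 2 rows, 3 columns; column 0 has two nonzeros,
       column 1 none, column 2 one. */
    int start[4] = {0, 2, 2, 3};
    int rowidx[3] = {0, 1, 1};
    enum csc_status s = validate_csc(3, 2, start, 4, rowidx, 3);
    printf("sample matrix: %s\n", s == CSC_OK ? "ok" : "rejected");
    for (int j = 0; j < 3; j++)
        printf("column %d has %d nonzeros\n", j, column_length(start, j));
    printf("reporter's start[]: %s\n",
           reproducer_start_is_rejected() ? "rejected" : "accepted");
    printf("corrected start[2]: %s\n",
           corrected_start_is_accepted() ? "accepted" : "rejected");
    return 0;
}
```

Running the check before Cbc_loadProblem turns the out-of-bounds read into a clean error return; it does not fix the library, which still trusts whatever start[] it is handed, so this is a caller-side mitigation until a release with the master changes reaches the distribution packages.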
Yes you're right, my mistake !
Was a CVE ever assigned for this issue?
I reported it to ubuntu, and never got any response back. I don't think so.
Hah ok, I am on the Ubuntu Security Team - I'll see if we can allocate a CVE for this.
Oh, sorry, I didn't realize that. Thank you !
Hello,
When using cbc through its Rust binding, and trying to solve the very simple unbounded problem that follows, cbc tries to free invalid memory (free(): invalid pointer). The problem is defined in Rust with
Stack trace:
Initially reported in https://github.com/KardinalAI/coin_cbc/issues/9
Using libcbc 2.10.5+ds1-1 amd64 (from the Ubuntu repository), with Ubuntu 20.10.