
NULL pointer dereference in #98

Open
svigerske opened this issue Mar 3, 2019 · 3 comments

Comments

@svigerske
Member

Issue created by migration from Trac.

Original creator: gy741.kim

Original creation time: 2018-01-05 04:06:19

Assignee: @tkralphs

Hello.

I found a NULL pointer dereference in cbc.

Please confirm.

Thanks.

Summary: NULL pointer dereference

OS: CentOS 7 64bit

Version: Trunk (unstable)

Steps to reproduce:

1. Download the .POC files.

2. Compile the source code with ASan.

3. Execute the following command: ./cbc $POC

ASAN:DEADLYSIGNAL
=================================================================
==23114==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000001697a01 bp 0x7ffe6bd33f10 sp 0x7ffe6bd33d40 T0)
==23114==The signal is caused by a READ memory access.
==23114==Hint: address points to the zero page.
    #0 0x1697a00 in CoinMpsCardReader::cleanCard() /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:280:19
    #1 0x16995b0 in CoinMpsCardReader::nextField() /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:516:10
    #2 0x16aab30 in CoinMpsIO::readMps(int&, CoinSet**&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1633:18
    #3 0x16aa43f in CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:1573:10
    #4 0xc2a8db in OsiClpSolverInterface::readMps(char const*, bool, bool) /home/karas/Cbc/Clp/src/OsiClp/OsiClpSolverInterface.cpp:5765:24
    #5 0x561814 in CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) /home/karas/Cbc/Cbc/src/CbcSolver.cpp:7955:53
    #6 0x5254b6 in main /home/karas/Cbc/Cbc/src/CoinSolve.cpp:350:22
    #7 0x7fd8c61b21c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #8 0x42e049 in _start (/home/karas/Cbc/run/bin/cbc+0x42e049)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/karas/Cbc/CoinUtils/src/CoinMpsIO.cpp:280:19 in CoinMpsCardReader::cleanCard()
==23114==ABORTING

==========

[Acknowledgement]

This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001,

Innovation hub for high Performance Computing]

@svigerske
Member Author

Attachment null_CoinMpsCardReader__cleanCard by gy741.kim created at 2018-01-05 04:07:18

POC

@svigerske
Member Author

Comment by gy741.kim created at 2018-01-05 04:08:20

NULL pointer dereference in CoinMpsCardReader::cleanCard

@svigerske
Member Author

Also valgrind complains with current Cbc/master:

Welcome to the CBC MILP Solver 
Version: Trunk (unstable) 
Build Date: Mar 12 2019 
Revision Number: 2526 

command line - ./bin/cbc null_CoinMpsCardReader__cleanCard (default strategy 1)
At line 1 BASIS00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
==22084== Invalid read of size 8
==22084==    at 0x6B742F: CoinMpsCardReader::cleanCard() (CoinMpsIO.cpp:278)
==22084==    by 0x6B7FB5: CoinMpsCardReader::nextField() (CoinMpsIO.cpp:509)
==22084==    by 0x6BB250: CoinMpsIO::readMps(int&, CoinSet**&) (CoinMpsIO.cpp:1610)
==22084==    by 0x6BADCA: CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) (CoinMpsIO.cpp:1550)
==22084==    by 0x41013A: OsiClpSolverInterface::readMps(char const*, bool, bool) (OsiClpSolverInterface.cpp:5701)
==22084==    by 0x15E547: CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) (CbcSolver.cpp:8186)
==22084==    by 0x135DA9: main (CoinSolve.cpp:354)
==22084==  Address 0x6effe00 is 4,016 bytes inside a block of size 4,096 free'd
==22084==    at 0x48389AB: free (vg_replace_malloc.c:530)
==22084==    by 0x6977B53: _IO_setb (in /usr/lib/libc-2.28.so)
==22084==    by 0x697616F: _IO_file_close_it@@GLIBC_2.2.5 (in /usr/lib/libc-2.28.so)
==22084==    by 0x696998E: fclose@@GLIBC_2.2.5 (in /usr/lib/libc-2.28.so)
==22084==    by 0x66F23A: CoinFileInput::create(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (CoinFileIO.cpp:332)
==22084==    by 0x6BA8CA: CoinMpsIO::dealWithFileName(char const*, char const*, CoinFileInput*&) (CoinMpsIO.cpp:1465)
==22084==    by 0x6BAD4D: CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) (CoinMpsIO.cpp:1543)
==22084==    by 0x41013A: OsiClpSolverInterface::readMps(char const*, bool, bool) (OsiClpSolverInterface.cpp:5701)
==22084==    by 0x15E547: CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) (CbcSolver.cpp:8186)
==22084==    by 0x135DA9: main (CoinSolve.cpp:354)
==22084==  Block was alloc'd at
==22084==    at 0x483777F: malloc (vg_replace_malloc.c:299)
==22084==    by 0x6969790: _IO_file_doallocate (in /usr/lib/libc-2.28.so)
==22084==    by 0x6977BBF: _IO_doallocbuf (in /usr/lib/libc-2.28.so)
==22084==    by 0x6975C14: _IO_file_xsgetn (in /usr/lib/libc-2.28.so)
==22084==    by 0x696A77A: fread (in /usr/lib/libc-2.28.so)
==22084==    by 0x66F224: CoinFileInput::create(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (CoinFileIO.cpp:331)
==22084==    by 0x6BA8CA: CoinMpsIO::dealWithFileName(char const*, char const*, CoinFileInput*&) (CoinMpsIO.cpp:1465)
==22084==    by 0x6BAD4D: CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) (CoinMpsIO.cpp:1543)
==22084==    by 0x41013A: OsiClpSolverInterface::readMps(char const*, bool, bool) (OsiClpSolverInterface.cpp:5701)
==22084==    by 0x15E547: CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) (CbcSolver.cpp:8186)
==22084==    by 0x135DA9: main (CoinSolve.cpp:354)
==22084== 
==22084== Invalid read of size 8
==22084==    at 0x6B7436: CoinMpsCardReader::cleanCard() (CoinMpsIO.cpp:278)
==22084==    by 0x6B7FB5: CoinMpsCardReader::nextField() (CoinMpsIO.cpp:509)
==22084==    by 0x6BB250: CoinMpsIO::readMps(int&, CoinSet**&) (CoinMpsIO.cpp:1610)
==22084==    by 0x6BADCA: CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) (CoinMpsIO.cpp:1550)
==22084==    by 0x41013A: OsiClpSolverInterface::readMps(char const*, bool, bool) (OsiClpSolverInterface.cpp:5701)
==22084==    by 0x15E547: CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) (CbcSolver.cpp:8186)
==22084==    by 0x135DA9: main (CoinSolve.cpp:354)
==22084==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==22084== 
==22084== 
==22084== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==22084==  Access not within mapped region at address 0x18
==22084==    at 0x6B7436: CoinMpsCardReader::cleanCard() (CoinMpsIO.cpp:278)
==22084==    by 0x6B7FB5: CoinMpsCardReader::nextField() (CoinMpsIO.cpp:509)
==22084==    by 0x6BB250: CoinMpsIO::readMps(int&, CoinSet**&) (CoinMpsIO.cpp:1610)
==22084==    by 0x6BADCA: CoinMpsIO::readMps(char const*, char const*, int&, CoinSet**&) (CoinMpsIO.cpp:1550)
==22084==    by 0x41013A: OsiClpSolverInterface::readMps(char const*, bool, bool) (OsiClpSolverInterface.cpp:5701)
==22084==    by 0x15E547: CbcMain1(int, char const**, CbcModel&, int (*)(CbcModel*, int), CbcSolverUsefulData&) (CbcSolver.cpp:8186)
==22084==    by 0x135DA9: main (CoinSolve.cpp:354)
==22084==  If you believe this happened as a result of a stack
==22084==  overflow in your program's main thread (unlikely but
==22084==  possible), you can try to increase the size of the
==22084==  main thread stack using the --main-stacksize= flag.
==22084==  The main thread stack size used in this run was 8388608.
==22084== 
==22084== HEAP SUMMARY:
==22084==     in use at exit: 333,899 bytes in 1,170 blocks
==22084==   total heap usage: 3,285 allocs, 2,115 frees, 945,033 bytes allocated
==22084== 
==22084== LEAK SUMMARY:
==22084==    definitely lost: 0 bytes in 0 blocks
==22084==    indirectly lost: 0 bytes in 0 blocks
==22084==      possibly lost: 0 bytes in 0 blocks
==22084==    still reachable: 333,899 bytes in 1,170 blocks
==22084==                       of which reachable via heuristic:
==22084==                         multipleinheritance: 1,048 bytes in 1 blocks
==22084==         suppressed: 0 bytes in 0 blocks
==22084== Rerun with --leak-check=full to see details of leaked memory
==22084== 
==22084== For counts of detected and suppressed errors, rerun with: -v
==22084== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
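The two traces above share one shape: a fixed-column "card" reader asks for the next card, the input has already ended (or the backing buffer is gone), and the cleaning routine dereferences whatever pointer came back. The following C program is an added illustration of that failure class and of the end-of-input check that prevents it; it is not CoinUtils' CoinMpsCardReader and makes no claim about how that class is implemented. The reader type, function names and the two embedded MPS-style inputs are all constructed for this example. The reader copies each card into storage it owns, so callers never hold a pointer into a stdio buffer that a later fclose() could free, which is the second thing valgrind complained about.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified card reader (not CoinUtils code). An MPS file is a
 * sequence of 80-column "cards"; we model the input as an in-memory string. */
#define CARD_LEN 80

struct card_reader {
    const char *data;          /* whole input, NUL-terminated */
    size_t pos;                /* read cursor into data */
    char card[CARD_LEN + 1];   /* reader-owned copy of the current card */
};

/* Copy the next line into r->card and return it, or NULL when the input is
 * exhausted. The NULL return is the contract the caller must honour, exactly
 * as with fgets(). */
static char *next_card(struct card_reader *r)
{
    if (r->data[r->pos] == '\0')
        return NULL;
    size_t n = 0;
    while (r->data[r->pos] != '\0' && r->data[r->pos] != '\n') {
        if (n < CARD_LEN)                 /* silently truncate over-long cards */
            r->card[n++] = r->data[r->pos];
        r->pos++;
    }
    if (r->data[r->pos] == '\n')
        r->pos++;
    r->card[n] = '\0';
    return r->card;
}

/* Strip trailing blanks, tabs and CR from a card. Returns the cleaned length,
 * or -1 if handed a NULL card instead of reading through address 0. */
static long clean_card(char *card)
{
    if (card == NULL)
        return -1;
    size_t len = strlen(card);
    while (len > 0 && (card[len - 1] == ' ' || card[len - 1] == '\t' ||
                       card[len - 1] == '\r'))
        card[--len] = '\0';
    return (long)len;
}

/* Walk the cards up to ENDATA. Stores the number of non-comment, non-blank
 * cards seen in *cards_out. Returns 0 on a complete file and -1 when the
 * input ends before ENDATA, which is the truncated-input case a fuzzer hits. */
static int read_section(const char *input, int *cards_out)
{
    struct card_reader r = { input, 0, { 0 } };
    int count = 0;
    for (;;) {
        char *card = next_card(&r);
        if (card == NULL) {               /* end of input: report, do not deref */
            *cards_out = count;
            return -1;
        }
        clean_card(card);
        if (card[0] == '*' || card[0] == '\0')
            continue;                     /* comment or blank card */
        count++;
        if (strcmp(card, "ENDATA") == 0) {
            *cards_out = count;
            return 0;
        }
    }
}

/* Constructed sample inputs: a complete tiny MPS model and a truncated one. */
static const char GOOD_MPS[] =
    "NAME          SAMPLE\n"
    "ROWS\n"
    " N  obj\n"
    " L  c1\n"
    "* a comment card\n"
    "COLUMNS\n"
    "    x1        obj       1.0   c1        1.0\n"
    "RHS\n"
    "    rhs       c1        4.0\n"
    "ENDATA\n";

static const char TRUNCATED_MPS[] =
    "NAME          SAMPLE\n"
    "ROWS\n"
    " N  obj   \n";                       /* file ends mid-section, no ENDATA */

int main(void)
{
    int n;
    int rc = read_section(GOOD_MPS, &n);
    printf("complete file: rc=%d cards=%d\n", rc, n);
    rc = read_section(TRUNCATED_MPS, &n);
    printf("truncated file: rc=%d cards=%d\n", rc, n);
    return 0;
}
```

With the NULL check removed from read_section, the truncated input would hand a NULL pointer to clean_card() and strlen() would fault on a near-zero address, which is what the ASan line "address points to the zero page" describes; with it in place the caller gets an error code and can reject the file.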

@svigerske svigerske transferred this issue from coin-or/Cbc Mar 13, 2019