free() invalid pointer

[lovasoa]

Hello,

When using cbc through it's rust binding, and trying to solve the very simple unbounded problem that follows, cbc tries to free invalid memory (free(): invalid pointer).

The problem is defined in rust with

        let mut m = Model::default();
        let z = m.add_col();
        m.set_obj_coeff(z, 1.);
        m.set_col_lower(z, -1e100);
        m.set_obj_sense(Sense::Minimize);
        m.solve();

Stack trace :

Thread 15 "test::unbounded" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff4eb0640 (LWP 83151)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
49      ../sysdeps/unix/sysv/linux/raise.c: Aucun fichier ou dossier de ce type.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7b4a864 in __GI_abort () at abort.c:79
#2  0x00007ffff7badaf6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7cd5128 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7bb646c in malloc_printerr (str=str@entry=0x7ffff7cd330f "free(): invalid pointer") at malloc.c:5389
#4  0x00007ffff7bb7e84 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:4201
#5  0x00007ffff7870bb8 in ClpModel::gutsOfDelete(int) () from /usr/lib/x86_64-linux-gnu/libClp.so.1
#6  0x00007ffff787ac9b in ClpModel::~ClpModel() () from /usr/lib/x86_64-linux-gnu/libClp.so.1
#7  0x00007ffff79e6a35 in OsiClpSolverInterface::~OsiClpSolverInterface() () from /usr/lib/x86_64-linux-gnu/libOsiClp.so.1
#8  0x00007ffff79e6c9d in OsiClpSolverInterface::~OsiClpSolverInterface() () from /usr/lib/x86_64-linux-gnu/libOsiClp.so.1
#9  0x00007ffff75b2de2 in CbcModel::~CbcModel() () from /usr/lib/x86_64-linux-gnu/libCbc.so.3
#10 0x00007ffff75b2dfd in CbcModel::~CbcModel() () from /usr/lib/x86_64-linux-gnu/libCbc.so.3
#11 0x00007ffff7ede924 in Cbc_deleteModel () from /usr/lib/x86_64-linux-gnu/libCbcSolver.so.3
#12 0x00005555555945de in <coin_cbc::raw::Model as core::ops::drop::Drop>::drop (self=0x7ffff4eaf5a8) at /home/ophir/Developpement/coin_cbc/src/raw.rs:390
#13 0x000055555559302e in core::ptr::drop_in_place () at /home/ophir/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:179
#14 0x000055555559227e in core::ptr::drop_in_place () at /home/ophir/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:179
#15 0x00005555555a94d1 in coin_cbc::test::unbounded () at /home/ophir/Developpement/coin_cbc/src/lib.rs:408
#16 0x000055555558995a in coin_cbc::test::unbounded::{{closure}} () at /home/ophir/Developpement/coin_cbc/src/lib.rs:401

Initially reported in KardinalAI/coin_cbc#9

Using libcbc 2.10.5+ds1-1 amd64 (from the ubuntu repository), with ubuntu 20.10.

[lovasoa]

Here is a C program to make the reproduction easier :

 #include  <coin/Cbc_C_Interface.h>
 #include  <stdio.h>

 int  main(int  argc,char* argv[])
 {
      if  (argc <2)return  1;
      double  low_bound;
      sscanf(argv[1],"%le", &low_bound);

      Cbc_Model* m =Cbc_newModel();
      int  numcols =1;
      int  numrows =0;
      int  start[] = {0};
      int  *index  =0;
      double  *value =0;
      double  collb[] = {low_bound};
      double  *colub =0;
      double  obj[] = {1.0};
      double  *rowlb =0;
      double  *rowub =0;
      Cbc_loadProblem(m,
          numcols, numrows,
          start,index,
          value,
          collb, colub,
          obj,
          rowlb, rowub);
      Cbc_solve(m);
      Cbc_deleteModel(m);
      return  0;
 }

$ gcc cbc_bug.c -lCbcSolver

$ ./a.out -1e27
Optimal - objective value -1e+27
Optimal objective -1e+27 - 0 iterations time 0.002

$ ./a.out -1e28
Dual infeasible - objective value 0
DualInfeasible objective 0 - 0 iterations time 0.002
free(): invalid pointer
Abandon (core dumped)

Edit: fixed C code

[jjhforrest]

Unable to reproduce error. Code does not seem to be very recent. When I run I get a message Welcome to the CBC MILP Solver Version: devel Build Date: Mar 4 2021 Starting solution of the Linear programming problem using Primal Simplex Maybe you missed that out to save space. But when I run the code (stupidly) puts out 50 or so lines before saying dual infeasible.

…

On 04/03/2021 17:06, Ophir LOJKINE wrote: Here is a C program to make the reproduction easier : #include <coin/Cbc_C_Interface.h> #include <stdio.h> int main(int argc,char* argv[]) { if (argc <2)return 1; double low_bound; sscanf(argv[1],"%le", &low_bound); Cbc_Model* m =Cbc_newModel(); int numcols =1; int numrows =0; int start[] = {0}; int *index =0; double *value =0; double collb[] = {low_bound}; double *colub =0; double obj[] = {1.0}; double *rowlb =0; double *rowub =0; Cbc_loadProblem(m, numcols, numrows, start,index, value, collb, colub, obj, rowlb, rowub); Cbc_solve(m); Cbc_deleteModel(m); return 0; } |$ gcc cbc_bug.c -lCbcSolver $ ./a.out -1e27 Optimal - objective value -1e+27 Optimal objective -1e+27 - 0 iterations time 0.002 $ ./a.out -1e28 Dual infeasible - objective value 0 DualInfeasible objective 0 - 0 iterations time 0.002 free(): invalid pointer Abandon (core dumped) | — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#367 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJYHBRY3KACGSYO367XV3TB642DANCNFSM4YTQAQLA>.

[lovasoa]

What do you mean by "code does not seem to be very recent" ? I wrote it today.
The error is reproducible with the latest libcbc from the ubuntu repository.

[lovasoa]

Here is a git repository where the issue is reproduced: https://github.com/lovasoa/libcbc-bug

https://github.com/lovasoa/libcbc-bug/runs/2033955168?check_suite_focus=true

[tkralphs]

The version @lovasoa is testing with on Ubuntu appears to be 2.10.5 and @jjhforrest is testing with master. I guess this is not an issue in master. It may be a while before master is pushed out to release and then the Ubuntu package repo is updated.

[lovasoa]

This is a security vulnerability. It should probably not wait until a new release is published...

[tkralphs]

Yes, security is something I would love to address and I would be surprised if there weren't more such vulnerabilities. It would be great if someone with the ability to do it and who cares about deploying Cbc in environments where security is an issue would come along and provide the resources to do a serious audit of the code. Unfortunately, I think this is something that would require manpower beyond what our tiny volunteer army can muster right now. Sponsorship is needed and I keep trying to get the word out. Given available bandwidth, pouring our efforts into pushing the current master version out seems the best strategy.

[lovasoa]

Thank you for the efforts you already make !

[jjhforrest]

The example code is incorrect - it should be int start[2] = {0} the length of column is start[1]-start[0] so all sorts of errors could occur. Here is a C program to make the reproduction easier : #include <coin/Cbc_C_Interface.h> #include <stdio.h> int main(int argc,char* argv[]) { if (argc <2)return 1; double low_bound; sscanf(argv[1],"%le", &low_bound); Cbc_Model* m =Cbc_newModel(); int numcols =1; int numrows =0; int start[] = {0}; int *index =0; double *value =0; double collb[] = {low_bound}; double *colub =0; double obj[] = {1.0}; double *rowlb =0; double *rowub =0; Cbc_loadProblem(m, numcols, numrows, start,index, value, collb, colub, obj, rowlb, rowub); Cbc_solve(m); Cbc_deleteModel(m); return 0; }

…

On 04/03/2021 19:08, Ophir LOJKINE wrote: Here is a git repository where the issue is reproduced: https://github.com/lovasoa/libcbc-bug https://github.com/lovasoa/libcbc-bug/runs/2033955168?check_suite_focus=true — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#367 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWJYHG75JXVBRN6VWS6EZDTB7LCRANCNFSM4YTQAQLA>.

[lovasoa]

Yes you're right, my mistake !

[alexmurray]

Was a CVE ever assigned for this issue?

[lovasoa]

I reported it to ubuntu, and never got any response back. I don't think so.

[alexmurray]

Hah ok, I am on the Ubuntu Security Team - I'll see if we can allocate a CVE for this.

[lovasoa]

Oh, sorry, I didn't realize that. Thank you !