
Potential Integer Overflow vulnerability in src/mmio.c #9

Open
gaborcsardi opened this issue Sep 5, 2021 · 0 comments

@gaborcsardi (Owner) commented:

I got the following bug report against the Debian instance of lpSolve which
you maintain. This clearly comes from an automated scanning system so may
have false positives. A (very quick) look for mmio upstream suggests that it
has not changed. So maybe worth putting a local change in. Let me know if you
have other thoughts / if you become aware of a more general solution.

Best, Dirk

On 3 September 2021 at 21:12, Potential Buffer Overflow vulnerability in xfig-3.2.7b wrote:
| Package: r-cran-lpsolve
| Version: 5.6.15
| Severity: normal
|
| Dear Maintainer,
|
| It seems that there exists a potential Integer Overflow in src/mmio.c.
| in line 53,
| (53) if (mm_read_mtx_crd_size(f, &M, &N, &nz) !=0)
| ...
| (65) I = (int *) malloc(nz * sizeof(int));
| (66) J = (int *) malloc(nz * sizeof(int));
|
| in function mm_read_mtx_crd_size(FILE *f, int *M, int *N, int *nz ),
| in line 207,
| (207) if (sscanf(line, "%d %d %d", M, N, nz) >= 2)
|
| As a result, in line 65, variable nz is read from external source.
| If nz is large enough, multiplication may cause allocation to wrong value.
|
|
| -- System Information:
| Debian Release: 11.0
| APT prefers oldstable-updates
| APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
| Architecture: amd64 (x86_64)
|
| Kernel: Linux 4.4.0-19041-Microsoft
| Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
| Shell: /bin/sh linked to /bin/dash
| Init: unable to detect
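A defensive version of the header parse and index allocation the report points at, added here as an illustration (this is not lpSolve's or mmio's own code; the function names and the 32-bit wrap helper are mine). It requires all three fields of the "M N nz" line, rejects negative counts, and sizes the `malloc` through an explicit overflow check instead of trusting `nz * sizeof(int)`:

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <limits.h>

/* Reject negative counts and products that would not fit in size_t.
 * With a 64-bit size_t an int count cannot overflow the product, but the
 * same code built with a 32-bit size_t (or a larger element type) can,
 * so the check is explicit rather than assumed. Returns 0 on success. */
static int checked_count_size(int count, size_t elem, size_t *out)
{
    if (count < 0)
        return -1;
    if ((size_t)count > SIZE_MAX / elem)
        return -1;
    *out = (size_t)count * elem;
    return 0;
}

/* Parse "M N nz". All three fields are required and must be >= 0,
 * unlike the ">= 2" acceptance quoted in the report. The trailing %c
 * rejects junk such as "3 3 5x" or a fourth field. Returns 0 on success. */
int parse_crd_size(const char *line, int *M, int *N, int *nz)
{
    int m, n, z;
    char tail;
    if (sscanf(line, "%d %d %d %c", &m, &n, &z, &tail) != 3)
        return -1;
    if (m < 0 || n < 0 || z < 0)
        return -1;
    *M = m; *N = n; *nz = z;
    return 0;
}

/* Allocate nz ints, returning NULL instead of allocating a wrapped size. */
int *alloc_index_array(int nz)
{
    size_t bytes;
    if (checked_count_size(nz, sizeof(int), &bytes) != 0)
        return NULL;
    return (int *)malloc(bytes);
}

/* Hypothetical helper showing the report's concern with a 32-bit size_t:
 * the product wraps, so a huge nz yields a tiny buffer that later fills
 * of I[] and J[] would overrun. */
uint32_t wrapped_bytes32(int nz)
{
    return (uint32_t)nz * (uint32_t)sizeof(int);
}
```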

gaborcsardi added a commit that referenced this issue Sep 27, 2022
Following lpSolveAPI.

Original error:
```
> ### Name: lp
> ### Title: Linear and Integer Programming
> ### Aliases: lp
> ### Keywords: optimize
>
> ### ** Examples
>
> #
> # Set up problem: maximize
> #   x1 + 9 x2 +   x3 subject to
> #   x1 + 2 x2 + 3 x3  <= 9
> # 3 x1 + 2 x2 + 2 x3 <= 15
> #
> f.obj <- c(1, 9, 1)
> f.con <- matrix (c(1, 2, 3, 3, 2, 2), nrow=2, byrow=TRUE)
> f.dir <- c("<=", "<=")
> f.rhs <- c(9, 15)
> #
> # Now run.
> #
> lp ("max", f.obj, f.con, f.dir, f.rhs)
lp_presolve.c:193:34: runtime error: applying non-zero offset 16 to null pointer
    #0 0x7f9ffc9213db in presolve_rebuildUndo /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lp_presolve.c:193:34
    #1 0x7f9ffc988821 in postsolve /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lp_presolve.c:5620:5
    #2 0x7f9ffc9fcbff in spx_solve /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lp_simplex.c:2062:9
    #3 0x7f9ffc9fe260 in lin_solve /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lp_simplex.c:2154:12
    #4 0x7f9ffca13511 in lpslink /data/gannet/ripley/R/packages/tests-clang-SAN/lpSolve/src/lpslink56.c:377:25
    #5 0x74ef88 in do_dotCode /data/gannet/ripley/R/svn/R-devel/src/main/dotcode.c
    #6 0x83f0a5 in bcEval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:7126:14
    #7 0x829ade in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:748:8
    #8 0x891fd3 in R_execClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c
    #9 0x88dc7f in Rf_applyClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1844:16
    #10 0x82a518 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:871:12
    #11 0x95ade6 in Rf_ReplIteration /data/gannet/ripley/R/svn/R-devel/src/main/main.c:264:2
    #12 0x95e340 in R_ReplConsole /data/gannet/ripley/R/svn/R-devel/src/main/main.c:316:11
    #13 0x95e149 in run_Rmainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1194:5
    #14 0x95e482 in Rf_mainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1201:5
    #15 0x4f30ba in main /data/gannet/ripley/R/svn/R-devel/src/main/Rmain.c:29:5
    #16 0x7fa00c1cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74) (BuildId: 08df60634339b221bb854d4e10b7278cafde70c4)
    #17 0x43231d in _start (/data/gannet/ripley/R/R-clang-SAN/bin/exec/R+0x43231d)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lp_presolve.c:193:34 in
Success: the objective function is 40.5
```