runtime, cmd/compile: deeply nested array interaction leads to fatal error and segfault #29264

@reijin90

Description

What version of Go are you using (go version)?

$ go version go1.11.3.windows-amd64 (linux too)

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Reproducible on Win10, Ubuntu 18 and playground


What did you do?

Manually created a deeply nested array (exactly 102 layers) for security testing an encoding function. Interacting with the nested array leads to several issues related to reflection:

fatal error: bulkBarrierPreWrite: unaligned arguments

goroutine 1 [running]:
runtime.throw(0x10cc6f, 0x28)
	/usr/local/go/src/runtime/panic.go:608 +0x80 fp=0x4655e0 sp=0x4655c0 pc=0x50fe0
runtime.bulkBarrierPreWrite(0x40cdc0, 0x10730e, 0xc, 0x0)
	/usr/local/go/src/runtime/mbitmap.go:593 +0x5e0 fp=0x465638 sp=0x4655e0 pc=0x346e0
runtime.typedmemmove(0xe9b40, 0x40cdc0, 0x10730e, 0x0)
	/usr/local/go/src/runtime/mbarrier.go:161 +0xe0 fp=0x465658 sp=0x465638 pc=0x32fc0
reflect.typedmemmove(0xe9b40, 0x40cdc0, 0x10730e, 0x0)
	/usr/local/go/src/runtime/mbarrier.go:186 +0x40 fp=0x465670 sp=0x465658 pc=0x33020
reflect.packEface(0xe9b40, 0x10730e, 0x197, 0x0, 0x1, 0x1)
	/usr/local/go/src/reflect/value.go:119 +0xa0 fp=0x465698 sp=0x465670 pc=0xbd300
reflect.valueInterface(0xe9b40, 0x10730e, 0x197, 0x1, 0xc, 0xe9b40)
	/usr/local/go/src/reflect/value.go:1008 +0x100 fp=0x4656c8 sp=0x465698 pc=0xbedc0
reflect.Value.Interface(0xe9b40, 0x10730e, 0x197, 0x0, 0x4, 0xc)
	/usr/local/go/src/reflect/value.go:978 +0x40 fp=0x4656e8 sp=0x4656c8 pc=0xbec60

https://play.golang.org/p/bbI3nbNprvi

In a different scenario it led to a segfault:

unexpected fault address 0xffffffffffffffff
fatal error: fault
[signal 0xc0000005 code=0x0 addr=0xffffffffffffffff pc=0x4aaf0e]

goroutine 1 [running]:
runtime.throw(0x559e95, 0x5)
	C:/Go/src/runtime/panic.go:608 +0x79 fp=0xc000073158 sp=0xc000073128 pc=0x42bba9
runtime.sigpanic()
	C:/Go/src/runtime/signal_windows.go:207 +0x139 fp=0xc000073188 sp=0xc000073158 pc=0x43c7c9
reflect.Value.Len(0x51fe40, 0x2b202820736d6861, 0x197, 0xc0000528c0)
	C:/Go/src/reflect/value.go:1080 +0x17e fp=0xc0000731b0 sp=0xc000073188 pc=0x4aaf0e
makeSliceWriter.func1(0x51fe40, 0x2b202820736d6861, 0x197, 0xc00008c000, 0x0, 0x0)
	C:/my/code/encode.go:516 +0x6b fp=0xc000073210 sp=0xc0000731b0 pc=0x4fef5b
makeSliceWriter.func1(0x51fe40, 0x5599dd, 0x197, 0xc00008c000, 0x0, 0x0)
	C:/my/code/encode.go:518 +0xf1 fp=0xc000073270 sp=0xc000073210 pc=0x4fefe1
makeSliceWriter.func1(0x51fe40, 0xc00003e560, 0x197, 0xc00008c000, 0x0, 0x0)
	C:/my/code/encode.go:518 +0xf1 fp=0xc0000732d0 sp=0xc000073270 pc=0x4fefe1
makeSliceWriter.func1(0x51fe40, 0xc000049140, 0x197, 0xc00008c000, 0x0, 0x0)
	C:/my/code/encode.go:518 +0xf1 fp=0xc000073330 sp=0xc0000732d0 pc=0x4fefe1
makeSliceWriter.func1(0x51fe40, 0xc000049120, 0x197, 0xc00008c000, 0x0, 0x0)
	C:/my/code/encode.go:518 +0xf1 fp=0xc000073390 sp=0xc000073330 pc=0x4fefe1

I'm not sure how or if this could be exploited as it is probably an edge case. Sadly, I'm far from a golang pro and don't know how to investigate further or if this is even "intended" behaviour. Maybe someone can shed a bit more light on what exactly the issue is?
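As an added example (not code from the issue or from the Go project), one defensive measure for an encoder that walks untrusted values with reflect is to bound container nesting at the type level, before any reflect.Value method such as Interface or Len touches the data; checkDepth, checkedEncode and maxNesting are assumed names, and the cap of 32 is a hypothetical value.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

var ErrTooDeep = errors.New("encoder: container nesting exceeds limit")
const maxNesting = 32 // assumed cap; hypothetical value, not taken from the issue

// checkDepth rejects t once its nested containers (array, slice, pointer, map, struct)
// exceed limit; only reflect.Type is inspected, onPath guards against recursive types.
func checkDepth(t reflect.Type, limit int, onPath map[reflect.Type]bool) error {
	if t == nil || onPath[t] {
		return nil // untyped nil, or a recursive type already counted on this path
	}
	onPath[t] = true
	defer delete(onPath, t)
	var children []reflect.Type
	switch t.Kind() {
	case reflect.Array, reflect.Slice, reflect.Ptr:
		children = []reflect.Type{t.Elem()}
	case reflect.Map:
		children = []reflect.Type{t.Key(), t.Elem()}
	case reflect.Struct:
		for i := 0; i < t.NumField(); i++ {
			children = append(children, t.Field(i).Type)
		}
	default:
		return nil // scalars, strings, interfaces, funcs, chans: no nesting
	}
	if limit < 1 {
		return ErrTooDeep
	}
	for _, c := range children {
		if err := checkDepth(c, limit-1, onPath); err != nil {
			return err
		}
	}
	return nil
}

// checkedEncode runs the type-level check before any reflect.Value method touches the data.
func checkedEncode(v interface{}) (string, error) {
	if err := checkDepth(reflect.TypeOf(v), maxNesting, map[reflect.Type]bool{}); err != nil {
		return "", err
	}
	return fmt.Sprint(v), nil // fmt.Sprint stands in for the real encoder
}
```

A 102-level [1][1]...[1]int built with reflect.ArrayOf is rejected by checkedEncode before its value is ever boxed, while ordinary slices and self-referential struct types pass the check.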

Labels: FrozenDueToAge, NeedsFix (the path to resolution is known, but the work has not been done).