runtime: pageAlloc.searchAddr may point to unmapped memory in discontiguous heaps, violating its invariant [1.14 backport]

[gopherbot]

@mknyszek requested issue #40191 to be considered for backport to the next 1.14 minor release.

@gopherbot Please open a backport issue to Go 1.14.

[dmitshur]

@mknyszek Can you please include a short rationale about why the backport might be needed? (Per MinorReleases.) Thanks.

[mknyszek]

Yes, sorry. I mentioned it in #40191 but forgot to copy it here.

This issue should not be considered a blocking issue for Go 1.15 because the bug was technically introduced in Go 1.14, but it should be fixed and probably backported too, since it can cause failures with no workaround.

Specifically, this bug causes a segfault that can happen to anyone for reasons outside of their control, with no workaround at the user level. Although it's generally very rare because OSes generally try to keep the mapped regions contiguous, if future versions of e.g. Linux decided not to try so hard to keep mmap'd regions contiguous (and it ignored all our hints), then someone might see a consistent segfault. Currently this only happens on Fuchsia (a port we don't support ourselves) but the problem theoretically applies to all platforms just at varying degrees of rarity.

[toothrot]

Approving for backport. This is a serious issue with no workaround.

[gopherbot]

Change https://golang.org/cl/246197 mentions this issue: [release-branch.go.1.14] runtime: validate candidate searchAddr in pageAlloc.find