
cmd/compile: prove pass regression enables memory corruption #76355

@jake-ciolek

Description


Go version

d91148c

Output of go env in your module/workspace:

GOARCH=amd64

What did you do?

Ran a program and it corrupted memory.

git bisect points to:

d91148c
https://go-review.googlesource.com/c/go/+/704875

PoC (linux/amd64):

package main

import "fmt"

var TargetLen = 22
var TargetAddr int64 = 0xDEADBEEF
var Sink int64

//go:noinline
func getSlice() []int {
    return make([]int, TargetLen)
}

//go:noinline
func trigger(i int) {
    s := getSlice()

    if i <= len(s)-1 {
        v := len(s) - i

        var arr [10]int64

        if v < 10 {
            arr[v] = TargetAddr
            Sink = arr[0]
        }
    }
}

func main() {
    fmt.Println("Triggering...")

    // Pass MinInt64 to cause the overflow
    trigger(-1 << 63)

    fmt.Println("Failed (Function returned normally).")
}

What did you see happen?

At d91148c we get this:

Triggering...
Failed (Function returned normally).
unexpected fault address 0xdeadbeef
fatal error: fault
[signal SIGSEGV: segmentation violation code=0x1 addr=0xdeadbeef pc=0xdeadbeef]

goroutine 1 gp=0x1aa899e6e1c0 m=0 mp=0x58cc20 [running]:
runtime.throw({0x4cb28b?, 0x4f5678?})
/home/jake/25nov/go/src/runtime/panic.go:1227 +0x48 fp=0x1aa899f8cee8 sp=0x1aa899f8ceb8 pc=0x47d3a8
runtime.sigpanic()
/home/jake/25nov/go/src/runtime/signal_unix.go:939 +0x26c fp=0x1aa899f8cf48 sp=0x1aa899f8cee8 pc=0x47e74c
runtime: g 1: unexpected return pc for runtime.sigpanic called from 0xdeadbeef
stack: frame={sp:0x1aa899f8cee8, fp:0x1aa899f8cf48} stack=[0x1aa899f8c000,0x1aa899f8d000)
0x00001aa899f8cde8:  0x00001aa899f8ce10  0x000000000045eaa5 <runtime.writeErrData+0x0000000000000025>
0x00001aa899f8cdf8:  0x000000000047fd71 <runtime.write+0x0000000000000031>  0x0000000000000002
0x00001aa899f8ce08:  0x00000000004f4b10  0x00001aa800000001
0x00001aa899f8ce18:  0x0000000000000001  0x00001aa899f8ce48
0x00001aa899f8ce28:  0x000000000045eaa5 <runtime.writeErrData+0x0000000000000025>  0x000000000000000a

What did you expect to see?

This panics as expected on 1.25.4 / 1.24.10:

Triggering...
panic: runtime error: index out of range [-9223372036854775786]

goroutine 1 [running]:
main.trigger(0x8000000000000000)
/home/jake/25nov/mem/main.go:24 +0x6e
main.main()
/home/jake/25nov/mem/main.go:34 +0x59
exit status 2
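The following program is an added example, not part of the report above or of the Go project's code. It does not reproduce the miscompile (that needs the bisected commit); instead it works through the arithmetic the PoC relies on, using the PoC's values (a slice of length 22, a `[10]int64` array): `i <= len(s)-1` is satisfied by every int, including MinInt64, and `len(s) - i` then wraps to the negative index that the 1.25.4 panic reports. `safeGuard` is a hypothetical rewrite of the guard that rejects negative `i` before subtracting, so the derived index can never wrap whatever the compiler's prove pass concludes. Parameters are `int64` so the example also compiles on 32-bit targets.

```go
package main

import (
	"fmt"
	"math"
)

// wrappedIndex computes v = len(s) - i exactly as the PoC does. Go integer
// subtraction wraps silently, so for i = math.MinInt64 the result is a
// large negative number, not a large positive one.
func wrappedIndex(length, i int64) int64 {
	return length - i
}

// guardedIndex mirrors the PoC's guard (`i <= len(s)-1` followed by `v < 10`)
// without indexing anything. It reports the index the code would attempt,
// whether the guard admits it, and whether that index is a valid offset into
// a [10]int64 array. The guard admits MinInt64 because every int64 is <= 21.
func guardedIndex(length, i int64) (v int64, passesGuard bool, inBounds bool) {
	if i <= length-1 {
		v = length - i
		if v < 10 {
			return v, true, v >= 0
		}
	}
	return 0, false, false
}

// safeGuard is a hypothetical, non-wrapping form of the same check: it rejects
// negative or out-of-range i up front, so length-i lies in [1, length] and no
// later comparison is made on a value that has overflowed.
func safeGuard(length, i int64) (v int64, ok bool) {
	if i < 0 || i >= length {
		return 0, false
	}
	v = length - i
	if v >= 10 {
		return 0, false
	}
	return v, true
}

func main() {
	const targetLen = 22 // same slice length as the PoC (constructed input)
	var i int64 = math.MinInt64

	// Matches the index in the "index out of range" panic from Go 1.25.4.
	fmt.Println("wrapped index:", wrappedIndex(targetLen, i))

	v, passes, in := guardedIndex(targetLen, i)
	fmt.Printf("v=%d guard admits=%v in bounds=%v\n", v, passes, in)

	_, ok := safeGuard(targetLen, i)
	fmt.Println("safeGuard admits MinInt64:", ok)
}
```

The point for reviewers of similar guards: `v < 10` alone is not a lower-bound check, and the hardware bounds check that normally backstops it is exactly what the prove pass is entitled to remove once it believes `v >= 0`. A guard that establishes the lower bound on `i` directly keeps the program correct even when that belief is wrong.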

Labels

BugReport: Issues describing a possible bug in the Go implementation.
compiler/runtime: Issues related to the Go compiler and/or runtime.
release-blocker

Status

Done

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions