cmd/compile: missing bounds checks in 1.11 #27289
Comments
Duplicate of #27251?
Yeah, might be so. Obviously can't handle
Outputs:
It seems that this can be used to corrupt arbitrary memory. Output:
Program:
There's probably an off-by-one somewhere... I need to look at it but I'm off this week.
https://play.golang.org/p/Ooi-BHysN21 Most of a test case for the above issue, if this helps anyone. Needs some cleanup still.
@gopherbot please file this for backport against 1.11. This is a regression. @ALTree please make a cherry-pick CL once your change is merged in master.
Backport issue(s) opened: #27390 (for 1.11). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
Here's a simple repro:
This should panic, but it doesn't. Definitely an error in prove. At some point we derive the following fact, in the bounds-check-failed direction of the branch:
That is, the index is unsigned >= the length of the array (i.e. negative, or too big). This is correct. Then the fence-post logic kicks in. If x-1 >= y, then x > y, right?
That's a contradiction, a value can't be greater than itself. Prove then assumes that the bounds-check-failed direction is unreachable. Hence the bug. Here's the relevant fencepost logic:
This all seems reasonable with signed logic. But the bug is that (A) I think we need signed/unsigned versions of this fencepost logic.
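The fencepost rule discussed in the comment above ("if x-1 >= y then x > y") is only sound when the subtraction x-1 cannot wrap. The program below is an added example, not code from the Go compiler or from this issue: it models the rule over all 8-bit values in both a signed and an unsigned interpretation and collects every (x, y) pair where the premise holds but the conclusion does not. The `Domain` type, `fencepostCounterexamples` and `counterexampleXs` are names chosen for this illustration; the 8-bit width is an assumption made only to keep the exhaustive search small.

```go
package main

import "fmt"

// Domain selects how x-1 and the comparisons are interpreted.
// (Illustrative type for this example, not part of cmd/compile.)
type Domain int

const (
	Signed Domain = iota
	Unsigned
)

func (d Domain) String() string {
	if d == Signed {
		return "signed"
	}
	return "unsigned"
}

// fencepostCounterexamples exhaustively checks the implication
// "x-1 >= y  =>  x > y" over all 8-bit x and y (assumed width, to keep
// the search small) and returns every pair where the premise is true
// but the conclusion is false. Pairs are reported as the raw 0..255
// bit patterns so both domains can be compared side by side.
func fencepostCounterexamples(d Domain) [][2]int {
	var bad [][2]int
	for xi := 0; xi < 256; xi++ {
		for yi := 0; yi < 256; yi++ {
			var premise, conclusion bool
			switch d {
			case Signed:
				x, y := int8(xi), int8(yi) // wrapping conversion from the bit pattern
				premise = x-1 >= y          // wraps when x == -128
				conclusion = x > y
			case Unsigned:
				x, y := uint8(xi), uint8(yi)
				premise = x-1 >= y // wraps to 255 when x == 0
				conclusion = x > y
			}
			if premise && !conclusion {
				bad = append(bad, [2]int{xi, yi})
			}
		}
	}
	return bad
}

// counterexampleXs returns the distinct x bit patterns that appear in
// the counterexamples, in ascending order of first appearance.
func counterexampleXs(d Domain) []int {
	seen := map[int]bool{}
	var xs []int
	for _, c := range fencepostCounterexamples(d) {
		if !seen[c[0]] {
			seen[c[0]] = true
			xs = append(xs, c[0])
		}
	}
	return xs
}

func main() {
	for _, d := range []Domain{Signed, Unsigned} {
		bad := fencepostCounterexamples(d)
		fmt.Printf("%s: %d counterexamples, offending x bit patterns %v\n",
			d, len(bad), counterexampleXs(d))
	}
}
```

Running it shows that the rule fails in each domain only at the single x value whose decrement wraps: bit pattern 128 (int8 -128) for the signed interpretation and 0 for the unsigned one. The unsigned failure matters here because 0 is an ordinary index value, whereas a signed prover that knows x is an index or a length (hence non-negative) never has to worry about x == MinInt; that is why the same rule can be fine for signed facts and wrong for unsigned ones.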
Change https://golang.org/cl/132476 mentions this issue:
Mailed a CL. I don't think Giovanni's CL is to blame, really. His CL just adds some facts like len(a)>=0 that triggered a latent bug.
Change https://golang.org/cl/132495 mentions this issue:
Eheh we did the same analysis at the same time and mailed an identical CL 👍 🥇
I agree the bug is latent. I'm not sure it can be triggered in 1.10 because the prove pass is simpler there, but it doesn't sound too risky to backport anyway just in case.
Actually, the fence-post implications were introduced by Austin in CL87480 which was early in the Go 1.11 cycle, so no 1.10 backport is required.
What version of Go are you using (go version)?
go version go1.11 linux/amd64

Does this issue reproduce with the latest release?
Yes

What operating system and processor architecture are you using (go env)?

What did you do?
I've narrowed it down to this code: https://play.golang.org/p/3543rqBvJ74

What did you expect to see?
The playground output:

That's what go version 1.10 darwin/amd64 outputs too.

What did you see instead?