From 66e562cc522ecbb269d2a2d9cffb1bdba2e37aee Mon Sep 17 00:00:00 2001 From: Ian Lance Taylor Date: Mon, 16 Sep 2019 12:35:15 -0700 Subject: [PATCH] runtime: avoid overflow in markrootBlock In a position independent executable the data or BSS may be located close to the end of memory. If it is placed closer than rootBlockBytes, then the calculations in markrootBlock would overflow, and the test that ensures that n is not larger than n0 would fail. This would then cause scanblock to scan data that it shouldn't, using an effectively random ptrmask, leading to program crashes. No test because the only way to test it is to build a PIE and convince the kernel to put the data section near the end of memory, and I don't know how to do that. Or perhaps we could use a linker script, but that is painful. The new code is algebraically identical to the original code, but avoids the potential overflow of b+rootBlockBytes. Change-Id: Ieb4e5465174bb762b063d2491caeaa745017345e Reviewed-on: https://go-review.googlesource.com/c/go/+/195717 Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot Reviewed-by: Austin Clements --- src/runtime/mgcmark.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/runtime/mgcmark.go b/src/runtime/mgcmark.go index 2c63724472..645083db07 100644 --- a/src/runtime/mgcmark.go +++ b/src/runtime/mgcmark.go @@ -237,14 +237,18 @@ func markrootBlock(b0, n0 uintptr, ptrmask0 *uint8, gcw *gcWork, shard int) { throw("rootBlockBytes must be a multiple of 8*ptrSize") } - b := b0 + uintptr(shard)*rootBlockBytes - if b >= b0+n0 { + // Note that if b0 is toward the end of the address space, + // then b0 + rootBlockBytes might wrap around. + // These tests are written to avoid any possible overflow. + off := uintptr(shard) * rootBlockBytes + if off >= n0 { return } + b := b0 + off ptrmask := (*uint8)(add(unsafe.Pointer(ptrmask0), uintptr(shard)*(rootBlockBytes/(8*sys.PtrSize)))) n := uintptr(rootBlockBytes) - if b+n > b0+n0 { - n = b0 + n0 - b + if off+n > n0 { + n = n0 - off } // Scan this shard.