    reflect: fix out-of-bounds pointers calling no-result method · 627798db
    Austin Clements authored
    reflect.callReflect heap-allocates a stack frame and then constructs
    pointers to the arguments and result areas of that frame. However, if
    there are no results, the results pointer will point past the end of
    the frame allocation. If there are also no arguments, the arguments
    pointer will also point past the end of the frame allocation. If the
    GC observes either of these pointers, it may panic.
    
    Fix this by not constructing these pointers if these areas of the
    frame are empty.
    
    This adds a test of calling no-argument/no-result methods via reflect,
    since nothing in std did this before. However, it's quite difficult to
    demonstrate the actual failure because it depends on both exact
    allocation patterns and on GC scanning the goroutine's stack while
    inside one of the typedmemmovepartial calls.
    
    I also audited other uses of typedmemmovepartial and
    memclrNoHeapPointers in reflect, since these are the most susceptible
    to this. These appear to be the only two cases that can construct
    out-of-bounds arguments to these functions.
    
    Fixes #19724.
    
    Change-Id: I4b83c596b5625dc4ad0567b1e281bad4faef972b
    Reviewed-on: https://go-review.googlesource.com/38736
    Run-TryBot: Austin Clements <austin@google.com>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: Ian Lance Taylor <iant@golang.org>
value.go 72.7 KB
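The call shape the commit message describes, as an added example (not the test from this commit and not code from the Go tree): no-argument/no-result functions invoked through reflect while the garbage collector runs. The names `counter`, `Tick` and `exerciseEmptyFrames` are hypothetical, and as the message notes, a run like this does not reliably reproduce the panic on an affected build; it only exercises the empty argument and result areas.

```go
package main

import (
	"fmt"
	"reflect"
	"runtime"
	"sync/atomic"
)

type counter struct{ n int64 }

func (c *counter) Tick() { atomic.AddInt64(&c.n, 1) } // no args, no results

// exerciseEmptyFrames calls empty-signature funcs via reflect under forced GC.
func exerciseEmptyFrames(iters int) (methodCalls, madeCalls int64) {
	c := &counter{}
	// Method value obtained via reflect and converted back to a plain func().
	tick := reflect.ValueOf(c).MethodByName("Tick").Interface().(func())
	// func() built by reflect.MakeFunc; the callback gets an empty args slice.
	var made int64
	fn := reflect.MakeFunc(reflect.TypeOf(func() {}),
		func([]reflect.Value) []reflect.Value {
			atomic.AddInt64(&made, 1)
			return nil
		}).Interface().(func())
	stop, done := make(chan struct{}), make(chan struct{})
	go func() { // keep the collector scanning stacks during the calls
		defer close(done)
		for {
			select {
			case <-stop:
				return
			default:
				runtime.GC()
			}
		}
	}()
	for i := 0; i < iters; i++ {
		tick()
		fn()
	}
	close(stop)
	<-done
	return atomic.LoadInt64(&c.n), atomic.LoadInt64(&made)
}

func main() {
	fmt.Println(exerciseEmptyFrames(10000))
}
```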