-
Austin Clements authored
reflect.callReflect heap-allocates a stack frame and then constructs pointers to the arguments and result areas of that frame. However, if there are no results, the results pointer will point past the end of the frame allocation. If there are also no arguments, the arguments pointer will also point past the end of the frame allocation. If the GC observes either these pointers, it may panic. Fix this by not constructing these pointers if these areas of the frame are empty. This adds a test of calling no-argument/no-result methods via reflect, since nothing in std did this before. However, it's quite difficult to demonstrate the actual failure because it depends on both exact allocation patterns and on GC scanning the goroutine's stack while inside one of the typedmemmovepartial calls. I also audited other uses of typedmemmovepartial and memclrNoHeapPointers in reflect, since these are the most susceptible to this. These appear to be the only two cases that can construct out-of-bounds arguments to these functions. Fixes #19724. Fixes #19768 (backport). Change-Id: I4b83c596b5625dc4ad0567b1e281bad4faef972b Reviewed-on: https://go-review.googlesource.com/39604 Run-TryBot: Austin Clements <austin@google.com> Reviewed-by:
Russ Cox <rsc@golang.org>
04017ffa
