runtime: ensure the fixalloc object size is valid

Usually, fixalloc is used to allocate small, persistent and reuseable
objects. The size is typically between range [sizeof(mlink), _FixAllocChunk].

It's rare for being out of the range. But if it did happen, we got a
hard-to-discover memory corruption. This commit prevents that situation by limiting object's size.

Change-Id: If6ef8b0831596464e0f55d09f79094b79ae08c66
GitHub-Last-Rev: cb8b1b01bbf452195f4f098d53cca74affc496ff
GitHub-Pull-Request: golang/go#47395
Reviewed-on: https://go-review.googlesource.com/c/go/+/337429
Reviewed-by: Austin Clements <austin@google.com>
Run-TryBot: Austin Clements <austin@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Cherry Mui <cherryyz@google.com>

diff --git a/src/runtime/mfixalloc.go b/src/runtime/mfixalloc.go
index 293c16b38b1bc1ebc5eb7802757d7bcaf92b5e60..a81139a389cbe37050b23422f2983e0c9a82bed9 100644 (file)
--- a/src/runtime/mfixalloc.go
+++ b/src/runtime/mfixalloc.go
@@ -50,6 +50,13 @@ type mlink struct {
 // Initialize f to allocate objects of the given size,
 // using the allocator to obtain chunks of memory.
 func (f *fixalloc) init(size uintptr, first func(arg, p unsafe.Pointer), arg unsafe.Pointer, stat *sysMemStat) {
+       if size > _FixAllocChunk {
+               throw("runtime: fixalloc size too large")
+       }
+       if min := unsafe.Sizeof(mlink{}); size < min {
+               size = min
+       }
+
        f.size = size
        f.first = first
        f.arg = arg