runtime: fix ASAN poison calculation in mallocgc

A previous CL broke the ASAN poisoning calculation in mallocgc by not
taking into account a possible allocation header, so the beginning of
the following allocation could have been poisoned.

This mostly isn't a problem, actually, since the following slot would
usually just have an allocation header in it that programs shouldn't be
touching anyway, but if we're going a word-past-the-end at the end of a
span, we could be poisoning a valid heap allocation.

Change-Id: I76a4f59bcef01af513a1640c4c212c0eb6be85b3
Reviewed-on: https://go-review.googlesource.com/c/go/+/622295
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Keith Randall <khr@golang.org>
Reviewed-by: Keith Randall <khr@google.com>

diff --git a/src/runtime/malloc.go b/src/runtime/malloc.go
index 02c096a8593ec8c62187812dc970d5d7b507d599..74decd54c4473b4f0684dc514f13b80a18e6349b 100644 (file)
--- a/src/runtime/malloc.go
+++ b/src/runtime/malloc.go
@@ -1064,7 +1064,11 @@ func mallocgc(size uintptr, typ *_type, needzero bool) unsafe.Pointer {
        if asanenabled {
                // Poison the space between the end of the requested size of x
                // and the end of the slot. Unpoison the requested allocation.
-               asanpoison(unsafe.Add(x, size-asanRZ), asanRZ+(elemsize-size))
+               frag := elemsize - size
+               if typ != nil && typ.Pointers() && !heapBitsInSpan(elemsize) {
+                       frag -= mallocHeaderSize
+               }
+               asanpoison(unsafe.Add(x, size-asanRZ), asanRZ+frag)
                asanunpoison(x, size-asanRZ)
        }