From: Cuong Manh Le Date: Thu, 21 Oct 2021 16:35:05 +0000 (+0700) Subject: reflect: make Value.Pointer panic on bad notinheap pointers X-Git-Tag: go1.18beta1~802 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=23e57e59556f42d6935b65be63b59a8b0fc0e6ad;p=gostls13.git reflect: make Value.Pointer panic on bad notinheap pointers Same as CL 350153 did for Value.Elem to panic on bad notinheap pointers. While at it, also add more tests for notinheap deref. Change-Id: Id7d9d12ad8467de5926b6a7e8f9d659fea5fedb5 Reviewed-on: https://go-review.googlesource.com/c/go/+/357630 Trust: Cuong Manh Le Run-TryBot: Cuong Manh Le TryBot-Result: Go Bot Reviewed-by: Keith Randall --- diff --git a/src/reflect/all_test.go b/src/reflect/all_test.go index fcd0e15f0a..922998125b 100644 --- a/src/reflect/all_test.go +++ b/src/reflect/all_test.go @@ -7721,6 +7721,8 @@ func TestNotInHeapDeref(t *testing.T) { v = ValueOf((*nih)(unsafe.Pointer(new(int)))) shouldPanic("reflect: reflect.Value.Elem on an invalid notinheap pointer", func() { v.Elem() }) + shouldPanic("reflect: reflect.Value.Pointer on an invalid notinheap pointer", func() { v.Pointer() }) + shouldPanic("reflect: reflect.Value.UnsafePointer on an invalid notinheap pointer", func() { v.UnsafePointer() }) } func TestMethodCallValueCodePtr(t *testing.T) { diff --git a/src/reflect/value.go b/src/reflect/value.go index 7bb8ae5b97..3e723e82a4 100644 --- a/src/reflect/value.go +++ b/src/reflect/value.go @@ -1940,11 +1940,13 @@ func (v Value) Pointer() uintptr { switch k { case Ptr: if v.typ.ptrdata == 0 { - // Handle pointers to go:notinheap types directly, - // so we never materialize such pointers as an - // unsafe.Pointer. (Such pointers are always indirect.) - // See issue 42076. - return *(*uintptr)(v.ptr) + val := *(*uintptr)(v.ptr) + // Since it is a not-in-heap pointer, all pointers to the heap are + // forbidden! See comment in Value.Elem and issue #48399. + if !verifyNotInHeapPtr(val) { + panic("reflect: reflect.Value.Pointer on an invalid notinheap pointer") + } + return val } fallthrough case Chan, Map, UnsafePointer: