From: Michael Anthony Knyszek <mknyszek@google.com>
Date: Sat, 28 Mar 2020 16:11:15 +0000 (+0000)
Subject: runtime: check the correct sanity condition in the page allocator
X-Git-Tag: go1.15beta1~718
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=89e13c88e4f9f3a3eea7bf105e5af475727a4c33;p=gostls13.git

runtime: check the correct sanity condition in the page allocator

Currently there are a few sanity checks in the page allocator which
should fail immediately but because it's a check for a negative number
on a uint, it's actually dead-code.

If there's a bug in the page allocator which would cause the sanity
check to fail, this could cause memory corruption by returning an
invalid address (more precisely, one might either see a segfault, or
span overlap).

This change fixes these sanity checks to check the correct condition.

Fixes #38130.

Change-Id: Ia19786cece783d39f26df24dec8788833a6a3f21
Reviewed-on: https://go-review.googlesource.com/c/go/+/226297
Reviewed-by: Giovanni Bajo <rasky@develer.com>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
---

diff --git a/src/runtime/mpagealloc.go b/src/runtime/mpagealloc.go
index bb751f1f8e..60926fbebf 100644
--- a/src/runtime/mpagealloc.go
+++ b/src/runtime/mpagealloc.go
@@ -724,7 +724,7 @@ nextLevel:
 	// is what the final level represents.
 	ci := chunkIdx(i)
 	j, searchIdx := s.chunkOf(ci).find(npages, 0)
-	if j < 0 {
+	if j == ^uint(0) {
 		// We couldn't find any space in this chunk despite the summaries telling
 		// us it should be there. There's likely a bug, so dump some state and throw.
 		sum := s.summary[len(s.summary)-1][i]
@@ -766,7 +766,7 @@ func (s *pageAlloc) alloc(npages uintptr) (addr uintptr, scav uintptr) {
 		i := chunkIndex(s.searchAddr)
 		if max := s.summary[len(s.summary)-1][i].max(); max >= uint(npages) {
 			j, searchIdx := s.chunkOf(i).find(npages, chunkPageIndex(s.searchAddr))
-			if j < 0 {
+			if j == ^uint(0) {
 				print("runtime: max = ", max, ", npages = ", npages, "\n")
 				print("runtime: searchIdx = ", chunkPageIndex(s.searchAddr), ", s.searchAddr = ", hex(s.searchAddr), "\n")
 				throw("bad summary data")
diff --git a/src/runtime/mpagecache.go b/src/runtime/mpagecache.go
index 9fc338bd8e..5b679d357d 100644
--- a/src/runtime/mpagecache.go
+++ b/src/runtime/mpagecache.go
@@ -115,7 +115,7 @@ func (s *pageAlloc) allocToCache() pageCache {
 		// Fast path: there's free pages at or near the searchAddr address.
 		chunk := s.chunkOf(ci)
 		j, _ := chunk.find(1, chunkPageIndex(s.searchAddr))
-		if j < 0 {
+		if j == ^uint(0) {
 			throw("bad summary data")
 		}
 		c = pageCache{