cmd/gc: unsafe memory access through append() #9634
Description
Testing with go1.4 I can use append on a struct if its first member happens to be a slice. This in turn allows for arbitrary memory writes:
package main
import (
"fmt"
)
type SS struct {
List []uint64
X, Y, Z, K *uint64
}
func InternalWriteToPointer(s *SS) {
fmt.Printf("X 0x%X Y 0x%X Z 0x%X K 0x%X\n", s.X, s.Y, s.Z, s.K)
*s.Y = 0
}
func WriteAtAddress(t uint64) {
var s SS
s.List = append(s, t)
s.List = append(s, t)
s.List = append(s, t)
InternalWriteToPointer(&s)
}
func main() {
WriteAtAddress(0x1122334455667788)
}