35 changes: 33 additions & 2 deletions src/binary-exploitation/integer-overflow-and-underflow.md
@@ -379,11 +379,42 @@ clang -O0 -Wall -Wextra -std=c11 -D_FORTIFY_SOURCE=0 \
- [https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/)
- Only 1B is used to store the size of the password so it's possible to overflow it and make it think it's length of 4 while it actually is 260 to bypass the length check protection and overwrite in the stack the next local variable and bypass both protections

## Go integer overflow detection with go-panikint

Go wraps integers silently. [go-panikint](https://github.com/trailofbits/go-panikint) is a forked Go toolchain that injects SSA overflow checks so wrapped arithmetic immediately calls `runtime.panicoverflow()` (panic + stack trace).

**Why use it**

- Makes overflow/truncation reachable in fuzzing/CI because arithmetic wraps now crash.
- Useful around user-controlled pagination, offsets, quotas, size calculations, or access-control math (e.g., `end := offset + limit` on `uint64` wrapping small).

**Build & use**

```bash
git clone https://github.com/trailofbits/go-panikint
cd go-panikint/src && ./make.bash
export GOROOT=/path/to/go-panikint
./bin/go test -fuzz=FuzzOverflowHarness
```

Run this forked `go` binary for tests/fuzzing to surface overflows as panics.

**Noise control**

- Truncation checks (casts to smaller ints) can be noisy.
- Suppress intentional wrap-around via source-path filters or inline `// overflow_false_positive` / `// truncation_false_positive` comments.

**Real-world pattern**

go-panikint revealed a Cosmos SDK `uint64` pagination overflow: `end := pageRequest.Offset + pageRequest.Limit` wrapped past `MaxUint64`, returning empty results. Instrumentation turned the silent wrap into a panic that fuzzers could minimize.

## ARM64

This **doesn't change in ARM64** as you can see in [**this blog post**](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/).

{{#include ../banners/hacktricks-training.md}}

## References

- [Detect Go’s silent arithmetic bugs with go-panikint](https://blog.trailofbits.com/2025/12/31/detect-gos-silent-arithmetic-bugs-with-go-panikint/)
- [go-panikint (compiler fork)](https://github.com/trailofbits/go-panikint)

{{#include ../banners/hacktricks-training.md}}
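Review bot: the "Build & use" snippet does not run as written: after `cd go-panikint/src && ./make.bash` the shell is still inside `src/`, so `./bin/go test -fuzz=FuzzOverflowHarness` points at a path that does not exist; the built toolchain lands in the repository root, so either `cd ..` first or invoke `../bin/go` (or `$GOROOT/bin/go`, since `GOROOT` is exported on the previous line). The `export GOROOT=/path/to/go-panikint` line should also say that the placeholder must be replaced with the actual clone path, and `FuzzOverflowHarness` should be marked as an example fuzz target name that the reader substitutes with their own `Fuzz*` function, otherwise `go test -fuzz` reports no matching target. Separately, the hunk ends with two `{{#include ../banners/hacktricks-training.md}}` lines with the new "References" section sandwiched between them; keep a single banner include at the end of the file and move the references above it. Finally, the claim that wrapped arithmetic calls `runtime.panicoverflow()` should be checked against the go-panikint source or the linked Trail of Bits post before merging, since the runtime symbol name is not cited anywhere in the added text.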