Detect Go’s silent arithmetic bugs with go-panikint

Go's arithmetic on standard integer types is silent by default: overflows wrap around instead of panicking, which can hide security vulnerabilities. go-panikint is a modified Go compiler that turns these silent integer overflows into explicit panics. It was used to find a live integer overflow in the Cosmos SDK's RPC pagination logic, removing a major blind spot for fuzzing Go projects.

The compiler injects additional checks while lowering code into Static Single Assignment (SSA) form; if an overflow occurs at runtime, the check triggers a panic with a detailed error message. go-panikint can also detect integer truncation, but that feature is not currently being pursued because of false positives.

The tool is easy to use and integrates into existing workflows by replacing the official Go compiler. To handle intentional overflows it offers two filtering mechanisms: source-location-based filtering and in-code comments.

go-panikint was validated through a fuzzing campaign against the Cosmos SDK, which discovered the pagination overflow mentioned above. Its two main use cases are security research and fuzzing, and continuous integration and deployment. The community is invited to try go-panikint on their own projects and add it to their CI pipelines to uncover hidden arithmetic bugs. Overall, it provides a valuable tool for uncovering security vulnerabilities in Go projects that were previously invisible to dynamic analysis.
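An added example, not code from go-panikint or the Cosmos SDK, showing the class of bug the note describes: a pagination helper whose end-index addition wraps silently under the standard compiler (the addition go-panikint would turn into a panic), next to a checked variant that reports the overflow and a bounds-validated page function. The names UnsafeEnd, CheckedEnd and Page are my own and the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// ErrOverflow is returned when offset+limit does not fit in uint64.
var ErrOverflow = errors.New("pagination: offset+limit overflows uint64")
// UnsafeEnd computes a page's exclusive end index the way naive code does.
// Under the standard compiler the addition wraps silently, so a huge offset
// yields an end smaller than offset that slips past a later bounds check.
// Under go-panikint this same addition panics instead of wrapping.
func UnsafeEnd(offset, limit uint64) uint64 {
	return offset + limit
}
// CheckedEnd computes the same index but reports the overflow: bits.Add64
// returns a carry-out that is non-zero exactly when the sum needs 65 bits.
func CheckedEnd(offset, limit uint64) (uint64, error) {
	sum, carry := bits.Add64(offset, limit, 0)
	if carry != 0 {
		return 0, ErrOverflow
	}
	return sum, nil
}
// Page returns items[offset:offset+limit] with every bound validated, so a
// caller-controlled offset/limit pair can neither wrap nor index out of range.
func Page(items []string, offset, limit uint64) ([]string, error) {
	end, err := CheckedEnd(offset, limit)
	if err != nil {
		return nil, err
	}
	n := uint64(len(items))
	if offset > n {
		return nil, errors.New("pagination: offset past end")
	}
	if end > n {
		end = n // clamp limit to the items that exist
	}
	return items[offset:end], nil
}

func main() {
	big := ^uint64(0) - 1 // constructed input near the top of the uint64 range
	fmt.Println(UnsafeEnd(big, 5)) // 3: silently wrapped under plain Go
	_, err := CheckedEnd(big, 5)
	page, _ := Page([]string{"a", "b", "c"}, 1, 5)
	fmt.Println(err, page) // pagination: offset+limit overflows uint64 [b c]
}
```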