go-fuzz-dep: sonar serialization contains faulty type assumption

[josharian]

While fuzzing something, I got this crash:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x8 pc=0x10210d414]

goroutine 1 [running]:
go-fuzz-dep.serialize({0x0, 0x0}, {0x102205300?, 0x140000aa900?}, {0x1400011db60?, 0xbdbfefbfbdef2f20?, 0x1400011db78?})
	go-fuzz-dep/sonar.go:150 +0xd94
go-fuzz-dep.Sonar({0x0, 0x0}, {0x102205300, 0x140000aa900}, 0x7c700)
	go-fuzz-dep/sonar.go:31 +0x54
reflect.DeepEqual.func2(...)
	/Users/josh/go/1.18/src/reflect/deepequal.go:230
reflect.DeepEqual({0x0, 0x0}, {0x102205300?, 0x140000aa900})
	/Users/josh/go/1.18/src/reflect/deepequal.go:230 +0xcc
[...]

The relevant reflect.DeepEqual code is:

func DeepEqual(x, y any) bool {
	if x == nil || y == nil {
		return x == y  // <------
	}

The relevant sonar.go line is:

func serialize(v, v2 interface{}, buf []byte) (n, flags uint8) {
	switch vv := v.(type) {
        // omit many cases
	default:
		// Special case: string literal is compared with a variable of
		// user type with string underlying type:
		//	type Name string
		//	var name Name
		//	if name == "foo" { ... }
		if _, ok := v2.(string); ok {
			s := *(*string)((*iface)(unsafe.Pointer(&v)).val)  // <--------
			if len(s) <= SonarMaxLen {
				return uint8(copy(buf[:], s)), SonarString
			}
		}
        // ...

I think this code contains a faulty assumption. If v has an interface type (as with reflect.DeepEqual), it can be compared with a string without itself being a string. The iface conversion is thus unsafe. I believe in this case it is due to a nil interface being compared with a string, causing a nil pointer dereference when reading the iface.val field.

If anyone cares (unlikely), this should be made safer, probably by using reflect.Type.