• Go’s arithmetic operations on standard integer types are silent by default, meaning overflows “wrap around” without panicking.
• This behavior has hidden an entire class of security vulnerabilities from fuzzing campaigns.
• Today we’re changing that by releasing go-panikint, a modified Go compiler that turns silent integer overflows into explicit panics.
• We used it to find a live integer overflow in the Cosmos SDK’s RPC pagination logic, showing how this approach eliminates a major blind spot for anyone fuzzing Go projects.
• (The issue in the Cosmos SDK has not been fixed, but a pull request has been created to mitigate it.)

The sound of silence

In Rust, debug builds are designed to panic on integer overflow, a feature that is highly valuable for fuzzing. Go, however, takes a different approach.

Article Summaries:

  • Go’s default silent integer overflows have long hidden security bugs. To expose these, the Go community released go‑panikint, a forked compiler that injects runtime checks into the SSA intermediate representation. When an arithmetic overflow occurs, the binary panics with a detailed error message, turning silent wrap‑arounds into explicit failures. The tool also flags integer truncation, though fuzzing focus remains on overflows. In a recent fuzzing run, go‑panikint uncovered a live overflow in the Cosmos SDK’s RPC pagination logic; the issue is still unfixed but a mitigation pull request has been submitted. This approach aims to close a major blind spot for Go fuzzers.
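The following is an added example, not code from the article or from go-panikint, that shows the silent wrap-around described above and the kind of explicit check a compiler-injected guard (or defensive application code) would perform. The function names (`WrappedPageEnd`, `PageEnd`, `CheckedAddUint64`, `CheckedMulUint64`, `CheckedAddInt64`, `CheckedInt64ToInt32`) and the offset/limit pagination arithmetic are constructed for illustration and are not taken from the Cosmos SDK; the error values are likewise assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Constructed sentinel errors for this example.
var (
	ErrOverflow   = errors.New("integer overflow")
	ErrTruncation = errors.New("integer truncation")
)

// WrappedPageEnd is the unchecked form: standard Go arithmetic, so a large
// offset plus a limit silently wraps around to a small value.
func WrappedPageEnd(offset, limit uint64) uint64 {
	return offset + limit
}

// CheckedAddUint64 returns a+b, or ErrOverflow if the sum would wrap.
// The comparison is done before the addition so it cannot itself wrap.
func CheckedAddUint64(a, b uint64) (uint64, error) {
	if a > math.MaxUint64-b {
		return 0, ErrOverflow
	}
	return a + b, nil
}

// CheckedMulUint64 returns a*b, or ErrOverflow if the product would wrap.
func CheckedMulUint64(a, b uint64) (uint64, error) {
	if a != 0 && b > math.MaxUint64/a {
		return 0, ErrOverflow
	}
	return a * b, nil
}

// CheckedAddInt64 guards both directions of signed overflow.
func CheckedAddInt64(a, b int64) (int64, error) {
	if (b > 0 && a > math.MaxInt64-b) || (b < 0 && a < math.MinInt64-b) {
		return 0, ErrOverflow
	}
	return a + b, nil
}

// CheckedInt64ToInt32 flags a narrowing conversion that would lose bits,
// the truncation case the summary mentions alongside overflow.
func CheckedInt64ToInt32(v int64) (int32, error) {
	if v < math.MinInt32 || v > math.MaxInt32 {
		return 0, ErrTruncation
	}
	return int32(v), nil
}

// PageEnd is the checked form of WrappedPageEnd: the exclusive end index of
// a page is computed with an overflow check instead of silent wrap-around.
func PageEnd(offset, limit uint64) (uint64, error) {
	return CheckedAddUint64(offset, limit)
}

func main() {
	// Constructed input: an offset close to the top of the uint64 range.
	var offset uint64 = math.MaxUint64 - 5
	fmt.Println("unchecked end:", WrappedPageEnd(offset, 10)) // wraps to 4
	if _, err := PageEnd(offset, 10); err != nil {
		fmt.Println("checked end:", err) // integer overflow
	}
}
```

The unchecked version returns 4 for an end index that should be beyond the range, which is exactly the class of result a fuzzer cannot distinguish from a valid small page; the checked version surfaces the condition as an error that a harness can treat as a crash.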
