Speaker

Kevin Valerio

Security Engineer at Trail of Bits

Kevin Valerio is a Security Engineer at Trail of Bits, specializing in blockchain security and application security, with a focus on fuzzing and LLM security research.

Finding Hidden Overflows in Go: Fuzzing Beyond the Compiler’s Limits

While fuzzing Rust binaries, overflow checks exposed many arithmetic bugs. Go, however, silently wraps on integer overflow, leaving fuzzing campaigns blind to an entire class of vulnerabilities. Since static analyzers produce many false positives and cannot tell which overflows are actually reachable, a runtime detector was required, one that never flags unreachable bugs.

Our work led to patching the Go compiler to inject overflow checks during SSA conversion and adding runtime verification for every arithmetic operation. On overflow the program panics with, making previously invisible issues visible to fuzzers.
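The blind spot and the effect of a runtime check, as an added example that is not code from go-panikint or from the talk: `windowEnd` wraps silently under stock Go, while a hand-written check turns the same input into a panic a fuzzer would report. The function names, the panic text and the input values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"math/bits"
)

// windowEnd is constructed sample logic: the end index of a paginated window.
// Stock Go wraps silently on overflow, so a fuzzer sees no crash here.
func windowEnd(offset, limit uint64) uint64 {
	return offset + limit
}

// checkedAdd is a hypothetical helper standing in for an injected runtime
// check: it panics instead of wrapping. The panic text is constructed.
func checkedAdd(a, b uint64) uint64 {
	sum, carry := bits.Add64(a, b, 0)
	if carry != 0 {
		panic(fmt.Sprintf("integer overflow: %d + %d", a, b))
	}
	return sum
}

// windowEndChecked is the same logic with the overflow made observable.
func windowEndChecked(offset, limit uint64) uint64 {
	return checkedAdd(offset, limit)
}

// panics reports whether f panicked, the signal a fuzzer treats as a crash.
func panics(f func()) (crashed bool) {
	defer func() { crashed = recover() != nil }()
	f()
	return false
}

func main() {
	offset, limit := uint64(math.MaxUint64-1), uint64(10) // constructed input
	fmt.Println("wrapped end:", windowEnd(offset, limit))
	fmt.Println("crash seen by fuzzer:", panics(func() { windowEndChecked(offset, limit) }))
}
```

The wrapped result is smaller than `offset`, so any later bounds logic that trusts it runs on a nonsensical window without the process ever crashing.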

The tool was validated by fuzzing the Cosmos SDK, uncovering an integer overflow in RPC logic that standard Go fuzzers missed. The results show that compiler-level instrumentation can eliminate static-analysis blind spots and enable discovery of previously undetectable vulnerabilities.

Participants will learn how Go's intermediate representation works, how compiler modifications can enable some deterministic bug classes, and how to extend this approach to catch other bug classes like integer truncation.

Work: https://github.com/trailofbits/go-panikint
