Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: arbitrary code can be injected into cgo generated files #42559

Closed
katiehockman opened this issue Nov 12, 2020 · 2 comments
Closed

cmd/go: arbitrary code can be injected into cgo generated files #42559

katiehockman opened this issue Nov 12, 2020 · 2 comments
Labels
FrozenDueToAge Security
Milestone
Go1.16

Comments

@katiehockman
Copy link
Contributor

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.

This can be caused by malicious unquoted symbol names. This has been fixed by rejecting invalid symbols which may add a //go:cgo_ldflag directive to the generated file, and by ensuring that the go tool follows existing LDFLAG restrictions.

Thanks to Chris Brown and Tempus Ex for reporting this issue.

This issue is CVE-2020-28366.
@katiehockman katiehockman added this to the Go1.16 milestone Nov 12, 2020
This was referenced Nov 12, 2020
Closed
Closed
@katiehockman
Copy link
Contributor Author

katiehockman commented Nov 12, 2020
edited by FiloSottile

Fixed by da7aa86

Fixed by 062e0e5

dongsupark pushed a commit to flatcar-archive/coreos-overlay that referenced this issue Nov 13, 2020
eclass: remove -Wl,-O1 from LDFLAGS passed to go_export
28f3ae5 
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See golang/go#42559.

However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:

```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```

We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
@dongsupark dongsupark mentioned this issue Nov 13, 2020
Merged
dongsupark pushed a commit to flatcar-archive/coreos-overlay that referenced this issue Nov 13, 2020
eclass: remove -Wl,-O1 from LDFLAGS passed to go_export
5a9df62 
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See golang/go#42559.

However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:

```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```

We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
dongsupark pushed a commit to flatcar-archive/coreos-overlay that referenced this issue Nov 13, 2020
eclass: remove -Wl,-O1 from LDFLAGS passed to go_export
3e63c3c 
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See golang/go#42559.

However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:

```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```

We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
@FiloSottile
Copy link
Contributor

FiloSottile commented Nov 13, 2020
edited

Note: the CVE and attribution in the fix (062e0e5) are incorrect. This is indeed CVE-2020-28366 reported by Chris Brown and Tempus Ex. We apologize for the mistake.

@DimitarKapashikov DimitarKapashikov mentioned this issue Dec 4, 2020
Closed
@golang golang locked and limited conversation to collaborators Nov 13, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge Security
Projects
None yet
Milestone
Go1.16
Development

No branches or pull requests
3 participants
@FiloSottile @gopherbot @katiehockman