Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: add CXXFLAGS options to whitelist #23923

Closed
wd256 opened this issue Feb 19, 2018 · 6 comments
Closed

cmd/go: add CXXFLAGS options to whitelist #23923

wd256 opened this issue Feb 19, 2018 · 6 comments

Comments

@wd256
Copy link

wd256 commented Feb 19, 2018

What version of Go are you using (go version)?

go1.10 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

linux / amd64

What did you do?

Ran go build

What did you expect to see?

Application build successfully

What did you see instead?

go build gitrepo.local/project/myapp: invalid flag in #cgo CXXFLAGS: -ffat-lto-objects

Running again with CGO_CXXFLAGS_ALLOW="-ffat-lto-objects" go build gives the following result:

go build gitrepo.local/project/myapp: invalid flag in #cgo CXXFLAGS: -fuse-linker-plugin

Please add the -ffat-lto-objects and -fuse-linker-plugin options to the whitelist.

@AlexRouSg
Copy link
Contributor

Isn't -fuse-linker-plugin normally used together with -flto? I don't think -flto is whitelisted either. On the topic of -flto, the linker optimization flags -O* used with it are not whitelisted too.

Are you sure those are the only 2 flags you need?

@ianlancetaylor
Copy link
Contributor

Unfortunately, we really can't add -fuse-linker-plugin to the whitelist. That option permits a simple go get to use -fuse-linker-plugin to refer to a linker plugin in the repo being downloaded, and thus permits arbitrary code execution on the system running go get.

@ianlancetaylor
Copy link
Contributor

Oh, wait, sorry, I think I'm wrong. -fuse-linker-plugin itself may be safe.

@wd256
Copy link
Author

wd256 commented Feb 20, 2018

The full set of flags being used is as follows:

#cgo CXXFLAGS: -O3 -flto -fomit-frame-pointer -ffat-lto-objects -fuse-linker-plugin -std=c++14

If I build using the following command I don't receive any errors:

CGO_CXXFLAGS_ALLOW="-ffat-lto-objects|-fuse-linker-plugin" go build

@AlexRouSg
Copy link
Contributor

@wd256
Sorry my bad, looks like I found old examples of -fuse-linker-plugin. In those examples they were setting -flto in the linker flags too which isn't whitelisted but the compile flag is. And since GCC 5 no one sets the -flto and related linker flags anymore since they're ignored.

@ianlancetaylor
Copy link
Contributor

Consolidating into #23937.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

4 participants