Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: allow flags in CGO_LDFLAGS environment variable not in security allowlist #42565

Closed
jayconrod opened this issue Nov 12, 2020 · 10 comments
Closed

cmd/go: allow flags in CGO_LDFLAGS environment variable not in security allowlist #42565

jayconrod opened this issue Nov 12, 2020 · 10 comments
Labels
FrozenDueToAge GoCommand cmd/go NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Milestone
Go1.16

Comments

@jayconrod
Copy link
Contributor

What version of Go are you using (go version)?

$ go version
go version go1.15.5 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/jayconrod/Library/Caches/go-build"
GOENV="/Users/jayconrod/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/jayconrod/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/jayconrod/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/go/installed"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/go/installed/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-D_FORTIFY_SOURCE=1 -fstack-protector -Wthread-safety -Wself-assign -fno-omit-frame-pointer -O0 -DDEBUG -mmacosx-version-min=10.15 -no-canonical-prefixes -Wno-builtin-macro-redefined -D__DATE__="redacted" -D__TIMESTAMP__="redacted" -D__TIME__="redacted""
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-fobjc-link-runtime -headerpad_max_install_names -no-canonical-prefixes -mmacosx-version-min=10.15"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/rq/x0692kqj6ml8cvrhcqh5bswc008xj1/T/go-build236636493=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

CGO_LDFLAGS=-fobjc-link-runtime go build runtime/cgo

What did you expect to see?

Build succeeds, embedding the specified flags as //go:cgo_ldflag pragmas in compiled packages.

What did you see instead?

Build fails with:

go build runtime/cgo: invalid flag in go:cgo_ldflag: -fobjc-link-runtime

I believe this is an unintentional side effect of 3215982, the fix for #42558.

Previously, the security check was applied to flags in #cgo LDFLAGS directives in source files. That prevents malicious source files from executing arbitrary code.

With the commit above, we now apply the security check to all //go:cgo_ldflag pragmas in generated cgo code, in case there's a way for the original source code to cause such a comment to appear in generated code.

However, the CGO_LDFLAGS environment variable causes //go:cgo_ldflag pragmas to be written in generated cgo code. The user has complete control over flags in that environment variable, so they should not be subject to the security check.

A workaround is to set CGO_ALLOW_LDFLAGS to a regular expression that covers everything in CGO_LDFLAGS.
@jayconrod jayconrod added NeedsFix The path to resolution is known, but the work has not been done. GoCommand cmd/go release-blocker labels Nov 12, 2020
@jayconrod jayconrod added this to the Go1.16 milestone Nov 12, 2020
@jayconrod
Copy link
Contributor Author

cc @ianlancetaylor @bcmills @matloob

@jayconrod jayconrod mentioned this issue Nov 12, 2020
Merged
@ianlancetaylor
Copy link
Contributor

@gopherbot Please open backport issues.

This is a usability regression introduced by the security fix for #42556. The security fix was applied to all release branches, and we should follow up with a fix for this usability regression.

jayconrod pushed a commit to jayconrod/rules_go that referenced this issue Nov 12, 2020
GoStdLib: add CGO_LDFLAGS to CGO_LDFLAGS_ALLOW
8b21d93 
For golang/go#42565
For bazelbuild#2710
This was referenced Nov 12, 2020
Closed
Closed
@gopherbot
Copy link

Backport issue(s) opened: #42566 (for 1.14), #42567 (for 1.15).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@jayconrod jayconrod mentioned this issue Nov 12, 2020
Merged
jayconrod pushed a commit to jayconrod/rules_go that referenced this issue Nov 12, 2020
GoStdLib: add CGO_LDFLAGS to CGO_LDFLAGS_ALLOW
6c56169 
For golang/go#42565
For bazelbuild#2710
jayconrod pushed a commit to bazelbuild/rules_go that referenced this issue Nov 12, 2020
GoStdLib: add CGO_LDFLAGS to CGO_LDFLAGS_ALLOW (#2714)
6ac2c02 
For golang/go#42565
For #2710
jayconrod pushed a commit to bazelbuild/rules_go that referenced this issue Nov 12, 2020
GoStdLib: add CGO_LDFLAGS to CGO_LDFLAGS_ALLOW (#2714)
ed620b7 
For golang/go#42565
For #2710
jayconrod pushed a commit to bazelbuild/rules_go that referenced this issue Nov 12, 2020
GoStdLib: add CGO_LDFLAGS to CGO_LDFLAGS_ALLOW (#2714)
7133d80 
For golang/go#42565
For #2710
@gopherbot
Copy link

Change https://golang.org/cl/269818 mentions this issue: cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag

@Foxboron
Copy link
Contributor

This is a usability regression introduced by the security fix for #42556. The security fix was applied to all release branches, and we should follow up with a fix for this usability regression.

It's a bit more then that though. In Arch Linux we utilize CGO_LDFLAGS to ensure binary hardening, this regression is actually causing all our go packages to fail building.

@dmgk
Copy link
Member

dmgk commented Nov 14, 2020

It also broke (so far) tinygo build on FreeBSD: go build runtime/cgo: invalid flag in go:cgo_ldflag: -std=c++14

@Foxboron
Copy link
Contributor

I used the patch from the change set on our go compiler, and it works on our end.

https://github.com/archlinux/svntogit-community/blob/packages/go/trunk/fix-ldflags.patch

@gopherbot
Copy link

Change https://golang.org/cl/270137 mentions this issue: [release-branch.go1.15] cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag

@gopherbot
Copy link

Change https://golang.org/cl/270080 mentions this issue: [release-branch.go1.14] cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag

@ianlancetaylor
Copy link
Contributor

I apologize for this problem. It was caused by a patch to fix a security problem. Because that patch could not be shared before the fix, it was not widely tested.

Please don't comment just to say that the problem affects you too. See https://golang.org/wiki/NoPlusOne. Thanks.

This will be fixed in the next release. Until then, the workaround, as mentioned in the original issue report, is to copy CGO_LDFLAGS into CGO_LDFLAGS_ALLOW.

Again, sorry for the problem.

@aykevl aykevl mentioned this issue Nov 14, 2020
Merged
gopherbot pushed a commit that referenced this issue Nov 16, 2020
@ianlancetaylor
[release-branch.go1.15] cmd/go: permit CGO_LDFLAGS to appear in //go:…
730d5f4 
…ldflag

For #42565
Fixes #42567

Change-Id: If7cf39905d124dbd54dfac6a53ee38270498efed
Reviewed-on: https://go-review.googlesource.com/c/go/+/269818
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
(cherry picked from commit 782cf56)
Reviewed-on: https://go-review.googlesource.com/c/go/+/270137
gopherbot pushed a commit that referenced this issue Nov 16, 2020
@ianlancetaylor
[release-branch.go1.14] cmd/go: permit CGO_LDFLAGS to appear in //go:…
7177852 
…ldflag

For #42565
Fixes #42566

Change-Id: If7cf39905d124dbd54dfac6a53ee38270498efed
Reviewed-on: https://go-review.googlesource.com/c/go/+/269818
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
(cherry picked from commit 782cf56)
Reviewed-on: https://go-review.googlesource.com/c/go/+/270080
@danp danp mentioned this issue Nov 16, 2020
Merged
@ianlancetaylor ianlancetaylor mentioned this issue Nov 17, 2020
Closed
@foxcpp foxcpp mentioned this issue Nov 30, 2020
Closed
@AlexRouSg AlexRouSg mentioned this issue Dec 8, 2020
Closed
@toothrot toothrot mentioned this issue Dec 11, 2020
Closed
@steeve steeve mentioned this issue Dec 12, 2020
Closed
@golang golang locked and limited conversation to collaborators Dec 26, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge GoCommand cmd/go NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Projects
None yet
Milestone
Go1.16
Development

No branches or pull requests
6 participants
@jayconrod @Foxboron @ianlancetaylor @dmgk @gopherbot and others