cmd/go: Some C compiler and linker flags are not applied when using CGo #43771

Closed
domust opened this issue Jan 19, 2021 · 2 comments

domust commented Jan 19, 2021

What version of Go are you using (go version)?

$ go version
go version go1.15.5 linux/amd64

I've also tested this with versions:

Still works:
1.14.4
1.14.5
1.14.6
1.14.7
1.14.8
1.14.8
1.14.9
1.14.10
1.14.11
1.14.12
1.14.13

Does not work anymore:
1.15.0
1.15.1
1.15.2
1.15.3
1.15.4
1.15.5
1.15.6
1.15.5 even produces this error message which is not present in 1.15.6
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-z,relro,-z,now

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/domust/.cache/go-build"
GOENV="/home/domust/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/domust/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/domust/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build798847071=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.15.5 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.15.5
uname -sr: Linux 5.7.19-2-MANJARO
LSB Version:	n/a
Distributor ID:	ManjaroLinux
Description:	Manjaro Linux
Release:	20.2
Codename:	Nibia
/usr/lib/libc.so.6: GNU C Library (GNU libc) release release version 2.32.

What did you do?

I have this Go code:

~/Documents/cgo >>> cat main.go
package main

import "fmt"

func main() {
	fmt.Println("Hello world!")
}

I'm building using this Makefile:

~/Documents/cgo >>> cat Makefile
VERSION ?= 1.14.4

build:
	docker run \
		--rm \
		--volume ${PWD}:/opt \
		--workdir /opt \
		--env CGO_ENABLED=1 \
		--env CGO_CFLAGS="-g -O2 -D_FORTIFY_SOURCE=2" \
		--env CGO_LDFLAGS="-Wl,-z,relro,-z,now" \
		golang:$(VERSION) \
		go build -buildmode=pie -o hello main.go

clean:
	rm hello

And checking whether the resulting binary is properly hardened: https://manpages.debian.org/testing/devscripts/hardening-check.1.en.html

~/Documents/cgo >>> hardening-check -s hello

What did you expect to see?

hello:
 Position Independent Executable: yes
 Stack protected: no, not found! (ignored)
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes

What did you see instead?

hello:
 Position Independent Executable: yes
 Stack protected: no, not found! (ignored)
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!

Fortification and immediate binding flags are not handled correctly.

bcmills commented Jan 19, 2021

What is the stderr output of the go build command if you add the -x flag (“print the commands”)?

bcmills added the GoCommand, NeedsInvestigation and WaitingForInfo labels Jan 19, 2021
bcmills added this to the Backlog milestone Jan 19, 2021
bcmills changed the title from "Some C compiler and linker flags are not applied when using CGo" to "cmd/go: Some C compiler and linker flags are not applied when using CGo" Jan 19, 2021

@ianlancetaylor

This is because in Go 1.15 -buildmode=pie now defaults to using internal linking for a program that does not use cgo, as documented at https://golang.org/doc/go1.15#linker. In internal linking mode, the values of CGO_LDFLAGS are ignored. You can force external linking, and get the results you want, by using go build -buildmode=pie -ldflags=-linkmode=external.

@golang golang locked and limited conversation to collaborators Jan 19, 2022
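
The two linker-level lines of the hardening-check report in this thread ("Read-only relocations" and "Immediate binding") can be read straight from the ELF headers, which makes it easy to confirm whether `-z relro` and `-z now` reached the linker after switching to `-ldflags=-linkmode=external`. The following Go program is an added example, not code from the issue or from the Go project; the names `bindNow` and `Inspect` are hypothetical, and it assumes Go 1.21 or later for `File.DynValue`.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// bindNow reports whether the dynamic section requests immediate binding.
// Linkers record -z now as DF_BIND_NOW in DT_FLAGS, as DF_1_NOW in
// DT_FLAGS_1, or as the older standalone DT_BIND_NOW tag.
func bindNow(flags, flags1 []uint64, hasTag bool) bool {
	for _, v := range flags {
		if elf.DynFlag(v)&elf.DF_BIND_NOW != 0 {
			return true
		}
	}
	for _, v := range flags1 {
		if elf.DynFlag1(v)&elf.DF_1_NOW != 0 {
			return true
		}
	}
	return hasTag
}

// Inspect returns (relro, now) for the ELF file at path (hypothetical helper).
// A tag that is missing or unreadable is treated as absent.
func Inspect(path string) (relro, now bool, err error) {
	f, err := elf.Open(path)
	if err != nil {
		return false, false, err
	}
	defer f.Close()
	for _, p := range f.Progs {
		relro = relro || p.Type == elf.PT_GNU_RELRO // segment created by -z relro
	}
	flags, _ := f.DynValue(elf.DT_FLAGS)
	flags1, _ := f.DynValue(elf.DT_FLAGS_1)
	tag, _ := f.DynValue(elf.DT_BIND_NOW)
	return relro, bindNow(flags, flags1, len(tag) > 0), nil
}

func main() {
	for _, path := range os.Args[1:] {
		relro, now, err := Inspect(path)
		fmt.Printf("%s: relro=%v bind_now=%v err=%v\n", path, relro, now, err)
	}
}
```

A binary with both results true has full RELRO; the "What did you see instead?" report above corresponds to relro=true with bind_now=false.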