diff --git a/src/cmd/compile/internal/gc/obj.go b/src/cmd/compile/internal/gc/obj.go
index a2c944ba9c..3c79212528 100644
--- a/src/cmd/compile/internal/gc/obj.go
+++ b/src/cmd/compile/internal/gc/obj.go
@@ -6,7 +6,9 @@ package gc
 
 import (
 	"cmd/internal/obj"
+	"crypto/sha256"
 	"fmt"
+	"io"
 	"strconv"
 )
 
@@ -181,27 +183,22 @@ func duintptr(s *Sym, off int, v uint64) int {
 	return duintxx(s, off, v, Widthptr)
 }
 
-var stringsym_gen int
-
 func stringsym(s string) (hdr, data *Sym) {
 	var symname string
-	var pkg *Pkg
 	if len(s) > 100 {
-		// huge strings are made static to avoid long names
-		stringsym_gen++
-		symname = fmt.Sprintf(".gostring.%d", stringsym_gen)
-
-		pkg = localpkg
+		// Huge strings are hashed to avoid long names in object files.
+		// Indulge in some paranoia by writing the length of s, too,
+		// as protection against length extension attacks.
+		h := sha256.New()
+		io.WriteString(h, s)
+		symname = fmt.Sprintf(".gostring.%d.%x", len(s), h.Sum(nil))
 	} else {
-		// small strings get named by their contents,
-		// so that multiple modules using the same string
-		// can share it.
+		// Small strings get named directly by their contents.
 		symname = strconv.Quote(s)
-		pkg = gostringpkg
 	}
 
-	symhdr := Pkglookup("hdr."+symname, pkg)
-	symdata := Pkglookup(symname, pkg)
+	symhdr := Pkglookup("hdr."+symname, gostringpkg)
+	symdata := Pkglookup(symname, gostringpkg)
 
 	// SymUniq flag indicates that data is generated already
 	if symhdr.Flags&SymUniq != 0 {