1
0
mirror of https://github.com/golang/go synced 2024-11-14 13:30:30 -07:00
go/misc
Ian Lance Taylor 3215982469 [release-branch.go1.15-security] cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag
A hand-edited object file can have a symbol name that uses newline and
other normally invalid characters. The cgo tool will generate Go files
containing symbol names, unquoted. That can permit those symbol names
to inject Go code into a cgo-generated file. If that Go code uses the
//go:cgo_ldflag pragma, it can cause the C linker to run arbitrary
code when building a package. If you build an imported package we
permit arbitrary code at run time, but we don't want to permit it at
package build time. This CL prevents this in two ways.

In cgo, reject invalid symbols that contain non-printable or space
characters, or that contain anything that looks like a Go comment.

In the go tool, double check all //go:cgo_ldflag directives in
generated code, to make sure they follow the existing LDFLAG restrictions.

Thanks to Chris Brown and Tempus Ex for reporting this.

Fixes CVE-2020-28366

Change-Id: Ia1ad8f3791ea79612690fa7d26ac451d0f6df7c1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/895832
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
(cherry picked from commit 6bc814dd2bbfeaafa41d314dd4cc591b575dfbf6)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901056
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
2020-11-11 23:35:14 +00:00
..
android misc/android: fix a typo in README 2019-05-17 06:01:17 +00:00
arm
cgo [release-branch.go1.15-security] cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag 2020-11-11 23:35:14 +00:00
chrome/gophertool misc/chrome/gophertool: replace deprecated tabs.getSelected method 2019-11-18 18:14:37 +00:00
ios all: remove scattered remnants of darwin/arm 2020-04-08 18:35:49 +00:00
linkcheck
reboot misc: remove use of relative directories in overlayDir functions 2019-11-25 16:26:15 +00:00
swig cmd/go: fix swig support and run swig tests during run.bash 2017-11-16 17:19:19 +00:00
trace cmd/trace: update to use WebComponents V0 polyfill 2020-02-20 19:12:11 +00:00
wasm syscall/js: prepare IDs for the preset objects 2020-05-12 15:01:56 +00:00
editors
go.mod misc: add go.mod file 2019-02-27 17:47:31 +00:00