[release-branch.go1.22] cmd/go: disallow -lto_library in LDFLAGS

The darwin linker allows setting the LTO library with the -lto_library flag. This wasn't caught by our "safe linker flags" check because it was covered by the -lx flag used for linking libraries. This change adds a specific check for excluded flags which otherwise satisfy our existing checks. Loading a mallicious LTO library would allow an attacker to cause the linker to execute abritrary code when "go build" was called. Thanks to Juho Forsén of Mattermost for reporting this issue. Fixes #67119 Fixes #67122 Fixes CVE-2024-24787 Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1420 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/583796 Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
author: Roland Shoemaker <bracewell@google.com> 2024-04-25 13:09:54 -0700
committer: Cherry Mui <cherryyz@google.com> 2024-05-07 15:28:49 +0000
commit: fa0292d252c762ff3de92b87d13417c50704f3a0 (patch)
tree: ff08b81d9cd1f11edb0dc753a83c3ad8335e550d
parent: 947e43e3711948aa3f4d2bbb55ae51ccf54e7638 (diff)
download: go-fa0292d252c762ff3de92b87d13417c50704f3a0.tar.gz
go-fa0292d252c762ff3de92b87d13417c50704f3a0.zip
2 files changed, 32 insertions, 4 deletions
diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 88504be6cd..568eecd325 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -145,6 +145,12 @@ var validCompilerFlagsWithNextArg = []string{
 	"-x",
 }
 
+var invalidLinkerFlags = []*lazyregexp.Regexp{
+	// On macOS this means the linker loads and executes the next argument.
+	// Have to exclude separately because -lfoo is allowed in general.
+	re(`-lto_library`),
+}
+
 var validLinkerFlags = []*lazyregexp.Regexp{
 	re(`-F([^@\-].*)`),
 	re(`-l([^@\-].*)`),
@@ -235,12 +241,12 @@ var validLinkerFlagsWithNextArg = []string{
 
 func checkCompilerFlags(name, source string, list []string) error {
 	checkOverrides := true
-	return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
+	return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
 }
 
 func checkLinkerFlags(name, source string, list []string) error {
 	checkOverrides := true
-	return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
+	return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
 }
 
 // checkCompilerFlagsForInternalLink returns an error if 'list'
@@ -249,7 +255,7 @@ func checkLinkerFlags(name, source string, list []string) error {
 // external linker).
 func checkCompilerFlagsForInternalLink(name, source string, list []string) error {
 	checkOverrides := false
-	if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
+	if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
 		return err
 	}
 	// Currently the only flag on the allow list that causes problems
@@ -262,7 +268,7 @@ func checkCompilerFlagsForInternalLink(name, source string, list []string) error
 	return nil
 }
 
-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
+func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
 	// Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
 	var (
 		allow    *regexp.Regexp
@@ -294,6 +300,11 @@ Args:
 		if allow != nil && allow.FindString(arg) == arg {
 			continue Args
 		}
+		for _, re := range invalid {
+			if re.FindString(arg) == arg { // must be complete match
+				goto Bad
+			}
+		}
 		for _, re := range valid {
 			if re.FindString(arg) == arg { // must be complete match
 				continue Args
diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
new file mode 100644
index 0000000000..d7acefdbad
--- /dev/null
+++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
@@ -0,0 +1,17 @@
+[!GOOS:darwin] skip
+[!cgo] skip
+
+! go build
+stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
+
+-- go.mod --
+module ldflag
+
+-- main.go --
+package main
+
+// #cgo CFLAGS: -flto
+// #cgo LDFLAGS: -lto_library bad.dylib
+import "C"
+
+func main() {}
+\ No newline at end of file
author	Roland Shoemaker <bracewell@google.com>	2024-04-25 13:09:54 -0700
committer	Cherry Mui <cherryyz@google.com>	2024-05-07 15:28:49 +0000
commit	fa0292d252c762ff3de92b87d13417c50704f3a0 (patch)
tree	ff08b81d9cd1f11edb0dc753a83c3ad8335e550d
parent	947e43e3711948aa3f4d2bbb55ae51ccf54e7638 (diff)
download	go-fa0292d252c762ff3de92b87d13417c50704f3a0.tar.gz go-fa0292d252c762ff3de92b87d13417c50704f3a0.zip