Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: arbitrary code can be injected into cgo generated files #42559

Closed
katiehockman opened this issue Nov 12, 2020 · 2 comments
Closed

cmd/go: arbitrary code can be injected into cgo generated files #42559

katiehockman opened this issue Nov 12, 2020 · 2 comments
Labels
Milestone

Comments

@katiehockman
Copy link
Member

@katiehockman katiehockman commented Nov 12, 2020

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.

This can be caused by malicious unquoted symbol names. This has been fixed by rejecting invalid symbols which may add a //go:cgo_ldflag directive to the generated file, and by ensuring that the go tool follows existing LDFLAG restrictions.

Thanks to Chris Brown and Tempus Ex for reporting this issue.

This issue is CVE-2020-28366.

@katiehockman
Copy link
Member Author

@katiehockman katiehockman commented Nov 12, 2020

Fixed by da7aa86

Fixed by 062e0e5

dongsupark added a commit to kinvolk/coreos-overlay that referenced this issue Nov 13, 2020
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See golang/go#42559.

However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:

```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```

We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
dongsupark added a commit to kinvolk/coreos-overlay that referenced this issue Nov 13, 2020
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See golang/go#42559.

However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:

```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```

We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
dongsupark added a commit to kinvolk/coreos-overlay that referenced this issue Nov 13, 2020
Go 1.15.5 fixed a security issue CVE-2020-28366, by rejecting certain
LDFLAGS for CGO. See golang/go#42559.

However, that change breaks builds based on the Flatcar build chain,
because `go_export` sets `$LDFLAGS` to `-Wl,-O1 -Wl,--as-needed`.
As a result, Go build fails like:

```
go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
```

We need to remove the flag `-Wl,-O1` from $LDFLAGS before building the
Go runtime, to fix the failure.
@FiloSottile
Copy link
Member

@FiloSottile FiloSottile commented Nov 13, 2020

Note: the CVE and attribution in the fix (062e0e5) are incorrect. This is indeed CVE-2020-28366 reported by Chris Brown and Tempus Ex. We apologize for the mistake.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.