Merge pull request #123760 from rickystewart/backport-security-fixes-…
…23.1

release-23.1: build: backport security fix from Go CVE
rickystewart authored May 7, 2024
2 parents cf8dba6 + 2f05b30 commit 1957f27
Showing 5 changed files with 135 additions and 16 deletions.
16 changes: 8 additions & 8 deletions WORKSPACE
@@ -164,14 +164,14 @@ load(
go_download_sdk(
name = "go_sdk",
sdks = {
"darwin_amd64": ("go1.19.13.darwin-amd64.tar.gz", "07e7617b23201451b115e2f7d537143aee5ab209703d7a88b00a1d38d5292655"),
"darwin_arm64": ("go1.19.13.darwin-arm64.tar.gz", "d91c7a3f5197b771d41e4692e9373b7340149cb3f41662a5c224902cb8ca5c78"),
"darwin_amd64": ("go1.19.13.darwin-amd64.tar.gz", "e11ce691fe737caec990716d96362a3ac76a673719f649cbca98755fe6742484"),
"darwin_arm64": ("go1.19.13.darwin-arm64.tar.gz", "6af64ba7762589f3181e15848ff08fe072234c4c5f071c727c511095008886f0"),
"freebsd_amd64": ("go1.19.13.freebsd-amd64.tar.gz", "97fd4990c5349ab922b9bf3e4c655e899135559ea6ad666d4b3c7a27b1e147a2"),
"linux_amd64": ("go1.19.13.linux-amd64.tar.gz", "edfce314025a829c934c81b9ee638ab560ab022a761cb71deab6b661682dfaf5"),
"linux_arm64": ("go1.19.13.linux-arm64.tar.gz", "e4cfa5f374c60acc7c342d4642fadc54f4314c30e5212414a4557315499e281a"),
"windows_amd64": ("go1.19.13.windows-amd64.tar.gz", "3ff8a1e2fd27f2ea499f2ed4acd8975a30b4748ade9f8b76640a0d631c12f5dc"),
"linux_amd64": ("go1.19.13.linux-amd64.tar.gz", "bc9d7946d4aa0c9b87ad498db0757720653c47ddbdb2c7818821229c34d210a8"),
"linux_arm64": ("go1.19.13.linux-arm64.tar.gz", "3155a4d7026ab1980e7f092a891861f4006752a0f1e0194b0cc8b924eb187870"),
"windows_amd64": ("go1.19.13.windows-amd64.tar.gz", "4038ce4d20abef80df1348e8b75e4cb0acdaea95db948e16d531667a63b14249"),
},
urls = ["https://storage.googleapis.com/public-bazel-artifacts/go/20240502-135909/{}"],
urls = ["https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/{}"],
version = "1.19.13",
)

@@ -615,8 +615,8 @@ distdir_repositories()
go_download_sdk(
name = "go_sdk_fips",
sdks = {
"linux_amd64": ("go1.19.13fips.linux-amd64.tar.gz", "1256af160deeb1d47ee4d76ab6c0342f6e7b6d4541bf515c012c7c6357c8edee"),
"linux_amd64": ("go1.19.13fips.linux-amd64.tar.gz", "64c89d9407e8be4b4d6565402e771387d512e985d826d451352d5c1e3d7360dd"),
},
urls = ["https://storage.googleapis.com/public-bazel-artifacts/go/20240422-222025/{}"],
urls = ["https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/{}"],
version = "1.19.13fips",
)
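Review bot: The freebsd_amd64 entry under the new `20240507-190210` directory keeps the SHA-256 of the previous build (the digest beginning `97fd4990` appears unchanged on the WORKSPACE line and on both the old and new distdir_files.bzl entries), so that tarball is byte-identical to the `20240502-135909` one and presumably does not contain the backported CVE-2024-24787 fix, since a patched cmd/go would change the archive. The CONFIGS list in the Go bootstrap build script touched by this commit also omits freebsd_amd64, which is consistent with the FreeBSD SDK never having been rebuilt. Either rebuild and re-pin the FreeBSD SDK, or mark the pin so it is not mistaken for a patched build, e.g. `# freebsd_amd64 is a copy of the 20240502 build and does not include a79ea27`.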
14 changes: 7 additions & 7 deletions build/bazelutil/distdir_files.bzl
@@ -1175,13 +1175,13 @@ DISTDIR_FILES = {
"https://storage.googleapis.com/public-bazel-artifacts/c-deps/20240422-202506/libproj_foreign.macos.20240422-202506.tar.gz": "899876960787afbb1bd10d0611180bf47a09fb17691ee1a2dec76e5ad526d18f",
"https://storage.googleapis.com/public-bazel-artifacts/c-deps/20240422-202506/libproj_foreign.macosarm.20240422-202506.tar.gz": "df02d74f66290a1479ed05da1e448694b0de6bab9a1a7b72c8299f30444ad97b",
"https://storage.googleapis.com/public-bazel-artifacts/c-deps/20240422-202506/libproj_foreign.windows.20240422-202506.tar.gz": "40fc37cb8c66a2ca9220107b57f0339199adad2a23849f70e9b4a6d2495b8db1",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240422-222025/go1.19.13fips.linux-amd64.tar.gz": "1256af160deeb1d47ee4d76ab6c0342f6e7b6d4541bf515c012c7c6357c8edee",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240502-135909/go1.19.13.darwin-amd64.tar.gz": "07e7617b23201451b115e2f7d537143aee5ab209703d7a88b00a1d38d5292655",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240502-135909/go1.19.13.darwin-arm64.tar.gz": "d91c7a3f5197b771d41e4692e9373b7340149cb3f41662a5c224902cb8ca5c78",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240502-135909/go1.19.13.freebsd-amd64.tar.gz": "97fd4990c5349ab922b9bf3e4c655e899135559ea6ad666d4b3c7a27b1e147a2",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240502-135909/go1.19.13.linux-amd64.tar.gz": "edfce314025a829c934c81b9ee638ab560ab022a761cb71deab6b661682dfaf5",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240502-135909/go1.19.13.linux-arm64.tar.gz": "e4cfa5f374c60acc7c342d4642fadc54f4314c30e5212414a4557315499e281a",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240502-135909/go1.19.13.windows-amd64.tar.gz": "3ff8a1e2fd27f2ea499f2ed4acd8975a30b4748ade9f8b76640a0d631c12f5dc",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/go1.19.13.darwin-amd64.tar.gz": "e11ce691fe737caec990716d96362a3ac76a673719f649cbca98755fe6742484",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/go1.19.13.darwin-arm64.tar.gz": "6af64ba7762589f3181e15848ff08fe072234c4c5f071c727c511095008886f0",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/go1.19.13.freebsd-amd64.tar.gz": "97fd4990c5349ab922b9bf3e4c655e899135559ea6ad666d4b3c7a27b1e147a2",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/go1.19.13.linux-amd64.tar.gz": "bc9d7946d4aa0c9b87ad498db0757720653c47ddbdb2c7818821229c34d210a8",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/go1.19.13.linux-arm64.tar.gz": "3155a4d7026ab1980e7f092a891861f4006752a0f1e0194b0cc8b924eb187870",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/go1.19.13.windows-amd64.tar.gz": "4038ce4d20abef80df1348e8b75e4cb0acdaea95db948e16d531667a63b14249",
"https://storage.googleapis.com/public-bazel-artifacts/go/20240507-190210/go1.19.13fips.linux-amd64.tar.gz": "64c89d9407e8be4b4d6565402e771387d512e985d826d451352d5c1e3d7360dd",
"https://storage.googleapis.com/public-bazel-artifacts/gomod/github.com/bazelbuild/buildtools/v0.0.0-20200718160251-b1667ff58f71/buildtools-v0.0.0-20200718160251-b1667ff58f71.tar.gz": "a9ef5103739dfb5ed2a5b47ab1654842a89695812e4af09e57d7015a5caf97e0",
"https://storage.googleapis.com/public-bazel-artifacts/java/railroad/rr-1.63-java8.zip": "d2791cd7a44ea5be862f33f5a9b3d40aaad9858455828ebade7007ad7113fb41",
"https://storage.googleapis.com/public-bazel-artifacts/js/rules_jest-v0.18.4.tar.gz": "d3bb833f74b8ad054e6bff5e41606ff10a62880cc99e4d480f4bdfa70add1ba7",
@@ -0,0 +1,118 @@
From a79ea27e36a1c56ae48dc36ce48549c9787ca4b7 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <[email protected]>
Date: Thu, 25 Apr 2024 13:09:54 -0700
Subject: [PATCH] [release-branch.go1.21] cmd/go: disallow -lto_library in LDFLAGS

The darwin linker allows setting the LTO library with the -lto_library
flag. This wasn't caught by our "safe linker flags" check because it
was covered by the -lx flag used for linking libraries. This change
adds a specific check for excluded flags which otherwise satisfy our
existing checks.

Loading a mallicious LTO library would allow an attacker to cause the
linker to execute abritrary code when "go build" was called.

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes #67119
Fixes #67121
Fixes CVE-2024-24787

Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
Reviewed-by: Russ Cox <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1401
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/583795
Reviewed-by: David Chase <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
---

diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 270a34e..db49eb6 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -141,6 +141,12 @@
"-x",
}

+var invalidLinkerFlags = []*lazyregexp.Regexp{
+ // On macOS this means the linker loads and executes the next argument.
+ // Have to exclude separately because -lfoo is allowed in general.
+ re(`-lto_library`),
+}
+
var validLinkerFlags = []*lazyregexp.Regexp{
re(`-F([^@\-].*)`),
re(`-l([^@\-].*)`),
@@ -231,12 +237,12 @@

func checkCompilerFlags(name, source string, list []string) error {
checkOverrides := true
- return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
+ return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
}

func checkLinkerFlags(name, source string, list []string) error {
checkOverrides := true
- return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
+ return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
}

// checkCompilerFlagsForInternalLink returns an error if 'list'
@@ -245,7 +251,7 @@
// external linker).
func checkCompilerFlagsForInternalLink(name, source string, list []string) error {
checkOverrides := false
- if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
+ if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
return err
}
// Currently the only flag on the allow list that causes problems
@@ -258,7 +264,7 @@
return nil
}

-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
+func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
// Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
var (
allow *regexp.Regexp
@@ -290,6 +296,11 @@
if allow != nil && allow.FindString(arg) == arg {
continue Args
}
+ for _, re := range invalid {
+ if re.FindString(arg) == arg { // must be complete match
+ goto Bad
+ }
+ }
for _, re := range valid {
if re.FindString(arg) == arg { // must be complete match
continue Args
diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
new file mode 100644
index 0000000..d7acefd
--- /dev/null
+++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
@@ -0,0 +1,17 @@
+[!GOOS:darwin] skip
+[!cgo] skip
+
+! go build
+stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
+
+-- go.mod --
+module ldflag
+
+-- main.go --
+package main
+
+// #cgo CFLAGS: -flto
+// #cgo LDFLAGS: -lto_library bad.dylib
+import "C"
+
+func main() {}
\ No newline at end of file
@@ -26,6 +26,7 @@ sed -i "s/go mod tidy/go mod tidy -go=1.16/g" scripts/create-secondary-patch.sh
cd go/src
# Apply the CRL patch
patch -p2 < /bootstrap/diff.patch
patch -p2 < /bootstrap/a79ea27.diff
# add a special version modifier so we can explicitly use it in bazel
sed -i 's/$/fips/' ../VERSION
./make.bash -v
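Review bot: The comment `# Apply the CRL patch` now sits above two `patch` invocations but describes only the first; the added a79ea27.diff line is undocumented. Suggest `# Apply the CRL patch and the backported cmd/go fix for CVE-2024-24787 (upstream a79ea27)`. The same stale comment exists in the other bootstrap script in this commit, where the `git apply` line now carries four patches under a comment that still mentions only the per-goroutine running-time patch. This script also uses `patch -p2` while the other uses `git apply`; if this script does not run under `set -e` (its header is outside the hunk), a rejected hunk would not abort the build and an unpatched toolchain would still be produced.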
@@ -59,7 +59,7 @@ rm golang.tar.gz
cd /tmp/go$GOVERS/go
# NB: we apply a patch to the Go runtime to keep track of running time on a
# per-goroutine basis. See #82356 and #82625.
git apply /bootstrap/diff.patch /bootstrap/6446af9.diff /bootstrap/008-fix-CVE-2023-45288.patch
git apply /bootstrap/diff.patch /bootstrap/6446af9.diff /bootstrap/008-fix-CVE-2023-45288.patch /bootstrap/a79ea27.diff
cd ..

CONFIGS="linux_amd64 linux_arm64 darwin_amd64 darwin_arm64 windows_amd64"
