cmd/go: allow flags in CGO_LDFLAGS environment variable not in security allowlist

[jayconrod]

What version of Go are you using (go version)?

$ go version
go version go1.15.5 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/jayconrod/Library/Caches/go-build"
GOENV="/Users/jayconrod/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/jayconrod/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/jayconrod/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/go/installed"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/go/installed/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-D_FORTIFY_SOURCE=1 -fstack-protector -Wthread-safety -Wself-assign -fno-omit-frame-pointer -O0 -DDEBUG -mmacosx-version-min=10.15 -no-canonical-prefixes -Wno-builtin-macro-redefined -D__DATE__="redacted" -D__TIMESTAMP__="redacted" -D__TIME__="redacted""
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-fobjc-link-runtime -headerpad_max_install_names -no-canonical-prefixes -mmacosx-version-min=10.15"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/rq/x0692kqj6ml8cvrhcqh5bswc008xj1/T/go-build236636493=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

CGO_LDFLAGS=-fobjc-link-runtime go build runtime/cgo

What did you expect to see?

Build succeeds, embedding the specified flags as //go:cgo_ldflag pragmas in compiled packages.

What did you see instead?

Build fails with:

go build runtime/cgo: invalid flag in go:cgo_ldflag: -fobjc-link-runtime

I believe this is an unintentional side effect of 3215982, the fix for #42558.

Previously, the security check was applied to flags in #cgo LDFLAGS directives in source files. That prevents malicious source files from executing arbitrary code.

With the commit above, we now apply the security check to all //go:cgo_ldflag pragmas in generated cgo code, in case there's a way for the original source code to cause such a comment to appear in generated code.

However, the CGO_LDFLAGS environment variable causes //go:cgo_ldflag pragmas to be written in generated cgo code. The user has complete control over flags in that environment variable, so they should not be subject to the security check.

A workaround is to set CGO_ALLOW_LDFLAGS to a regular expression that covers everything in CGO_LDFLAGS.

[jayconrod]

cc @ianlancetaylor @bcmills @matloob

[ianlancetaylor]

@gopherbot Please open backport issues.

This is a usability regression introduced by the security fix for #42556. The security fix was applied to all release branches, and we should follow up with a fix for this usability regression.

[gopherbot]

Backport issue(s) opened: #42566 (for 1.14), #42567 (for 1.15).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

[gopherbot]

Change https://golang.org/cl/269818 mentions this issue: cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag

[Foxboron]

This is a usability regression introduced by the security fix for #42556. The security fix was applied to all release branches, and we should follow up with a fix for this usability regression.

It's a bit more then that though. In Arch Linux we utilize CGO_LDFLAGS to ensure binary hardening, this regression is actually causing all our go packages to fail building.

[dmgk]

It also broke (so far) tinygo build on FreeBSD: go build runtime/cgo: invalid flag in go:cgo_ldflag: -std=c++14

[Foxboron]

I used the patch from the change set on our go compiler, and it works on our end.

https://github.com/archlinux/svntogit-community/blob/packages/go/trunk/fix-ldflags.patch

[gopherbot]

Change https://golang.org/cl/270137 mentions this issue: [release-branch.go1.15] cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag

[gopherbot]

Change https://golang.org/cl/270080 mentions this issue: [release-branch.go1.14] cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag

[ianlancetaylor]

I apologize for this problem. It was caused by a patch to fix a security problem. Because that patch could not be shared before the fix, it was not widely tested.

Please don't comment just to say that the problem affects you too. See https://golang.org/wiki/NoPlusOne. Thanks.

This will be fixed in the next release. Until then, the workaround, as mentioned in the original issue report, is to copy CGO_LDFLAGS into CGO_LDFLAGS_ALLOW.

Again, sorry for the problem.