From 646a6420b6cdf9dbea6d9e16b67021a7942be8fc Mon Sep 17 00:00:00 2001
|
|
From: Ian Lance Taylor <iant@golang.org>
|
|
Date: Thu, 4 May 2023 14:06:39 -0700
|
|
Subject: [PATCH 4/4] [Backport] cmd/go,cmd/cgo: in _cgo_flags use one line per
|
|
flag
|
|
|
|
Offering: Cloud Core Network
|
|
CVE: CVE-2023-29405
|
|
Reference: https://go-review.googlesource.com/c/go/+/501216
|
|
|
|
The flags that we recorded in _cgo_flags did not use any quoting,
|
|
so a flag containing embedded spaces was mishandled.
|
|
Change the _cgo_flags format to put each flag on a separate line.
|
|
That is a simple format that does not require any quoting.
|
|
|
|
As far as I can tell only cmd/go uses _cgo_flags, and it is only
|
|
used for gccgo. If this patch doesn't cause any trouble, then
|
|
in the next release we can change to only using _cgo_flags for gccgo.
|
|
|
|
Thanks to Juho Nurminen of Mattermost for reporting this issue.
|
|
|
|
Note: Merged with CL: https://go-review.googlesource.com/c/go/+/501297
|
|
|
|
Edited-by: tangxi t00586138
|
|
|
|
Updates #60306
|
|
Fixes #60513
|
|
Fixes CVE-2023-29405
|
|
|
|
Change-Id: Id738a737ecae47babb34c4b4fc4d65336cf0c0f3
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
|
|
Reviewed-by: Damien Neil <dneil@google.com>
|
|
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
|
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902227
|
|
Run-TryBot: Roland Shoemaker <bracewell@google.com>
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904341
|
|
Reviewed-by: Michael Knyszek <mknyszek@google.com>
|
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/501216
|
|
Auto-Submit: Michael Knyszek <mknyszek@google.com>
|
|
Run-TryBot: David Chase <drchase@google.com>
|
|
TryBot-Bypass: David Chase <drchase@google.com>
|
|
Signed-off-by: Tang Xi tangxi6@huawei.com
|
|
|
|
---
|
|
src/cmd/cgo/out.go | 4 +++-
|
|
src/cmd/go/internal/work/gccgo.go | 14 ++++++-------
|
|
.../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
|
|
3 files changed, 29 insertions(+), 9 deletions(-)
|
|
create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
|
|
|
|
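--- a/src/cmd/cgo/out.go
+++ b/src/cmd/cgo/out.go
@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
 
 fflg := creat(*objDir + "_cgo_flags")
 for k, v := range p.CgoFlags {
- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
+ for _, arg := range v {
+ fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
+ }
 if k == "LDFLAGS" && !*gccgo {
 for _, arg := range v {
 fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)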
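Review bot: Nothing at the `_cgo_flags` write site documents that the file is now one flag per line, yet the reader in cmd/go depends on exactly that to avoid re-splitting a flag that contains spaces. I would add a comment above the new inner loop, such as `// One flag per line; cmd/go reads each line back as a single argument, so never join flags with spaces here.` The format also assumes that no flag contains a newline; that presumably holds because #cgo directives are single-line, but it is worth stating next to the write. writeDefs continues outside the hunk.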
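--- a/src/cmd/go/internal/work/gccgo.go
+++ b/src/cmd/go/internal/work/gccgo.go
@@ -283,14 +283,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
 const ldflagsPrefix = "_CGO_LDFLAGS="
 for _, line := range strings.Split(string(flags), "\n") {
 if strings.HasPrefix(line, ldflagsPrefix) {
- newFlags := strings.Fields(line[len(ldflagsPrefix):])
- for _, flag := range newFlags {
- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
- // but they don't mean anything to the linker so filter
- // them out.
- if flag != "-g" && !strings.HasPrefix(flag, "-O") {
- cgoldflags = append(cgoldflags, flag)
- }
+ flag := line[len(ldflagsPrefix):]
+ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+ // but they don't mean anything to the linker so filter
+ // them out.
+ if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+ cgoldflags = append(cgoldflags, flag)
 }
 }
 }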
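Review bot: An empty remainder after `_CGO_LDFLAGS=` is now appended to cgoldflags as an empty argument, because the removed strings.Fields call was what used to drop it; the filter could read `if flag != "" && flag != "-g" && !strings.HasPrefix(flag, "-O") {`. A `_cgo_flags` file written in the older space-joined format would likewise be taken as one flag containing spaces, so archives built before this change presumably need rebuilding, which is worth confirming. The enclosing link function starts and ends outside the hunk.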
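--- /dev/null
+++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
@@ -0,0 +1,20 @@
+# Test that #cgo LDFLAGS are properly quoted.
+# The #cgo LDFLAGS below should pass a string with spaces to -L,
+# as though searching a directory with a space in its name.
+# It should not pass --nosuchoption to the external linker.
+
+[!cgo] skip
+
+go build
+
+[!exec:gccgo] skip
+
+go build -compiler gccgo
+
+-- go.mod --
+module m
+-- cgo.go --
+package main
+// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
+import "C"
+func main() {}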
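Review bot: The script asserts only that both builds succeed, so the stated expectation that --nosuchoption never reaches the external linker rests on the linker rejecting an unknown option. A comment would make the pass condition explicit, e.g. `# If the flag were split at the space, the linker would reject --nosuchoption and the build would fail.` The gccgo build, which is the path that reads _cgo_flags, is skipped by `[!exec:gccgo] skip` wherever gccgo is not installed, so the regression may go unexercised on such hosts.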
--
|
|
2.33.0
|
|
|