cmd/go/internal/security: add -ftls-model to valid compiler flags

Allow -ftls-model to be passed in to a system compiler. It does not
allow arbitrary code execution. See
https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-ftls-model
for documentation for the -ftls-model flag.

Fixes #69711

Change-Id: I842a96832e6858e62c171401d13baa3391d6d00a
Reviewed-on: https://go-review.googlesource.com/c/go/+/617136
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>

diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 543ab225abb65c5226b049273aed82b3f9fb968a..957fad1b40b6ce747fa23929ab3b423a4ceb8bda 100644 (file)
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -91,6 +91,7 @@ var validCompilerFlags = []*lazyregexp.Regexp{
        re(`-f(no-)?visibility-inlines-hidden`),
        re(`-fsanitize=(.+)`),
        re(`-ftemplate-depth-(.+)`),
+       re(`-ftls-model=(global-dynamic|local-dynamic|initial-exec|local-exec)`),
        re(`-fvisibility=(.+)`),
        re(`-g([^@\-].*)?`),
        re(`-m32`),

diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
index 68d287ec2b4ce05bb34996bac2bcd66df530a4db..2ce7806c42111e79844edf313f69a0f30e410e14 100644 (file)
--- a/src/cmd/go/internal/work/security_test.go
+++ b/src/cmd/go/internal/work/security_test.go
@@ -47,6 +47,7 @@ var goodCompilerFlags = [][]string{
        {"-fstack-xxx"},
        {"-fno-stack-xxx"},
        {"-fsanitize=hands"},
+       {"-ftls-model=local-dynamic"},
        {"-g"},
        {"-ggdb"},
        {"-march=souza"},