[release-branch.go1.15-security] cmd/go: in cgoflags, permit -DX1, prohibit -Wp,...

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.

Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.

Fixes CVE-2020-28367

Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899924
Reviewed-by: Filippo Valsorda <valsorda@google.com>

diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 3ee68ac1b4144e3ab32b9caa2094ddfd010cc558..0d9628241fd85e2bb0447eda1dae2b8c2a41d20e 100644 (file)
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -42,8 +42,8 @@ import (
 var re = lazyregexp.New
 
 var validCompilerFlags = []*lazyregexp.Regexp{
-       re(`-D([A-Za-z_].*)`),
-       re(`-U([A-Za-z_]*)`),
+       re(`-D([A-Za-z_][A-Za-z0-9_]*)(=[^@\-]*)?`),
+       re(`-U([A-Za-z_][A-Za-z0-9_]*)`),
        re(`-F([^@\-].*)`),
        re(`-I([^@\-].*)`),
        re(`-O`),
@@ -51,8 +51,8 @@ var validCompilerFlags = []*lazyregexp.Regexp{
        re(`-W`),
        re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
        re(`-Wa,-mbig-obj`),
-       re(`-Wp,-D([A-Za-z_].*)`),
-       re(`-Wp,-U([A-Za-z_]*)`),
+       re(`-Wp,-D([A-Za-z_][A-Za-z0-9_]*)(=[^@,\-]*)?`),
+       re(`-Wp,-U([A-Za-z_][A-Za-z0-9_]*)`),
        re(`-ansi`),
        re(`-f(no-)?asynchronous-unwind-tables`),
        re(`-f(no-)?blocks`),

diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
index 11e74f29c6a6a7f94c6eec7bb403537a726f762e..aec9789185e8a178a295e0b3f1146b1d94c21551 100644 (file)
--- a/src/cmd/go/internal/work/security_test.go
+++ b/src/cmd/go/internal/work/security_test.go
@@ -13,6 +13,7 @@ var goodCompilerFlags = [][]string{
        {"-DFOO"},
        {"-Dfoo=bar"},
        {"-Ufoo"},
+       {"-Ufoo1"},
        {"-F/Qt"},
        {"-I/"},
        {"-I/etc/passwd"},
@@ -24,6 +25,8 @@ var goodCompilerFlags = [][]string{
        {"-Wall"},
        {"-Wp,-Dfoo=bar"},
        {"-Wp,-Ufoo"},
+       {"-Wp,-Dfoo1"},
+       {"-Wp,-Ufoo1"},
        {"-fobjc-arc"},
        {"-fno-objc-arc"},
        {"-fomit-frame-pointer"},
@@ -78,6 +81,8 @@ var badCompilerFlags = [][]string{
        {"-O@1"},
        {"-Wa,-foo"},
        {"-W@foo"},
+       {"-Wp,-DX,-D@X"},
+       {"-Wp,-UX,-U@X"},
        {"-g@gdb"},
        {"-g-gdb"},
        {"-march=@dawn"},