Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: arbitrary code execution during build on darwin (CVE-2024-24787) #67119

Closed
rolandshoemaker opened this issue Apr 30, 2024 · 5 comments
Closed

cmd/go: arbitrary code execution during build on darwin (CVE-2024-24787) #67119

rolandshoemaker opened this issue Apr 30, 2024 · 5 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone
Go1.23

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Apr 30, 2024
edited by cherrymui

On Darwin, building a Go module which contains CGO can trigger arbitrary code
execution when using the Apple version of ld, due to usage of the -lto_library
flag in a "#cgo LDFLAGS" directive.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2024-24787.

This is a PRIVATE issue for CVE-2024-24787, tracked in http://b/335700829.

/cc @golang/security and @golang/release
@rolandshoemaker rolandshoemaker added this to the Go1.23 milestone Apr 30, 2024
@rolandshoemaker
Copy link
Member Author

@gopherbot please open backports, this is a PRIVATE track security issue.

@gopherbot gopherbot mentioned this issue Apr 30, 2024
Closed
@gopherbot
Copy link

Backport issue(s) opened: #67121 (for 1.21), #67122 (for 1.22).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot gopherbot mentioned this issue Apr 30, 2024
Closed
@cherrymui cherrymui added the NeedsFix The path to resolution is known, but the work has not been done. label May 6, 2024
@gopherbot
Copy link

Change https://go.dev/cl/583795 mentions this issue: [release-branch.go1.21] cmd/go: disallow -lto_library in LDFLAGS

@gopherbot
Copy link

Change https://go.dev/cl/583796 mentions this issue: [release-branch.go1.22] cmd/go: disallow -lto_library in LDFLAGS

@gopherbot
Copy link

Change https://go.dev/cl/583815 mentions this issue: cmd/go: disallow -lto_library in LDFLAGS

gopherbot pushed a commit that referenced this issue May 7, 2024
@rolandshoemaker @cherrymui
[release-branch.go1.21] cmd/go: disallow -lto_library in LDFLAGS
a79ea27 
The darwin linker allows setting the LTO library with the -lto_library
flag. This wasn't caught by our "safe linker flags" check because it
was covered by the -lx flag used for linking libraries. This change
adds a specific check for excluded flags which otherwise satisfy our
existing checks.

Loading a mallicious LTO library would allow an attacker to cause the
linker to execute abritrary code when "go build" was called.

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes #67119
Fixes #67121
Fixes CVE-2024-24787

Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1401
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/583795
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
gopherbot pushed a commit that referenced this issue May 7, 2024
@rolandshoemaker @cherrymui
[release-branch.go1.22] cmd/go: disallow -lto_library in LDFLAGS
fa0292d 
The darwin linker allows setting the LTO library with the -lto_library
flag. This wasn't caught by our "safe linker flags" check because it
was covered by the -lx flag used for linking libraries. This change
adds a specific check for excluded flags which otherwise satisfy our
existing checks.

Loading a mallicious LTO library would allow an attacker to cause the
linker to execute abritrary code when "go build" was called.

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes #67119
Fixes #67122
Fixes CVE-2024-24787

Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1420
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/583796
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
@cherrymui cherrymui changed the title security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin (CVE-2024-24787) May 7, 2024
@MisterMX MisterMX mentioned this issue May 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Milestone
Go1.23
Development

No branches or pull requests
3 participants
@rolandshoemaker @gopherbot @cherrymui