| author | Neal Patel <nealpatel@google.com> | 2026-02-24 23:05:34 +0000 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2026-04-08 05:24:01 -0700 |
| commit | 22f65d37c46d8eb087d764a734693d0abe39080f (patch) | |
| tree | 0c9bddd6bc7ae3804366279957ada560354618c5 | |
| parent | f5b77a7e2fa0f7ff346c665974a8eded367b1bc2 (diff) | |
| download | go-22f65d37c46d8eb087d764a734693d0abe39080f.tar.xz | |
cmd/go: disallow cgo trust boundary bypass
The cgo compiler implicitly trusts generated files
with 'cgo' prefixes; thus, SWIG files containing 'cgo'
in their names will cause bypass of the trust boundary,
leading to code smuggling or arbitrary code execution.
The cgo compiler will now produce an error if it
encounters any SWIG files containing this prefix.
Thanks to Juho Forsén of Mattermost for reporting this issue.
Fixes #78335
Fixes CVE-2026-27140
Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/763768
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: David Chase <drchase@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
| -rw-r--r-- | src/cmd/go/internal/work/exec.go | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
index 4217aee1bf..38d19c5743 100644
--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
@@ -3463,6 +3463,10 @@ func (b *Builder) swigIntSize(objdir string) (intsize string, err error) {
 // Run SWIG on one SWIG input file.
 func (b *Builder) swigOne(a *Action, file, objdir string, pcCFLAGS []string, cxx bool, intgosize string) error {
+ if strings.HasPrefix(file, "cgo") {
+ return errors.New("SWIG file must not use prefix 'cgo'")
+ }
+
 p := a.Package
 sh := b.Shell(a) |
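Review bot: The new guard at the top of swigOne carries no comment explaining why the prefix is refused, and its error does not name the offending file, so both a later maintainer and a user who hits it have to go back to the commit message. A comment such as `// Generated files with a "cgo" prefix are implicitly trusted, so a SWIG input must not use that prefix (CVE-2026-27140).` and an error like `fmt.Errorf("SWIG file %q must not use prefix 'cgo'", file)` would cover both, assuming fmt is already imported in exec.go. The check tests the whole `file` string, so it relies on callers passing a bare file name; if a directory component can ever reach this point, `filepath.Base(file)` would be the value to compare. The diffstat shows only exec.go changed, so a regression test that pins the rejection is worth adding with the fix. swigOne's body continues outside the hunk.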
