From c4772d30bfbed6cfbfdf92066990b5c6dc4065bb Mon Sep 17 00:00:00 2001 From: Cherry Mui Date: Tue, 14 May 2024 00:01:49 -0400 Subject: cmd/link: disallow pull-only linknames As mentioned in CL 584598, linkname is a mechanism that, when abused, can break API integrity and even safety of Go programs. CL 584598 is a first step to restrict the use of linknames, by implementing a blocklist. This CL takes a step further, tightening up the restriction by allowing linkname references ("pull") only when the definition side explicitly opts into it, by having a linkname on the definition (possibly to itself). This way, it is at least clear on the definition side that the symbol, despite being unexported, is accessed outside of the package. Unexported symbols without linkname can now be actually private. This is similar to the symbol visibility rule used by gccgo for years (which defines unexported non-linknamed symbols as C static symbols). As there can be pull-only linknames in the wild that may be broken by this change, we currently only enforce this rule for symbols defined in the standard library. Push linknames are added in the standard library to allow things build. Linkname references to external (non-Go) symbols are still allowed, as their visibility is controlled by the C symbol visibility rules and enforced by the C (static or dynamic) linker. Assembly symbols are treated similar to linknamed symbols. This is controlled by -checklinkname linker flag, currently not enabled by default. A follow-up CL will enable it by default. Change-Id: I07344f5c7a02124dbbef0fbc8fec3b666a4b2b0e Reviewed-on: https://go-review.googlesource.com/c/go/+/585358 LUCI-TryBot-Result: Go LUCI Reviewed-by: Than McIntosh Reviewed-by: Russ Cox --- src/cmd/internal/obj/link.go | 1 + src/cmd/internal/obj/objfile.go | 13 +++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'src/cmd/internal/obj') diff --git a/src/cmd/internal/obj/link.go b/src/cmd/internal/obj/link.go index 38869f0f47..647a459d59 100644 --- a/src/cmd/internal/obj/link.go +++ b/src/cmd/internal/obj/link.go @@ -1048,6 +1048,7 @@ type Link struct { InParallel bool // parallel backend phase in effect UseBASEntries bool // use Base Address Selection Entries in location lists and PC ranges IsAsm bool // is the source assembly language, which may contain surprising idioms (e.g., call tables) + Std bool // is standard library package // state for writing objects Text []*LSym diff --git a/src/cmd/internal/obj/objfile.go b/src/cmd/internal/obj/objfile.go index 648aae4fa2..2ed98cb577 100644 --- a/src/cmd/internal/obj/objfile.go +++ b/src/cmd/internal/obj/objfile.go @@ -57,6 +57,9 @@ func WriteObjFile(ctxt *Link, b *bio.Writer) { if ctxt.IsAsm { flags |= goobj.ObjFlagFromAssembly } + if ctxt.Std { + flags |= goobj.ObjFlagStd + } h := goobj.Header{ Magic: goobj.Magic, Fingerprint: ctxt.Fingerprint, @@ -309,6 +312,7 @@ func (w *writer) StringTable() { const cutoff = int64(2e9) // 2 GB (or so; looks better in errors than 2^31) func (w *writer) Sym(s *LSym) { + name := s.Name abi := uint16(s.ABI()) if s.Static() { abi = goobj.SymABIstatic @@ -348,10 +352,15 @@ func (w *writer) Sym(s *LSym) { if s.IsPkgInit() { flag2 |= goobj.SymFlagPkgInit } - if s.IsLinkname() || w.ctxt.IsAsm { // assembly reference is treated the same as linkname + if s.IsLinkname() || (w.ctxt.IsAsm && name != "") || name == "main.main" { + // Assembly reference is treated the same as linkname, + // but not for unnamed (aux) symbols. + // The runtime linknames main.main. flag2 |= goobj.SymFlagLinkname } - name := s.Name + if s.ABIWrapper() { + flag2 |= goobj.SymFlagABIWrapper + } if strings.HasPrefix(name, "gofile..") { name = filepath.ToSlash(name) } -- cgit v1.3