From 91d7ab2cefcc653f8b438fbfaa48d504dbfa4f00 Mon Sep 17 00:00:00 2001
From: Russ Cox
Date: Tue, 26 Nov 2024 11:40:28 -0500
Subject: cmd/internal/obj: handle static assembly symbols correctly in FIPS check

Static symbols don't have the package prefix, so we need to identify them specially.

Change-Id: Iaa0456de802478f6a257164e9703f18f8dc7eb50
Reviewed-on: https://go-review.googlesource.com/c/go/+/631975
Reviewed-by: Cherry Mui
LUCI-TryBot-Result: Go LUCI
---
 src/cmd/internal/obj/fips140.go | 76 +++++++++++++++++++++++------------------
 1 file changed, 42 insertions(+), 34 deletions(-)
(limited to 'src/cmd/internal')
diff --git a/src/cmd/internal/obj/fips140.go b/src/cmd/internal/obj/fips140.go
index 35c4cdfcc9..eb6ffff009 100644
--- a/src/cmd/internal/obj/fips140.go
+++ b/src/cmd/internal/obj/fips140.go
@@ -221,47 +221,55 @@ func (s *LSym) setFIPSType(ctxt *Link) {
 return
 }
 
- // Name must begin with crypto/internal/fips140, then dot or slash.
- // The quick check for 'c' before the string compare is probably overkill,
- // but this function is called a fair amount, and we don't want to
- // slow down all the non-FIPS compilations.
- const prefix = "crypto/internal/fips140"
- name := s.Name
- if len(name) <= len(prefix) || (name[len(prefix)] != '.' && name[len(prefix)] != '/') || name[0] != 'c' || name[:len(prefix)] != prefix {
- return
- }
-
- if strings.Contains(name, "_test.") {
- // External test packages are not in the scope.
+ // External test packages are not in scope.
+ if strings.HasSuffix(ctxt.Pkgpath, "_test") {
 return
 }
 
- // Now we're at least handling a FIPS symbol.
- // It's okay to be slower now, since this code only runs when compiling a few packages.
- // Text symbols are always okay, since they can use PC-relative relocations,
- // but some data symbols are not.
- if s.Type != objabi.STEXT && s.Type != objabi.STEXTFIPS {
- // Even in the crypto/internal/fips140 packages,
- // we exclude various Go runtime metadata,
- // so that it can be allowed to contain data relocations.
- if strings.Contains(name, ".inittask") ||
- strings.Contains(name, ".dict") ||
- strings.Contains(name, ".typeAssert") ||
- strings.HasSuffix(name, ".arginfo0") ||
- strings.HasSuffix(name, ".arginfo1") ||
- strings.HasSuffix(name, ".argliveinfo") ||
- strings.HasSuffix(name, ".args_stackmap") ||
- strings.HasSuffix(name, ".opendefer") ||
- strings.HasSuffix(name, ".stkobj") ||
- strings.HasSuffix(name, "·f") {
+ if s.Attribute.Static() {
+ // Static (file-scoped) symbol does not have name prefix,
+ // but must be local to package; rely on whether package is FIPS.
+ if !ctxt.IsFIPS() {
 return
 }
-
- // This symbol is linknamed to go:fipsinfo,
- // so we shouldn't see it, but skip it just in case.
- if s.Name == "crypto/internal/fips140/check.linkinfo" {
+ } else {
+ // Name must begin with crypto/internal/fips140, then dot or slash.
+ // The quick check for 'c' before the string compare is probably overkill,
+ // but this function is called a fair amount, and we don't want to
+ // slow down all the non-FIPS compilations.
+ const prefix = "crypto/internal/fips140"
+ name := s.Name
+ if len(name) <= len(prefix) || (name[len(prefix)] != '.' && name[len(prefix)] != '/') || name[0] != 'c' || name[:len(prefix)] != prefix {
 return
 }
+
+ // Now we're at least handling a FIPS symbol.
+ // It's okay to be slower now, since this code only runs when compiling a few packages.
+ // Text symbols are always okay, since they can use PC-relative relocations,
+ // but some data symbols are not.
+ if s.Type != objabi.STEXT && s.Type != objabi.STEXTFIPS {
+ // Even in the crypto/internal/fips140 packages,
+ // we exclude various Go runtime metadata,
+ // so that it can be allowed to contain data relocations.
+ if strings.Contains(name, ".inittask") ||
+ strings.Contains(name, ".dict") ||
+ strings.Contains(name, ".typeAssert") ||
+ strings.HasSuffix(name, ".arginfo0") ||
+ strings.HasSuffix(name, ".arginfo1") ||
+ strings.HasSuffix(name, ".argliveinfo") ||
+ strings.HasSuffix(name, ".args_stackmap") ||
+ strings.HasSuffix(name, ".opendefer") ||
+ strings.HasSuffix(name, ".stkobj") ||
+ strings.HasSuffix(name, "·f") {
+ return
+ }
+
+ // This symbol is linknamed to go:fipsinfo,
+ // so we shouldn't see it, but skip it just in case.
+ if s.Name == "crypto/internal/fips140/check.linkinfo" {
+ return
+ }
+ }
 }
 
 // This is a FIPS symbol! Convert its type to FIPS.
-- 
cgit v1.3
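Review bot: The `s.Attribute.Static()` branch converts every static symbol of a FIPS package, data as well as text, because it skips the `s.Type` test and the runtime-metadata exemptions that the `else` branch keeps. The comments in that `else` branch say some data symbols are not okay because of data relocations, so a static data symbol that stores an address is now in scope, and the hunk does not show where such a symbol is rejected. I would state the intent in the branch, for example `// Static symbols get none of the metadata exemptions below; a static data symbol with a data relocation is expected to be rejected, not exempted.`, and confirm that it also holds for any static symbols the compiler itself may emit. The commit touches only this file, so a regression test that builds a FIPS package containing a static assembly data symbol would pin the new behaviour. setFIPSType begins before the hunk and continues after it.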