# `invalid flag in #cgo CFLAGS`

This page describes the background for build errors like `invalid flag in #cgo CFLAGS` and what you can do about them.

[CVE-2018-6574](https://nvd.nist.gov/vuln/detail/CVE-2018-6574) described a potential security violation in the go tool: running `go get` downloads and builds Go code from the Internet, and Go code that uses cgo can specify options to pass to the compiler, so careful use of `-fplugin` can cause `go get` to execute arbitrary code. While it is difficult to block every possible way that the compiler might be attacked, we have chosen to block the obvious ones.

As described at [issue 23672](https://golang.org/issue/23672), this is done by using a safelist of compiler/linker options that are permitted during `go get`, `go build`, and friends. When cgo code tries to pass an option that is not on the safelist, the go tool will report an error `invalid flag in #cgo CFLAGS` (or `#cgo LDFLAGS`, `pkg-config --cflags`, `pkg-config --ldflags`, and so forth).

This safelist is new in releases 1.8.7, 1.9.4, and 1.10, and all subsequent releases.

## What can I do?

If this happens to you, and the option is benign, you should do two things:
1. Set the environment variable `CGO_CFLAGS_ALLOW` (or `CGO_LDFLAGS_ALLOW`, `CGO_CXXFLAGS_ALLOW`, and so forth) to a [regexp](https://golang.org/pkg/regexp/) that matches the option.
2. [File a bug](https://golang.org/issue/new) requesting that the option be added to the safelist. Be sure to include the complete error message and, if possible, a description of the code you are building.

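
To see how the scope of the allow regexp changes what gets through, here is an added example (not the go tool's own code) that models a safelist check with an override. The safelist subset, the `CheckFlags` name, the whole-flag anchoring, and the flag `-fexample-opt` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// safelist is a constructed, illustrative subset, not the go tool's real list.
var safelist = []*regexp.Regexp{
	regexp.MustCompile(`\A-O[0-3s]?\z`),
	regexp.MustCompile(`\A-D[A-Za-z_][A-Za-z0-9_]*(=.*)?\z`),
	regexp.MustCompile(`\A-I[^@-].*\z`),
}

// CheckFlags returns the flags that neither the safelist nor the allow
// override (the value a user would put in CGO_CFLAGS_ALLOW) matches.
func CheckFlags(flags []string, allow string) ([]string, error) {
	patterns := safelist
	if allow != "" {
		// Assumption of this example: the override must match the whole flag.
		re, err := regexp.Compile(`\A(?:` + allow + `)\z`)
		if err != nil {
			return nil, fmt.Errorf("parsing allow override: %v", err)
		}
		patterns = append(append([]*regexp.Regexp{}, safelist...), re)
	}
	var rejected []string
	for _, f := range flags {
		ok := false
		for _, re := range patterns {
			ok = ok || re.MatchString(f)
		}
		if !ok {
			rejected = append(rejected, f)
		}
	}
	return rejected, nil
}

func main() {
	// Constructed sample; -fexample-opt is a hypothetical benign flag.
	flags := []string{"-O2", "-DNDEBUG", "-fexample-opt", "-fplugin=./x.so"}
	for _, allow := range []string{"", `-fexample-opt`, `-f.*`} {
		rejected, err := CheckFlags(flags, allow)
		fmt.Printf("allow=%q rejected=%q err=%v\n", allow, rejected, err)
	}
}
```

A broad override such as `-f.*` also admits `-fplugin=...`, so keep the regexp as narrow as the single option you need.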
## Why not use an unsafe list?

Because if some new unsafe option is added to a compiler, all existing Go releases will become immediately vulnerable.

## Why not get a complete list of compiler options and safelist all of them?

Because there are hundreds of options, and there is no clear way to get a complete list. Many compiler and linker options are target dependent, and thus only reported on specific platforms or in specific configurations. The documentation is known to be incomplete.