[release-branch.go1.15-security] cmd/go: in cgoflags, permit -DX1, prohibit -Wp,-D,opt

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.

Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.

Fixes CVE-2020-28367

Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Bryan C. Mills <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899924
Reviewed-by: Filippo Valsorda <[email protected]>

Author: ianlancetaylor

src/cmd/go/internal/work/security.go

@@ -42,17 +42,17 @@ import (
 var re = lazyregexp.New
 
 var validCompilerFlags = []*lazyregexp.Regexp{
-	re(`-D([A-Za-z_].*)`),
-	re(`-U([A-Za-z_]*)`),
+	re(`-D([A-Za-z_][A-Za-z0-9_]*)(=[^@\-]*)?`),
+	re(`-U([A-Za-z_][A-Za-z0-9_]*)`),
 	re(`-F([^@\-].*)`),
 	re(`-I([^@\-].*)`),
 	re(`-O`),
 	re(`-O([^@\-].*)`),
 	re(`-W`),
 	re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
 	re(`-Wa,-mbig-obj`),
-	re(`-Wp,-D([A-Za-z_].*)`),
-	re(`-Wp,-U([A-Za-z_]*)`),
+	re(`-Wp,-D([A-Za-z_][A-Za-z0-9_]*)(=[^@,\-]*)?`),
+	re(`-Wp,-U([A-Za-z_][A-Za-z0-9_]*)`),
 	re(`-ansi`),
 	re(`-f(no-)?asynchronous-unwind-tables`),
 	re(`-f(no-)?blocks`),

src/cmd/go/internal/work/security_test.go

@@ -13,6 +13,7 @@ var goodCompilerFlags = [][]string{
 	{"-DFOO"},
 	{"-Dfoo=bar"},
 	{"-Ufoo"},
+	{"-Ufoo1"},
 	{"-F/Qt"},
 	{"-I/"},
 	{"-I/etc/passwd"},
@@ -24,6 +25,8 @@ var goodCompilerFlags = [][]string{
 	{"-Wall"},
 	{"-Wp,-Dfoo=bar"},
 	{"-Wp,-Ufoo"},
+	{"-Wp,-Dfoo1"},
+	{"-Wp,-Ufoo1"},
 	{"-fobjc-arc"},
 	{"-fno-objc-arc"},
 	{"-fomit-frame-pointer"},
@@ -78,6 +81,8 @@ var badCompilerFlags = [][]string{
 	{"-O@1"},
 	{"-Wa,-foo"},
 	{"-W@foo"},
+	{"-Wp,-DX,-D@X"},
+	{"-Wp,-UX,-U@X"},
 	{"-g@gdb"},
 	{"-g-gdb"},
 	{"-march=@dawn"},