virlog: determine the hostname on startup CVE-2018-6764

At later point it might not be possible or even safe to use getaddrinfo(). It can in turn result in a load of NSS module. Notably, on a LXC container startup we may find ourselves with the guest filesystem already having replaced the host one. Loading a NSS module from the guest tree would allow a malicous guest to escape the confinement of its container environment because libvirt will not yet have locked it down.
2025-02-09 13:57:27 +03:00 · 2018-01-27 23:43:58 +01:00 · 2018-01-27 23:43:58 +01:00 · 759b4d1b0f
commit 759b4d1b0f
parent 818a29e0c7
1 changed files with 9 additions and 5 deletions
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@ -64,6 +64,7 @@
 VIR_LOG_INIT("util.log");

 static regex_t *virLogRegex;
+static char *virLogHostname;


 #define VIR_LOG_DATE_REGEX "[0-9]{4}-[0-9]{2}-[0-9]{2}"
@ -271,6 +272,12 @@ virLogOnceInit(void)
            VIR_FREE(virLogRegex);
    }

+    /* We get and remember the hostname early, because at later time
+     * it might not be possible to load NSS modules via getaddrinfo()
+     * (e.g. at container startup the host filesystem will not be
+     * accessible anymore. */
+    virLogHostname = virGetHostnameQuiet();
+
    virLogUnlock();
    return 0;
 }
@ -466,17 +473,14 @@ static int
 virLogHostnameString(char **rawmsg,
                     char **msg)
 {
-    char *hostname = virGetHostnameQuiet();
    char *hoststr;

-    if (!hostname)
+    if (!virLogHostname)
        return -1;

-    if (virAsprintfQuiet(&hoststr, "hostname: %s", hostname) < 0) {
-        VIR_FREE(hostname);
+    if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0) {
        return -1;
    }
-    VIR_FREE(hostname);

    if (virLogFormatString(msg, 0, NULL, VIR_LOG_INFO, hoststr) < 0) {
        VIR_FREE(hoststr);