diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2024-12-11 00:13:39 +0100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2024-12-11 12:21:23 +0100 |
commit | 09478d55fe1a21f8c55902399df84d13867e71be (patch) | |
tree | 2da5e56ad80f2fb0d47b278d1eb1d4ebf9978f92 /pasta.c | |
parent | e24f0262229a1f9c673dca3452ad103cbe06b866 (diff) | |
download | passt-09478d55fe1a21f8c55902399df84d13867e71be.tar passt-09478d55fe1a21f8c55902399df84d13867e71be.tar.gz passt-09478d55fe1a21f8c55902399df84d13867e71be.tar.bz2 passt-09478d55fe1a21f8c55902399df84d13867e71be.tar.lz passt-09478d55fe1a21f8c55902399df84d13867e71be.tar.xz passt-09478d55fe1a21f8c55902399df84d13867e71be.tar.zst passt-09478d55fe1a21f8c55902399df84d13867e71be.zip |
treewide: Dodge dynamic memory allocation in strerror() from glibc > 2.402024_12_11.09478d5
With glibc commit 25a5eb4010df ("string: strerror, strsignal cannot
use buffer after dlmopen (bug 32026)"), strerror() now needs, at least
on x86, the getrandom() and brk() system calls, in order to fill in
the locale-translated error message. But getrandom() and brk() are not
allowed by our seccomp profiles.
This became visible on Fedora Rawhide with the "podman login and
logout" Podman tests, defined at test/e2e/login_logout_test.go in the
Podman source tree, where pasta would terminate upon printing error
descriptions (at least the ones related to the SO_ERROR queue for
spliced connections).
Avoid dynamic memory allocation by calling strerrordesc_np() instead,
which is a GNU function returning a static, untranslated version of
the error description. If it's not available, keep calling strerror(),
which at that point should be simple enough as to be usable (at least,
that's currently the case for musl).
Reported-by: Paul Holzinger <pholzing@redhat.com>
Link: https://github.com/containers/podman/issues/24804
Analysed-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Paul Holzinger <pholzing@redhat.com>
Diffstat (limited to 'pasta.c')
-rw-r--r-- | pasta.c | 22 |
1 files changed, 11 insertions, 11 deletions
@@ -296,7 +296,7 @@ void pasta_ns_conf(struct ctx *c) rc = nl_link_set_flags(nl_sock_ns, 1 /* lo */, IFF_UP, IFF_UP); if (rc < 0) die("Couldn't bring up loopback interface in namespace: %s", - strerror(-rc)); + strerror_(-rc)); /* Get or set MAC in target namespace */ if (MAC_IS_ZERO(c->guest_mac)) @@ -305,7 +305,7 @@ void pasta_ns_conf(struct ctx *c) rc = nl_link_set_mac(nl_sock_ns, c->pasta_ifi, c->guest_mac); if (rc < 0) die("Couldn't set MAC address in namespace: %s", - strerror(-rc)); + strerror_(-rc)); if (c->pasta_conf_ns) { unsigned int flags = IFF_UP; @@ -332,7 +332,7 @@ void pasta_ns_conf(struct ctx *c) if (rc < 0) { die("Couldn't set IPv4 address(es) in namespace: %s", - strerror(-rc)); + strerror_(-rc)); } if (c->ip4.no_copy_routes) { @@ -346,7 +346,7 @@ void pasta_ns_conf(struct ctx *c) if (rc < 0) { die("Couldn't set IPv4 route(s) in guest: %s", - strerror(-rc)); + strerror_(-rc)); } } @@ -355,13 +355,13 @@ void pasta_ns_conf(struct ctx *c) &c->ip6.addr_ll_seen); if (rc < 0) { warn("Can't get LL address from namespace: %s", - strerror(-rc)); + strerror_(-rc)); } rc = nl_addr_set_ll_nodad(nl_sock_ns, c->pasta_ifi); if (rc < 0) { warn("Can't set nodad for LL in namespace: %s", - strerror(-rc)); + strerror_(-rc)); } /* We dodged DAD: re-enable neighbour solicitations */ @@ -382,7 +382,7 @@ void pasta_ns_conf(struct ctx *c) if (rc < 0) { die("Couldn't set IPv6 address(es) in namespace: %s", - strerror(-rc)); + strerror_(-rc)); } if (c->ip6.no_copy_routes) { @@ -397,7 +397,7 @@ void pasta_ns_conf(struct ctx *c) if (rc < 0) { die("Couldn't set IPv6 route(s) in guest: %s", - strerror(-rc)); + strerror_(-rc)); } } } @@ -446,18 +446,18 @@ void pasta_netns_quit_init(const struct ctx *c) return; if ((dir_fd = open(c->netns_dir, O_CLOEXEC | O_RDONLY)) < 0) - die("netns dir open: %s, exiting", strerror(errno)); + die("netns dir open: %s, exiting", strerror_(errno)); if (fstatfs(dir_fd, &s) || s.f_type == DEVPTS_SUPER_MAGIC || s.f_type == PROC_SUPER_MAGIC || s.f_type == SYSFS_MAGIC) try_inotify = false; if (try_inotify && (fd = inotify_init1(flags)) < 0) - warn("inotify_init1(): %s, use a timer", strerror(errno)); + warn("inotify_init1(): %s, use a timer", strerror_(errno)); if (fd >= 0 && inotify_add_watch(fd, c->netns_dir, IN_DELETE) < 0) { warn("inotify_add_watch(): %s, use a timer", - strerror(errno)); + strerror_(errno)); close(fd); fd = -1; } |