diff --git a/SOURCES/ovt-Remove-some-dead-code.patch b/SOURCES/ovt-Remove-some-dead-code.patch
new file mode 100644
index 0000000..4370eae
--- /dev/null
+++ b/SOURCES/ovt-Remove-some-dead-code.patch
@@ -0,0 +1,168 @@
+From 626402d0e29e816e46fea97797c02c6264997a6f Mon Sep 17 00:00:00 2001
+From: John Wolfe
+Date: Mon, 8 May 2023 20:15:01 -0700
+Subject: [PATCH] Remove some dead code.
+
+RH-Author: Ani Sinha
+RH-MergeRequest: 22: Remove some dead code.
+RH-Bugzilla: 2215562
+RH-Acked-by: Vitaly Kuznetsov
+RH-Acked-by: Cathy Avery
+RH-Commit: [1/1] f1963d6d390d5f10d827fb3f1057123bb32dda53
+
+Address CVE-2023-20867.
+Remove some authentication types which were deprecated long
+ago and are no longer in use. These are dead code.
+
+cherry-picked from
+https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code-1100-1105.patch
+
+Signed-off-by: Ani Sinha
+---
+ open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
+index c40ad15a..d9b947f6 100644
+--- a/open-vm-tools/services/plugins/vix/vixTools.c
++++ b/open-vm-tools/services/plugins/vix/vixTools.c
+@@ -228,8 +228,6 @@ char *gImpersonatedUsername = NULL;
+ #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication"
+ #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents"
+
+-#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE
+-
+ /*
+ * The switch that controls all APIs
+ */
+@@ -704,9 +702,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
+
+ void GuestAuthUnimpersonate();
+
+-static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
+- const char *typeName);
+-
+ #if SUPPORT_VGAUTH
+
+ VGAuthError TheVGAuthContext(VGAuthContext **ctx);
+@@ -7845,29 +7840,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN
+ userToken);
+ break;
+ }
+- case VIX_USER_CREDENTIAL_ROOT:
+- {
+- if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
+- !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
+- VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
+- /*
+- * Don't accept hashed shared secret if disabled.
+- */
+- g_message("%s: Requested authentication type has been disabled.\n",
+- __FUNCTION__);
+- err = VIX_E_GUEST_AUTHTYPE_DISABLED;
+- goto done;
+- }
+- }
+- // fall through
+-
+- case VIX_USER_CREDENTIAL_CONSOLE_USER:
+- err = VixToolsImpersonateUserImplEx(NULL,
+- credentialType,
+- NULL,
+- loadUserProfile,
+- userToken);
+- break;
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD:
+ case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
+ case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
+@@ -8036,36 +8008,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN
+ }
+ }
+
+- /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- */
+- if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
+- && (thisProcessRunsAsRoot)) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
+- err = VIX_OK;
+- goto abort;
+- }
+-
+- /*
+- * If the VMX asks to be root, then we allow them.
+- * The VMX will make sure that only it will pass this value in,
+- * and only when the VM and host are configured to allow this.
+- *
+- * XXX This has been deprecated XXX
+- */
+- if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
+- && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
+- *userToken = PROCESS_CREATOR_USER_TOKEN;
+-
+- gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
+- err = VIX_OK;
+- goto abort;
+- }
+-
+ /*
+ * If the VMX asks us to run commands in the context of the current
+ * user, make sure that the user who requested the command is the
+@@ -10755,50 +10697,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN
+ }
+
+
+-/*
+- *-----------------------------------------------------------------------------
+- *
+- * VixToolsCheckIfAuthenticationTypeEnabled --
+- *
+- * Checks to see if a given authentication type has been
+- * disabled via the tools configuration.
+- *
+- * Return value:
+- * TRUE if enabled, FALSE otherwise.
+- *
+- * Side effects:
+- * None
+- *
+- *-----------------------------------------------------------------------------
+- */
+-
+-static Bool
+-VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN
+- const char *typeName) // IN
+-{
+- char authnDisabledName[64]; // Authentication..disabled
+- gboolean disabled;
+-
+- Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
+- VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
+- typeName);
+-
+- ASSERT(confDictRef != NULL);
+-
+- /*
+- * XXX Skip doing the strcmp() to verify the auth type since we only
+- * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
+- * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
+- */
+- disabled = VixTools_ConfigGetBoolean(confDictRef,
+- VIX_TOOLS_CONFIG_API_GROUPNAME,
+- authnDisabledName,
+- VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
+-
+- return !disabled;
+-}
+-
+-
+ /*
+ *-----------------------------------------------------------------------------
+ *
+--
+2.37.3
+
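Review bot: Removing the `VIX_USER_CREDENTIAL_ROOT` and `VIX_USER_CREDENTIAL_CONSOLE_USER` cases from the switch in `VixToolsImpersonateUser` leaves rejection of those credential types to whatever the switch's default branch does, and that branch is outside the hunk. Since this is the CVE-2023-20867 fix, it is worth confirming that the default path sets an error and leaves `*userToken` unset, and recording the intent next to the remaining cases, for example `/* ROOT and CONSOLE_USER credential types are no longer accepted; they must fall to the error path. */`. The first hunk keeps `#define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS` although its only use visible in this patch is deleted, so the macro may now be unused. In `VixToolsImpersonateUserImplEx`, `allowConsoleUserOps` is referenced only in a removed condition within the lines shown and may likewise be left without a reader.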
diff --git a/SOURCES/ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch b/SOURCES/ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch
new file mode 100644
index 0000000..31628a1
--- /dev/null
+++ b/SOURCES/ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch
@@ -0,0 +1,218 @@
+From 88826c7f64f3180711943b5311c4414d4b1dc1d1 Mon Sep 17 00:00:00 2001
+From: Katy Feng
+Date: Tue, 17 Jan 2023 19:08:33 -0800
+Subject: [PATCH] Track Linux filesystem id (FSID) for quiesced (frozen)
+ filesystems
+
+RH-Author: Ani Sinha
+RH-MergeRequest: 14: Track Linux filesystem id (FSID) for quiesced (frozen) filesystems
+RH-Bugzilla: 1880404 1994590
+RH-Acked-by: Cathy Avery
+RH-Commit: [1/1] c4ed73561eba36e7112cf96384f0c28f28489934
+
+Tracking the filesystem FSID along with each file descriptor (FD)
+as the ioctl FIFREEZE is done. An EBUSY could be seen because of
+an attempt to freeze the same superblock more than once depending
+on the OS configuration (e.g. usage of bind mounts). An EBUSY could
+also mean another process has locked or frozen that filesystem.
+
+When an EBUSY is received, the filesyste FSID is checked against the
+list of filesystems that have already be quiesced. If not previously
+seen, a warning that the filesystem is controlled by another process
+is logged and the quiesced snapshot request will be rejected.
+
+(cherry picked from commit 9d458c53a7a656d4d1ba3a28d090cce82ac4af0e)
+Signed-off-by: Ani Sinha
+---
+ .../lib/syncDriver/syncDriverLinux.c | 112 +++++++++++++++---
+ 1 file changed, 96 insertions(+), 16 deletions(-)
+
+diff --git a/open-vm-tools/lib/syncDriver/syncDriverLinux.c b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+index eef65a2e..6d9a3568 100644
+--- a/open-vm-tools/lib/syncDriver/syncDriverLinux.c
++++ b/open-vm-tools/lib/syncDriver/syncDriverLinux.c
+@@ -1,5 +1,5 @@
+ /*********************************************************
+- * Copyright (C) 2011-2018 VMware, Inc. All rights reserved.
++ * Copyright (C) 2011-2018, 2023 VMware, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -32,6 +32,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "debug.h"
+ #include "dynbuf.h"
+ #include "syncDriverInt.h"
+@@ -43,12 +44,53 @@
+ #endif
+
+
++
++typedef struct LinuxFsInfo {
++ int fd;
++ fsid_t fsid;
++} LinuxFsInfo;
++
+ typedef struct LinuxDriver {
+ SyncHandle driver;
+ size_t fdCnt;
+- int *fds;
++ LinuxFsInfo *fds;
+ } LinuxDriver;
+
++static
++const fsid_t MISSING_FSID = {};
++
++
++/*
++ *******************************************************************************
++ * LinuxFiFsIdMatch --
++ *
++ * Check the collection of filesystems previously frozen for the specific
++ * FSID.
++ *
++ * @param[in] fds List of LinuxFsInfo data for filesystems previously
++ * frozen.
++ * @param[in] count Number of fds in the list.
++ * @param[in] nfsid The Filesystem ID of interest.
++ *
++ * @return TRUE if the FSID matches one previously processed. Otherwise FALSE
++ *
++ *******************************************************************************
++ */
++
++static Bool
++LinuxFiFsIdMatch(const LinuxFsInfo *fds,
++ const size_t count,
++ const fsid_t *nfsid) {
++ size_t i;
++
++ for (i = 0; i < count; i++) {
++ if (fds[i].fsid.__val[0] == nfsid->__val[0] &&
++ fds[i].fsid.__val[1] == nfsid->__val[1]) {
++ return TRUE;
++ }
++ }
++ return FALSE;
++}
+
+ /*
+ *******************************************************************************
+@@ -75,9 +117,11 @@ LinuxFiThaw(const SyncDriverHandle handle)
+ * Thaw in the reverse order of freeze
+ */
+ for (i = sync->fdCnt; i > 0; i--) {
+- Debug(LGPFX "Thawing fd=%d.\n", sync->fds[i-1]);
+- if (ioctl(sync->fds[i-1], FITHAW) == -1) {
+- Debug(LGPFX "Thaw failed for fd=%d.\n", sync->fds[i-1]);
++ int fd = sync->fds[i-1].fd;
++
++ Debug(LGPFX "Thawing fd=%d.\n", fd);
++ if (ioctl(fd, FITHAW) == -1) {
++ Debug(LGPFX "Thaw failed for fd=%d.\n", fd);
+ err = SD_ERROR;
+ }
+ }
+@@ -108,8 +152,10 @@ LinuxFiClose(SyncDriverHandle handle)
+ * Close in the reverse order of open
+ */
+ for (i = sync->fdCnt; i > 0; i--) {
+- Debug(LGPFX "Closing fd=%d.\n", sync->fds[i-1]);
+- close(sync->fds[i-1]);
++ int fd = sync->fds[i-1].fd;
++
++ Debug(LGPFX "Closing fd=%d.\n", fd);
++ close(fd);
+ }
+ free(sync->fds);
+ free(sync);
+@@ -196,8 +242,11 @@ LinuxDriver_Freeze(const GSList *paths,
+ */
+ while (paths != NULL) {
+ int fd;
++ LinuxFsInfo fsInfo;
+ struct stat sbuf;
++ struct statfs fsbuf;
+ const char *path = paths->data;
++
+ Debug(LGPFX "opening path '%s'.\n", path);
+ paths = g_slist_next(paths);
+ fd = open(path, O_RDONLY);
+@@ -258,23 +307,53 @@ LinuxDriver_Freeze(const GSList *paths,
+ continue;
+ }
+
++ if (fstatfs(fd, &fsbuf) == 0) {
++ fsInfo.fsid = fsbuf.f_fsid;
++ } else {
++ Debug(LGPFX "failed to get file system id for path '%s'.\n", path);
++ fsInfo.fsid = MISSING_FSID;
++ }
+ Debug(LGPFX "freezing path '%s' (fd=%d).\n", path, fd);
+ if (ioctl(fd, FIFREEZE) == -1) {
+ int ioctlerr = errno;
++
++ close(fd);
++ Debug(LGPFX "freeze on '%s' returned: %d (%s)\n",
++ path, ioctlerr, strerror(ioctlerr));
++ /*
++ * Previously, an EBUSY error was ignored, assuming that we may try
++ * to freeze the same superblock more than once depending on the
++ * OS configuration (e.g., usage of bind mounts).
++ * Using the filesystem Id to check if this is a filesystem that we
++ * have seen previously and will ignore this FD only if that is
++ * the case. Log a warning otherwise since the quiesced snapshot
++ * attempt will fail.
++ */
++ if (ioctlerr == EBUSY) {
++ if (LinuxFiFsIdMatch(DynBuf_Get(&fds),
++ DynBuf_GetSize(&fds),
++ &fsInfo.fsid)) {
++ /*
++ * We have previous knowledge of this file system by another
++ * mount point. Safe to ignore.
++ */
++ Debug(LGPFX "skipping path '%s' - previously frozen", path);
++ continue;
++ }
++ /*
++ * It appears that this FS has been locked or frozen by another
++ * process. We cannot proceed with the quiesced snapshot request.
++ */
++ Warning(LGPFX "'%s' appears locked or frozen by another process. "
++ "Cannot complete the quiesced snapshot request.\n", path);
++ }
+ /*
+ * If the ioctl does not exist, Linux will return ENOTTY. If it's not
+ * supported on the device, we get EOPNOTSUPP. Ignore the latter,
+ * since freezing does not make sense for all fs types, and some
+ * Linux fs drivers may not have been hooked up in the running kernel.
+- *
+- * Also ignore EBUSY since we may try to freeze the same superblock
+- * more than once depending on the OS configuration (e.g., usage of
+- * bind mounts).
+ */
+- close(fd);
+- Debug(LGPFX "freeze on '%s' returned: %d (%s)\n",
+- path, ioctlerr, strerror(ioctlerr));
+- if (ioctlerr != EBUSY && ioctlerr != EOPNOTSUPP) {
++ if (ioctlerr != EOPNOTSUPP) {
+ Debug(LGPFX "failed to freeze '%s': %d (%s)\n",
+ path, ioctlerr, strerror(ioctlerr));
+ err = first && ioctlerr == ENOTTY ?
SD_UNAVAILABLE : SD_ERROR; +@@ -282,7 +361,8 @@ LinuxDriver_Freeze(const GSList *paths, + } + } else { + Debug(LGPFX "successfully froze '%s' (fd=%d).\n", path, fd); +- if (!DynBuf_Append(&fds, &fd, sizeof fd)) { ++ fsInfo.fd = fd; ++ if (!DynBuf_Append(&fds, &fsInfo, sizeof fsInfo)) { + if (ioctl(fd, FITHAW) == -1) { + Warning(LGPFX "failed to thaw '%s': %d (%s)\n", + path, errno, strerror(errno)); +-- +2.39.1 + diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec index fee2dcd..aaa49c5 100644 --- a/SPECS/open-vm-tools.spec +++ b/SPECS/open-vm-tools.spec @@ -28,7 +28,7 @@ Name: open-vm-tools Version: %{toolsversion} -Release: 3%{?dist}.4 +Release: 3%{?dist}.6 Summary: Open Virtual Machine Tools for virtual machines hosted on VMware Group: Applications/System License: GPLv2 @@ -40,7 +40,7 @@ Source3: run-vmblock\x2dfuse.mount Source4: open-vm-tools.conf Source5: vmtoolsd.pam -ExclusiveArch: x86_64 %{ix86} +ExclusiveArch: x86_64 Patch0002: 0002-Fix-RELRO-flag.patch # For bz#1809753 - [ESXi][RHEL7.9]open-vm-tools add appinfo plugin patch @@ -55,6 +55,11 @@ Patch6: ovt-Rectify-a-log-spew-in-vmsvc-logging-vmware-vmsvc-roo.patch Patch7: ovt-Fix-memory-leaks-in-guestInfo-diskInfo.c.patch # For bz#2119310 - CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual machine [rhel-7.9.z] Patch8: ovt-Properly-check-authorization-on-incoming-guestOps-re.patch +# For bz#1880404 - [ESXi] [RHEL7] vmtoolsd task is blocked in the uninterruptible state while attempting to delete (unlink) the file 'quiesce_manifest.xml' +# For bz#1994590 - [ESXi][RHEL7.9][open-vm-tools] Snapshot of the RHEL7 guest on the VMWare ESXi hypervisor failed vm hangs +Patch9: ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch +# For bz#2215562 - [CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-7] +Patch10: ovt-Remove-some-dead-code.patch BuildRequires: autoconf BuildRequires: automake 
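Review bot: In the syncDriverLinux.c patch, the EBUSY branch of `LinuxDriver_Freeze` passes `DynBuf_GetSize(&fds)` as the `count` argument of `LinuxFiFsIdMatch`, which indexes `fds[i]` as `LinuxFsInfo` elements; entries are appended with `sizeof fsInfo` bytes each, so if `DynBuf_GetSize` returns a byte length (as that append call suggests) the loop reads past the end of the buffer. The call should pass an element count, `DynBuf_GetSize(&fds) / sizeof(LinuxFsInfo)`. The statement that later derives `sync->fdCnt` from the same DynBuf lies outside these hunks and is not touched by the patch; it needs the same element size, otherwise `LinuxFiThaw` and `LinuxFiClose` would walk more entries than were stored. Separately, an `fstatfs` failure stores the all-zero `MISSING_FSID`, which can match another zero entry and cause a filesystem frozen by another process to be skipped as previously frozen; `LinuxFiFsIdMatch` should return FALSE when `nfsid` is zero, e.g. `if (nfsid->__val[0] == 0 && nfsid->__val[1] == 0) return FALSE;`.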
@@ -335,6 +340,18 @@ fi %{_bindir}/vmware-vgauth-smoketest %changelog +* Mon Jun 26 2023 Jon Maloy - 11.0.5-3.el7_9.6 +- ovt-Remove-some-dead-code.patch [bz#2215562] +- Resolves: bz#2215562 + ([CISA Major Incident] CVE-2023-20867 open-vm-tools: authentication bypass vulnerability in the vgauth module [rhel-7]) + +* Wed May 24 2023 Miroslav Rezanina - 11.0.5-3.el7_9.5 +- ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch [bz#1880404 bz#1994590] +- Resolves: bz#1880404 + ([ESXi] [RHEL7] vmtoolsd task is blocked in the uninterruptible state while attempting to delete (unlink) the file 'quiesce_manifest.xml') +- Resolves: bz#1994590 + ([ESXi][RHEL7.9][open-vm-tools] Snapshot of the RHEL7 guest on the VMWare ESXi hypervisor failed vm hangs) + * Fri Sep 02 2022 Jon Maloy - 11.0.5-3.el7_9.4 - ovt-Properly-check-authorization-on-incoming-guestOps-re.patch [bz#2119310] - Resolves: bz#2119310