diff --git a/SOURCES/ovt-Don-t-accept-tokens-with-unrelated-certs.patch b/SOURCES/ovt-Don-t-accept-tokens-with-unrelated-certs.patch new file mode 100644 index 0000000..45d8b7d --- /dev/null +++ b/SOURCES/ovt-Don-t-accept-tokens-with-unrelated-certs.patch @@ -0,0 +1,267 @@ +From c1be13f4eb5b3d24a273b6c8c9ca5421dcfac87b Mon Sep 17 00:00:00 2001 +From: Katy Feng +Date: Tue, 17 Oct 2023 15:24:48 -0700 +Subject: [PATCH 1/2] Don't accept tokens with unrelated certs + +RH-Author: Ani Sinha +RH-MergeRequest: 41: Don't accept tokens with unrelated certs +RH-Jira: RHEL-14642 +RH-Acked-by: Vitaly Kuznetsov +RH-Commit: [1/1] e1be40a04b53412393050e1e6106e8edad8b1716 + +If a SAML token has a cert that's not a part of a chain, +fail the token as invalid. + +CVE-2023-34058 +(cherry picked from commit 1bfe23d728b74e08f4f65cd9b0093ca73937003a) +--- + open-vm-tools/vgauth/common/certverify.c | 147 +++++++++++++++++- + open-vm-tools/vgauth/common/certverify.h | 6 +- + open-vm-tools/vgauth/common/prefs.h | 4 +- + .../vgauth/serviceImpl/saml-xmlsec1.c | 14 ++ + 4 files changed, 168 insertions(+), 3 deletions(-) + +diff --git a/open-vm-tools/vgauth/common/certverify.c b/open-vm-tools/vgauth/common/certverify.c +index db280e91..b84ebc7d 100644 +--- a/open-vm-tools/vgauth/common/certverify.c ++++ b/open-vm-tools/vgauth/common/certverify.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016,2018-2019 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2016, 2018-2019, 2021-2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -893,3 +893,148 @@ done: + + return err; + } ++ ++ ++/* ++ * Finds a cert with a subject (if checkSubj is set) or issuer (if ++ * checkSUbj is unset), matching 'val' in the list ++ * of certs. Returns a match or NULL. ++ */ ++ ++static X509 * ++FindCert(GList *cList, ++ X509_NAME *val, ++ int checkSubj) ++{ ++ GList *l; ++ X509 *c; ++ X509_NAME *v; ++ ++ l = cList; ++ while (l != NULL) { ++ c = (X509 *) l->data; ++ if (checkSubj) { ++ v = X509_get_subject_name(c); ++ } else { ++ v = X509_get_issuer_name(c); ++ } ++ if (X509_NAME_cmp(val, v) == 0) { ++ return c; ++ } ++ l = l->next; ++ } ++ return NULL; ++} ++ ++ ++/* ++ ****************************************************************************** ++ * CertVerify_CheckForUnrelatedCerts -- */ /** ++ * ++ * Looks over a list of certs. If it finds that they are not all ++ * part of the same chain, returns failure. ++ * ++ * @param[in] numCerts The number of certs in the chain. ++ * @param[in] pemCerts The chain of certificates to verify. ++ * ++ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found. ++ * ++ ****************************************************************************** ++ */ ++ ++VGAuthError ++CertVerify_CheckForUnrelatedCerts(int numCerts, ++ const char **pemCerts) ++{ ++ VGAuthError err = VGAUTH_E_FAIL; ++ int chainLen = 0; ++ int i; ++ X509 **certs = NULL; ++ GList *rawList = NULL; ++ X509 *baseCert; ++ X509 *curCert; ++ X509_NAME *subject; ++ X509_NAME *issuer; ++ ++ /* common single cert case; nothing to do */ ++ if (numCerts == 1) { ++ return VGAUTH_E_OK; ++ } ++ ++ /* convert all PEM to X509 objects */ ++ certs = g_malloc0(numCerts * sizeof(X509 *)); ++ for (i = 0; i < numCerts; i++) { ++ certs[i] = CertStringToX509(pemCerts[i]); ++ if (NULL == certs[i]) { ++ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__); ++ goto done; ++ } ++ } ++ ++ /* choose the cert to start the chain. shouldn't matter which */ ++ baseCert = certs[0]; ++ ++ /* put the rest into a list */ ++ for (i = 1; i < numCerts; i++) { ++ rawList = g_list_append(rawList, certs[i]); ++ } ++ ++ /* now chase down to a leaf, looking for certs the baseCert issued */ ++ subject = X509_get_subject_name(baseCert); ++ while ((curCert = FindCert(rawList, subject, 0)) != NULL) { ++ /* pull it from the list */ ++ rawList = g_list_remove(rawList, curCert); ++ /* set up the next find */ ++ subject = X509_get_subject_name(curCert); ++ } ++ ++ /* ++ * walk up to the root cert, by finding a cert where the ++ * issuer equals the subject of the current ++ */ ++ issuer = X509_get_issuer_name(baseCert); ++ while ((curCert = FindCert(rawList, issuer, 1)) != NULL) { ++ /* pull it from the list */ ++ rawList = g_list_remove(rawList, curCert); ++ /* set up the next find */ ++ issuer = X509_get_issuer_name(curCert); ++ } ++ ++ /* ++ * At this point, anything on the list should be certs that are not part ++ * of the chain that includes the original 'baseCert'. ++ * ++ * For a valid token, the list should be empty. ++ */ ++ chainLen = g_list_length(rawList); ++ if (chainLen != 0 ) { ++ GList *l; ++ ++ g_warning("%s: %d unrelated certs found in list\n", ++ __FUNCTION__, chainLen); ++ ++ /* debug helper */ ++ l = rawList; ++ while (l != NULL) { ++ X509* c = (X509 *) l->data; ++ char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0); ++ ++ g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s); ++ free(s); ++ l = l->next; ++ } ++ ++ goto done; ++ } ++ ++ g_debug("%s: Success! no unrelated certs found\n", __FUNCTION__); ++ err = VGAUTH_E_OK; ++ ++done: ++ g_list_free(rawList); ++ for (i = 0; i < numCerts; i++) { ++ X509_free(certs[i]); ++ } ++ g_free(certs); ++ return err; ++} +diff --git a/open-vm-tools/vgauth/common/certverify.h b/open-vm-tools/vgauth/common/certverify.h +index 3fe1bcb4..228c143c 100644 +--- a/open-vm-tools/vgauth/common/certverify.h ++++ b/open-vm-tools/vgauth/common/certverify.h +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved. ++ * Copyright (C) 2011-2016, 2020, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -66,6 +66,10 @@ VGAuthError CertVerify_CheckSignatureUsingCert(VGAuthHashAlg hash, + size_t signatureLen, + const unsigned char *signature); + ++ ++VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts, ++ const char **pemCerts); ++ + gchar * CertVerify_StripPEMCert(const gchar *pemCert); + + gchar * CertVerify_CertToX509String(const gchar *pemCert); +diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h +index ff116928..6c58f3f4 100644 +--- a/open-vm-tools/vgauth/common/prefs.h ++++ b/open-vm-tools/vgauth/common/prefs.h +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2019 VMware, Inc. All rights reserved. ++ * Copyright (C) 2011-2019,2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -136,6 +136,8 @@ msgCatalog = /etc/vmware-tools/vgauth/messages + #define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir" + /** The number of seconds slack allowed in either direction in SAML token date checks. */ + #define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment" ++/** If unrelated certificates are allowed in a SAML token */ ++#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts" + + /** Ticket group name. */ + #define VGAUTH_PREF_GROUP_NAME_TICKET "ticket" +diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +index 57db3b88..1c3e96e7 100644 +--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c ++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +@@ -47,6 +47,7 @@ + #include "vmxlog.h" + + static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS; ++static gboolean gAllowUnrelatedCerts = FALSE; + static xmlSchemaPtr gParsedSchemas = NULL; + static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL; + +@@ -313,6 +314,10 @@ LoadPrefs(void) + VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS); + Log("%s: Allowing %d of clock skew for SAML date validation\n", + __FUNCTION__, gClockSkewAdjustment); ++ gAllowUnrelatedCerts = Pref_GetBool(gPrefs, ++ VGAUTH_PREF_ALLOW_UNRELATED_CERTS, ++ VGAUTH_PREF_GROUP_NAME_SERVICE, ++ FALSE); + } + + +@@ -1525,6 +1530,15 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText, + return VGAUTH_E_AUTHENTICATION_DENIED; + } + ++ if (!gAllowUnrelatedCerts) { ++ err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain); ++ if (err != VGAUTH_E_OK) { ++ VMXLog_Log(VMXLOG_LEVEL_WARNING, ++ "Unrelated certs found in SAML token, failing\n"); ++ return VGAUTH_E_AUTHENTICATION_DENIED; ++ } ++ } ++ + subj.type = SUBJECT_TYPE_NAMED; + subj.name = *subjNameOut; + err = ServiceVerifyAndCheckTrustCertChainForSubject(num, +-- +2.39.3 + diff --git a/SOURCES/ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch b/SOURCES/ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch new file mode 100644 index 0000000..2ab807a --- /dev/null +++ b/SOURCES/ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch @@ -0,0 +1,209 @@ +From e79672890799f6ed4dcfb44a4346489c9f3ea6e3 Mon Sep 17 00:00:00 2001 +From: Katy Feng +Date: Tue, 17 Oct 2023 15:24:48 -0700 +Subject: [PATCH 2/2] File descriptor vulnerability in the open-vm-tools + vmware-user-suid-wrapperx + +RH-Author: Ani Sinha +RH-MergeRequest: 52: File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapperx on Linux +RH-Jira: RHEL-14676 +RH-Acked-by: Vitaly Kuznetsov +RH-Commit: [1/1] c78a1d638849f1589b2f4b8ff1437b0f25bbd19c + +Moving the privilege drop logic (dropping privilege to the real uid and +gid of the process for the vmusr service) from suidWrapper to vmtoolsd code. +Now the vmtoolsd is not executed with dropped privileges (started as setuid +program) and the dumpable attribute of the process is not reset. +The unprivileged user will not have access to the privileged file descriptors +in the vmtoolsd vmusr process. +Also, setting the FD_CLOEXEC flag for both uinputFd and blockFd preventing +the file descriptors being inherited any further from the vmtoolsd. + +CVE-2023-34059 +(cherry picked from commit 63f7c79c4aecb14d37cc4ce9da509419e31d394f) +Signed-off-by: Ani Sinha +--- + open-vm-tools/services/vmtoolsd/mainPosix.c | 78 ++++++++++++++++++- + open-vm-tools/vmware-user-suid-wrapper/main.c | 28 +------ + 2 files changed, 81 insertions(+), 25 deletions(-) + +diff --git a/open-vm-tools/services/vmtoolsd/mainPosix.c b/open-vm-tools/services/vmtoolsd/mainPosix.c +index cfe67984..674d5bda 100644 +--- a/open-vm-tools/services/vmtoolsd/mainPosix.c ++++ b/open-vm-tools/services/vmtoolsd/mainPosix.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2008-2019 VMware, Inc. All rights reserved. ++ * Copyright (c) 2008-2020,2022-2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -28,10 +28,12 @@ + #include + #include + #include ++#include + #include + #include "file.h" + #include "guestApp.h" + #include "hostinfo.h" ++#include "su.h" + #include "system.h" + #include "unicode.h" + #include "util.h" +@@ -153,6 +155,59 @@ ToolsCoreWorkAroundLoop(ToolsServiceState *state, + } + + ++/** ++ * Tools function to set close-on-exec flg for the fd. ++ * ++ * @param[in] fd open file descriptor. ++ * ++ * @return TRUE on success, FALSE otherwise. ++ */ ++ ++static gboolean ++ToolsSetCloexecFlag(int fd) ++{ ++ int flags; ++ ++ if (fd == -1) { ++ /* fd is not present, no need to manipulate */ ++ return TRUE; ++ } ++ ++ flags = fcntl(fd, F_GETFD, 0); ++ if (flags < 0) { ++ g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno); ++ return FALSE; ++ } ++ flags |= FD_CLOEXEC; ++ if (fcntl(fd, F_SETFD, flags) < 0) { ++ g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno); ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ ++ ++/** ++ * Tools function to close the fds. ++ */ ++ ++static void ++ToolsCloseFds(void) ++{ ++ if (gState.ctx.blockFD != -1) { ++ close(gState.ctx.blockFD); ++ } ++ ++ /* ++ * uinputFD will be available only for wayland. ++ */ ++ if (gState.ctx.uinputFD != -1) { ++ close(gState.ctx.uinputFD); ++ } ++} ++ ++ + /** + * Tools daemon entry function. + * +@@ -200,6 +255,27 @@ main(int argc, + g_free(argvCopy); + argvCopy = NULL; + ++ /* ++ * Drops privilege to the real uid and gid of the process ++ * for the "vmusr" service. ++ */ ++ if (TOOLS_IS_USER_SERVICE(&gState)) { ++ uid_t uid = getuid(); ++ gid_t gid = getgid(); ++ ++ if ((Id_SetREUid(uid, uid) != 0) || ++ (Id_SetREGid(gid, gid) != 0)) { ++ g_printerr("could not drop privileges: %s", strerror(errno)); ++ ToolsCloseFds(); ++ goto exit; ++ } ++ if (!ToolsSetCloexecFlag(gState.ctx.blockFD) || ++ !ToolsSetCloexecFlag(gState.ctx.uinputFD)) { ++ ToolsCloseFds(); ++ goto exit; ++ } ++ } ++ + if (gState.pidFile != NULL) { + /* + * If argv[0] is not an absolute path, make it so; all other path +diff --git a/open-vm-tools/vmware-user-suid-wrapper/main.c b/open-vm-tools/vmware-user-suid-wrapper/main.c +index e9d7e508..73ae9b9b 100644 +--- a/open-vm-tools/vmware-user-suid-wrapper/main.c ++++ b/open-vm-tools/vmware-user-suid-wrapper/main.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2007-2018 VMware, Inc. All rights reserved. ++ * Copyright (C) 2007-2018,2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -156,8 +156,7 @@ MaskSignals(void) + * + * Obtains the library directory from the Tools locations database, then + * opens a file descriptor (while still root) to add and remove blocks, +- * drops privilege to the real uid of this process, and finally starts +- * vmware-user. ++ * and finally starts vmware-user. + * + * Results: + * Parent: TRUE on success, FALSE on failure. +@@ -173,8 +172,6 @@ static Bool + StartVMwareUser(char *const envp[]) + { + pid_t pid; +- uid_t uid; +- gid_t gid; + int blockFd = -1; + char blockFdStr[8]; + int uinputFd = -1; +@@ -191,8 +188,8 @@ StartVMwareUser(char *const envp[]) + } + + /* +- * Now create a child process, obtain a file descriptor as root, downgrade +- * privilege, and run vmware-user. ++ * Now create a child process, obtain a file descriptor as root and ++ * run vmware-user. + */ + pid = fork(); + if (pid == -1) { +@@ -229,23 +226,6 @@ StartVMwareUser(char *const envp[]) + } + } + +- uid = getuid(); +- gid = getgid(); +- +- if ((setreuid(uid, uid) != 0) || +- (setregid(gid, gid) != 0)) { +- Error("could not drop privileges: %s\n", strerror(errno)); +- if (blockFd != -1) { +- close(blockFd); +- } +- if (useWayland) { +- if (uinputFd != -1) { +- close(uinputFd); +- } +- } +- return FALSE; +- } +- + /* + * Since vmware-user provides features that don't depend on vmblock, we + * invoke vmware-user even if we couldn't obtain a file descriptor or we +-- +2.39.3 + diff --git a/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch b/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch new file mode 100644 index 0000000..ba2d12e --- /dev/null +++ b/SOURCES/ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch @@ -0,0 +1,445 @@ +From 5b3562a9f0ea7ab11212639753cdf9064394df92 Mon Sep 17 00:00:00 2001 +From: Katy Feng +Date: Tue, 22 Aug 2023 11:11:42 -0700 +Subject: [PATCH] Provide alternate method to allow (expected) pre-frozen + filesystems when taking a quiesced snapshot. + +RH-Author: Ani Sinha +RH-MergeRequest: 29: Provide alternate method to allow (expected) pre-frozen filesystems when taking a quiesced snapshot. +RH-Bugzilla: 2226921 +RH-Acked-by: Vitaly Kuznetsov +RH-Commit: [1/1] 5582a9588692896258f3711c278e97127e748f67 + +Effective with open-vm-tools 12.2.0, Linux quiesced snapshots will fail if +any filesystem(s) have been prefrozen by other than the vmtoolsd process. +This has been done to assure that filesystems are inactive while the +snapshots are being taken. Some existing prefreeze scripts may be freezing +some filesystem(s). In these cases, the vmtoolsd process must be informed of +anticipated pre-frozen filesystems by providing an "excludedFileSystem" list in +the [vmbackup] section of the tools.conf file. + +This change provides a new switch in the tools.conf file to allow pre-frozen +filesystems to be encountered and accepted when doing a quiesced snapshot +operation. With the default value of "false", the "ignoreFrozenFileSystems" +can be configured with a setting of "true" to notify the quiesced snapshot +operation that pre-frozen filesystems are allowed. + +(cherry picked from commit 60c3a80ddc2b400366ed05169e16a6bed6501da2) +Signed-off-by: Ani Sinha + + Conflicts: + open-vm-tools/services/plugins/vix/foundryToolsDaemon.c + open-vm-tools/services/plugins/vmbackup/syncDriverOps.c + open-vm-tools/tools.conf +--- + open-vm-tools/lib/include/syncDriver.h | 5 ++-- + open-vm-tools/lib/syncDriver/nullDriver.c | 10 ++++--- + open-vm-tools/lib/syncDriver/syncDriverInt.h | 14 ++++++---- + .../lib/syncDriver/syncDriverLinux.c | 25 +++++++++++++---- + .../lib/syncDriver/syncDriverPosix.c | 7 +++-- + open-vm-tools/lib/syncDriver/vmSyncDriver.c | 10 ++++--- + .../services/plugins/vix/foundryToolsDaemon.c | 16 +++++++++-- + .../services/plugins/vmbackup/stateMachine.c | 8 ++++-- + .../services/plugins/vmbackup/syncDriverOps.c | 5 ++-- + .../services/plugins/vmbackup/vmBackupInt.h | 19 ++++++++----- + open-vm-tools/tools.conf | 28 +++++++++++++++++++ + 11 files changed, 109 insertions(+), 38 deletions(-) + +diff --git a/open-vm-tools/lib/include/syncDriver.h b/open-vm-tools/lib/include/syncDriver.h +index 20712f66..8ef229d4 100644 +--- a/open-vm-tools/lib/include/syncDriver.h ++++ b/open-vm-tools/lib/include/syncDriver.h +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2005-2018 VMware, Inc. All rights reserved. ++ * Copyright (c) 2005-2018, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -51,7 +51,8 @@ typedef enum { + Bool SyncDriver_Init(void); + Bool SyncDriver_Freeze(const char *drives, Bool enableNullDriver, + SyncDriverHandle *handle, +- const char *excludedFileSystems); ++ const char *excludedFileSystems, ++ Bool ignoreFrozenFS); + Bool SyncDriver_Thaw(const SyncDriverHandle handle); + SyncDriverStatus SyncDriver_QueryStatus(const SyncDriverHandle handle, + int32 timeout); +diff --git a/open-vm-tools/lib/syncDriver/nullDriver.c b/open-vm-tools/lib/syncDriver/nullDriver.c +index 5e19e208..be96222a 100644 +--- a/open-vm-tools/lib/syncDriver/nullDriver.c ++++ b/open-vm-tools/lib/syncDriver/nullDriver.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -54,8 +54,9 @@ NullDriverClose(SyncDriverHandle handle) + * + * Calls sync(). + * +- * @param[in] paths Unused. +- * @param[out] handle Where to store the operation handle. ++ * @param[in] paths Unused. ++ * @param[out] handle Where to store the operation handle. ++ * @param[in] ignoreFrozenFS Unused. + * + * @return A SyncDriverErr. + * +@@ -64,7 +65,8 @@ NullDriverClose(SyncDriverHandle handle) + + SyncDriverErr + NullDriver_Freeze(const GSList *paths, +- SyncDriverHandle *handle) ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFS) + { + /* + * This is more of a "let's at least do something" than something that +diff --git a/open-vm-tools/lib/syncDriver/syncDriverInt.h b/open-vm-tools/lib/syncDriver/syncDriverInt.h +index 04f37bf2..a5706298 100644 +--- a/open-vm-tools/lib/syncDriver/syncDriverInt.h ++++ b/open-vm-tools/lib/syncDriver/syncDriverInt.h +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2017 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2017, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -41,7 +41,8 @@ typedef enum { + } SyncDriverErr; + + typedef SyncDriverErr (*SyncFreezeFn)(const GSList *paths, +- SyncDriverHandle *handle); ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFs); + + typedef struct SyncHandle { + SyncDriverErr (*thaw)(const SyncDriverHandle handle); +@@ -55,15 +56,18 @@ typedef struct SyncHandle { + #if defined(__linux__) + SyncDriverErr + LinuxDriver_Freeze(const GSList *userPaths, +- SyncDriverHandle *handle); ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFs); + + SyncDriverErr + VmSync_Freeze(const GSList *userPaths, +- SyncDriverHandle *handle); ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFs); + + SyncDriverErr + NullDriver_Freeze(const GSList *userPaths, +- SyncDriverHandle *handle); ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFs); + #endif + + #endif +diff --git a/open-vm-tools/lib/syncDriver/syncDriverLinux.c b/open-vm-tools/lib/syncDriver/syncDriverLinux.c +index 6d9a3568..4581098e 100644 +--- a/open-vm-tools/lib/syncDriver/syncDriverLinux.c ++++ b/open-vm-tools/lib/syncDriver/syncDriverLinux.c +@@ -199,8 +199,9 @@ LinuxFiGetAttr(const SyncDriverHandle handle, // IN (ignored) + * slow when guest is performing significant IO. Therefore, caller should + * consider running this function in a separate thread. + * +- * @param[in] paths List of paths to freeze. +- * @param[out] handle Handle to use for thawing. ++ * @param[in] paths List of paths to freeze. ++ * @param[out] handle Handle to use for thawing. ++ * @param[in] ignoreFrozenFS Switch to allow EBUSY error. + * + * @return A SyncDriverErr. + * +@@ -209,7 +210,8 @@ LinuxFiGetAttr(const SyncDriverHandle handle, // IN (ignored) + + SyncDriverErr + LinuxDriver_Freeze(const GSList *paths, +- SyncDriverHandle *handle) ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFS) + { + ssize_t count = 0; + Bool first = TRUE; +@@ -324,9 +326,12 @@ LinuxDriver_Freeze(const GSList *paths, + * Previously, an EBUSY error was ignored, assuming that we may try + * to freeze the same superblock more than once depending on the + * OS configuration (e.g., usage of bind mounts). +- * Using the filesystem Id to check if this is a filesystem that we +- * have seen previously and will ignore this FD only if that is +- * the case. Log a warning otherwise since the quiesced snapshot ++ * Use the filesystem Id to check if this filesystem has been ++ * handled before and, if so, ignore it. ++ * Alternatively, allow (ignore) the EBUSY if the ++ * "ignoreFrozenFileSystems" switch inside "vmbackup" section of ++ * tools.conf file is TRUE. ++ * Otherwise, log a warning as the quiesced snapshot + * attempt will fail. + */ + if (ioctlerr == EBUSY) { +@@ -339,6 +344,14 @@ LinuxDriver_Freeze(const GSList *paths, + */ + Debug(LGPFX "skipping path '%s' - previously frozen", path); + continue; ++ } else if (ignoreFrozenFS) { ++ /* ++ * Ignores the EBUSY error if the FS has been frozen by another ++ * process and the 'ignoreFrozenFileSystems' setting is ++ * turned on in tools.conf file. ++ */ ++ Debug(LGPFX "Ignoring the frozen filesystem '%s'",path); ++ continue; + } + /* + * It appears that this FS has been locked or frozen by another +diff --git a/open-vm-tools/lib/syncDriver/syncDriverPosix.c b/open-vm-tools/lib/syncDriver/syncDriverPosix.c +index 7b6132ba..27369639 100644 +--- a/open-vm-tools/lib/syncDriver/syncDriverPosix.c ++++ b/open-vm-tools/lib/syncDriver/syncDriverPosix.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2005-2019 VMware, Inc. All rights reserved. ++ * Copyright (c) 2005-2019, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -456,7 +456,8 @@ Bool + SyncDriver_Freeze(const char *userPaths, // IN + Bool enableNullDriver, // IN + SyncDriverHandle *handle, // OUT +- const char *excludedFileSystems) // IN ++ const char *excludedFileSystems, // IN ++ Bool ignoreFrozenFS) // IN + { + GSList *paths = NULL; + SyncDriverErr err = SD_UNAVAILABLE; +@@ -517,7 +518,7 @@ SyncDriver_Freeze(const char *userPaths, // IN + continue; + } + #endif +- err = freezeFn(paths, handle); ++ err = freezeFn(paths, handle, ignoreFrozenFS); + } + + /* +diff --git a/open-vm-tools/lib/syncDriver/vmSyncDriver.c b/open-vm-tools/lib/syncDriver/vmSyncDriver.c +index 2bd0e886..a0d4a315 100644 +--- a/open-vm-tools/lib/syncDriver/vmSyncDriver.c ++++ b/open-vm-tools/lib/syncDriver/vmSyncDriver.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016 VMware, Inc. All rights reserved. ++ * Copyright (c) 2011-2016, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -91,8 +91,9 @@ VmSyncClose(SyncDriverHandle handle) + * Opens a description to the driver's proc node, and if successful, send an + * ioctl to freeze the requested filesystems. + * +- * @param[in] paths List of paths to freeze. +- * @param[out] handle Where to store the handle to use for thawing. ++ * @param[in] paths List of paths to freeze. ++ * @param[out] handle Where to store the handle to use for thawing. ++ * @param[in] ignoreFrozenFS Unused. + * + * @return A SyncDriverErr. + * +@@ -101,7 +102,8 @@ VmSyncClose(SyncDriverHandle handle) + + SyncDriverErr + VmSync_Freeze(const GSList *paths, +- SyncDriverHandle *handle) ++ SyncDriverHandle *handle, ++ Bool ignoreFrozenFS) + { + int file; + Bool first = TRUE; +diff --git a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c +index 99a40a8c..437c90fd 100644 +--- a/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c ++++ b/open-vm-tools/services/plugins/vix/foundryToolsDaemon.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2003-2019 VMware, Inc. All rights reserved. ++ * Copyright (c) 2003-2021, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -544,6 +544,8 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data) + GKeyFile *confDictRef = ctx->config; + Bool enableNullDriver; + GSource *timer; ++ char *excludedFileSystems; ++ Bool ignoreFrozenFS; + + /* + * Parse the arguments +@@ -576,14 +578,22 @@ ToolsDaemonTcloSyncDriverFreeze(RpcInData *data) + goto abort; + } + +- enableNullDriver = VixTools_ConfigGetBoolean(confDictRef, ++ enableNullDriver = VMTools_ConfigGetBoolean(confDictRef, + "vmbackup", + "enableNullDriver", + FALSE); ++ excludedFileSystems = VMTools_ConfigGetString(confDictRef, ++ "vmbackup", ++ "excludedFileSystems", ++ NULL); ++ ignoreFrozenFS = VMTools_ConfigGetBoolean(confDictRef, ++ "vmbackup", ++ "ignoreFrozenFileSystems", ++ FALSE); + + /* Perform the actual freeze. */ + if (!SyncDriver_Freeze(driveList, enableNullDriver, &gSyncDriverHandle, +- NULL) || ++ excludedFileSystems, ignoreFrozenFS) || + SyncDriver_QueryStatus(gSyncDriverHandle, INFINITE) != SYNCDRIVER_IDLE) { + g_warning("%s: Failed to Freeze drives '%s'\n", + __FUNCTION__, driveList); +diff --git a/open-vm-tools/services/plugins/vmbackup/stateMachine.c b/open-vm-tools/services/plugins/vmbackup/stateMachine.c +index 6b422869..9e6f0541 100644 +--- a/open-vm-tools/services/plugins/vmbackup/stateMachine.c ++++ b/open-vm-tools/services/plugins/vmbackup/stateMachine.c +@@ -1024,9 +1024,13 @@ VmBackupStartCommon(RpcInData *data, + #if defined(__linux__) + gBackupState->excludedFileSystems = + VMBACKUP_CONFIG_GET_STR(ctx->config, "excludedFileSystems", NULL); +- g_debug("Using excludedFileSystems = \"%s\"\n", ++ gBackupState->ignoreFrozenFS = ++ VMBACKUP_CONFIG_GET_BOOL(ctx->config, "ignoreFrozenFileSystems", FALSE); ++ ++ g_debug("Using excludedFileSystems = \"%s\", ignoreFrozenFileSystems = %d\n", + (gBackupState->excludedFileSystems != NULL) ? +- gBackupState->excludedFileSystems : "(null)"); ++ gBackupState->excludedFileSystems : "(null)", ++ gBackupState->ignoreFrozenFS); + #endif + g_debug("Quiescing volumes: %s", + (gBackupState->volumes) ? gBackupState->volumes : "(null)"); +diff --git a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c +index 4245feba..d8b635f1 100644 +--- a/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c ++++ b/open-vm-tools/services/plugins/vmbackup/syncDriverOps.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2007-2019 VMware, Inc. All rights reserved. ++ * Copyright (C) 2007-2019, 2021, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -276,7 +276,8 @@ VmBackupNewDriverOp(VmBackupState *state, // IN + useNullDriverPrefs ? + state->enableNullDriver : FALSE, + op->syncHandle, +- state->excludedFileSystems); ++ state->excludedFileSystems, ++ state->ignoreFrozenFS); + break; + case OP_THAW: + op->manifest = SyncNewManifest(state, *op->syncHandle); +diff --git a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h +index 0c912174..65e2e552 100644 +--- a/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h ++++ b/open-vm-tools/services/plugins/vmbackup/vmBackupInt.h +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2008-2019 VMware, Inc. All rights reserved. ++ * Copyright (c) 2008-2019, 2023 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -100,18 +100,22 @@ struct VmBackupSyncCompleter; + * Don't modify the fields directly - rather, use VmBackup_SetCurrentOp, + * which does most of the handling needed by users of the state machine. + * +- * NOTE: The thread for freeze operation modifies currentOp in BackupState +- * which is also accessed by the AsyncCallback driving the state +- * machine (run by main thread). Also, gcc might generate two +- * instructions for writing a 64-bit value. Therefore, protect the +- * access to currentOp and related fields using opLock mutex. ++ * NOTE 1: The thread for freeze operation modifies currentOp in BackupState ++ * which is also accessed by the AsyncCallback driving the state ++ * machine (run by main thread). Also, gcc might generate two ++ * instructions for writing a 64-bit value. Therefore, protect the ++ * access to currentOp and related fields using opLock mutex. ++ * ++ * NOTE 2: Only used by Linux guests, ignored on Windows guests and is ++ * initialized to "false" when the VmBackupState is initialized ++ * at the start of a backup operation. + */ + + typedef struct VmBackupState { + ToolsAppCtx *ctx; + VmBackupOp *currentOp; + const char *currentOpName; +- GMutex opLock; // See note above ++ GMutex opLock; // See note 1 above + char *volumes; + char *snapshots; + guint pollPeriod; +@@ -127,6 +131,7 @@ typedef struct VmBackupState { + Bool allowHWProvider; + Bool execScripts; + Bool enableNullDriver; ++ Bool ignoreFrozenFS; // See note 2 above + Bool needsPriv; + gchar *scriptArg; + guint timeout; +diff --git a/open-vm-tools/tools.conf b/open-vm-tools/tools.conf +index 7c99b4dc..57ad9271 100644 +--- a/open-vm-tools/tools.conf ++++ b/open-vm-tools/tools.conf +@@ -270,11 +270,39 @@ + # including '/' + #excludedFileSystems= + ++ ++# Linux: ++# It is possible that filesystems are being frozen in pre-freeze scripts ++# to control the order in which those specific filesystems are to be frozen. ++# The vmtoolsd process must be informed of all such filesystems with the help ++# of "excludedFileSystems" setting of tools.conf. ++# ++# A temporary workaround is available (starting from 12.3.0) for admins to allow ++# quiesceing operation to succeed until the "excludedFileSystems" list ++# is configured. ++# ++# If another process thaws the file system while a quiescing operation ++# operation is ongoing, the snapshot may be compromised. Once the ++# "excludedFileSystems" list is configured this setting MUST be unset (or set ++# to false). ++# ++# The value of ignoreFrozenFileSystems is a true or false; the default is ++# false. ++# ++# Set to true to ignore pre-frozen file systems during the quiescing operation. ++# ++# ignoreFrozenFileSystems is Linux only (Not supported on Windows). ++#ignoreFrozenFileSystems=false ++ + # Whether to execute scripts on quiescing. + # Scripts are executed from /etc/vmware-tools/backupScripts.d on Linux and + # %installpath%\backupScripts.d on Windows, and the legacy scripts + # "c:\windows\pre-freeze-script.bat" + # "c:\windows\post-thaw-script.bat" ++# execScripts specifies whether to execute scripts as part of the quiescing ++# operation. Scripts are executed from the scripts directory along with the ++# legacy scripts. ++ + # + # Linux: + # "/usr/sbin/pre-freeze-script" +-- +2.41.0 + diff --git a/SPECS/open-vm-tools.spec b/SPECS/open-vm-tools.spec index 0167e5a..8ade38f 100644 --- a/SPECS/open-vm-tools.spec +++ b/SPECS/open-vm-tools.spec @@ -28,7 +28,7 @@ Name: open-vm-tools Version: %{toolsversion} -Release: 3%{?dist}.7 +Release: 3%{?dist}.9 Summary: Open Virtual Machine Tools for virtual machines hosted on VMware Group: Applications/System License: GPLv2 @@ -40,7 +40,7 @@ Source3: run-vmblock\x2dfuse.mount Source4: open-vm-tools.conf Source5: vmtoolsd.pam -ExclusiveArch: x86_64 %{ix86} +ExclusiveArch: x86_64 Patch0002: 0002-Fix-RELRO-flag.patch # For bz#1809753 - [ESXi][RHEL7.9]open-vm-tools add appinfo plugin patch @@ -62,6 +62,12 @@ Patch9: ovt-Track-Linux-filesystem-id-FSID-for-quiesced-frozen-f.patch Patch10: ovt-Remove-some-dead-code.patch # For RHEL-2413 - CVE-2023-20900 open-vm-tools: SAML token signature bypass [rhel-7.9.z] Patch11: ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch +# For bz#2226921 - [RHEL7.9][ESXi]Latest version of open-vm-tools breaks VM backups +Patch12: ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch +# For RHEL-14642 - CVE-2023-34058 open-vm-tools: SAML token signature bypass [rhel-7.9.z] +Patch13: ovt-Don-t-accept-tokens-with-unrelated-certs.patch +# For RHEL-14676 - CVE-2023-34059 open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper [rhel-7.9.z] +Patch14: ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch BuildRequires: autoconf BuildRequires: automake @@ -342,6 +348,19 @@ fi %{_bindir}/vmware-vgauth-smoketest %changelog +* Thu Nov 02 2023 Miroslav Rezanina - 11.0.5-3.el7_9.9 +- ovt-Don-t-accept-tokens-with-unrelated-certs.patch [RHEL-14642] +- ovt-File-descriptor-vulnerability-in-the-open-vm-tools-v.patch [RHEL-14676] +- Resolves: RHEL-14642 + (CVE-2023-34058 open-vm-tools: SAML token signature bypass [rhel-7.9.z]) +- Resolves: RHEL-14676 + (CVE-2023-34059 open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper [rhel-7.9.z]) + +* Thu Sep 28 2023 Jon Maloy - 11.0.5-3.el7_9.8 +- ovt-Provide-alternate-method-to-allow-expected-pre-froze.patch [bz#2226921] +- Resolves: bz#2226921 + ([RHEL7.9][ESXi]Latest version of open-vm-tools breaks VM backups) + * Thu Sep 07 2023 Miroslav Rezanina - 11.0.5-3.el7_9.7 - ovt-VGAuth-Allow-only-X509-certs-to-verify-the-SAML-toke.patch [RHEL-2413] - Resolves: RHEL-2413