open-vm-tools: Security fixes CVE-2023-34059

CVE-2023-34059: open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34059 Patch from: https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch/CVE-2023-34059.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-06-13 17:39:57 +00:00 · 2024-10-28 16:47:41 +08:00
parent 33eb562e38
commit 5782095b7b
2 changed files with 189 additions and 0 deletions
@@ -0,0 +1,188 @@
+From 2011181cbe60b256ced8d28daf7b704e8613467c Mon Sep 17 00:00:00 2001
+From: John Wolfe <jwolfe@vmware.com>
+Date: Wed, 18 Oct 2023 09:11:54 -0700
+Subject: [PATCH] Address CVE-2023-34059
+
+Fix file descriptor vulnerability in the open-vm-tools
+   vmware-user-suid-wrapper on Linux.
+ - Moving the privilege drop logic (dropping privilege to the real uid
+   and gid of the process for the vmusr service) from suidWrapper to
+   vmtoolsd code.
+
+CVE: CVE-2023-34059
+
+Upstream-Status: Backport
+[https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch/CVE-2023-34059.patch]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ open-vm-tools/services/vmtoolsd/mainPosix.c   | 76 +++++++++++++++++++++++++++
+ open-vm-tools/vmware-user-suid-wrapper/main.c | 26 ++-------
+ 2 files changed, 79 insertions(+), 23 deletions(-)
+
+diff --git a/open-vm-tools/services/vmtoolsd/mainPosix.c b/open-vm-tools/services/vmtoolsd/mainPosix.c
+index fd2667c..8b46979 100644
+--- a/open-vm-tools/services/vmtoolsd/mainPosix.c
+++ b/open-vm-tools/services/vmtoolsd/mainPosix.c
+@@ -28,10 +28,12 @@
+ #include <signal.h>
+ #include <string.h>
+ #include <unistd.h>
+#include <fcntl.h>
+ #include <glib/gstdio.h>
+ #include "file.h"
+ #include "guestApp.h"
+ #include "hostinfo.h"
+#include "su.h"
+ #include "system.h"
+ #include "unicode.h"
+ #include "util.h"
+@@ -155,6 +157,59 @@ ToolsCoreWorkAroundLoop(ToolsServiceState *state,
+ 
+ 
+ /**
+ * Tools function to set close-on-exec flg for the fd.
+ *
+ * @param[in] fd   open file descriptor.
+ *
+ * @return TRUE on success, FALSE otherwise.
+ */
+
+static gboolean
+ToolsSetCloexecFlag(int fd)
+{
+   int flags;
+
+   if (fd == -1) {
+      /* fd is not present, no need to manipulate */
+      return TRUE;
+   }
+
+   flags = fcntl(fd, F_GETFD, 0);
+   if (flags < 0) {
+      g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno);
+      return FALSE;
+   }
+   flags |= FD_CLOEXEC;
+   if (fcntl(fd, F_SETFD, flags) < 0) {
+      g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno);
+      return FALSE;
+   }
+
+   return TRUE;
+}
+
+
+/**
+ * Tools function to close the fds.
+ */
+
+static void
+ToolsCloseFds(void)
+{
+   if (gState.ctx.blockFD != -1) {
+      close(gState.ctx.blockFD);
+   }
+
+   /*
+    * uinputFD will be available only for wayland.
+    */
+   if (gState.ctx.uinputFD != -1) {
+      close(gState.ctx.uinputFD);
+   }
+}
+
+
+/**
+  * Tools daemon entry function.
+  *
+  * @param[in] argc   Argument count.
+@@ -210,6 +265,27 @@ main(int argc,
+    g_free(argvCopy);
+    argvCopy = NULL;
+ 
+   /*
+    * Drops privilege to the real uid and gid of the process
+    * for the "vmusr" service.
+    */
+   if (TOOLS_IS_USER_SERVICE(&gState)) {
+      uid_t uid = getuid();
+      gid_t gid = getgid();
+
+      if ((Id_SetREUid(uid, uid) != 0) ||
+          (Id_SetREGid(gid, gid) != 0)) {
+         g_printerr("could not drop privileges: %s", strerror(errno));
+         ToolsCloseFds();
+         goto exit;
+      }
+      if (!ToolsSetCloexecFlag(gState.ctx.blockFD) ||
+          !ToolsSetCloexecFlag(gState.ctx.uinputFD)) {
+         ToolsCloseFds();
+         goto exit;
+      }
+   }
+
+    if (gState.pidFile != NULL) {
+       /*
+        * If argv[0] is not an absolute path, make it so; all other path
+diff --git a/open-vm-tools/vmware-user-suid-wrapper/main.c b/open-vm-tools/vmware-user-suid-wrapper/main.c
+index e9d7e50..a19af53 100644
+--- a/open-vm-tools/vmware-user-suid-wrapper/main.c
+++ b/open-vm-tools/vmware-user-suid-wrapper/main.c
+@@ -156,8 +156,7 @@ MaskSignals(void)
+  *
+  *    Obtains the library directory from the Tools locations database, then
+  *    opens a file descriptor (while still root) to add and remove blocks,
+- *    drops privilege to the real uid of this process, and finally starts
+- *    vmware-user.
+ *    and finally starts vmware-user.
+  *
+  * Results:
+  *    Parent: TRUE on success, FALSE on failure.
+@@ -173,8 +172,6 @@ static Bool
+ StartVMwareUser(char *const envp[])
+ {
+    pid_t pid;
+-   uid_t uid;
+-   gid_t gid;
+    int blockFd = -1;
+    char blockFdStr[8];
+    int uinputFd = -1;
+@@ -191,8 +188,8 @@ StartVMwareUser(char *const envp[])
+    }
+ 
+    /*
+-    * Now create a child process, obtain a file descriptor as root, downgrade
+-    * privilege, and run vmware-user.
+    * Now create a child process, obtain a file descriptor as root and
+    * run vmware-user.
+     */
+    pid = fork();
+    if (pid == -1) {
+@@ -229,23 +226,6 @@ StartVMwareUser(char *const envp[])
+       }
+    }
+ 
+-   uid = getuid();
+-   gid = getgid();
+-
+-   if ((setreuid(uid, uid) != 0) ||
+-       (setregid(gid, gid) != 0)) {
+-      Error("could not drop privileges: %s\n", strerror(errno));
+-      if (blockFd != -1) {
+-         close(blockFd);
+-      }
+-      if (useWayland) {
+-         if (uinputFd != -1) {
+-            close(uinputFd);
+-         }
+-      }
+-      return FALSE;
+-   }
+-
+    /*
+     * Since vmware-user provides features that don't depend on vmblock, we
+     * invoke vmware-user even if we couldn't obtain a file descriptor or we
+-- 
+2.6.2
+
@@ -48,6 +48,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste
           file://CVE-2023-20867.patch;patchdir=.. \
           file://CVE-2023-20900.patch;patchdir=.. \
           file://CVE-2023-34058.patch;patchdir=.. \
+           file://CVE-2023-34059.patch;patchdir=.. \
           "

 UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)"