]> git.ipfire.org Git - thirdparty/open-vm-tools.git/commitdiff
projects / thirdparty / open-vm-tools.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f433164)
In ServiceLoadFileContentsPosix, in addition to existing checks
authorKruti Pendharkar <kp025370@broadcom.com>
Wed, 24 Dec 2025 05:58:16 +0000 (21:58 -0800)
committerKruti Pendharkar <kp025370@broadcom.com>
Thu, 14 May 2026 02:30:39 +0000 (19:30 -0700)
(size, mode, uid, gid), add verification of modification time,
device, inode to ensure the opened file matches the intended file.

open-vm-tools/configure.ac patch | blob | blame | history
open-vm-tools/vgauth/serviceImpl/alias.c patch | blob | blame | history
open-vm-tools/vgauth/serviceImpl/serviceInt.h patch | blob | blame | history
open-vm-tools/vgauth/test/Makefile.am patch | blob | blame | history

diff --git a/open-vm-tools/configure.ac b/open-vm-tools/configure.ac
index 8ead1dd4b59f432a8325e634449752da792f67dd..91c00575f5f34e5b03e50a44a0c8a6f6cc8bb428 100644 (file)
--- a/open-vm-tools/configure.ac
+++ b/open-vm-tools/configure.ac
@@ -1937,6 +1937,7 @@ AC_CONFIG_FILES([                      \
 
 
 
+
 ###
 ### Output
 ###
diff --git a/open-vm-tools/vgauth/serviceImpl/alias.c b/open-vm-tools/vgauth/serviceImpl/alias.c
index 4551c9b9a746c024ae2faa02f18751530b5ae0ab..2b92f48784b696d7529a05eff315853f7d983c0f 100644 (file)
--- a/open-vm-tools/vgauth/serviceImpl/alias.c
+++ b/open-vm-tools/vgauth/serviceImpl/alias.c
@@ -23,6 +23,11 @@
  *    Functions to support the Alias store.
  */
 
+#ifndef _WIN32
+// Some Linux distributions need this for flag O_NOFOLLOW used in open.
+#define _GNU_SOURCE
+#endif
+
 #include <errno.h>
 #include <glib.h>
 #include <glib/gstdio.h>
@@ -806,16 +811,18 @@ ServiceLoadFileContentsPosix(const gchar *fileName,
       }
    }
 
+
    /*
     * Now open the file.
     */
-   fd = g_open(fileName, O_RDONLY);
+   fd = g_open(fileName, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) {
       Warning("%s: failed to open %s for read (%d)\n",
               __FUNCTION__, fileName, errno);
       return VGAUTH_E_FAIL;
    }
 
+
    /*
     * fstat() to make sure it wasn't changed between the first check
     * and the open().
@@ -832,6 +839,30 @@ ServiceLoadFileContentsPosix(const gchar *fileName,
    /*
     * Now the confidence checks.
     */
+   if (lstatBuf.st_mtime != fstatBuf.st_mtime) {
+      Warning("%s: mtime of %s changed (%ld vs %ld)\n", __FUNCTION__,
+              fileName, lstatBuf.st_mtime, fstatBuf.st_mtime);
+      // XXX audit this?
+      err = VGAUTH_E_FAIL;
+      goto done;
+   }
+
+   if (lstatBuf.st_dev != fstatBuf.st_dev) {
+      Warning("%s: dev of %s changed (%"FMT64"u vs %"FMT64"u)\n", __FUNCTION__,
+              fileName, lstatBuf.st_dev, fstatBuf.st_dev);
+      // XXX audit this?
+      err = VGAUTH_E_FAIL;
+      goto done;
+   }
+
+   if (lstatBuf.st_ino != fstatBuf.st_ino) {
+      Warning("%s: ino of %s changed (%"FMT64"u vs %"FMT64"u)\n", __FUNCTION__,
+              fileName, lstatBuf.st_ino, fstatBuf.st_ino);
+      // XXX audit this?
+      err = VGAUTH_E_FAIL;
+      goto done;
+   }
+
    if (lstatBuf.st_size != fstatBuf.st_size) {
       Warning("%s: size of %s changed (%d vs %d)\n", __FUNCTION__,
               fileName, (int) lstatBuf.st_size, (int) fstatBuf.st_size);
@@ -939,6 +970,7 @@ ServiceLoadFileContents(const gchar *fileName,
 }
 
 
+
 /*
  ******************************************************************************
  * AliasDumpAliases --                                                   */ /**
diff --git a/open-vm-tools/vgauth/serviceImpl/serviceInt.h b/open-vm-tools/vgauth/serviceImpl/serviceInt.h
index 46b31490a6c7d00d15de6b2086126bcdaf169bcb..d42e01f6c40fe7a1cd7afec6a0542340e3105204 100644 (file)
--- a/open-vm-tools/vgauth/serviceImpl/serviceInt.h
+++ b/open-vm-tools/vgauth/serviceImpl/serviceInt.h
@@ -344,6 +344,7 @@ gboolean ServiceAliasIsSubjectEqual(ServiceSubjectType t1,
 gboolean ServiceComparePEMCerts(const gchar *pemCert1,
                                 const gchar *pemCert2);
 
+
 /*
  * Connection functions
  */
diff --git a/open-vm-tools/vgauth/test/Makefile.am b/open-vm-tools/vgauth/test/Makefile.am
index 92259a7553648cdc1e39eeeac9cb5cab99883d58..5f5fdd81aabbb6f65e97faa2a7b5ba9b0181ec91 100644 (file)
--- a/open-vm-tools/vgauth/test/Makefile.am
+++ b/open-vm-tools/vgauth/test/Makefile.am
@@ -1,6 +1,8 @@
 ################################################################################
-### Copyright (C) 2014-2017 VMware, Inc.  All rights reserved.
-###
+### Copyright (C) 2014-2025 Broadcom.  All rights reserved.
+### Broadcom Confidential. The term "Broadcom" refers to Broadcom Inc.
+### and/or its subsidiaries.
+################################################################################
 ### This program is free software; you can redistribute it and/or modify
 ### it under the terms of version 2 of the GNU General Public License as
 ### published by the Free Software Foundation.
@@ -43,3 +45,4 @@ if HAVE_ICU
 else
    vmware_vgauth_smoketest_LINK = $(LINK)
 endif
+
Mirror of https://github.com/vmware/open-vm-tools.git