This is a denial of service security bug, found by Tim Prouty of Isilon.

(17:01:28) tprouty: ok. For an operation such as an unlink that does a createfile, it is possible that createfile will push the message onto the deferred open if it needs to wait for an oplock break.
(17:02:33) tprouty: When the unlink is eventually retried, if it hits any error case along the way that causes it to return before cleaning up the deferred open state inside of open_file_ntcreate, the deferred open won't be removed from the deferred open queue.
(17:02:48) tprouty: And thus the operation will be tried continuously.
(17:04:34) tprouty: The specific case we caught internally (and the one that I wrote a torture test for) is when another client unlinks the file after the first client tried the unlink, but before the first client received the break notification and completed its unlink.
(17:05:20) tprouty: There could presumably be other paths susceptible to this, including rename.

This bug has been assigned the CVE number: CVE-2009-2906.

Jeremy.
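Added example (not Samba code and not Tim's torture test): a toy C model of the deferred-open retry loop described in the IRC log above. The struct and function names (`deferred_t`, `retry_buggy`, `retry_fixed`, `drain_queue`) are invented for this model; it shows that an error return which skips the dequeue leaves the entry on the queue and the loop spinning, while a single cleanup point on every exit path drains it in one pass.

```c
/* Added example (not Samba code): toy model of a deferred-operation queue
 * illustrating the failure mode from the report. All names are invented. */
#include <stdbool.h>

#define MAX_RETRIES 1000   /* guard so the buggy model cannot spin forever */

typedef struct {
    const char *path;
    bool file_exists;   /* constructed: false once another client unlinked it */
    bool queued;        /* entry still sits on the deferred-open queue */
} deferred_t;

/* Simulated retried unlink: fails when the file is already gone. */
static int do_unlink(const deferred_t *d)
{
    return d->file_exists ? 0 : -1;   /* -1 models an object-not-found error */
}

/* Buggy retry: an error return skips the dequeue, so the entry stays queued. */
static int retry_buggy(deferred_t *d)
{
    if (do_unlink(d) != 0) {
        return -1;      /* early return: deferred entry never removed */
    }
    d->queued = false;
    return 0;
}

/* Fixed retry: the entry leaves the queue on every exit path. */
static int retry_fixed(deferred_t *d)
{
    int rc = do_unlink(d);
    d->queued = false;  /* single cleanup point, independent of rc */
    return rc;
}

/* Drive the retry loop; returns iterations needed to drain the queue, or
 * MAX_RETRIES if the entry never left it (the "tried continuously" case). */
int drain_queue(int (*retry)(deferred_t *), deferred_t *d)
{
    int n = 0;
    while (d->queued && n < MAX_RETRIES) {
        n++;
        retry(d);
    }
    return n;
}
```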
Created attachment 4756 [details] Torture test for this bug (not yet finished).
Created attachment 4757 [details] Patch for master.
Created attachment 4758 [details] Patch for v3-4-test
Created attachment 4760 [details] v3-3-test patch. Still needs testing, but should be ok.
Created attachment 4761 [details] v3-2-test patch. Still needs testing, but should be ok.
Created attachment 4762 [details] Patch for 3.0.x. Testing all versions follows....
Confirmed 3.0.x patch works with torture test. Jeremy.
Confirmed 3.2 patch works with torture test. Jeremy.
Confirmed 3.3 works with torture test. As Tim already confirmed 3.4 this patch is ready for all versions once Volker or Metze has reviewed. Jeremy.
Created attachment 4763 [details] Proposal for an advisory
Do we really want to explicitly list the *exact* packet stream that will cause us to spin? :-). I'd prefer to say something like: "An unexpected reply to an oplock break can cause....". Let those who want to create exploits have to read the code :-). Jeremy.
Sure, fine by me. Volker
Created attachment 4767 [details] More opaque advisory :-)
Looks good, thanks. Volker
From reading the patches, they look good. Also the opaque advisory is fine. metze
Fix has been pushed to all branches and is included in 3.0.37, 3.2.15, 3.3.8 and 3.4.2. Closing out bug report.