[OpenAFS-announce] OpenAFS Security Advisory 2007-003: denial of service in OpenAFS fileserver

Derrick J Brashear openafs-info@openafs.org
Thu, 20 Dec 2007 17:00:14 -0500 (EST)

(in the event of line wrap breakage to the signature, a signed copy is 
also available on the OpenAFS web site)
Hash: SHA1

 		OpenAFS Security Advisory 2007-003

Topic: denial of service in OpenAFS fileserver

Issued:	      		 20-Dev-2007
Last Update:		 21-Dec-2007
Affected:		 OpenAFS 1.3.50 - 1.4.5, OpenAFS 1.5.0 - 1.5.27

A user with network access can attack a fileserver via a race condition and
cause it to crash.


The AFS fileserver tracks client callbacks on files via a series of 
linked lists internally. When a client acquires a new callback or gives up
an old one, these lists must be updated.

In OpenAFS 1.3.50, a new mechanism to allow for more efficient bulk disposal
of unwanted callbacks was added. Due to a necessary lock not being held 
internally, this results in unsafe access to the linked lists containing
the callback information. By simultaneously acquiring and giving back 
callbacks on a file or files it is possible to crash a fileserver,
thus denying service for the duration of the recovery period.

No privilege escalation, data integrity or access issue is known.

There are no known publicly-available exploits for this vulnerability at
this time although in the course of normal operation this issue can be 


By using public interfaces to the fileserver, an attacker can construct
cases which trigger the race condition and thus crash the fileserver.

Likewise, with the increased use of the RPC handler for giving up callbacks
in bulk in recent Windows clients, crashes will become more common.


All releases of OpenAFS 1.3.x subsequent to 1.3.50.
All releases of OpenAFS 1.4.x, up to and including OpenAFS 1.4.5.
All releases of OpenAFS 1.5.x, up to and including OpenAFS 1.5.27.


The OpenAFS project recommends that administrators with systems which could 
be affected by this race condition upgrade to OpenAFS version 1.4.6 or newer,
or as appropriate for people testing features in the OpenAFS 1.5 series,
OpenAFS version 1.5.28 or newer. Only fileservers need to be upgraded.

The latest stable OpenAFS release is
always available from http://www.openafs.org/release/latest.html.

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:


The main OpenAFS web page is at:



Thanks to Russ Allbery, Jeffrey Altman, Dan Hyde, and Thomas Mueller for
their work in tracking this issue.

In pthread-aware fileservers, the "host_glock" pthread lock, accessed
via the H_LOCK and H_UNLOCK macros, is used to provide safe access to
host structures. This lock is required to be held when updating 
information pertaining to a host. The RPC handler for the 
GiveUpAllCallBacks RPC did not hold this lock while performing its work.
Version: GnuPG v1.4.6 (Darwin)