[OpenAFS-announce] OpenAFS Security Advisory 2007-003: denial of service in OpenAFS fileserver

Derrick J Brashear openafs-info@openafs.org
Thu, 20 Dec 2007 17:00:14 -0500 (EST)


(in the event of line wrap breakage to the signature, a signed copy is 
also available on the OpenAFS web site)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 		OpenAFS Security Advisory 2007-003

Topic: denial of service in OpenAFS fileserver

Issued:	      		 20-Dec-2007
Last Update:		 21-Dec-2007
Affected:		 OpenAFS 1.3.50 - 1.4.5, OpenAFS 1.5.0 - 1.5.27

A user with network access can attack a fileserver via a race condition and
cause it to crash.

SUMMARY
=======

The AFS fileserver tracks client callbacks on files via a series of 
linked lists internally. When a client acquires a new callback or gives up
an old one, these lists must be updated.

In OpenAFS 1.3.50, a new mechanism for more efficient bulk disposal of
unwanted callbacks was added. Its RPC handler does not take the lock that
protects these linked lists, so its access to the callback information is
unsafe. A client that acquires callbacks on a file or files while
simultaneously giving callbacks back on them can therefore crash a
fileserver, denying service for the duration of the recovery period.

No privilege escalation, data integrity or access issue is known.

No exploit for this vulnerability is publicly available at this time, but
the race can also be triggered in the course of normal operation.

IMPACT
======

By using public interfaces to the fileserver, an attacker can construct
cases which trigger the race condition and thus crash the fileserver.

Moreover, recent Windows clients make increasing use of the RPC that gives up
callbacks in bulk, so accidental crashes will become more common.

AFFECTED SOFTWARE
=================

All releases of OpenAFS 1.3.x from 1.3.50 onward.
All releases of OpenAFS 1.4.x, up to and including OpenAFS 1.4.5.
All releases of OpenAFS 1.5.x, up to and including OpenAFS 1.5.27.

FIXES
=====

The OpenAFS project recommends that administrators with systems which could 
be affected by this race condition upgrade to OpenAFS version 1.4.6 or newer,
or as appropriate for people testing features in the OpenAFS 1.5 series,
OpenAFS version 1.5.28 or newer. Only fileservers need to be upgraded.

The latest stable OpenAFS release is
always available from http://www.openafs.org/release/latest.html.

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

     http://www.openafs.org/security/

The main OpenAFS web page is at:

     http://www.openafs.org/

ACKNOWLEDGEMENTS
================

Thanks to Russ Allbery, Jeffrey Altman, Dan Hyde, and Thomas Mueller for
their work in tracking this issue.


DETAIL
======

In pthread-aware fileservers, the "host_glock" pthread lock, accessed
via the H_LOCK and H_UNLOCK macros, provides safe access to host
structures and must be held whenever information pertaining to a host,
including its callbacks, is updated. The RPC handler for the
GiveUpAllCallBacks RPC, the bulk-disposal mechanism introduced in 1.3.50,
did not hold this lock while performing its work, so it could modify the
callback lists concurrently with handlers that did hold the lock.
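The following is an added illustration of the race described above, not
OpenAFS code: a toy callback list for one file, two client threads that
repeatedly acquire and give up a callback, and one thread that disposes of
all callbacks in bulk the way GiveUpAllCallBacks does. The names host_glock,
H_LOCK and H_UNLOCK follow the advisory, but their definitions, struct
callback, run_model and the rest are assumptions of this example and not the
fileserver's real data structures or code.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct callback { int host_id; struct callback *next; };

/* Modelled after the advisory's host_glock / H_LOCK / H_UNLOCK; these
 * definitions are ours, not OpenAFS's. */
static pthread_mutex_t host_glock = PTHREAD_MUTEX_INITIALIZER;
#define H_LOCK()   pthread_mutex_lock(&host_glock)
#define H_UNLOCK() pthread_mutex_unlock(&host_glock)

static struct callback *file_callbacks;     /* one file's callback list */
static atomic_long cb_allocated, cb_freed;  /* bookkeeping for the check */
static int bulk_holds_lock = 1;             /* 0 models the unpatched handler */
#define ITERATIONS 100000

/* A client acquires a callback: push a node while holding the lock. */
static void add_callback(int host_id)
{
    struct callback *cb = malloc(sizeof *cb);
    cb->host_id = host_id;
    H_LOCK();
    cb->next = file_callbacks; file_callbacks = cb;
    H_UNLOCK();
    atomic_fetch_add(&cb_allocated, 1);
}

/* A client gives up one callback: unlink under the lock, free outside it. */
static void delete_callback(int host_id)
{
    H_LOCK();
    struct callback **pp = &file_callbacks;
    while (*pp && (*pp)->host_id != host_id) pp = &(*pp)->next;
    struct callback *victim = *pp;
    if (victim) *pp = victim->next;
    H_UNLOCK();
    if (victim) { free(victim); atomic_fetch_add(&cb_freed, 1); }
}

/* Bulk disposal, as GiveUpAllCallBacks does. With bulk_holds_lock == 0 the
 * list is detached while another thread may be walking it, so that walker
 * can step into a node this function has already freed. */
static void give_up_all_callbacks(void)
{
    if (bulk_holds_lock) H_LOCK();
    struct callback *cb = file_callbacks;
    file_callbacks = NULL;
    if (bulk_holds_lock) H_UNLOCK();
    while (cb) {
        struct callback *next = cb->next;
        free(cb); atomic_fetch_add(&cb_freed, 1);
        cb = next;
    }
}

static void *client_thread(void *arg)
{
    for (int i = 0; i < ITERATIONS; i++) {
        add_callback((int)(intptr_t)arg); delete_callback((int)(intptr_t)arg);
    }
    return NULL;
}

static void *bulk_thread(void *arg)
{
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) give_up_all_callbacks();
    return NULL;
}

/* Two clients against one bulk-disposal thread; returns the number of nodes
 * neither freed nor still listed. 0 with correct locking; the unpatched
 * model returns garbage or crashes (double free / use-after-free). */
long run_model(int bulk_locked)
{
    bulk_holds_lock = bulk_locked;
    file_callbacks = NULL;
    atomic_store(&cb_allocated, 0); atomic_store(&cb_freed, 0);
    pthread_t t[3];
    pthread_create(&t[0], NULL, client_thread, (void *)(intptr_t)1);
    pthread_create(&t[1], NULL, client_thread, (void *)(intptr_t)2);
    pthread_create(&t[2], NULL, bulk_thread, NULL);
    for (int i = 0; i < 3; i++) pthread_join(t[i], NULL);
    long on_list = 0;
    for (struct callback *cb = file_callbacks; cb; cb = cb->next) on_list++;
    return atomic_load(&cb_allocated) - atomic_load(&cb_freed) - on_list;
}

int main(int argc, char **argv)
{
    int locked = !(argc > 1 && strcmp(argv[1], "unpatched") == 0);
    printf("bulk handler %s host_glock: %ld callbacks unaccounted for\n",
           locked ? "holds" : "skips", run_model(locked));
    return 0;
}
```

Run without arguments for the patched behaviour, where every node is
accounted for. Passing "unpatched" makes the bulk handler skip the lock, as
the affected fileservers did; the outcome is then timing dependent, ranging
from a nonzero count to a double free or segmentation fault, so build with
AddressSanitizer or run under valgrind to make the invalid accesses visible.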
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iQEVAwUBR2rkT6grZQAZNTvhAQLnZgf+Oxx2tLCZKzbXqULwp28s3suh9XVaty+f
1Y270oqDzBLgJOAwebbQQDLt0kO7Is6x6G8TFIobhYsMz7Q0zg8VSEHmkGfe7XZP
Lr0bgQI2LSYM3usZGdCW6ah76/Eg34JfjYRnYpWhtaOlDwyvUbKcn6GlPcvLSedY
Xbk5ex251of2ho2Mjcbag9nxVt7v3BeZCRBJq71/a4AlJB+5XU+EWEkv3kdaDktR
pPQqCR+FqccV8y2VB7nSA4wwNJ4jSUiZdeXKk7pZeJdhOkmxnXzLNXFrtsYk4kDu
hPBxKR33tYRXEIx1nzpCLSXF5utgcQwyX2bWwbxoYE2ntc4xOcsbcA==
=J2DB
-----END PGP SIGNATURE-----