Duplicate SMB file_ids leading to Windows client cache poisoning

J. Bruce Fields bfields at fieldses.org
Tue Dec 14 22:40:45 UTC 2021

On Fri, Dec 10, 2021 at 04:04:09PM -0500, Tom Talpey via samba-technical wrote:
> On 12/10/2021 2:08 PM, Christof Schmitt wrote:
> >As this thread shows, timestamps are not a universal solution.
> >In vfs_gpfs, we are able to retrieve the inode number and the inode
> >generation and use that to generate unique ids. That seems to work
> >reasonably well. But even the standard Linux statx() call does not
> >return the generation number.

I wonder why not?  Maybe it could be added.

> So that would only be solution for file
> >systems that that provide an interface to query the generation number.
> I believe the EXT, BTRFS, XFS and a few other Linux filesystems support
> retrieving the generation number via ioctl(FS_IOC_GETVERSION).

There's also name_to_handle_at() to get a filehandle, I don't know if
that's useful for your purposes.  (It can be tens of bytes long, so
you'd have to hash it and do some back-of-the-envelope calculations on
collision probabilities for the typical client cache sizes.)

> But I'm
> not certain how universal this is. There being hundreds of file systems
> in Linux...
> Could Samba perhaps insert a kernel module, or use the SMB client kmod,
> to fetch this? It'd be ugly and will have security implications, so I
> would not go into it lightly.

Even if you could: it's true that there's an i_generation in the generic
struct inode, but I doubt there's any guarantee it meets your
requirements (or is even initialized to anything at all) for a given

(Whereas if it were added to statx then the filesystem could choose to
return it or not depending on whether it's supported.)


More information about the samba-technical mailing list