How Badlock was discovered and fixed

Post Syndicated from corbet original http://lwn.net/Articles/684194/rss

This post on the Red Hat Enterprise Linux blog describes the discovery and repair of the “Badlock” vulnerability. One begins to understand a little better why it took as long as it did. “The code was rewritten; in March 2016 the changes needed to fix all eight CVEs amounted to about 200 individual patches against a development version of Samba, with about half of those responsible for fixing CVE-2015-5370. When backported to previous stable Samba versions, they needed additional hundred patches. To oldest supported Samba version — about four hundred patches. What started as an individual snowflake became an avalanche but it wasn’t finished yet.”