[Ubuntu] net/af_iucv: fix skb leaks for HiperTransport
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Canonical Kernel Team | ||
linux (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Xenial |
Fix Released
|
High
|
Unassigned | ||
Bionic |
Fix Released
|
High
|
Unassigned | ||
Cosmic |
Fix Released
|
High
|
Unassigned |
Bug Description
== SRU Justification ==
Fix socket buffer (skb) leaks for HiperTransport
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the skb.
== Fix ==
222440996d6daf6
b2f543949acd1ba
== Patch ==
commit 222440996d6daf6
Author: Julian Wiedmann <email address hidden>
Date: Wed Sep 5 16:55:10 2018 +0200
net/af_iucv: drop inbound packets with invalid flags
Inbound packets may have any combination of flag bits set in their iucv
header. If we don't know how to handle a specific combination, drop the
skb instead of leaking it.
To clarify what error is returned in this case, replace the hard-coded
0 with the corresponding macro.
Signed-off-by: Julian Wiedmann <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
==
commit b2f543949acd1ba
Author: Julian Wiedmann <email address hidden>
Date: Wed Sep 5 16:55:11 2018 +0200
net/af_iucv: fix skb handling on HiperTransport xmit error
When sending an skb, afiucv_hs_send() bails out on various error
conditions. But currently the caller has no way of telling whether the
skb was freed or not - resulting in potentially either
a) leaked skbs from iucv_send_ctrl(), or
b) double-free's from iucv_sock_
As dev_queue_xmit() will always consume the skb (even on error), be
consistent and also free the skb from all other error paths. This way
callers no longer need to care about managing the skb.
Signed-off-by: Julian Wiedmann <email address hidden>
Reviewed-by: Ursula Braun <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
== Regression Potential ==
Low, because:
- IUCV functionality is very special to s390x and is only supported in z/VM environments
(z/VM hypervisor to guest or guest to guest communications)
- So everything is s390x specific.
- Patch is limited to this single file: /net/iucv/af_iucv.c
- Patch was tested by IBM, and fixes an identified problem situation.
== Test Case ==
Set IUCV communication on an Ubuntu s390x system that runs as z/VM guest:
https:/
Provoke an error situation.
This is btw. hard to do, because the 'Inter-User Communication Vehicle" (IUCV) is a virtual z/VM internal
network that does not use any real media.
To check for regressions one can use a shell over an ssh connection using an IUCV interface
or use an application that utilises AF_IUCV sockets (like ICC).
__________
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other
flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the
skb.
kerne 4.19
Upstream-ID: 222440996d6daf6
b2f543949acd1ba
Should also be applied, to all other Ubuntu Releases in the field !
CVE References
tags: | added: architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
status: | New → Triaged |
assignee: | nobody → Canonical Kernel Team (canonical-kernel-team) |
Changed in linux (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in linux (Ubuntu Xenial): | |
status: | New → Triaged |
Changed in linux (Ubuntu Bionic): | |
status: | New → Triaged |
Changed in linux (Ubuntu Cosmic): | |
status: | New → Triaged |
Changed in linux (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Bionic): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Cosmic): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Xenial): | |
assignee: | nobody → Joseph Salisbury (jsalisbury) |
Changed in linux (Ubuntu Bionic): | |
assignee: | nobody → Joseph Salisbury (jsalisbury) |
Changed in linux (Ubuntu Cosmic): | |
assignee: | nobody → Joseph Salisbury (jsalisbury) |
Changed in linux (Ubuntu): | |
assignee: | Skipper Bug Screeners (skipper-screen-team) → Joseph Salisbury (jsalisbury) |
Changed in linux (Ubuntu Xenial): | |
status: | Triaged → In Progress |
Changed in linux (Ubuntu Cosmic): | |
status: | Triaged → In Progress |
Changed in linux (Ubuntu Bionic): | |
status: | Triaged → In Progress |
Changed in linux (Ubuntu): | |
status: | Triaged → In Progress |
Changed in ubuntu-z-systems: | |
status: | Triaged → In Progress |
description: | updated |
Changed in linux (Ubuntu Xenial): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Cosmic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu): | |
status: | Fix Committed → Fix Released |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
tags: | added: cscc |
I built a test kernel with commits 065a2cdcbd and 048a7f8b4. The test kernel can be downloaded from: kernel. ubuntu. com/~jsalisbury /lp1800639
http://
Can you test this kernel and see if it resolves this bug?
Note about installing test kernels: unsigned .deb packages.
• If the test kernel is prior to 4.15(Bionic) you need to install the linux-image and linux-image-extra .deb packages.
• If the test kernel is 4.15(Bionic) or newer, you need to install the linux-modules, linux-modules-extra and linux-image-
Thanks in advance!