[Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Canonical Kernel Team |
linux (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | High | Unassigned |
Bionic | Fix Released | High | Unassigned |
Cosmic | Fix Released | High | Unassigned |
Bug Description
== SRU Justification ==
IBM is requesting these commits in s390 for X, B and C. The bug
description the commits fix is as follows:
Description: qeth: Fix potential array overrun in cmd/rc lookup
Symptom: Infinite loop when processing a received cmd.
Problem: qeth_get_
human-readable messages for received cmd data.
== Fixes ==
065a2cdcbdf8 ("s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function")
048a7f8b4ec0 ("s390: qeth: Fix potential array overrun in cmd/rc lookup")
== Regression Potential ==
Low. Limited to s390.
== Test Case ==
A test kernel was built with these two patches and tested by IBM.
The bug reporter states the test kernel resolved the bug.
Description: qeth: Fix potential array overrun in cmd/rc lookup
Symptom: Infinite loop when processing a received cmd.
Problem: qeth_get_
to build human-readable messages for received cmd data.
They store the to-be translated value in the last entry of a
the queried value (and the corresponding message string).
If there is no prior match, the lookup is intended to stop at
the final entry (which was previously prepared).
If two qeth devices are concurrently processing a received cmd,
one lookup can over-write the last entry of the global array
while a second lookup is in process. This second lookup will then
never hit its stop-condition, and loop.
Solution: Remove the modification of the global array, and limit the number
of iterations to the size of the array.
Upstream-ID: kernel 4.19
- 065a2cdcbdf8eb9
- 048a7f8b4ec085d
Should also be applied to all other Ubuntu releases in the field!
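The stop-marker lookup described above and its bounded replacement, as an added example that is not the qeth driver's code. The table contents and the names `rc_table`, `lookup_sentinel`, `replay_race` and `lookup_bounded` are constructed for illustration; `replay_race` replays the two-device interleaving in a single thread and stops at the array end instead of running past it.

```c
#include <stddef.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct rc_msg { int rc; const char *msg; };
/* Constructed table (not the driver's); the last entry holds the fallback text. */
static struct rc_msg rc_table[] = {
	{ 0x00, "success" },
	{ 0x01, "unknown command" },
	{ 0x04, "not supported" },
	{ 0x00, "unknown return code" },
};

/* Before: the queried value is written into the shared last entry as a stop marker. */
const char *lookup_sentinel(int rc)
{
	size_t i = 0;
	rc_table[ARRAY_SIZE(rc_table) - 1].rc = rc;
	while (rc_table[i].rc != rc)	/* relies on the marker staying intact */
		i++;
	return rc_table[i].msg;
}

/* Single-threaded replay of the race: A prepares its marker, B overwrites it,
 * then A scans. Returns 1 if A reaches the end of the table without a match,
 * the point at which the unbounded loop above would leave the array. */
int replay_race(int rc_a, int rc_b)
{
	size_t i, n = ARRAY_SIZE(rc_table);
	rc_table[n - 1].rc = rc_a;	/* lookup A */
	rc_table[n - 1].rc = rc_b;	/* lookup B, concurrently */
	for (i = 0; i < n; i++)
		if (rc_table[i].rc == rc_a)
			return 0;
	return 1;
}

/* After: no write to the table, iterations limited to the array size. */
const char *lookup_bounded(int rc)
{
	size_t i, last = ARRAY_SIZE(rc_table) - 1;
	for (i = 0; i < last; i++)
		if (rc_table[i].rc == rc)
			return rc_table[i].msg;
	return rc_table[last].msg;
}
```

The race only bites when the queried value has no earlier match in the table, which is why `replay_race(0x01, 0x55)` still terminates while `replay_race(0x7f, 0x55)` does not find its marker.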
tags: | added: architecture-s39064 bugnameltc-172700 severity-high targetmilestone-inin1810 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
Changed in ubuntu-z-systems: | |
status: | New → Triaged |
importance: | Undecided → High |
assignee: | nobody → Canonical Kernel Team (canonical-kernel-team) |
Changed in linux (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in linux (Ubuntu Xenial): | |
status: | New → Triaged |
Changed in linux (Ubuntu Bionic): | |
status: | New → Triaged |
Changed in linux (Ubuntu Cosmic): | |
status: | New → Triaged |
Changed in linux (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Bionic): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Cosmic): | |
importance: | Undecided → High |
Changed in ubuntu-z-systems: | |
status: | Triaged → In Progress |
Changed in linux (Ubuntu Xenial): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Cosmic): | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu): | |
status: | In Progress → Fix Committed |
tags: | added: verification-done-bionic verification-done-cosmic verification-done-xenial removed: verification-needed-bionic verification-needed-cosmic verification-needed-xenial |
Changed in linux (Ubuntu): | |
status: | Fix Committed → Fix Released |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
tags: | added: cscc |
These are the same two commits requested in bug 1800639. Is that correct? If so, I'll mark this bug as a duplicate of that bug.