2018-10-30 11:39:13 |
bugproxy |
bug |
|
|
added bug |
2018-10-30 11:39:14 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 |
|
2018-10-30 11:39:15 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2018-10-30 11:39:18 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2018-10-30 11:45:18 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2018-10-30 11:45:57 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2018-10-30 11:46:03 |
Frank Heimes |
ubuntu-z-systems: status |
New |
Triaged |
|
2018-10-30 11:46:23 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Canonical Kernel Team (canonical-kernel-team) |
|
2018-10-30 14:16:10 |
Joseph Salisbury |
linux (Ubuntu): status |
New |
Triaged |
|
2018-10-30 14:16:15 |
Joseph Salisbury |
linux (Ubuntu): importance |
Undecided |
High |
|
2018-10-30 14:16:24 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Cosmic |
|
2018-10-30 14:16:24 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Cosmic) |
|
2018-10-30 14:16:24 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Xenial |
|
2018-10-30 14:16:24 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Xenial) |
|
2018-10-30 14:16:24 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Bionic |
|
2018-10-30 14:16:24 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Bionic) |
|
2018-10-30 14:20:30 |
Joseph Salisbury |
linux (Ubuntu Xenial): status |
New |
Triaged |
|
2018-10-30 14:20:33 |
Joseph Salisbury |
linux (Ubuntu Bionic): status |
New |
Triaged |
|
2018-10-30 14:20:36 |
Joseph Salisbury |
linux (Ubuntu Cosmic): status |
New |
Triaged |
|
2018-10-30 14:20:39 |
Joseph Salisbury |
linux (Ubuntu Xenial): importance |
Undecided |
High |
|
2018-10-30 14:20:41 |
Joseph Salisbury |
linux (Ubuntu Bionic): importance |
Undecided |
High |
|
2018-10-30 14:20:43 |
Joseph Salisbury |
linux (Ubuntu Cosmic): importance |
Undecided |
High |
|
2018-10-30 14:27:47 |
Joseph Salisbury |
linux (Ubuntu Xenial): assignee |
|
Joseph Salisbury (jsalisbury) |
|
2018-10-30 14:27:50 |
Joseph Salisbury |
linux (Ubuntu Bionic): assignee |
|
Joseph Salisbury (jsalisbury) |
|
2018-10-30 14:27:53 |
Joseph Salisbury |
linux (Ubuntu Cosmic): assignee |
|
Joseph Salisbury (jsalisbury) |
|
2018-10-30 14:27:54 |
Joseph Salisbury |
linux (Ubuntu): assignee |
Skipper Bug Screeners (skipper-screen-team) |
Joseph Salisbury (jsalisbury) |
|
2018-10-30 14:28:12 |
Joseph Salisbury |
linux (Ubuntu Xenial): status |
Triaged |
In Progress |
|
2018-10-30 14:28:14 |
Joseph Salisbury |
linux (Ubuntu Cosmic): status |
Triaged |
In Progress |
|
2018-10-30 15:53:47 |
Joseph Salisbury |
linux (Ubuntu Bionic): status |
Triaged |
In Progress |
|
2018-10-30 15:53:51 |
Joseph Salisbury |
linux (Ubuntu): status |
Triaged |
In Progress |
|
2018-10-30 16:25:43 |
Frank Heimes |
ubuntu-z-systems: status |
Triaged |
In Progress |
|
2018-10-31 13:13:47 |
Frank Heimes |
description |
Description: qeth: Fix potential array overrun in cmd/rc lookup
Symptom: Infinite loop when processing a received cmd.
Problem: qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used
to build human-readable messages for received cmd data.
They store the to-be translated value in the last entry of a
global array, and then iterate over each entry until they found
the queried value (and the corresponding message string).
If there is no prior match, the lookup is intended to stop at
the final entry (which was previously prepared).
If two qeth devices are concurrently processing a received cmd,
one lookup can over-write the last entry of the global array
while a second lookup is in process. This second lookup will then
never hit its stop-condition, and loop.
Solution: Remove the modification of the global array, and limit the number
of iterations to the size of the array.
Upstream-ID: kernel 4.19
- 065a2cdcbdf8eb9aefb66e1a24b2d684b8b8852b
- 048a7f8b4ec085d5c56ad4a3bf450389a4aed5f9
Should also be applied, to all other Ubuntu Releases in the field ! |
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other
flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the
skb.
kerne 4.19
Upstream-ID: 222440996d6daf635bed6cb35041be22ede3e8a0
b2f543949acd1ba64313fdad9e672ef47550d773
Should also be applied, to all other Ubuntu Releases in the field ! |
|
2018-11-01 14:22:20 |
Frank Heimes |
description |
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other
flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the
skb.
kerne 4.19
Upstream-ID: 222440996d6daf635bed6cb35041be22ede3e8a0
b2f543949acd1ba64313fdad9e672ef47550d773
Should also be applied, to all other Ubuntu Releases in the field ! |
== SRU Justification ==
Fix socket buffer (skb) leaks for HiperTransport
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the skb.
== Fix ==
222440996d6daf635bed6cb35041be22ede3e8a0 ("net/af_iucv: drop inbound packets with invalid flags")
b2f543949acd1ba64313fdad9e672ef47550d773 ("net/af_iucv: fix skb handling on HiperTransport xmit error")
== Patch ==
commit 222440996d6daf635bed6cb35041be22ede3e8a0
Author: Julian Wiedmann <jwi@linux.ibm.com>
Date: Wed Sep 5 16:55:10 2018 +0200
net/af_iucv: drop inbound packets with invalid flags
Inbound packets may have any combination of flag bits set in their iucv
header. If we don't know how to handle a specific combination, drop the
skb instead of leaking it.
To clarify what error is returned in this case, replace the hard-coded
0 with the corresponding macro.
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
==
commit b2f543949acd1ba64313fdad9e672ef47550d773
Author: Julian Wiedmann <jwi@linux.ibm.com>
Date: Wed Sep 5 16:55:11 2018 +0200
net/af_iucv: fix skb handling on HiperTransport xmit error
When sending an skb, afiucv_hs_send() bails out on various error
conditions. But currently the caller has no way of telling whether the
skb was freed or not - resulting in potentially either
a) leaked skbs from iucv_send_ctrl(), or
b) double-free's from iucv_sock_sendmsg().
As dev_queue_xmit() will always consume the skb (even on error), be
consistent and also free the skb from all other error paths. This way
callers no longer need to care about managing the skb.
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
== Regression Potential ==
Low, because:
- IUCV functionality is very special to s390x and is only supported in z/VM environments
(z/VM hypervisor to guest or guest to guest communications)
- So everything is s390x specific.
- Patch is limited to this single file: /net/iucv/af_iucv.c
- Patch was tested by IBM, and fixes an identified problem situation.
== Test Case ==
Set IUCV communication on an Ubuntu s390x system that runs as z/VM guest:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.ludd/ludd_r_afiucv_setup.html
Provoke an error situation.
This is btw. hard to do, because the 'Inter-User Communication Vehicle" (IUCV) is a virtual z/VM internal
network that does not use any real media.
To check for regressions one can use a shell over an ssh connection using an IUCV interface
or use an application that utilises AF_IUCV sockets (like ICC).
__________
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other
flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the
skb.
kerne 4.19
Upstream-ID: 222440996d6daf635bed6cb35041be22ede3e8a0
b2f543949acd1ba64313fdad9e672ef47550d773
Should also be applied, to all other Ubuntu Releases in the field ! |
|
2018-11-08 05:27:50 |
Khaled El Mously |
linux (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2018-11-08 05:27:52 |
Khaled El Mously |
linux (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2018-11-08 05:27:54 |
Khaled El Mously |
linux (Ubuntu Cosmic): status |
In Progress |
Fix Committed |
|
2018-11-08 06:13:38 |
Frank Heimes |
linux (Ubuntu): status |
In Progress |
Fix Committed |
|
2018-11-08 06:13:42 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2018-11-15 11:04:16 |
Brad Figg |
tags |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 verification-needed-cosmic |
|
2018-11-15 11:34:41 |
Brad Figg |
tags |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 verification-needed-cosmic |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 verification-needed-bionic verification-needed-cosmic |
|
2018-11-16 16:36:28 |
Brad Figg |
tags |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 verification-needed-bionic verification-needed-cosmic |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 verification-needed-bionic verification-needed-cosmic verification-needed-xenial |
|
2018-11-20 09:56:48 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 verification-needed-bionic verification-needed-cosmic verification-needed-xenial |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 verification-done-bionic verification-done-cosmic verification-done-xenial |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
linux (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-18653 |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-18955 |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-6559 |
|
2018-12-03 14:01:15 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2018-12-03 14:59:47 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-12-04 13:19:43 |
Frank Heimes |
linux (Ubuntu): status |
Fix Committed |
Fix Released |
|
2018-12-04 13:19:51 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|
2019-07-24 20:56:49 |
Brad Figg |
tags |
architecture-s39064 bugnameltc-172698 severity-high targetmilestone-inin1810 verification-done-bionic verification-done-cosmic verification-done-xenial |
architecture-s39064 bugnameltc-172698 cscc severity-high targetmilestone-inin1810 verification-done-bionic verification-done-cosmic verification-done-xenial |
|