[Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | Ubuntu on IBM z Systems |
High
|
Canonical Kernel Team | ||
| | linux (Ubuntu) |
High
|
Joseph Salisbury | ||
| | Xenial |
High
|
Joseph Salisbury | ||
| | Bionic |
High
|
Joseph Salisbury | ||
| | Cosmic |
High
|
Joseph Salisbury | ||
Bug Description
== SRU Justification ==
IBM is requesting these commits in s390 for X, B and C. The bug
description the commits fix is as follows:
Description: qeth: Fix potential array overrun in cmd/rc lookup Symptom:
Infinite loop when processing a received cmd.
Problem: qeth_get_
human-readable messages for received cmd data.
== Fixes ==
065a2cdcbdf8 ("s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function")
048a7f8b4ec0 ("s390: qeth: Fix potential array overrun in cmd/rc lookup")
== Regression Potential ==
Low. Limited to s390.
== Test Case ==
A test kernel was built with these two patches and tested by IBM.
The bug reporter states the test kernel resolved the bug.
Description: qeth: Fix potential array overrun in cmd/rc lookup
Symptom: Infinite loop when processing a received cmd.
Problem: qeth_get_
to build human-readable messages for received cmd data.
They store the to-be translated value in the last entry of a
the queried value (and the corresponding message string).
If there is no prior match, the lookup is intended to stop at
the final entry (which was previously prepared).
If two qeth devices are concurrently processing a received cmd,
one lookup can over-write the last entry of the global array
while a second lookup is in process. This second lookup will then
never hit its stop-condition, and loop.
Solution: Remove the modification of the global array, and limit the number
of iterations to the size of the array.
Upstream-ID: kernel 4.19
- 065a2cdcbdf8eb9
- 048a7f8b4ec085d
Should also be applied, to all other Ubuntu Releases in the field !
CVE References
| tags: | added: architecture-s39064 bugnameltc-172700 severity-high targetmilestone-inin1810 |
| Changed in ubuntu: | |
| assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
| affects: | ubuntu → linux (Ubuntu) |
| Changed in ubuntu-z-systems: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| assignee: | nobody → Canonical Kernel Team (canonical-kernel-team) |
| Changed in linux (Ubuntu): | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Changed in linux (Ubuntu Xenial): | |
| status: | New → Triaged |
| Changed in linux (Ubuntu Bionic): | |
| status: | New → Triaged |
| Changed in linux (Ubuntu Cosmic): | |
| status: | New → Triaged |
| Changed in linux (Ubuntu Xenial): | |
| importance: | Undecided → High |
| Changed in linux (Ubuntu Bionic): | |
| importance: | Undecided → High |
| Changed in linux (Ubuntu Cosmic): | |
| importance: | Undecided → High |
| Joseph Salisbury (jsalisbury) wrote : | #1 |
| Changed in linux (Ubuntu Xenial): | |
| assignee: | nobody → Joseph Salisbury (jsalisbury) |
| Changed in linux (Ubuntu Bionic): | |
| assignee: | nobody → Joseph Salisbury (jsalisbury) |
| Changed in linux (Ubuntu Cosmic): | |
| assignee: | nobody → Joseph Salisbury (jsalisbury) |
| Changed in linux (Ubuntu): | |
| assignee: | Skipper Bug Screeners (skipper-screen-team) → Joseph Salisbury (jsalisbury) |
------- Comment From <email address hidden> 2018-10-31 06:27 EDT-------
@jsalisbury:
I copied your comment from LP1800639
### External Comment ###
I built a test kernel with commits 065a2cdcbd and 048a7f8b4. The test kernel can be downloaded from:
http://
Can you test this kernel and see if it resolves this bug?
Note about installing test kernels:
? If the test kernel is prior to 4.15(Bionic) you need to install the linux-image and linux-image-extra .deb packages.
? If the test kernel is 4.15(Bionic) or newer, you need to install the linux-modules, linux-modules-extra and linux-image-
Thanks in advance!
This is the correct LP/Bugzilla, you can set this LP into Progress.
LP1800639 will be updated with the correct commit ID's and problem description.
| Frank Heimes (frank-heimes) wrote : | #3 |
To make it a bit more clear - this (LP 1800641) is the ticket these upstream commit IDs belong to:
Upstream-ID: kernel 4.19
- 065a2cdcbdf8eb9
- 048a7f8b4ec085d
(On LP 1800639 they were a c&p error - LP LP1800639 will be updated with new commits ...)
| Joseph Salisbury (jsalisbury) wrote : | #4 |
SRU request submitted:
https:/
| Changed in linux (Ubuntu): | |
| status: | Triaged → Fix Released |
| status: | Fix Released → In Progress |
| Changed in linux (Ubuntu Xenial): | |
| status: | Triaged → In Progress |
| Changed in linux (Ubuntu Bionic): | |
| status: | Triaged → In Progress |
| Changed in linux (Ubuntu Cosmic): | |
| status: | Triaged → In Progress |
| description: | updated |
| Changed in ubuntu-z-systems: | |
| status: | Triaged → In Progress |
| Changed in linux (Ubuntu Xenial): | |
| status: | In Progress → Fix Committed |
| Changed in linux (Ubuntu Bionic): | |
| status: | In Progress → Fix Committed |
| Changed in linux (Ubuntu Cosmic): | |
| status: | In Progress → Fix Committed |
| Changed in ubuntu-z-systems: | |
| status: | In Progress → Fix Committed |
| Changed in linux (Ubuntu): | |
| status: | In Progress → Fix Committed |
| Brad Figg (brad-figg) wrote : | #5 |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
| tags: | added: verification-needed-cosmic |
| Brad Figg (brad-figg) wrote : | #6 |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
| tags: | added: verification-needed-bionic |
| Brad Figg (brad-figg) wrote : | #7 |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
| tags: | added: verification-needed-xenial |
| bugproxy (bugproxy) wrote : | #8 |
------- Comment From <email address hidden> 2018-11-19 02:39 EDT-------
Comment for all releases. This fix was verified upfront on the upstream kernel by IBM
| tags: |
added: verification-done-bionic verification-done-cosmic verification-done-xenial removed: verification-needed-bionic verification-needed-cosmic verification-needed-xenial |
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package linux - 4.18.0-12.13
---------------
linux (4.18.0-12.13) cosmic; urgency=medium
* linux: 4.18.0-12.13 -proposed tracker (LP: #1802743)
* [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
- s390/zcrypt: Add ZAPQ inline function.
- s390/zcrypt: Review inline assembler constraints.
- s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
- s390/zcrypt: fix ap_instructions
- KVM: s390: vsie: simulate VCPU SIE entry/exit
- KVM: s390: introduce and use KVM_REQ_
- KVM: s390: refactor crypto initialization
- s390: vfio-ap: base implementation of VFIO AP device driver
- s390: vfio-ap: register matrix device with VFIO mdev framework
- s390: vfio-ap: sysfs interfaces to configure adapters
- s390: vfio-ap: sysfs interfaces to configure domains
- s390: vfio-ap: sysfs interfaces to configure control domains
- s390: vfio-ap: sysfs interface to view matrix mdev matrix
- KVM: s390: interface to clear CRYCB masks
- s390: vfio-ap: implement mediated device open callback
- s390: vfio-ap: implement VFIO_DEVICE_
- s390: vfio-ap: zeroize the AP queues
- s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
- KVM: s390: Clear Crypto Control Block when using vSIE
- KVM: s390: vsie: Do the CRYCB validation first
- KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
- KVM: s390: vsie: Allow CRYCB FORMAT-2
- KVM: s390: vsie: allow CRYCB FORMAT-1
- KVM: s390: vsie: allow CRYCB FORMAT-0
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
- KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
- KVM: s390: device attrs to enable/disable AP interpretation
- KVM: s390: CPU model support for AP virtualization
- s390: doc: detailed specifications for AP virtualization
- KVM: s390: fix locking for crypto setting error path
- KVM: s390: Tracing APCB changes
- s390: vfio-ap: setup APCB mask using KVM dedicated function
- [Config:] Enable CONFIG_
* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|
* CVE-2018-18955: nested user namespaces with more than five extents
incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
- userns: also map extents in the reverse map to kernel IDs
* kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks
* crash in ENA driver on removing an interface (LP: #1802341)
- SAUCE: net: ena: fix crash during ena_remove()
* Ubuntu 18.04.1 - [s390x] Kernel panic while stressing network bonding
(LP: #1797367)
- s390/qeth: reduce hard-coded access to ccw channels
- s390/qeth: sanitize strings in debug messages
* Add checksum offload and T...
| Changed in linux (Ubuntu Cosmic): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package linux - 4.15.0-42.45
---------------
linux (4.15.0-42.45) bionic; urgency=medium
* linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)
* [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
- KVM: s390: reset crypto attributes for all vcpus
- KVM: s390: vsie: simulate VCPU SIE entry/exit
- KVM: s390: introduce and use KVM_REQ_
- KVM: s390: refactor crypto initialization
- s390: vfio-ap: base implementation of VFIO AP device driver
- s390: vfio-ap: register matrix device with VFIO mdev framework
- s390: vfio-ap: sysfs interfaces to configure adapters
- s390: vfio-ap: sysfs interfaces to configure domains
- s390: vfio-ap: sysfs interfaces to configure control domains
- s390: vfio-ap: sysfs interface to view matrix mdev matrix
- KVM: s390: interface to clear CRYCB masks
- s390: vfio-ap: implement mediated device open callback
- s390: vfio-ap: implement VFIO_DEVICE_
- s390: vfio-ap: zeroize the AP queues
- s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
- KVM: s390: Clear Crypto Control Block when using vSIE
- KVM: s390: vsie: Do the CRYCB validation first
- KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
- KVM: s390: vsie: Allow CRYCB FORMAT-2
- KVM: s390: vsie: allow CRYCB FORMAT-1
- KVM: s390: vsie: allow CRYCB FORMAT-0
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
- KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
- KVM: s390: device attrs to enable/disable AP interpretation
- KVM: s390: CPU model support for AP virtualization
- s390: doc: detailed specifications for AP virtualization
- KVM: s390: fix locking for crypto setting error path
- KVM: s390: Tracing APCB changes
- s390: vfio-ap: setup APCB mask using KVM dedicated function
- s390/zcrypt: Add ZAPQ inline function.
- s390/zcrypt: Review inline assembler constraints.
- s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
- s390/zcrypt: fix ap_instructions
- s390/zcrypt: remove VLA usage from the AP bus
- s390/zcrypt: Remove deprecated ioctls.
- s390/zcrypt: Remove deprecated zcrypt proc interface.
- s390/zcrypt: Support up to 256 crypto adapters.
- [Config:] Enable CONFIG_
* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|
* CVE-2018-18955: nested user namespaces with more than five extents
incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
- userns: also map extents in the reverse map to kernel IDs
* kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks
-- Thadeu Lima de Souza Cascardo <email address hidden> Thu, 15 Nov 2018 17:01:46 ...
| Changed in linux (Ubuntu Bionic): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package linux - 4.4.0-140.166
---------------
linux (4.4.0-140.166) xenial; urgency=medium
* linux: 4.4.0-140.166 -proposed tracker (LP: #1802776)
* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|
* kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks
* crash in ENA driver on removing an interface (LP: #1802341)
- SAUCE: net: ena: fix crash during ena_remove()
* xenial guest on arm64 drops to busybox under openstack bionic-rocky
(LP: #1797092)
- [Config] CONFIG_PCI_ECAM=y
- PCI: Provide common functions for ECAM mapping
- PCI: generic, thunder: Use generic ECAM API
- PCI, of: Move PCI I/O space management to PCI core code
- PCI: Move ecam.h to linux/include/
- PCI: Add parent device field to ECAM struct pci_config_window
- PCI: Add pci_unmap_iospace() to unmap I/O resources
- PCI/ACPI: Support I/O resources when parsing host bridge resources
- [Config] CONFIG_ACPI_MCFG=y
- PCI/ACPI: Add generic MCFG table handling
- PCI: Refactor pci_bus_
- PCI: Factor DT-specific pci_bus_
- ARM64: PCI: Add acpi_pci_
- ARM64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT
code
- ARM64: PCI: Support ACPI-based PCI host controller
* [GLK/CLX] Enhanced IBRS (LP: #1786139)
- x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_
- x86/speculation: Support Enhanced IBRS on future CPUs
* Update ENA driver to version 2.0.1K (LP: #1798182)
- net: ena: remove ndo_poll_controller
- net: ena: fix warning in rmmod caused by double iounmap
- net: ena: fix rare bug when failed restart/resume is followed by driver
removal
- net: ena: fix NULL dereference due to untimely napi initialization
- net: ena: fix auto casting to boolean
- net: ena: minor performance improvement
- net: ena: complete host info to match latest ENA spec
- net: ena: introduce Low Latency Queues data structures according to ENA spec
- net: ena: add functions for handling Low Latency Queues in ena_com
- net: ena: add functions for handling Low Latency Queues in ena_netdev
- net: ena: use CSUM_CHECKED device indication to report skb's checksum status
- net: ena: explicit casting and initialization, and clearer error handling
- net: ena: limit refill Rx threshold to 256 to avoid latency issues
- net: ena: change rx copybreak default to reduce kernel memory pressure
- net: ena: remove redundant parameter in ena_com_
- net: ena: update driver version to 2.0.1
- net: ena: fix indentations in ena_defs for better readability
- net: ena: Fix Kconfig dependency on X86
- net: ena: enable Low Latency Queues
- net: ena: fix compilat...
| Changed in linux (Ubuntu Xenial): | |
| status: | Fix Committed → Fix Released |
| bugproxy (bugproxy) wrote : | #12 |
------- Comment From <email address hidden> 2018-12-03 10:58 EDT-------
IBM Bugzilla status-> closed, Fix Released
| Changed in linux (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Changed in ubuntu-z-systems: | |
| status: | Fix Committed → Fix Released |
These are the same two commits requested in bug 1800639. Is that correct? If so, I'll mark this bug as a duplicate of that bug.