This bug was fixed in the package linux - 4.15.0-42.45
---------------
linux (4.15.0-42.45) bionic; urgency=medium
* linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)
* [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
- KVM: s390: reset crypto attributes for all vcpus
- KVM: s390: vsie: simulate VCPU SIE entry/exit
- KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
- KVM: s390: refactor crypto initialization
- s390: vfio-ap: base implementation of VFIO AP device driver
- s390: vfio-ap: register matrix device with VFIO mdev framework
- s390: vfio-ap: sysfs interfaces to configure adapters
- s390: vfio-ap: sysfs interfaces to configure domains
- s390: vfio-ap: sysfs interfaces to configure control domains
- s390: vfio-ap: sysfs interface to view matrix mdev matrix
- KVM: s390: interface to clear CRYCB masks
- s390: vfio-ap: implement mediated device open callback
- s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
- s390: vfio-ap: zeroize the AP queues
- s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
- KVM: s390: Clear Crypto Control Block when using vSIE
- KVM: s390: vsie: Do the CRYCB validation first
- KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
- KVM: s390: vsie: Allow CRYCB FORMAT-2
- KVM: s390: vsie: allow CRYCB FORMAT-1
- KVM: s390: vsie: allow CRYCB FORMAT-0
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
- KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
- KVM: s390: device attrs to enable/disable AP interpretation
- KVM: s390: CPU model support for AP virtualization
- s390: doc: detailed specifications for AP virtualization
- KVM: s390: fix locking for crypto setting error path
- KVM: s390: Tracing APCB changes
- s390: vfio-ap: setup APCB mask using KVM dedicated function
- s390/zcrypt: Add ZAPQ inline function.
- s390/zcrypt: Review inline assembler constraints.
- s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
- s390/zcrypt: fix ap_instructions_available() returncodes
- s390/zcrypt: remove VLA usage from the AP bus
- s390/zcrypt: Remove deprecated ioctls.
- s390/zcrypt: Remove deprecated zcrypt proc interface.
- s390/zcrypt: Support up to 256 crypto adapters.
- [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.
* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
* CVE-2018-18955: nested user namespaces with more than five extents
incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
- userns: also map extents in the reverse map to kernel IDs
* kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks
-- Thadeu Lima de Souza Cascardo <casca...@canonical.com> Thu, 15 Nov
2018 17:01:46 -0200
** Changed in: linux (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1800639
Title:
[Ubuntu] net/af_iucv: fix skb leaks for HiperTransport
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Xenial:
Fix Committed
Status in linux source package in Bionic:
Fix Released
Status in linux source package in Cosmic:
Fix Released
Bug description:
== SRU Justification ==
Fix socket buffer (skb) leaks for HiperTransport
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the skb.
== Fix ==
222440996d6daf635bed6cb35041be22ede3e8a0 ("net/af_iucv: drop inbound packets
with invalid flags")
b2f543949acd1ba64313fdad9e672ef47550d773 ("net/af_iucv: fix skb handling on
HiperTransport xmit error")
== Patch ==
commit 222440996d6daf635bed6cb35041be22ede3e8a0
Author: Julian Wiedmann <j...@linux.ibm.com>
Date: Wed Sep 5 16:55:10 2018 +0200
net/af_iucv: drop inbound packets with invalid flags
Inbound packets may have any combination of flag bits set in their iucv
header. If we don't know how to handle a specific combination, drop the
skb instead of leaking it.
To clarify what error is returned in this case, replace the hard-coded
0 with the corresponding macro.
Signed-off-by: Julian Wiedmann <j...@linux.ibm.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
==
commit b2f543949acd1ba64313fdad9e672ef47550d773
Author: Julian Wiedmann <j...@linux.ibm.com>
Date: Wed Sep 5 16:55:11 2018 +0200
net/af_iucv: fix skb handling on HiperTransport xmit error
When sending an skb, afiucv_hs_send() bails out on various error
conditions. But currently the caller has no way of telling whether the
skb was freed or not - resulting in potentially either
a) leaked skbs from iucv_send_ctrl(), or
b) double-free's from iucv_sock_sendmsg().
As dev_queue_xmit() will always consume the skb (even on error), be
consistent and also free the skb from all other error paths. This way
callers no longer need to care about managing the skb.
Signed-off-by: Julian Wiedmann <j...@linux.ibm.com>
Reviewed-by: Ursula Braun <ubr...@linux.ibm.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
== Regression Potential ==
Low, because:
- IUCV functionality is very special to s390x and is only supported in z/VM
environments
(z/VM hypervisor to guest or guest to guest communications)
- So everything is s390x specific.
- Patch is limited to this single file: /net/iucv/af_iucv.c
- Patch was tested by IBM, and fixes an identified problem situation.
== Test Case ==
Set IUCV communication on an Ubuntu s390x system that runs as z/VM guest:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.ludd/ludd_r_afiucv_setup.html
Provoke an error situation.
This is btw. hard to do, because the 'Inter-User Communication Vehicle"
(IUCV) is a virtual z/VM internal
network that does not use any real media.
To check for regressions one can use a shell over an ssh connection using an
IUCV interface
or use an application that utilises AF_IUCV sockets (like ICC).
__________
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other
flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the
skb.
kerne 4.19
Upstream-ID: 222440996d6daf635bed6cb35041be22ede3e8a0
b2f543949acd1ba64313fdad9e672ef47550d773
Should also be applied, to all other Ubuntu Releases in the field !
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1800639/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
