SRU request submitted: https://lists.ubuntu.com/archives/kernel-team/2018-October/096372.html
** Changed in: linux (Ubuntu)
       Status: Triaged => Fix Released

** Changed in: linux (Ubuntu)
       Status: Fix Released => In Progress

** Changed in: linux (Ubuntu Xenial)
       Status: Triaged => In Progress

** Changed in: linux (Ubuntu Bionic)
       Status: Triaged => In Progress

** Changed in: linux (Ubuntu Cosmic)
       Status: Triaged => In Progress

** Description changed:

+
+ == SRU Justification ==
+ IBM is requesting these commits in s390 for X, B and C. The bug
+ description the commits fix is as follows:
+
+ Description: qeth: Fix potential array overrun in cmd/rc lookup Symptom:
+ Infinite loop when processing a received cmd.
+ Problem: qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used to build
+ human-readable messages for received cmd data.
+
+
+ == Fixes ==
+ 065a2cdcbdf8 ("s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function")
+ 048a7f8b4ec0 ("s390: qeth: Fix potential array overrun in cmd/rc lookup")
+
+ == Regression Potential ==
+ Low. Limited to s390.
+
+ == Test Case ==
+ A test kernel was built with these two patches and tested by IBM.
+ The bug reporter states the test kernel resolved the bug.
+
+
+
  Description: qeth: Fix potential array overrun in cmd/rc lookup
  Symptom: Infinite loop when processing a received cmd.
  Problem: qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used
- to build human-readable messages for received cmd data.
+ to build human-readable messages for received cmd data.
- They store the to-be translated value in the last entry of a
- global array, and then iterate over each entry until they found
- the queried value (and the corresponding message string).
- If there is no prior match, the lookup is intended to stop at
- the final entry (which was previously prepared).
+ They store the to-be translated value in the last entry of a
+ global array, and then iterate over each entry until they found
+ the queried value (and the corresponding message string).
+ If there is no prior match, the lookup is intended to stop at
+ the final entry (which was previously prepared).
- If two qeth devices are concurrently processing a received cmd,
- one lookup can over-write the last entry of the global array
- while a second lookup is in process. This second lookup will then
- never hit its stop-condition, and loop.
+ If two qeth devices are concurrently processing a received cmd,
+ one lookup can over-write the last entry of the global array
+ while a second lookup is in process. This second lookup will then
+ never hit its stop-condition, and loop.
  Solution: Remove the modification of the global array, and limit the number
- of iterations to the size of the array.
-
+ of iterations to the size of the array.
  Upstream-ID: kernel 4.19
  - 065a2cdcbdf8eb9aefb66e1a24b2d684b8b8852b
  - 048a7f8b4ec085d5c56ad4a3bf450389a4aed5f9
  Should also be applied, to all other Ubuntu Releases in the field !

--
https://bugs.launchpad.net/bugs/1800641

Title:
  [Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup
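
The lookup pattern described in the bug, modelled as an added example (not the kernel's qeth code): the table contents and the function names are assumptions made for illustration. It replays the two-device interleaving in a single thread and compares it with a bounded, read-only lookup as in the stated solution.

```c
#include <stddef.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct rc_msg { int rc; const char *msg; };

/* Constructed table shared by all devices; the last entry is the fallback. */
static struct rc_msg rc_table[] = {
	{ 0x0000, "success" },
	{ 0x0001, "command not supported" },
	{ 0x0004, "adapter offline" },
	{ 0xffff, "unknown return code" },
};

/* Old pattern, step 1: park the queried value in the shared last entry. */
void sentinel_prepare(int rc)
{
	rc_table[ARRAY_SIZE(rc_table) - 1].rc = rc;
}

/* Old pattern, step 2: scan until a match. The described loop has no bound;
 * this model stops at the array end and returns NULL where it would overrun. */
const char *sentinel_scan(int rc)
{
	size_t i = 0;
	while (i < ARRAY_SIZE(rc_table) && rc_table[i].rc != rc)
		i++;
	return i < ARRAY_SIZE(rc_table) ? rc_table[i].msg : NULL;
}

/* Replay: device A prepares, device B prepares, then A scans.
 * Returns 1 when A's stop condition was overwritten before its scan. */
int race_loses_sentinel(int rc_a, int rc_b)
{
	sentinel_prepare(rc_a);
	sentinel_prepare(rc_b);
	return sentinel_scan(rc_a) == NULL;
}

/* Fixed pattern: never writes the table, iterations bounded by its size. */
const char *bounded_lookup(int rc)
{
	size_t i;
	for (i = 0; i < ARRAY_SIZE(rc_table) - 1; i++)
		if (rc_table[i].rc == rc)
			return rc_table[i].msg;
	return rc_table[ARRAY_SIZE(rc_table) - 1].msg;
}

int main(void) { return race_loses_sentinel(0x7777, 0x8888) ? 0 : 1; }
```

A code that is present in the table is found before the sentinel is reached, so only lookups of unknown values depend on the shared last entry and are exposed to the race.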