Updated bug description with comment #3

** Description changed:

- Description:  qeth: Fix potential array overrun in cmd/rc lookup
- Symptom:      Infinite loop when processing a received cmd.
- Problem:      qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used
-               to build human-readable messages for received cmd data.
+ Description: net/af_iucv: fix skb leaks for HiperTransport
+ Symptom: Memory leaks and/or double-freed network packets.
+ Problem: Inbound packets may have any combination of flag bits set in
+ their iucv header. Current code only handles certain
+ combinations, and ignores (ie. leaks) all packets with other
+ flags.
  
-               They store the to-be translated value in the last entry of a
-               global array, and then iterate over each entry until they found
-               the queried value (and the corresponding message string).
-               If there is no prior match, the lookup is intended to stop at
-               the final entry (which was previously prepared).
+ On Transmit, current code is inconsistent about whether the error
+ paths need to free the skb. Depending on which error path is
+ taken, it may either get freed twice, or leak.
+ Solution: On receive, drop any skb with an unexpected combination of iucv
+ Header flags.
+ On transmit, be consistent in all error paths about free'ing the
+ skb.
  
-               If two qeth devices are concurrently processing a received cmd,
-               one lookup can over-write the last entry of the global array
-               while a second lookup is in process. This second lookup will 
then
-               never hit its stop-condition, and loop.
+ kerne 4.19
+ Upstream-ID: 222440996d6daf635bed6cb35041be22ede3e8a0
+ b2f543949acd1ba64313fdad9e672ef47550d773
  
- Solution:     Remove the modification of the global array, and limit the 
number
-               of iterations to the size of the array.
- 
- Upstream-ID: kernel 4.19
- - 065a2cdcbdf8eb9aefb66e1a24b2d684b8b8852b
- - 048a7f8b4ec085d5c56ad4a3bf450389a4aed5f9
  
  Should also be applied, to all other Ubuntu Releases in the field !

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1800639

Title:
  [Ubuntu] net/af_iucv: fix skb leaks for HiperTransport

Status in Ubuntu on IBM z Systems:
  In Progress
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  In Progress

Bug description:
  Description: net/af_iucv: fix skb leaks for HiperTransport
  Symptom: Memory leaks and/or double-freed network packets.
  Problem: Inbound packets may have any combination of flag bits set in
  their iucv header. Current code only handles certain
  combinations, and ignores (i.e. leaks) all packets with other
  flags.

  On Transmit, current code is inconsistent about whether the error
  paths need to free the skb. Depending on which error path is
  taken, it may either get freed twice, or leak.
  Solution: On receive, drop any skb with an unexpected combination of iucv
  Header flags.
  On transmit, be consistent in all error paths about free'ing the
  skb.

  kernel 4.19
  Upstream-ID: 222440996d6daf635bed6cb35041be22ede3e8a0
  b2f543949acd1ba64313fdad9e672ef47550d773

  
  Should also be applied to all other Ubuntu releases in the field!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1800639/+subscriptions
