← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1800641] Re: [Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup

 

This bug was fixed in the package linux - 4.15.0-42.45

---------------
linux (4.15.0-42.45) bionic; urgency=medium

  * linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - KVM: s390: reset crypto attributes for all vcpus
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - s390/zcrypt: remove VLA usage from the AP bus
    - s390/zcrypt: Remove deprecated ioctls.
    - s390/zcrypt: Remove deprecated zcrypt proc interface.
    - s390/zcrypt: Support up to 256 crypto adapters.
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  *  CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

 -- Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>  Thu, 15 Nov
2018 17:01:46 -0200

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1800641

Title:
  [Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  
  == SRU Justification ==
  IBM is requesting these commits in s390 for X, B and C.  The bug
  description the commits fix is as follows:

  Description: qeth: Fix potential array overrun in cmd/rc lookup Symptom:
  Infinite loop when processing a received cmd.
  Problem: qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used to build
  human-readable messages for received cmd data.


  == Fixes ==
  065a2cdcbdf8 ("s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function")
  048a7f8b4ec0 ("s390: qeth: Fix potential array overrun in cmd/rc lookup")

  == Regression Potential ==
  Low.  Limited to s390.

  == Test Case ==
  A test kernel was built with these two patches and tested by IBM.
  The bug reporter states the test kernel resolved the bug.



  Description:  qeth: Fix potential array overrun in cmd/rc lookup
  Symptom:      Infinite loop when processing a received cmd.
  Problem:      qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used
                to build human-readable messages for received cmd data.

                They store the to-be translated value in the last entry of a
                global array, and then iterate over each entry until they found
                the queried value (and the corresponding message string).
                If there is no prior match, the lookup is intended to stop at
                the final entry (which was previously prepared).

                If two qeth devices are concurrently processing a received cmd,
                one lookup can over-write the last entry of the global array
                while a second lookup is in process. This second lookup will then
                never hit its stop-condition, and loop.
  Solution:     Remove the modification of the global array, and limit the number
                of iterations to the size of the array.

  Upstream-ID: kernel 4.19
  - 065a2cdcbdf8eb9aefb66e1a24b2d684b8b8852b
  - 048a7f8b4ec085d5c56ad4a3bf450389a4aed5f9

  Should also be applied, to all other Ubuntu Releases in the field !

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1800641/+subscriptions