[Kernel-packages] [Bug 1800641] Re: [Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup

Tue, 30 Oct 2018 07:41:02 -0700 

These are the same two commits requested in bug 1800639.  Is that
correct?  If so, I'll mark this bug as a duplicate of that bug.

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: linux (Ubuntu Cosmic)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: linux (Ubuntu)
     Assignee: Skipper Bug Screeners (skipper-screen-team) => Joseph Salisbury 
(jsalisbury)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1800641

Title:
  [Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup

Status in Ubuntu on IBM z Systems:
  Triaged
Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Bionic:
  Triaged
Status in linux source package in Cosmic:
  Triaged

Bug description:
  Description:  qeth: Fix potential array overrun in cmd/rc lookup
  Symptom:      Infinite loop when processing a received cmd.
  Problem:      qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used
                to build human-readable messages for received cmd data.

                They store the to-be translated value in the last entry of a
                global array, and then iterate over each entry until they found
                the queried value (and the corresponding message string).
                If there is no prior match, the lookup is intended to stop at
                the final entry (which was previously prepared).

                If two qeth devices are concurrently processing a received cmd,
                one lookup can over-write the last entry of the global array
                while a second lookup is in process. This second lookup will 
then
                never hit its stop-condition, and loop.
  Solution:     Remove the modification of the global array, and limit the 
number
                of iterations to the size of the array.

  
  Upstream-ID: kernel 4.19
  - 065a2cdcbdf8eb9aefb66e1a24b2d684b8b8852b
  - 048a7f8b4ec085d5c56ad4a3bf450389a4aed5f9

  Should also be applied, to all other Ubuntu Releases in the field !

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1800641/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to