This bug was fixed in the package linux - 5.15.0-138.148
---------------
linux (5.15.0-138.148) jammy; urgency=medium
* jammy/linux: 5.15.0-138.148 -proposed tracker (LP: #2102587)
* ipsec_offload in rtnetlink.sh from ubuntu_kselftests_net fails on O/J (LP: #2096976)
- SAUCE: selftest: netfilter: fix null IP field in kci_test_ipsec_offload
* CVE-2025-21756
- vsock: Keep the binding until socket destruction
- vsock: Orphan socket after transport release
* CVE-2024-50256
- netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
* CVE-2025-21702
- pfifo_tail_enqueue: Drop new packet when sch->limit == 0
* CVE-2025-21703
- netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
* CVE-2025-21700
- net: sched: Disallow replacing of child qdisc from one parent to another
* CVE-2024-46826
- ELF: fix kernel.randomize_va_space double read
* CVE-2024-56651
- can: hi311x: hi3110_can_ist(): fix potential use-after-free
* iBFT iSCSI out-of-bounds shift UBSAN warning (LP: #2097824)
- iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
* CVE-2024-50248
- ntfs3: Add bounds checking to mi_enum_attr()
- fs/ntfs3: Sequential field availability check in mi_enum_attr()
* CVE-2022-0995
- watch_queue: Use the bitmap API when applicable
* CVE-2024-26837
- net: bridge: switchdev: Skip MDB replays of deferred events on offload
* CVE-2025-21701
- net: avoid race between device unregistration and ethnl ops
* CVE-2024-57798
- drm/dp_mst: Skip CSN if topology probing is not done yet
- drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()
* CVE-2024-56658
- net: defer final 'struct net' free in netns dismantle
* CVE-2024-35864
- smb: client: fix potential UAF in smb2_is_valid_lease_break()
* CVE-2024-35864/CVE-2024-26928
- smb: client: fix potential UAF in cifs_debug_files_proc_show()
-- Stefan Bader <[email protected]> Fri, 14 Mar 2025 15:32:05 +0100
https://bugs.launchpad.net/bugs/2097824
Title:
iBFT iSCSI out-of-bounds shift UBSAN warning
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
Won't Fix
Status in linux source package in Jammy:
Fix Released
Status in linux source package in Noble:
Fix Committed
Status in linux source package in Oracular:
Fix Released
Status in linux source package in Plucky:
In Progress
Bug description:
[Impact]
During an iSCSI boot in an IPv6 environment, `iscsistart` continues to access
the `/sys/firmware/ibft/ethernetX/subnet-mask` entry, despite subnet masks
being irrelevant for IPv6. Since the IPv6 prefix length is 64, this leads to a
negative shift exponent, triggering a UBSAN warning.
[Fix]
A commit has been made to fix this issue.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=07e0d99a2f701123ad3104c0f1a1e66bce74d6e5
[Test Plan]
1. Set up a machine with an iSCSI backend in an IPv6-only environment.
2. Power on the machine and verify that the following error does not occur:
[ 105.283243] UBSAN: shift-out-of-bounds in /build/linux-oracle-cD7q0d/linux-oracle-6.8.0/drivers/firmware/iscsi_ibft.c:313:9
[ 105.432609] shift exponent -32 is negative
[ 105.498209] CPU: 106 PID: 2536 Comm: iscsistart Not tainted 6.8.0-1008-oracle #8-Ubuntu
[ 105.610611] Hardware name: Oracle Corporation ORACLE SERVER E4-2c/Asm,MB Tray,2U,E4-2c, BIOS 78016100 04/11/2024
[ 105.749047] Call Trace:
[ 105.794939] <TASK>
[ 105.832503] dump_stack_lvl+0x76/0xa0
[ 105.876679] dump_stack+0x10/0x20
[ 105.916742] __ubsan_handle_shift_out_of_bounds+0x199/0x370
[ 105.983788] ibft_attr_show_nic.cold+0x17/0x2c [iscsi_ibft]
[ 106.050817] iscsi_boot_show_attribute+0x3f/0x70 [iscsi_boot_sysfs]
[ 106.126167] sysfs_kf_seq_show+0xa7/0x120
[ 106.174475] kernfs_seq_show+0x27/0x40
[ 106.219654] seq_read_iter+0x132/0x4b0
[ 106.264824] kernfs_fop_read_iter+0x34/0x40
[ 106.315190] vfs_read+0x258/0x390
[ 106.355160] ksys_read+0x73/0x100
[ 106.395116] __x64_sys_read+0x19/0x30
[ 106.439234] x64_sys_call+0x1ada/0x25c0
[ 106.485422] do_syscall_64+0x7f/0x180
[ 106.529528] ? srso_alias_return_thunk+0x5/0xfbef5
[ 106.587154] ? syscall_exit_to_user_mode+0x89/0x260
[ 106.645810] ? srso_alias_return_thunk+0x5/0xfbef5
[ 106.703424] ? do_syscall_64+0x8c/0x180
[ 106.749594] ? srso_alias_return_thunk+0x5/0xfbef5
[ 106.807197] ? __do_sys_newfstatat+0x44/0x90
[ 106.858552] ? srso_alias_return_thunk+0x5/0xfbef5
[ 106.916147] ? syscall_exit_to_user_mode+0x89/0x260
[ 106.974771] ? srso_alias_return_thunk+0x5/0xfbef5
[ 107.032350] ? do_syscall_64+0x8c/0x180
[ 107.078488] ? do_syscall_64+0x8c/0x180
[ 107.124620] ? exc_page_fault+0x94/0x190
[ 107.171789] entry_SYSCALL_64_after_hwframe+0x78/0x80
[ 107.232475] RIP: 0033:0x764465a69a61
[ 107.275484] Code: 00 48 8b 15 b9 73 0e 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 40 c4 01 00 f3 0f 1e fa 80 3d e5 f5 0e 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
[ 107.500766] RSP: 002b:00007ffc83fa6798 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 107.591622] RAX: ffffffffffffffda RBX: 00007ffc83fa6840 RCX: 0000764465a69a61
[ 107.677276] RDX: 0000000000000100 RSI: 00007ffc83fa6840 RDI: 0000000000000003
[ 107.762929] RBP: 00007ffc83fa6f80 R08: 00005d0f5c8b7fb4 R09: 0000000000000007
[ 107.848624] R10: 0000000000000000 R11: 0000000000000246 R12: 00005d0f5c8b7fb4
[ 107.934283] R13: 00007ffc83fa6940 R14: 00005d0f5c8bf650 R15: 0000000000000003
[ 108.019949] </TASK>
[Where problems could occur]
The patch resolves the UBSAN warning that occurs when accessing the
`/sys/firmware/ibft/ethernetX/subnet-mask` entry. However, if any regressions
occur, the entry may display an incorrect value.
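The arithmetic behind the warning described under [Impact], as an added example that is not the kernel's code and not part of the original report: a 32-bit mask derived with a shift of (32 - prefix length) gets exponent -32 for a prefix length of 64. The helper names and the choice to saturate to an all-ones mask for over-long prefixes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

enum mask_status { MASK_OK, MASK_PREFIX_TOO_LONG };

/* Exponent an unguarded "1 << (32 - prefix)" would use; negative for prefix > 32. */
static int unguarded_exponent(unsigned int prefix)
{
    return 32 - (int)prefix;
}

/*
 * Hypothetical helper, not the kernel's function: host-order IPv4 netmask
 * for a prefix length, never evaluating an out-of-range shift.
 */
static enum mask_status prefix_to_mask(unsigned int prefix, uint32_t *mask)
{
    if (prefix > 32) {            /* e.g. an IPv6 prefix length of 64 */
        *mask = UINT32_MAX;       /* assumption: saturate to all ones */
        return MASK_PREFIX_TOO_LONG;
    }
    if (prefix == 0) {            /* a shift by 32 is undefined for a 32-bit type */
        *mask = 0;
        return MASK_OK;
    }
    *mask = (uint32_t)~((UINT32_C(1) << (32 - prefix)) - 1);
    return MASK_OK;
}

int main(void)
{
    /* Constructed sample prefix lengths; 64 is the value from the report. */
    const unsigned int samples[] = { 0, 8, 24, 32, 64 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t mask;
        enum mask_status st = prefix_to_mask(samples[i], &mask);
        printf("prefix %2u: exponent %3d, mask 0x%08x%s\n", samples[i],
               unguarded_exponent(samples[i]), (unsigned int)mask,
               st == MASK_OK ? "" : " (prefix too long for IPv4)");
    }
    return 0;
}
```

Building the unguarded expression with `-fsanitize=shift` is how a user-space reproduction would surface the same class of report that UBSAN printed in the trace above.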