cve/published/2021/CVE-2021-47015.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47015: bnxt_en: Fix RX consumer index logic in the error path.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bnxt_en: Fix RX consumer index logic in the error path.

 In bnxt_rx_pkt(), the RX buffers are expected to complete in order.
 If the RX consumer index indicates an out of order buffer completion,
 it means we are hitting a hardware bug and the driver will abort all
 remaining RX packets and reset the RX ring.  The RX consumer index
 that we pass to bnxt_discard_rx() is not correct.  We should be
 passing the current index (tmp_raw_cons) instead of the old index
 (raw_cons).  This bug can cause us to be at the wrong index when
 trying to abort the next RX packet.  It can crash like this:

  #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
  #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232
  #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e
  #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978
  #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0
  #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e
  #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24
  #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e
  #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12
  #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5
     [exception RIP: bnxt_rx_pkt+237]
     RIP: ffffffffc0259cdd  RSP: ffff9bbcdf5c3d98  RFLAGS: 00010213
     RAX: 000000005dd8097f  RBX: ffff9ba4cb11b7e0  RCX: ffffa923cf6e9000
     RDX: 0000000000000fff  RSI: 0000000000000627  RDI: 0000000000001000
     RBP: ffff9bbcdf5c3e60   R8: 0000000000420003   R9: 000000000000020d
     R10: ffffa923cf6ec138  R11: ffff9bbcdf5c3e83  R12: ffff9ba4d6f928c0
     R13: ffff9ba4cac28080  R14: ffff9ba4cb11b7f0  R15: ffff9ba4d5a30000
     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018

 The Linux kernel CVE team has assigned CVE-2021-47015 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.4.119 with commit b1523e4ba293b2a32d9fabaf70c1dcaa6e3e2847
 	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.10.37 with commit 4fcaad2b7dac3f16704f8118c7e481024ddbd3ed
 	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.11.21 with commit e187ef83c04a5d23e68d39cfdff1a1931e29890c
 	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.12.4 with commit 3fbc5bc651d688fbea2a59cdc91520a2f5334d0a
 	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.13 with commit bbd6f0a948139970f4a615dff189d9a503681a39
 	Issue introduced in 4.9.169 with commit 8e302e8e10b05165ed21273539a1e6a83ab93e9e
 	Issue introduced in 4.14.112 with commit 46281ee85b651b0df686001651b965d17b8e2c67
 	Issue introduced in 4.19.35 with commit d2d055a554036b0240f296743942b8111fd4ce97
 	Issue introduced in 5.0.8 with commit aecbbae850ede49183fa0b73c7445531a47669cf

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47015
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/broadcom/bnxt/bnxt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b1523e4ba293b2a32d9fabaf70c1dcaa6e3e2847
 	https://git.kernel.org/stable/c/4fcaad2b7dac3f16704f8118c7e481024ddbd3ed
 	https://git.kernel.org/stable/c/e187ef83c04a5d23e68d39cfdff1a1931e29890c
 	https://git.kernel.org/stable/c/3fbc5bc651d688fbea2a59cdc91520a2f5334d0a
 	https://git.kernel.org/stable/c/bbd6f0a948139970f4a615dff189d9a503681a39
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47015: bnxt_en: Fix RX consumer index logic in the error path.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bnxt_en: Fix RX consumer index logic in the error path.

	In bnxt_rx_pkt(), the RX buffers are expected to complete in order.
	If the RX consumer index indicates an out of order buffer completion,
	it means we are hitting a hardware bug and the driver will abort all
	remaining RX packets and reset the RX ring. The RX consumer index
	that we pass to bnxt_discard_rx() is not correct. We should be
	passing the current index (tmp_raw_cons) instead of the old index
	(raw_cons). This bug can cause us to be at the wrong index when
	trying to abort the next RX packet. It can crash like this:

	#0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
	#1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232
	#2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e
	#3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978
	#4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0
	#5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e
	#6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24
	#7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e
	#8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12
	#9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5
	[exception RIP: bnxt_rx_pkt+237]
	RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213
	RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000
	RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000
	RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d
	R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0
	R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000
	ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018

	The Linux kernel CVE team has assigned CVE-2021-47015 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.4.119 with commit b1523e4ba293b2a32d9fabaf70c1dcaa6e3e2847
	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.10.37 with commit 4fcaad2b7dac3f16704f8118c7e481024ddbd3ed
	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.11.21 with commit e187ef83c04a5d23e68d39cfdff1a1931e29890c
	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.12.4 with commit 3fbc5bc651d688fbea2a59cdc91520a2f5334d0a
	Issue introduced in 5.1 with commit a1b0e4e684e9c300b9e759b46cb7a0147e61ddff and fixed in 5.13 with commit bbd6f0a948139970f4a615dff189d9a503681a39
	Issue introduced in 4.9.169 with commit 8e302e8e10b05165ed21273539a1e6a83ab93e9e
	Issue introduced in 4.14.112 with commit 46281ee85b651b0df686001651b965d17b8e2c67
	Issue introduced in 4.19.35 with commit d2d055a554036b0240f296743942b8111fd4ce97
	Issue introduced in 5.0.8 with commit aecbbae850ede49183fa0b73c7445531a47669cf

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47015
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/broadcom/bnxt/bnxt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b1523e4ba293b2a32d9fabaf70c1dcaa6e3e2847
	https://git.kernel.org/stable/c/4fcaad2b7dac3f16704f8118c7e481024ddbd3ed
	https://git.kernel.org/stable/c/e187ef83c04a5d23e68d39cfdff1a1931e29890c
	https://git.kernel.org/stable/c/3fbc5bc651d688fbea2a59cdc91520a2f5334d0a
	https://git.kernel.org/stable/c/bbd6f0a948139970f4a615dff189d9a503681a39