cve/published/2024/CVE-2024-53209.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53209: bnxt_en: Fix receive ring space parameters when XDP is active

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bnxt_en: Fix receive ring space parameters when XDP is active

 The MTU setting at the time an XDP multi-buffer is attached
 determines whether the aggregation ring will be used and the
 rx_skb_func handler.  This is done in bnxt_set_rx_skb_mode().

 If the MTU is later changed, the aggregation ring setting may need
 to be changed and it may become out-of-sync with the settings
 initially done in bnxt_set_rx_skb_mode().  This may result in
 random memory corruption and crashes as the HW may DMA data larger
 than the allocated buffer size, such as:

 BUG: kernel NULL pointer dereference, address: 00000000000003c0
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S         OE      6.1.0-226bf9805506 #1
 Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021
 RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]
 Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f
 RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202
 RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff
 RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380
 RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf
 R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980
 R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990
 FS:  0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <IRQ>
  __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]

 To address the issue, we now call bnxt_set_rx_skb_mode() within
 bnxt_change_mtu() to properly set the AGG rings configuration and
 update rx_skb_func based on the new MTU value.
 Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of
 bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on
 the current MTU.

 The Linux kernel CVE team has assigned CVE-2024-53209 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.45 with commit 421e02bda0570eeb11636544fe97ec3097d1bb92 and fixed in 6.1.140 with commit b7fd784d7c6a1bd927a23e0d06f09a776ee3889b
 	Issue introduced in 6.5 with commit 08450ea98ae98d5a35145b675b76db616046ea11 and fixed in 6.6.85 with commit 7f306c651feab2f3689185f60b94e72b573255db
 	Issue introduced in 6.5 with commit 08450ea98ae98d5a35145b675b76db616046ea11 and fixed in 6.11.11 with commit bf54a7660fc8d2166f41ff1d67a643b15d8b2250
 	Issue introduced in 6.5 with commit 08450ea98ae98d5a35145b675b76db616046ea11 and fixed in 6.12.2 with commit 84353386762a0a16dd444ead76c012e167d89b41
 	Issue introduced in 6.5 with commit 08450ea98ae98d5a35145b675b76db616046ea11 and fixed in 6.13 with commit 3051a77a09dfe3022aa012071346937fdf059033
 	Issue introduced in 6.4.10 with commit 893096a7e5fd61cb666b4ead2fa69324e1f2aade

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53209
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/broadcom/bnxt/bnxt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b7fd784d7c6a1bd927a23e0d06f09a776ee3889b
 	https://git.kernel.org/stable/c/7f306c651feab2f3689185f60b94e72b573255db
 	https://git.kernel.org/stable/c/bf54a7660fc8d2166f41ff1d67a643b15d8b2250
 	https://git.kernel.org/stable/c/84353386762a0a16dd444ead76c012e167d89b41
 	https://git.kernel.org/stable/c/3051a77a09dfe3022aa012071346937fdf059033
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53209: bnxt_en: Fix receive ring space parameters when XDP is active

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bnxt_en: Fix receive ring space parameters when XDP is active

	The MTU setting at the time an XDP multi-buffer is attached
	determines whether the aggregation ring will be used and the
	rx_skb_func handler. This is done in bnxt_set_rx_skb_mode().

	If the MTU is later changed, the aggregation ring setting may need
	to be changed and it may become out-of-sync with the settings
	initially done in bnxt_set_rx_skb_mode(). This may result in
	random memory corruption and crashes as the HW may DMA data larger
	than the allocated buffer size, such as:

	BUG: kernel NULL pointer dereference, address: 00000000000003c0
	PGD 0 P4D 0
	Oops: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1
	Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021
	RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]
	Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f
	RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202
	RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff
	RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380
	RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf
	R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980
	R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990
	FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	PKRU: 55555554
	Call Trace:
	<IRQ>
	__bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]

	To address the issue, we now call bnxt_set_rx_skb_mode() within
	bnxt_change_mtu() to properly set the AGG rings configuration and
	update rx_skb_func based on the new MTU value.
	Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of
	bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on
	the current MTU.

	The Linux kernel CVE team has assigned CVE-2024-53209 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.45 with commit 421e02bda0570eeb11636544fe97ec3097d1bb92 and fixed in 6.1.140 with commit b7fd784d7c6a1bd927a23e0d06f09a776ee3889b
	Issue introduced in 6.5 with commit 08450ea98ae98d5a35145b675b76db616046ea11 and fixed in 6.6.85 with commit 7f306c651feab2f3689185f60b94e72b573255db
	Issue introduced in 6.5 with commit 08450ea98ae98d5a35145b675b76db616046ea11 and fixed in 6.11.11 with commit bf54a7660fc8d2166f41ff1d67a643b15d8b2250
	Issue introduced in 6.5 with commit 08450ea98ae98d5a35145b675b76db616046ea11 and fixed in 6.12.2 with commit 84353386762a0a16dd444ead76c012e167d89b41
	Issue introduced in 6.5 with commit 08450ea98ae98d5a35145b675b76db616046ea11 and fixed in 6.13 with commit 3051a77a09dfe3022aa012071346937fdf059033
	Issue introduced in 6.4.10 with commit 893096a7e5fd61cb666b4ead2fa69324e1f2aade

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53209
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/broadcom/bnxt/bnxt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b7fd784d7c6a1bd927a23e0d06f09a776ee3889b
	https://git.kernel.org/stable/c/7f306c651feab2f3689185f60b94e72b573255db
	https://git.kernel.org/stable/c/bf54a7660fc8d2166f41ff1d67a643b15d8b2250
	https://git.kernel.org/stable/c/84353386762a0a16dd444ead76c012e167d89b41
	https://git.kernel.org/stable/c/3051a77a09dfe3022aa012071346937fdf059033