cve/published/2025/CVE-2025-37911.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37911: bnxt_en: Fix out-of-bound memcpy() during ethtool -w

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bnxt_en: Fix out-of-bound memcpy() during ethtool -w

 When retrieving the FW coredump using ethtool, it can sometimes cause
 memory corruption:

 BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]
 Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45):
 __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]
 ethtool_get_dump_data+0xdc/0x1a0
 __dev_ethtool+0xa1e/0x1af0
 dev_ethtool+0xa8/0x170
 dev_ioctl+0x1b5/0x580
 sock_do_ioctl+0xab/0xf0
 sock_ioctl+0x1ce/0x2e0
 __x64_sys_ioctl+0x87/0xc0
 do_syscall_64+0x5c/0xf0
 entry_SYSCALL_64_after_hwframe+0x78/0x80

 ...

 This happens when copying the coredump segment list in
 bnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command.
 The info->dest_buf buffer is allocated based on the number of coredump
 segments returned by the FW.  The segment list is then DMA'ed by
 the FW and the length of the DMA is returned by FW.  The driver then
 copies this DMA'ed segment list to info->dest_buf.

 In some cases, this DMA length may exceed the info->dest_buf length
 and cause the above BUG condition.  Fix it by capping the copy
 length to not exceed the length of info->dest_buf.  The extra
 DMA data contains no useful information.

 This code path is shared for the HWRM_DBG_COREDUMP_LIST and the
 HWRM_DBG_COREDUMP_RETRIEVE FW commands.  The buffering is different
 for these 2 FW commands.  To simplify the logic, we need to move
 the line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE
 up, so that the new check to cap the copy length will work for both
 commands.

 The Linux kernel CVE team has assigned CVE-2025-37911 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 5.15.182 with commit 69b10dd23ab826d0c7f2d9ab311842251978d0c1
 	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.1.138 with commit 43292b83424158fa6ec458799f3cb9c54d18c484
 	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.6.90 with commit 4d69864915a3a052538e4ba76cd6fd77cfc64ebe
 	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.12.28 with commit 44807af79efd0d78fa36383dd865ddfe7992c0a6
 	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.14.6 with commit 44d81a9ebf0cad92512e0ffdf7412bfe20db66ec
 	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.15 with commit 6b87bd94f34370bbf1dfa59352bed8efab5bf419
 	Issue introduced in 4.19.95 with commit 4bf973a1f84aefb64750bdb3afe72d54de3199d7
 	Issue introduced in 5.4.8 with commit a76837dd731b68cc3b5690470bc9efa2a8e3801a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37911
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/69b10dd23ab826d0c7f2d9ab311842251978d0c1
 	https://git.kernel.org/stable/c/43292b83424158fa6ec458799f3cb9c54d18c484
 	https://git.kernel.org/stable/c/4d69864915a3a052538e4ba76cd6fd77cfc64ebe
 	https://git.kernel.org/stable/c/44807af79efd0d78fa36383dd865ddfe7992c0a6
 	https://git.kernel.org/stable/c/44d81a9ebf0cad92512e0ffdf7412bfe20db66ec
 	https://git.kernel.org/stable/c/6b87bd94f34370bbf1dfa59352bed8efab5bf419
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37911: bnxt_en: Fix out-of-bound memcpy() during ethtool -w

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bnxt_en: Fix out-of-bound memcpy() during ethtool -w

	When retrieving the FW coredump using ethtool, it can sometimes cause
	memory corruption:

	BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]
	Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45):
	__bnxt_get_coredump+0x3ef/0x670 [bnxt_en]
	ethtool_get_dump_data+0xdc/0x1a0
	__dev_ethtool+0xa1e/0x1af0
	dev_ethtool+0xa8/0x170
	dev_ioctl+0x1b5/0x580
	sock_do_ioctl+0xab/0xf0
	sock_ioctl+0x1ce/0x2e0
	__x64_sys_ioctl+0x87/0xc0
	do_syscall_64+0x5c/0xf0
	entry_SYSCALL_64_after_hwframe+0x78/0x80

	...

	This happens when copying the coredump segment list in
	bnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command.
	The info->dest_buf buffer is allocated based on the number of coredump
	segments returned by the FW. The segment list is then DMA'ed by
	the FW and the length of the DMA is returned by FW. The driver then
	copies this DMA'ed segment list to info->dest_buf.

	In some cases, this DMA length may exceed the info->dest_buf length
	and cause the above BUG condition. Fix it by capping the copy
	length to not exceed the length of info->dest_buf. The extra
	DMA data contains no useful information.

	This code path is shared for the HWRM_DBG_COREDUMP_LIST and the
	HWRM_DBG_COREDUMP_RETRIEVE FW commands. The buffering is different
	for these 2 FW commands. To simplify the logic, we need to move
	the line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE
	up, so that the new check to cap the copy length will work for both
	commands.

	The Linux kernel CVE team has assigned CVE-2025-37911 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 5.15.182 with commit 69b10dd23ab826d0c7f2d9ab311842251978d0c1
	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.1.138 with commit 43292b83424158fa6ec458799f3cb9c54d18c484
	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.6.90 with commit 4d69864915a3a052538e4ba76cd6fd77cfc64ebe
	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.12.28 with commit 44807af79efd0d78fa36383dd865ddfe7992c0a6
	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.14.6 with commit 44d81a9ebf0cad92512e0ffdf7412bfe20db66ec
	Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.15 with commit 6b87bd94f34370bbf1dfa59352bed8efab5bf419
	Issue introduced in 4.19.95 with commit 4bf973a1f84aefb64750bdb3afe72d54de3199d7
	Issue introduced in 5.4.8 with commit a76837dd731b68cc3b5690470bc9efa2a8e3801a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37911
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/69b10dd23ab826d0c7f2d9ab311842251978d0c1
	https://git.kernel.org/stable/c/43292b83424158fa6ec458799f3cb9c54d18c484
	https://git.kernel.org/stable/c/4d69864915a3a052538e4ba76cd6fd77cfc64ebe
	https://git.kernel.org/stable/c/44807af79efd0d78fa36383dd865ddfe7992c0a6
	https://git.kernel.org/stable/c/44d81a9ebf0cad92512e0ffdf7412bfe20db66ec
	https://git.kernel.org/stable/c/6b87bd94f34370bbf1dfa59352bed8efab5bf419