2.5 KiB
CVE-2024-44933
Description
In the Linux kernel, the following vulnerability has been resolved:bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()A recent commit has modified the code in __bnxt_reserve_rings() toset the default RSS indirection table to default only when the numberof RX rings is changing. While this works for newer firmware thatrequires RX ring reservations, it causes the regression on olderfirmware not requiring RX ring resrvations (BNXT_NEW_RM() returnsfalse).With older firmware, RX ring reservations are not required and sohw_resc->resv_rx_rings is not always set to the proper value. Thecomparison:if (old_rx_rings != bp->hw_resc.resv_rx_rings)in __bnxt_reserve_rings() may be false even when the RX rings arechanging. This will cause __bnxt_reserve_rings() to skip settingthe default RSS indirection table to default to match the currentnumber of RX rings. This may later cause bnxt_fill_hw_rss_tbl() touse an out-of-range index.We already have bnxt_check_rss_tbl_no_rmgr() to handle exactly thisscenario. We just need to move it up in bnxt_need_reserve_rings()to be called unconditionally when using older firmware. Without thefix, if the TX rings are changing, we'll skip thebnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may alsoskip the bnxt_set_dflt_rss_indir_tbl() call for the reason explainedin the last paragraph. Without setting the default RSS indirectiontable to default, it causes the regression:BUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40Read of size 2 at addr ffff8881c5809618 by task ethtool/31525Call Trace:__bnxt_hwrm_vnic_set_rss+0xb79/0xe40 bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460 __bnxt_setup_vnic_p5+0x12e/0x270 __bnxt_open_nic+0x2262/0x2f30 bnxt_open_nic+0x5d/0xf0 ethnl_set_channels+0x5d4/0xb30 ethnl_default_set_doit+0x2f1/0x620
POC
Reference
No PoCs from references.