{
  "id": "CVE-2024-53209",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-12-27T14:15:28.793",
  "lastModified": "2025-03-06T12:47:14.427",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix receive ring space parameters when XDP is active\n\nThe MTU setting at the time an XDP multi-buffer is attached\ndetermines whether the aggregation ring will be used and the\nrx_skb_func handler.  This is done in bnxt_set_rx_skb_mode().\n\nIf the MTU is later changed, the aggregation ring setting may need\nto be changed and it may become out-of-sync with the settings\ninitially done in bnxt_set_rx_skb_mode().  This may result in\nrandom memory corruption and crashes as the HW may DMA data larger\nthan the allocated buffer size, such as:\n\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S         OE      6.1.0-226bf9805506 #1\nHardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021\nRIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]\nCode: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f\nRSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202\nRAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff\nRDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380\nRBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf\nR10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980\nR13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990\nFS:  0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <IRQ>\n __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]\n\nTo address the issue, we now call bnxt_set_rx_skb_mode() within\nbnxt_change_mtu() to properly set the AGG rings configuration and\nupdate rx_skb_func based on the new MTU value.\nAdditionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of\nbnxt_set_rx_skb_mode() to make sure it gets set or cleared based on\nthe current MTU."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bnxt_en: Corregir par\u00e1metros de espacio de anillo de recepci\u00f3n cuando XDP est\u00e1 activo La configuraci\u00f3n de MTU en el momento en que se adjunta un multi-buffer XDP determina si se utilizar\u00e1 el anillo de agregaci\u00f3n y el controlador rx_skb_func. Esto se hace en bnxt_set_rx_skb_mode(). Si la MTU se cambia m\u00e1s tarde, es posible que sea necesario cambiar la configuraci\u00f3n del anillo de agregaci\u00f3n y que deje de estar sincronizada con la configuraci\u00f3n realizada inicialmente en bnxt_set_rx_skb_mode(). Esto puede provocar una corrupci\u00f3n aleatoria de la memoria y fallas, ya que el hardware puede DMA datos m\u00e1s grandes que el tama\u00f1o de b\u00fafer asignado, como: ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 00000000000003c0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 17 PID: 0 Comm: swapper/17 Kdump: cargado Tainted: GS OE 6.1.0-226bf9805506 #1 Nombre del hardware: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 26/08/2021 RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en] C\u00f3digo: 8b 95 70 es ff es ff es 4c 8b 9d 48 es ff es ff es 66 41 89 87 b4 00 00 00 e9 0b f7 es ff es 0f b7 43 0a 49 8b 95 a8 04 00 00 25 es ff es 0f 00 00 &lt;0f&gt; b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202 RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 000000000000007ff RDX: 00000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380 RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf R10: 000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980 R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990 FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Seguimiento de llamadas:  __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en] Para solucionar el problema, ahora llamamos a bnxt_set_rx_skb_mode() dentro de bnxt_change_mtu() para configurar correctamente la configuraci\u00f3n de anillos AGG y actualizar rx_skb_func en funci\u00f3n del nuevo valor de MTU. Adem\u00e1s, BNXT_FLAG_NO_AGG_RINGS se borra al comienzo de bnxt_set_rx_skb_mode() para asegurarnos de que se configure o borre en funci\u00f3n de la MTU actual."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.1.45",
              "versionEndExcluding": "6.2",
              "matchCriteriaId": "8E203173-C610-4A6B-9280-34E2AAB018F8"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.4.10",
              "versionEndExcluding": "6.11.11",
              "matchCriteriaId": "995110A7-7FE4-4599-9493-806A6208BF8A"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.12",
              "versionEndExcluding": "6.12.2",
              "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/3051a77a09dfe3022aa012071346937fdf059033",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/84353386762a0a16dd444ead76c012e167d89b41",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/bf54a7660fc8d2166f41ff1d67a643b15d8b2250",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    }
  ]
}