CVE-2024-44933

{"id": "CVE-2024-44933", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-26T11:15:05.547", "references": [{"url": "https://git.kernel.org/stable/c/abd573e9ad2ba64eaa6418a5f4eec819de28f205", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/da03f5d1b2c319a2b74fe76edeadcd8fa5f44376", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()\n\nA recent commit has modified the code in __bnxt_reserve_rings() to\nset the default RSS indirection table to default only when the number\nof RX rings is changing. While this works for newer firmware that\nrequires RX ring reservations, it causes the regression on older\nfirmware not requiring RX ring resrvations (BNXT_NEW_RM() returns\nfalse).\n\nWith older firmware, RX ring reservations are not required and so\nhw_resc->resv_rx_rings is not always set to the proper value. The\ncomparison:\n\nif (old_rx_rings != bp->hw_resc.resv_rx_rings)\n\nin __bnxt_reserve_rings() may be false even when the RX rings are\nchanging. This will cause __bnxt_reserve_rings() to skip setting\nthe default RSS indirection table to default to match the current\nnumber of RX rings. This may later cause bnxt_fill_hw_rss_tbl() to\nuse an out-of-range index.\n\nWe already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this\nscenario. We just need to move it up in bnxt_need_reserve_rings()\nto be called unconditionally when using older firmware. Without the\nfix, if the TX rings are changing, we'll skip the\nbnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also\nskip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained\nin the last paragraph. Without setting the default RSS indirection\ntable to default, it causes the regression:\n\nBUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40\nRead of size 2 at addr ffff8881c5809618 by task ethtool/31525\nCall Trace:\n__bnxt_hwrm_vnic_set_rss+0xb79/0xe40\n bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460\n __bnxt_setup_vnic_p5+0x12e/0x270\n __bnxt_open_nic+0x2262/0x2f30\n bnxt_open_nic+0x5d/0xf0\n ethnl_set_channels+0x5d4/0xb30\n ethnl_default_set_doit+0x2f1/0x620"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bnxt_en: corrige la memoria fuera de los l\u00edmites en bnxt_fill_hw_rss_tbl() Una confirmaci\u00f3n reciente modific\u00f3 el c\u00f3digo en __bnxt_reserve_rings() para configurar la tabla de direccionamiento indirecto RSS predeterminada solo cuando el n\u00famero de Los anillos RX est\u00e1n cambiando. Si bien esto funciona para firmware m\u00e1s nuevo que requiere reservas de anillo RX, provoca la regresi\u00f3n en firmware m\u00e1s antiguo que no requiere reservas de anillo RX (BNXT_NEW_RM() devuelve falso). Con firmware anterior, no se requieren reservas de anillo RX y, por lo tanto, hw_resc->resv_rx_rings no siempre est\u00e1 configurado en el valor adecuado. La comparaci\u00f3n: if (old_rx_rings != bp->hw_resc.resv_rx_rings) en __bnxt_reserve_rings() puede ser falso incluso cuando los anillos RX est\u00e1n cambiando. Esto har\u00e1 que __bnxt_reserve_rings() omita la configuraci\u00f3n de la tabla de direccionamiento indirecto RSS predeterminada para que coincida con el n\u00famero actual de anillos RX. Posteriormente, esto puede provocar que bnxt_fill_hw_rss_tbl() utilice un \u00edndice fuera de rango. Ya tenemos bnxt_check_rss_tbl_no_rmgr() para manejar exactamente este escenario. Solo necesitamos moverlo hacia arriba en bnxt_need_reserve_rings() para que se llame incondicionalmente cuando usemos firmware anterior. Sin la soluci\u00f3n, si los anillos TX est\u00e1n cambiando, omitiremos la llamada a bnxt_check_rss_tbl_no_rmgr() y __bnxt_reserve_rings() tambi\u00e9n puede omitir la llamada a bnxt_set_dflt_rss_indir_tbl() por el motivo explicado en el \u00faltimo p\u00e1rrafo. Sin configurar la tabla de direccionamiento indirecto RSS predeterminada, se produce la regresi\u00f3n: ERROR: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40 Lectura de tama\u00f1o 2 en la direcci\u00f3n ffff8881c5809618 mediante la tarea ethtool/31525 Call Trace: __bnxt_hwrm_vnic_set_rss+0 xb79 /0xe40 bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460 __bnxt_setup_vnic_p5+0x12e/0x270 __bnxt_open_nic+0x2262/0x2f30 bnxt_open_nic+0x5d/0xf0 ethnl_set_channels+0x5d4/0 xb30 ethnl_default_set_doit+0x2f1/0x620"}], "lastModified": "2024-08-27T16:08:38.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:6.10.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00FEED69-9465-4F0C-870C-DE98C3FFFD94"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}