CVE-2024-38540
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-38540
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38540.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-38540
- Downstream
- Related
- Published
- 2024-06-19T13:35:15Z
- Modified
- 2025-10-15T12:41:29.745824Z
- Severity
-
- 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bnxtre: avoid shift undefined behavior in bnxtqpliballocinit_hwq
Undefined behavior is triggered when bnxtqpliballocinithwq is called with hwqattr->auxdepth != 0 and hwqattr->auxstride == 0. In that case, "rounduppowoftwo(hwqattr->auxstride)" gets called. rounduppowoftwo is documented as undefined for 0.
Fix it in the one caller that had this combination.
The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ubsanepilogue+0x5/0x30 ubsanhandleshiftoutofbounds.cold+0x61/0xec _rounduppowoftwo+0x25/0x35 [bnxtre] bnxtqpliballocinithwq+0xa1/0x470 [bnxtre] bnxtqplibcreateqp+0x19e/0x840 [bnxtre] bnxtrecreateqp+0x9b1/0xcd0 [bnxtre] ? srsoaliasreturnthunk+0x5/0xfbef5 ? srsoaliasreturnthunk+0x5/0xfbef5 ? _kmalloc+0x1b6/0x4f0 ? createqp.part.0+0x128/0x1c0 [ibcore] ? _pfxbnxtrecreateqp+0x10/0x10 [bnxtre] createqp.part.0+0x128/0x1c0 [ibcore] ibcreateqpkernel+0x50/0xd0 [ibcore] createmadqp+0x8e/0xe0 [ibcore] ? _pfxqpeventhandler+0x10/0x10 [ibcore] ibmadinitdevice+0x2be/0x680 [ibcore] addclientcontext+0x10d/0x1a0 [ibcore] enabledeviceandget+0xe0/0x1d0 [ibcore] ibregisterdevice+0x53c/0x630 [ibcore] ? srsoaliasreturnthunk+0x5/0xfbef5 bnxtreprobe+0xbd8/0xe50 [bnxtre] ? _pfxbnxtreprobe+0x10/0x10 [bnxtre] auxiliarybusprobe+0x49/0x80 ? driversysfsadd+0x57/0xc0 reallyprobe+0xde/0x340 ? pmruntimebarrier+0x54/0x90 ? _pfxdriverattach+0x10/0x10 _driverprobedevice+0x78/0x110 driverprobedevice+0x1f/0xa0 _driverattach+0xba/0x1c0 busforeachdev+0x8f/0xe0 busadddriver+0x146/0x220 driverregister+0x72/0xd0 _auxiliarydriverregister+0x6e/0xd0 ? _pfxbnxtremodinit+0x10/0x10 [bnxtre] bnxtremodinit+0x3e/0xff0 [bnxtre] ? _pfxbnxtremodinit+0x10/0x10 [bnxtre] dooneinitcall+0x5b/0x310 doinitmodule+0x90/0x250 initmodulefromfile+0x86/0xc0 idempotentinitmodule+0x121/0x2b0 _x64sysfinitmodule+0x5e/0xb0 dosyscall64+0x82/0x160 ? srsoaliasreturnthunk+0x5/0xfbef5 ? syscallexittousermodeprepare+0x149/0x170 ? srsoaliasreturnthunk+0x5/0xfbef5 ? syscallexittousermode+0x75/0x230 ? srsoaliasreturnthunk+0x5/0xfbef5 ? dosyscall64+0x8e/0x160 ? srsoaliasreturnthunk+0x5/0xfbef5 ? _countmemcgevents+0x69/0x100 ? srsoaliasreturnthunk+0x5/0xfbef5 ? countmemcgevents.constprop.0+0x1a/0x30 ? srsoaliasreturnthunk+0x5/0xfbef5 ? handlemmfault+0x1f0/0x300 ? srsoaliasreturnthunk+0x5/0xfbef5 ? douseraddrfault+0x34e/0x640 ? srsoaliasreturnthunk+0x5/0xfbef5 ? srsoaliasreturnthunk+0x5/0xfbef5 entrySYSCALL64afterhwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIGRAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 </TASK> ---[ end trace ]---
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc
- https://git.kernel.org/stable/c/66a9937187ac9b5c5ffff07b8b284483e56804d1
- https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659
- https://git.kernel.org/stable/c/84d2f29152184f0d72ed7c9648c4ee6927df4e59
- https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753
- https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0c4dcd602817502bb3dced7a834a13ef717d65a4Fixed66a9937187ac9b5c5ffff07b8b284483e56804d1
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0c4dcd602817502bb3dced7a834a13ef717d65a4Fixed84d2f29152184f0d72ed7c9648c4ee6927df4e59
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0c4dcd602817502bb3dced7a834a13ef717d65a4Fixeda658f011d89dd20cf2c7cb4760ffd79201700b98
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0c4dcd602817502bb3dced7a834a13ef717d65a4Fixed627493443f3a8458cb55cdae1da254a7001123bc
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0c4dcd602817502bb3dced7a834a13ef717d65a4Fixed8b799c00cea6fcfe5b501bbaeb228c8821acb753
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0c4dcd602817502bb3dced7a834a13ef717d65a4Fixed78cfd17142ef70599d6409cbd709d94b3da58659
Affected versions
v5.*
v6.*
Database specific
{
"vanir_signatures": [
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"65776851917497132738259424665258051287",
"323981950100286316100816247466651227893",
"281173768437573383211836589740681202288",
"46213123452445462520971055677249057336"
],
"threshold": 0.9
},
"id": "CVE-2024-38540-105ed463",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@66a9937187ac9b5c5ffff07b8b284483e56804d1"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c",
"function": "bnxt_qplib_create_qp"
},
"deprecated": false,
"digest": {
"length": 5923.0,
"function_hash": "217995477216188391660237452190485782292"
},
"id": "CVE-2024-38540-18810a55",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78cfd17142ef70599d6409cbd709d94b3da58659"
},
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"65776851917497132738259424665258051287",
"43530322489072236618402815583906666953",
"13429974276297825451271092887674925227",
"73991523915691768006038367963265839963"
],
"threshold": 0.9
},
"id": "CVE-2024-38540-31ed8579",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8b799c00cea6fcfe5b501bbaeb228c8821acb753"
},
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"65776851917497132738259424665258051287",
"43530322489072236618402815583906666953",
"13429974276297825451271092887674925227",
"73991523915691768006038367963265839963"
],
"threshold": 0.9
},
"id": "CVE-2024-38540-71cf4839",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a658f011d89dd20cf2c7cb4760ffd79201700b98"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c",
"function": "bnxt_qplib_create_qp"
},
"deprecated": false,
"digest": {
"length": 5923.0,
"function_hash": "217995477216188391660237452190485782292"
},
"id": "CVE-2024-38540-74d1f000",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8b799c00cea6fcfe5b501bbaeb228c8821acb753"
},
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"65776851917497132738259424665258051287",
"43530322489072236618402815583906666953",
"13429974276297825451271092887674925227",
"73991523915691768006038367963265839963"
],
"threshold": 0.9
},
"id": "CVE-2024-38540-a00ce16d",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78cfd17142ef70599d6409cbd709d94b3da58659"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c",
"function": "bnxt_qplib_create_qp"
},
"deprecated": false,
"digest": {
"length": 5923.0,
"function_hash": "217995477216188391660237452190485782292"
},
"id": "CVE-2024-38540-b1d8808e",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@627493443f3a8458cb55cdae1da254a7001123bc"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c",
"function": "bnxt_qplib_create_qp"
},
"deprecated": false,
"digest": {
"length": 5923.0,
"function_hash": "217995477216188391660237452190485782292"
},
"id": "CVE-2024-38540-ca6addbf",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a658f011d89dd20cf2c7cb4760ffd79201700b98"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c",
"function": "bnxt_qplib_create_qp"
},
"deprecated": false,
"digest": {
"length": 5295.0,
"function_hash": "339195989780640466712949513708766862790"
},
"id": "CVE-2024-38540-caff30df",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@66a9937187ac9b5c5ffff07b8b284483e56804d1"
},
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "drivers/infiniband/hw/bnxt_re/qplib_fp.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"65776851917497132738259424665258051287",
"43530322489072236618402815583906666953",
"13429974276297825451271092887674925227",
"73991523915691768006038367963265839963"
],
"threshold": 0.9
},
"id": "CVE-2024-38540-cb603732",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@627493443f3a8458cb55cdae1da254a7001123bc"
}
]
}