In the Linux kernel, the following vulnerability has been resolved:
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0.
Fix it in the one caller that had this combination.
The undefined behavior was detected by UBSAN:

UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 ubsan_epilogue+0x5/0x30
 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
 __roundup_pow_of_two+0x25/0x35 [bnxt_re]
 bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
 bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
 bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __kmalloc+0x1b6/0x4f0
 ? create_qp.part.0+0x128/0x1c0 [ib_core]
 ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
 create_qp.part.0+0x128/0x1c0 [ib_core]
 ib_create_qp_kernel+0x50/0xd0 [ib_core]
 create_mad_qp+0x8e/0xe0 [ib_core]
 ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
 ib_mad_init_device+0x2be/0x680 [ib_core]
 add_client_context+0x10d/0x1a0 [ib_core]
 enable_device_and_get+0xe0/0x1d0 [ib_core]
 ib_register_device+0x53c/0x630 [ib_core]
 ? srso_alias_return_thunk+0x5/0xfbef5
 bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
 ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
 auxiliary_bus_probe+0x49/0x80
 ? driver_sysfs_add+0x57/0xc0
 really_probe+0xde/0x340
 ? pm_runtime_barrier+0x54/0x90
 ? __pfx___driver_attach+0x10/0x10
 __driver_probe_device+0x78/0x110
 driver_probe_device+0x1f/0xa0
 __driver_attach+0xba/0x1c0
 bus_for_each_dev+0x8f/0xe0
 bus_add_driver+0x146/0x220
 driver_register+0x72/0xd0
 __auxiliary_driver_register+0x6e/0xd0
 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
 bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
 do_one_initcall+0x5b/0x310
 do_init_module+0x90/0x250
 init_module_from_file+0x86/0xc0
 idempotent_init_module+0x121/0x2b0
 __x64_sys_finit_module+0x5e/0xb0
 do_syscall_64+0x82/0x160
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? syscall_exit_to_user_mode_prepare+0x149/0x170
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? syscall_exit_to_user_mode+0x75/0x230
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_syscall_64+0x8e/0x160
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __count_memcg_events+0x69/0x100
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? count_memcg_events.constprop.0+0x1a/0x30
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? handle_mm_fault+0x1f0/0x300
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_user_addr_fault+0x34e/0x640
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f4e5132821d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
 </TASK>
---[ end trace ]---
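As an added illustration, not the kernel's code or the actual patch: a user-space model of the shift UBSAN flagged (roundup_pow_of_two() is 1UL << fls_long(n - 1), so n == 0 yields a shift exponent of 64) next to a checked caller that refuses the aux_depth != 0 / aux_stride == 0 combination. fls_long() is reimplemented with a gcc built-in and compute_aux_stride() is a hypothetical name.

```c
#include <errno.h>
#include <limits.h>

/* Assumed reimplementation of the kernel's fls_long(): index of the highest
 * set bit, 1-based, 0 for an input of 0. */
static unsigned int fls_long(unsigned long x)
{
    return x ? (unsigned int)(sizeof(x) * CHAR_BIT - __builtin_clzl(x)) : 0;
}

/* Reports whether roundup_pow_of_two(n) would shift by the full type width.
 * n == 0 wraps n - 1 to ULONG_MAX, fls_long() returns 64, and 1UL << 64 is
 * the shift-out-of-bounds UBSAN reported. */
static int is_shift_ub(unsigned long n)
{
    return fls_long(n - 1) >= sizeof(n) * CHAR_BIT;
}

/* Model of the non-constant roundup_pow_of_two() from include/linux/log2.h.
 * Undefined for n == 0, exactly like the kernel helper. */
static unsigned long roundup_pow_of_two_unchecked(unsigned long n)
{
    return 1UL << fls_long(n - 1);
}

/* Hypothetical checked caller: only round a stride when an auxiliary queue is
 * actually requested and the stride is non-zero, so the helper never sees 0.
 * Returns the rounded stride, 0 when no aux queue is used, or -EINVAL for the
 * depth != 0 / stride == 0 combination that triggered the trace above. */
static long compute_aux_stride(unsigned long aux_depth, unsigned long aux_stride)
{
    if (aux_depth == 0)
        return 0;               /* no auxiliary queue: nothing to round */
    if (aux_stride == 0)
        return -EINVAL;         /* would be undefined behaviour: reject */
    return (long)roundup_pow_of_two_unchecked(aux_stride);
}
```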