CVE-2024-44933

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-44933
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-44933.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-44933
Downstream
Published
2024-08-26T10:11:24Z
Modified
2025-10-22T01:21:03.733583Z
Summary
bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()
Details

In the Linux kernel, the following vulnerability has been resolved:

bnxten : Fix memory out-of-bounds in bnxtfillhwrss_tbl()

A recent commit has modified the code in _bnxtreserverings() to set the default RSS indirection table to default only when the number of RX rings is changing. While this works for newer firmware that requires RX ring reservations, it causes the regression on older firmware not requiring RX ring resrvations (BNXTNEW_RM() returns false).

With older firmware, RX ring reservations are not required and so hwresc->resvrx_rings is not always set to the proper value. The comparison:

if (oldrxrings != bp->hwresc.resvrx_rings)

in _bnxtreserverings() may be false even when the RX rings are changing. This will cause _bnxtreserverings() to skip setting the default RSS indirection table to default to match the current number of RX rings. This may later cause bnxtfillhwrsstbl() to use an out-of-range index.

We already have bnxtcheckrsstblnormgr() to handle exactly this scenario. We just need to move it up in bnxtneedreserverings() to be called unconditionally when using older firmware. Without the fix, if the TX rings are changing, we'll skip the bnxtcheckrsstblnormgr() call and _bnxtreserverings() may also skip the bnxtsetdfltrssindir_tbl() call for the reason explained in the last paragraph. Without setting the default RSS indirection table to default, it causes the regression:

BUG: KASAN: slab-out-of-bounds in _bnxthwrmvnicsetrss+0xb79/0xe40 Read of size 2 at addr ffff8881c5809618 by task ethtool/31525 Call Trace: _bnxthwrmvnicsetrss+0xb79/0xe40 bnxthwrmvnicrsscfgp5+0xf7/0x460 _bnxtsetupvnicp5+0x12e/0x270 _bnxtopennic+0x2262/0x2f30 bnxtopennic+0x5d/0xf0 ethnlsetchannels+0x5d4/0xb30 ethnldefaultset_doit+0x2f1/0x620

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bc57f879a420d19bb5ecdb480f858371554f2258
Fixed
abd573e9ad2ba64eaa6418a5f4eec819de28f205
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
98ba1d931f611e8f8f519c0405fa0a1a76554bfa
Fixed
da03f5d1b2c319a2b74fe76edeadcd8fa5f44376

Affected versions

v6.*

v6.10.4
v6.11-rc1

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "257768990535874405288225529837160677565",
            "length": 850.0
        },
        "target": {
            "function": "bnxt_need_reserve_rings",
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "id": "CVE-2024-44933-5aca86f8",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@da03f5d1b2c319a2b74fe76edeadcd8fa5f44376",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "214737354199848399885499602403577090019",
                "202108630493841772321246613057783569715",
                "93431078913011302791472990268768193655",
                "194397966799968548549844129618954199420",
                "339885626280970262798290382295475873510",
                "69110347350632486804541746514694167160",
                "266314272478464547581518097197795391042",
                "248474182656830529565511736518565122546",
                "187827743495348969061059609057868974248",
                "330017243602469603040960260236517425689"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "id": "CVE-2024-44933-704f126a",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@da03f5d1b2c319a2b74fe76edeadcd8fa5f44376",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "214737354199848399885499602403577090019",
                "202108630493841772321246613057783569715",
                "93431078913011302791472990268768193655",
                "194397966799968548549844129618954199420",
                "339885626280970262798290382295475873510",
                "69110347350632486804541746514694167160",
                "266314272478464547581518097197795391042",
                "248474182656830529565511736518565122546",
                "187827743495348969061059609057868974248",
                "330017243602469603040960260236517425689"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "id": "CVE-2024-44933-7a0f2523",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abd573e9ad2ba64eaa6418a5f4eec819de28f205",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "257768990535874405288225529837160677565",
            "length": 850.0
        },
        "target": {
            "function": "bnxt_need_reserve_rings",
            "file": "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
        },
        "id": "CVE-2024-44933-dd2f631e",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abd573e9ad2ba64eaa6418a5f4eec819de28f205",
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.4
Fixed
6.10.5