CVE-2024-44933

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-44933
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-44933.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-44933
Related
Published
2024-08-26T11:15:05Z
Modified
2024-09-18T03:26:36.987509Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bnxten : Fix memory out-of-bounds in bnxtfillhwrss_tbl()

A recent commit has modified the code in _bnxtreserverings() to set the default RSS indirection table to default only when the number of RX rings is changing. While this works for newer firmware that requires RX ring reservations, it causes the regression on older firmware not requiring RX ring resrvations (BNXTNEW_RM() returns false).

With older firmware, RX ring reservations are not required and so hwresc->resvrx_rings is not always set to the proper value. The comparison:

if (oldrxrings != bp->hwresc.resvrx_rings)

in _bnxtreserverings() may be false even when the RX rings are changing. This will cause _bnxtreserverings() to skip setting the default RSS indirection table to default to match the current number of RX rings. This may later cause bnxtfillhwrsstbl() to use an out-of-range index.

We already have bnxtcheckrsstblnormgr() to handle exactly this scenario. We just need to move it up in bnxtneedreserverings() to be called unconditionally when using older firmware. Without the fix, if the TX rings are changing, we'll skip the bnxtcheckrsstblnormgr() call and _bnxtreserverings() may also skip the bnxtsetdfltrssindir_tbl() call for the reason explained in the last paragraph. Without setting the default RSS indirection table to default, it causes the regression:

BUG: KASAN: slab-out-of-bounds in _bnxthwrmvnicsetrss+0xb79/0xe40 Read of size 2 at addr ffff8881c5809618 by task ethtool/31525 Call Trace: _bnxthwrmvnicsetrss+0xb79/0xe40 bnxthwrmvnicrsscfgp5+0xf7/0x460 _bnxtsetupvnicp5+0x12e/0x270 _bnxtopennic+0x2262/0x2f30 bnxtopennic+0x5d/0xf0 ethnlsetchannels+0x5d4/0xb30 ethnldefaultset_doit+0x2f1/0x620

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.10.6-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}