CVE-2024-38540
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/06/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq<br />
<br />
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called<br />
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.<br />
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.<br />
roundup_pow_of_two is documented as undefined for 0.<br />
<br />
Fix it in the one caller that had this combination.<br />
<br />
The undefined behavior was detected by UBSAN:<br />
UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13<br />
shift exponent 64 is too large for 64-bit type &#39;long unsigned int&#39;<br />
CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4<br />
Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023<br />
Call Trace:<br />
<br />
dump_stack_lvl+0x5d/0x80<br />
ubsan_epilogue+0x5/0x30<br />
__ubsan_handle_shift_out_of_bounds.cold+0x61/0xec<br />
__roundup_pow_of_two+0x25/0x35 [bnxt_re]<br />
bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]<br />
bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]<br />
bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? __kmalloc+0x1b6/0x4f0<br />
? create_qp.part.0+0x128/0x1c0 [ib_core]<br />
? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]<br />
create_qp.part.0+0x128/0x1c0 [ib_core]<br />
ib_create_qp_kernel+0x50/0xd0 [ib_core]<br />
create_mad_qp+0x8e/0xe0 [ib_core]<br />
? __pfx_qp_event_handler+0x10/0x10 [ib_core]<br />
ib_mad_init_device+0x2be/0x680 [ib_core]<br />
add_client_context+0x10d/0x1a0 [ib_core]<br />
enable_device_and_get+0xe0/0x1d0 [ib_core]<br />
ib_register_device+0x53c/0x630 [ib_core]<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
bnxt_re_probe+0xbd8/0xe50 [bnxt_re]<br />
? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]<br />
auxiliary_bus_probe+0x49/0x80<br />
? driver_sysfs_add+0x57/0xc0<br />
really_probe+0xde/0x340<br />
? pm_runtime_barrier+0x54/0x90<br />
? __pfx___driver_attach+0x10/0x10<br />
__driver_probe_device+0x78/0x110<br />
driver_probe_device+0x1f/0xa0<br />
__driver_attach+0xba/0x1c0<br />
bus_for_each_dev+0x8f/0xe0<br />
bus_add_driver+0x146/0x220<br />
driver_register+0x72/0xd0<br />
__auxiliary_driver_register+0x6e/0xd0<br />
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]<br />
bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]<br />
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]<br />
do_one_initcall+0x5b/0x310<br />
do_init_module+0x90/0x250<br />
init_module_from_file+0x86/0xc0<br />
idempotent_init_module+0x121/0x2b0<br />
__x64_sys_finit_module+0x5e/0xb0<br />
do_syscall_64+0x82/0x160<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? syscall_exit_to_user_mode_prepare+0x149/0x170<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? syscall_exit_to_user_mode+0x75/0x230<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? do_syscall_64+0x8e/0x160<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? __count_memcg_events+0x69/0x100<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? count_memcg_events.constprop.0+0x1a/0x30<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? handle_mm_fault+0x1f0/0x300<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? do_user_addr_fault+0x34e/0x640<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
RIP: 0033:0x7f4e5132821d<br />
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48<br />
RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139<br />
RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d<br />
RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b<br />
RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0<br />
R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d<br />
R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60<br />
<br />
---[ end trace ]---
Impact
Base Score 3.x
4.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.7 (including) | 6.1.117 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.33 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (including) | 6.9.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc
- https://git.kernel.org/stable/c/66a9937187ac9b5c5ffff07b8b284483e56804d1
- https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659
- https://git.kernel.org/stable/c/84d2f29152184f0d72ed7c9648c4ee6927df4e59
- https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753
- https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98
- https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc
- https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659
- https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753
- https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html