CVE-2024-42148

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/07/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bnx2x: Fix multiple UBSAN array-index-out-of-bounds

Fix UBSAN warnings that occur when using a system with 32 physical cpu cores or more, or when the user defines a number of Ethernet queues greater than or equal to FP_SB_MAX_E1x using the num_queues module parameter.

Currently there is a read/write out of bounds that occurs on the array "struct stats_query_entry query" present inside the "bnx2x_fw_stats_req" struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h". Looking at the definition of the "struct stats_query_entry query" array:

struct stats_query_entry query[FP_SB_MAX_E1x + BNX2X_FIRST_QUEUE_QUERY_IDX];

FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3, meaning the array has a total size of 19. Since accesses to "struct stats_query_entry query" are offset by BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet queues should not exceed FP_SB_MAX_E1x (16). However one of these queues is reserved for FCOE and thus the number of Ethernet queues should be set to [FP_SB_MAX_E1x - 1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if it is not.

This is also described in a comment in the source code in drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the macro definition of FP_SB_MAX_E1x. Below is the part of this explanation that is important for this patch:

/*
 * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is
 * control by the number of fast-path status blocks supported by the
 * device (HW/FW). Each fast-path status block (FP-SB) aka non-default
 * status block represents an independent interrupts context that can
 * serve a regular L2 networking queue. However special L2 queues such
 * as the FCoE queue do not require a FP-SB and other components like
 * the CNIC may consume FP-SB reducing the number of possible L2 queues
 *
 * If the maximum number of FP-SB available is X then:
 * a. If CNIC is supported it consumes 1 FP-SB thus the max number of
 *    regular L2 queues is Y=X-1
 * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)
 * c. If the FCoE L2 queue is supported the actual number of L2 queues
 *    is Y+1
 * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for
 *    slow-path interrupts) or Y+2 if CNIC is supported (one additional
 *    FP interrupt context for the CNIC).
 * e. The number of HW context (CID count) is always X or X+1 if FCoE
 *    L2 queue is supported. The cid for the FCoE L2 queue is always X.
 */

However this driver also supports NICs that use the E2 controller which can handle more queues due to having more FP-SB represented by FP_SB_MAX_E2. Looking at the commits when the E2 support was added, it was originally using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support"). Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver was later updated to take full advantage of the E2 instead of having it be limited to the capabilities of the E1x. But as far as we can tell, the array "stats_query_entry query" was still limited to using the FP-SB available to the E1x cards as part of an oversight when the driver was updated to take full advantage of the E2, and now with the driver being aware of the greater queue size supported by E2 NICs, it causes the UBSAN warnings seen in the stack traces below.

This patch increases the size of the "stats_query_entry query" array by replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle both types of NICs.

Stack traces:

UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
index 20 is out of range for type 'stats_query_entry [19]'
CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360
---truncated---

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.3 (including) 4.19.318 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.280 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.222 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.163 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.98 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.39 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.9 (excluding)
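The affected-version table above and the trigger conditions from the description (32 or more physical cores, or a num_queues module parameter of 16 or more), turned into a host check. This is an added example written for this page; it is not code from the advisory, the kernel, or the bnx2x driver. It assumes that nproc is available and counts online logical CPUs (an over-approximation of the "physical cpu cores" the description mentions, so it may report the condition as met on SMT hosts that are not), that the module parameter is exposed at the standard sysfs path /sys/module/bnx2x/parameters/num_queues, and that a kernel version string with a suffix such as "6.9.0-060900rc7-generic" should be compared as 6.9.0. The range list CVE_2024_42148_RANGES is transcribed from the table on this page.

```shell
#!/bin/sh
# Added example (not part of the advisory): report whether a kernel version
# falls inside one of the affected ranges listed for CVE-2024-42148, and
# whether the host meets the trigger conditions from the description.

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing components count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Affected ranges from the table on this page: "From (including)" and
# "Up to (excluding)", one pair per line. Versions at or above the second
# column of a row carry the fix for that stable series.
CVE_2024_42148_RANGES="
3.3 4.19.318
4.20 5.4.280
5.5 5.10.222
5.11 5.15.163
5.16 6.1.98
6.2 6.6.39
6.7 6.9.9
"

# Returns 0 (true) if $1 lies inside an affected range, 1 otherwise.
# A "-suffix" (e.g. "-generic", "-060900rc7") is dropped before comparing.
kernel_affected() {
    v=${1%%-*}
    echo "$CVE_2024_42148_RANGES" | while read -r lo hi; do
        [ -n "$lo" ] || continue
        if [ "$(vercmp "$v" "$lo")" -ge 0 ] && [ "$(vercmp "$v" "$hi")" -lt 0 ]; then
            echo affected
        fi
    done | grep -q affected
}

# Trigger conditions from the description. nproc counts online logical
# CPUs, which over-approximates physical cores (assumption, see lead-in).
# num_queues is read from sysfs; 0 means "not set or not readable".
bnx2x_trigger_conditions() {
    cores=$(nproc 2>/dev/null || echo 0)
    nq_file=/sys/module/bnx2x/parameters/num_queues
    nq=$( { [ -r "$nq_file" ] && cat "$nq_file"; } || echo 0 )
    if [ "$cores" -ge 32 ] || [ "$nq" -ge 16 ]; then
        echo "trigger conditions met (cpus=$cores num_queues=$nq)"
        return 0
    fi
    echo "trigger conditions not met (cpus=$cores num_queues=$nq)"
    return 1
}

# Usage: sh check.sh <kernel-version>   e.g. sh check.sh "$(uname -r)"
if [ "$#" -gt 0 ]; then
    if kernel_affected "$1"; then
        echo "$1: inside an affected range for CVE-2024-42148"
    else
        echo "$1: not inside an affected range for CVE-2024-42148"
    fi
    bnx2x_trigger_conditions
fi
```

The version check only tells you where an upstream version string sits relative to the table; distribution kernels keep an old base version and backport fixes, so a "5.15.0-…" from a distro may already carry the patch. Treat a positive result as a prompt to check the distribution's own advisory, and pair it with the trigger check: a host whose bnx2x queue count stays below 16 is not in the configuration the description says produces the out-of-bounds access.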