A vulnerability in the Linux kernel's bnxt_en network driver, tracked as CVE-2021-47015, has been resolved. It concerns the RX consumer index logic in the driver's error path, which could lead to kernel crashes. This article covers the details of the vulnerability, its impact, and the patch that fixes it.

Understanding the Vulnerability

The bnxt_rx_pkt() function in the bnxt_en driver expects RX buffers to complete in order. When the RX consumer index shows an out-of-order buffer completion, the driver treats it as a hardware bug: it aborts all remaining RX packets and resets the RX ring.

The issue is that the RX consumer index passed to bnxt_discard_rx() is incorrect: it should be the current index (tmp_raw_cons) rather than the old index (raw_cons). With the old index, the driver ends up at the wrong position in the ring when it attempts to abort the next RX packet, which can lead to crashes.

Here is an example of such a crash (abbreviated):

[ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
...
[exception RIP: bnxt_rx_pkt+237]
...

Understanding the Patch

The patch has been applied to fix the RX consumer index logic in the error path in the bnxt_en driver. You can find the official patch release notes here: [Link to original reference]

The significant change in the patch is that the RX consumer index is now correctly set to the current index (tmp_raw_cons) instead of the old index (raw_cons). This ensures that the correct index is used when attempting to abort the next RX packet, avoiding potential crashes.

Here is a snippet of the modified code in the patched bnxt_en driver (surrounding lines are elided):

// Fixed index assignment: the error path now advances the current index
tmp_raw_cons = bnxt_next_raw_cons(rxr, tmp_raw_cons);
...
// The caller's consumer index is taken from tmp_raw_cons rather than left at the old raw_cons
raw_cons = tmp_raw_cons;
...
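To make the index mistake concrete, here is an added C model of the error path; it is neither the driver's code nor the patch. It assumes a simplified ring layout in which each packet is a header entry, a second entry and a run of aggregation entries, a discard helper that skips the aggregation entries from whatever index it is handed, and a poll loop that steps one entry after each call; under those assumptions the old logic (fixed = 0) resumes one entry short and lands mid-packet, while the patched logic (fixed = 1) resumes at the next header.

```c
#include <stdio.h>
/* Added model, not bnxt_en code. One packet on the 16-entry completion ring is
 * a header 'H' (expected buffer index, number of trailing aggregation entries),
 * a second entry 'S', then that many 'A' entries. */
#define RING 16
#define ADV(i, n) (((i) + (n)) % RING)
struct cmp { char type; unsigned opaque; unsigned agg; };
/* Constructed ring: packet 0 (2 agg entries), packet 1 (1), packet 2 (0). */
static const struct cmp ring[RING] = {
    {'H', 0, 2}, {'S', 0, 0}, {'A', 0, 0}, {'A', 0, 0},
    {'H', 1, 1}, {'S', 0, 0}, {'A', 0, 0}, {'H', 2, 0}, {'S', 0, 0},
};
/* Discard stand-in: skip the aggregation entries from the index handed in. */
static void discard_rx(unsigned *idx, const struct cmp *c) { *idx = ADV(*idx, c->agg); }

/* bnxt_rx_pkt() stand-in: 1 = delivered, 0 = aborted as out of order,
 * -1 = *raw_cons is not at a header (the "wrong index" state that crashed). */
static int rx_pkt(unsigned *raw_cons, unsigned expected, int fixed)
{
    const struct cmp *rxcmp = &ring[*raw_cons];
    unsigned tmp_raw_cons = ADV(*raw_cons, 1);      /* current index: 2nd entry */
    if (rxcmp->type != 'H')
        return -1;
    if (rxcmp->opaque != expected) {                /* hardware bug: abort */
        unsigned *idx = fixed ? &tmp_raw_cons : raw_cons; /* fix: current, not stale */
        discard_rx(idx, rxcmp);
        *raw_cons = *idx;                           /* old code: stale index, one short */
        return 0;
    }
    *raw_cons = ADV(tmp_raw_cons, rxcmp->agg);
    return 1;
}

/* Poll-loop stand-in: abort all three packets (expected forced to 0xffff), stepping one
 * entry after each call as the caller does: 0 = every abort resumed at a header, -1 = not. */
static int abort_all(int fixed)
{
    unsigned raw_cons = 0;
    int rc = 0, n;
    for (n = 0; n < 3 && rc >= 0; n++, raw_cons = ADV(raw_cons, 1))
        rc = rx_pkt(&raw_cons, 0xffff, fixed);
    return rc;
}

int main(void)
{
    printf("old logic: %d, fixed logic: %d\n", abort_all(0), abort_all(1));
    return 0;
}
```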

Exploit Details

This vulnerability could potentially be exploited by a malicious user or application that triggers the hardware bug, causing the Linux kernel to crash. However, its potential impact is relatively limited, because it requires a hardware bug on a device handled by one specific network driver (bnxt_en).

Administrators of systems that use the bnxt_en driver should update the Linux kernel to a version containing the patch for CVE-2021-47015. This mitigates the risk of crashes caused by the incorrect RX consumer index logic in the error path.

Conclusion

CVE-2021-47015 is a vulnerability in the Linux kernel specific to the bnxt_en driver. By resolving incorrect RX consumer index logic, the recent patch mitigates the risks associated with potential crashes. As always, it is important to keep the Linux kernel updated to protect against any known vulnerabilities.

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 05/29/2024 05:00:33 UTC