CVE CyberSecurity Database News

CVE-2024-44933 - Critical Out-of-Bounds Bug in Linux `bnxt_en` Driver (Analysis, Exploit Details, and Patch Walkthrough)

Poster -

Recently discovered in the Linux kernel’s Broadcom NetXtreme Ethernet (bnxt_en) driver, CVE-2024-44933 exposes systems to a memory out-of-bounds vulnerability that could lead to kernel panic, DoS, or secure information leak. This post unpacks the bug, its journey through the code, root cause, exploit potential, and how the fix brings things back to safety.

Background: The Broadcom bnxt_en Driver

The bnxt_en driver is part of the kernel and manages network cards from Broadcom (NetXtreme series). This vulnerability arises from how the driver allocates and manages receive (RX) rings and the "Receive Side Scaling" (RSS) table—a mapping that helps spread network traffic across multiple CPU processors for better performance.

Vulnerability Summary

CVE-2024-44933 results from incorrect handling of the RX ring count and an out-of-bounds access in the bnxt_fill_hw_rss_tbl() function when using certain older firmware versions that do not require explicit RX ring reservation.

Let's look at the vulnerable scenario

1. With older firmware, the variable controlling RX ring reservation (resv_rx_rings) may be incorrect.
2. When the RX rings change (say, through an administrative configuration or network tool), the driver may skip setting the default RSS indirection table.
3. Later, when filling the RSS table, the code may read/write beyond the actual ring count. This triggers a kernel "slab-out-of-bounds" error—a memory safety violation that could be exploited or at least bring down the machine.

Example Error:

BUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+xb79/xe40
Read of size 2 at addr ffff8881c5809618 by task ethtool/31525

The problematic logic was

if (old_rx_rings != bp->hw_resc.resv_rx_rings)
    bnxt_set_dflt_rss_indir_tbl(bp);

But on older firmware, resv_rx_rings might not be updated when the RX rings change! So, the default RSS table is not set, even though it *should* be.

Later

// In bnxt_fill_hw_rss_tbl()
for (i = ; i < rss_table_size; i++)
    rss_table[i] = bp->rx_ring_map[i % num_rx_rings];

If rss_table_size does not match the *real* num_rx_rings, this code will index beyond the rx_ring_map array!

What Could an Attacker Do?

- Local privilege escalation: If a local user (or service) with limited privilege can adjust channel counts using tools like ethtool, they could trigger this bug. The out-of-bounds read/write could crash the kernel or, in the worst case, be used to leak kernel memory.

Denial of service: Causing intentional kernel panic, service loss, and system instability.

- Information exposure: With a carefully crafted setup, read accesses beyond the intended buffer could reveal sensitive kernel data.

Example Exploit Using ethtool:

# Triggering the bug by changing RX/TX ring channels
sudo ethtool -L ethX combined 8
sudo ethtool -L ethX combined 2
# (Can repeat/race to stress the ring allocation/frees)

Kernel Patch Overview

The fix involves ensuring the RSS table is always correctly set whenever RX rings may change, especially for older firmware:

After (Fixed logic)

- Unconditionally call bnxt_check_rss_tbl_no_rmgr() for old firmware and ensure the default RSS indirection table is properly updated.

Excerpt from Patch

// Old
if (old_rx_rings != bp->hw_resc.resv_rx_rings)
    bnxt_set_dflt_rss_indir_tbl(bp);

// Fixed
if (!BNXT_NEW_RM(bp)) {
    bnxt_check_rss_tbl_no_rmgr(bp, old_rx_rings, new_rx_rings, true);
} else {
    if (old_rx_rings != bp->hw_resc.resv_rx_rings)
        bnxt_set_dflt_rss_indir_tbl(bp);
}

References & Further Reading

- Upstream kernel commit fixing CVE-2024-44933
- Linux kernel bugzilla discussion, entry 218809
- CVE Record at MITRE
- bnxt_en Driver Docs

How to Protect Your Systems

1. Update your kernel! Ensure you are running a version with the above patch. Distributions will roll out fixes under important/security advisories.
2. Restrict privileges: Prevent untrusted users from using tools like ethtool or reconfiguring NIC channels.
3. Monitor dmesg logs for KASAN slab-out-of-bounds errors indicating possible exploitation attempts.

Conclusion

CVE-2024-44933 highlights how tiny oversights in driver code—especially in handling subtle differences between hardware generations or firmware—can open serious holes for attackers. The fix was swift and clean, but all admins should rush to patch, especially if using Broadcom NICs with Linux.

Stay up to date—and safe! If you want a detailed breakdown of related bugs or assistance on kernel patching, reach out.


Exclusive to this post: full walk-through, exploit, and patch code for easier system administrator action and understanding.

Timeline

Published on: 08/26/2024 11:15:05 UTC
Last modified on: 08/27/2024 16:08:38 UTC