The Linux kernel has recently resolved a vulnerability identified as CVE-2024-53209. It affects bnxt_en (the Broadcom NetXtreme Ethernet driver), and the fix corrects the receive ring space parameters when XDP (eXpress Data Path) is active. The issue could lead to random memory corruption and crashes, because the allocated buffer size might be smaller than the DMA (Direct Memory Access) data written by the hardware.
Here is a code snippet from the Linux kernel commit that addresses this issue:
/* In bnxt_change_mtu() */
...
/* Configure the AGG rings based on the new MTU value */
bnxt_set_rx_skb_mode(bp, bp->rx_dir);
...
To understand the issue, consider the role of XDP within the bnxt_en driver. When XDP multi-buffer is enabled, the MTU (Maximum Transmission Unit) setting determines whether the aggregation rings are used and which rx_skb_func handler is installed. This decision is made in the bnxt_set_rx_skb_mode() function.
When the MTU is later changed, the aggregation ring setting may need to change as well. Before the fix, it could fall out of sync with the settings initially made in bnxt_set_rx_skb_mode(). The resulting misconfiguration causes memory corruption and crashes because the DMA data size is larger than the buffer size.
Below is an example of an error log associated with this vulnerability:
BUG: kernel NULL pointer dereference, address: 00000000000003c
PGD P4D
Oops: 000 [#1] PREEMPT SMP NOPTI
...
To address this issue, bnxt_set_rx_skb_mode() is now called from within bnxt_change_mtu(). This ensures that the aggregation ring configuration is set correctly and that rx_skb_func is updated for the new MTU value. Furthermore, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of bnxt_set_rx_skb_mode() so that it is set or cleared based on the current MTU.
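The state drift described above can be reproduced in a small user-space model. This is an added example, not code from the kernel or the bnxt_en driver: the struct, the `model_*` functions, the buffer sizes and the `MODEL_NO_AGG` flag (standing in for BNXT_FLAG_NO_AGG_RINGS) are all assumptions chosen for illustration.

```c
/* Simplified user-space model of the stale ring state; not bnxt_en code. */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_RX_BUF   4096u   /* assumed size of one RX buffer */
#define MODEL_AGG_CAP  65536u  /* assumed extra room when agg rings are on */
#define MODEL_ETH_OVH  18u     /* Ethernet header + FCS */
#define MODEL_NO_AGG   0x1u    /* stands in for BNXT_FLAG_NO_AGG_RINGS */

struct model_nic { unsigned mtu; unsigned flags; };

/* Mirrors the described decision: clear the flag first, then set it only
 * when a full frame fits in a single RX buffer. */
static void model_set_rx_skb_mode(struct model_nic *n)
{
    n->flags &= ~MODEL_NO_AGG;
    if (n->mtu + MODEL_ETH_OVH <= MODEL_RX_BUF)
        n->flags |= MODEL_NO_AGG;
}

/* patched=false keeps the old ring decision; patched=true re-derives it. */
static void model_change_mtu(struct model_nic *n, unsigned new_mtu, bool patched)
{
    n->mtu = new_mtu;
    if (patched)
        model_set_rx_skb_mode(n);
}

/* Bytes by which a maximum-size frame exceeds the posted buffers (0 = fits). */
static unsigned model_overrun(const struct model_nic *n)
{
    unsigned frame = n->mtu + MODEL_ETH_OVH;
    unsigned cap = MODEL_RX_BUF + ((n->flags & MODEL_NO_AGG) ? 0 : MODEL_AGG_CAP);
    return frame > cap ? frame - cap : 0;
}

/* XDP attached at MTU 1500, then the MTU is raised to 9000. */
static unsigned model_scenario(bool patched)
{
    struct model_nic n = { .mtu = 1500, .flags = 0 };
    model_set_rx_skb_mode(&n);
    model_change_mtu(&n, 9000, patched);
    return model_overrun(&n);
}

int main(void)
{
    printf("unpatched overrun: %u bytes\n", model_scenario(false));
    printf("patched overrun:   %u bytes\n", model_scenario(true));
    return 0;
}
```

In the unpatched path the flag computed for the old MTU survives the change, so the model reports a frame larger than the single posted buffer, which corresponds to the DMA-larger-than-buffer condition the article describes.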
In conclusion, CVE-2024-53209 refers to a vulnerability in the Linux kernel related to bnxt_en and XDP. By addressing this issue, the kernel ensures proper handling of receive ring space parameters when XDP is active, preventing memory corruption and crashes caused by DMA data size misconfigurations. Users and administrators should update their Linux kernel versions to incorporate these necessary changes and ensure the safety and stability of their systems.
Timeline
Published on: 12/27/2024 14:15:28 UTC
Last modified on: 03/06/2025 12:42:52 UTC