A vulnerability has been resolved in the Linux kernel's bnxt Ethernet driver (eth: bnxt). The driver failed to recalculate features after XDP was cleared, which led to a null pointer dereference. This post provides details on the vulnerability, explains the fix that has been applied, and includes command output for additional context.
Code Snippet Before Fix
# ip li set dev eth xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth xdp off
# ethtool -k eth | grep gro
rx-gro-hw: off [requested on]
Code Snippet After Fix
# ip li set dev eth xdp obj xdp_dummy.bpf.o sec xdp
# ip li set dev eth xdp off
# ethtool -k eth | grep gro
rx-gro-hw: on
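The only difference between the two outputs above is the "[requested on]" marker: before the fix, rx-gro-hw stays off even though it was requested on. As an added example (not part of the kernel patch or the original post), this shell function scans `ethtool -k` output for features left in that state; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag offload features whose active state differs from the
# requested one, as reported by `ethtool -k`.

# Reads `ethtool -k <dev>` output on stdin and prints
# "<feature> <active> <requested>" for each mismatched feature.
# Lines marked "[fixed]" carry no requested state and are ignored.
pending_features() {
    awk '
        /\[requested (on|off)\]/ {
            name = $1; sub(/:$/, "", name)   # "rx-gro-hw:" -> "rx-gro-hw"
            active = $2                      # state currently in effect
            req = $4; sub(/\]$/, "", req)    # "on]" -> "on"
            if (active != req) print name, active, req
        }'
}

# Convenience wrapper for a live interface (requires ethtool).
check_dev() {
    ethtool -k "$1" | pending_features
}

# Constructed sample resembling the pre-fix state shown above.
sample_output() {
    cat <<'EOF'
Features for eth:
rx-checksumming: on
generic-receive-offload: on
rx-gro-hw: off [requested on]
rx-vlan-filter: off [fixed]
EOF
}

if [ "$#" -gt 0 ]; then
    check_dev "$1"
else
    sample_output | pending_features
fi
```

Any output for rx-gro-hw after XDP has been detached indicates the interface is in the pending state described in this post.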
Exploit Details
The primary issue is that hardware Generic Receive Offload (HW-GRO) does not get re-enabled automatically after XDP is detached. The feature may then randomly come back during another reconfiguration, and the driver does not robustly handle reconfiguring two things at the same time.
The null pointer dereference was tied to a condition in __bnxt_reserve_rings() and crashed the system with the following trace:
BUG: kernel NULL pointer dereference, address: 0000000000000168
RIP: 001:__bnxt_hwrm_vnic_set_rss+x13a/x1a
bnxt_hwrm_vnic_rss_cfg_p5+x47/x180
__bnxt_setup_vnic_p5+x58/x110
bnxt_init_nic+xb72/xf50
__bnxt_open_nic+x40d/xab
bnxt_open_nic+x2b/x60
ethtool_set_channels+x18c/x1d
Resolution
The vulnerability has been resolved by recalculating the features when XDP is detached. HW-GRO is now re-enabled automatically at that point, which prevents the crash caused by the null pointer dereference.
This issue has been present since XDP support was added, but only started causing significant problems after the commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()").
Conclusion
The Linux kernel has resolved a vulnerability in the eth: bnxt driver that involved a null pointer dereference caused by a failure to recalculate features after clearing XDP. The fix recalculates features when XDP is detached, properly re-enabling HW-GRO and preventing crashes.
Timeline
Published on: 01/31/2025 12:15:29 UTC
Last modified on: 02/04/2025 15:25:48 UTC