CVE-2021-47015

bnxt_en: Fix RX consumer index logic in the error path.

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RX consumer index logic in the error path.

In bnxt_rx_pkt(), the RX buffers are expected to complete in order.
If the RX consumer index indicates an out of order buffer completion,
it means we are hitting a hardware bug and the driver will abort all
remaining RX packets and reset the RX ring. The RX consumer index
that we pass to bnxt_discard_rx() is not correct. We should be
passing the current index (tmp_raw_cons) instead of the old index
(raw_cons). This bug can cause us to be at the wrong index when
trying to abort the next RX packet. It can crash like this:

#0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
#1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232
#2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e
#3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978
#4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0
#5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e
#6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24
#7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e
#8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12
#9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5
[exception RIP: bnxt_rx_pkt+237]
RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213
RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000
RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000
RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d
R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0
R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bnxt_en: corrige la lógica del índice del consumidor RX en la ruta del error. En bnxt_rx_pkt(), se espera que los buffers RX se completen en orden. Si el índice del consumidor RX indica que el búfer está fuera de servicio, significa que estamos sufriendo un error de hardware y el controlador cancelará todos los paquetes RX restantes y restablecerá el anillo RX. El índice de consumidores RX que pasamos a bnxt_discard_rx() no es correcto. Deberíamos pasar el índice actual (tmp_raw_cons) en lugar del índice anterior (raw_cons). Este error puede hacer que estemos en el índice incorrecto al intentar abortar el siguiente paquete RX. Puede fallar así: #0 [ffff9bbcdf5c39a8] machine_kexec en ffffffff9b05e007 #1 [ffff9bbcdf5c3a00] __crash_kexec en ffffffff9b111232 #2 [ffff9bbcdf5c3ad0] pánico en ffffffff9b07d61e #3 [ffff9bbcdf5c3b50 ] oops_end en ffffffff9b030978 #4 [ffff9bbcdf5c3b78] no_context en ffffffff9b06aaf0 #5 [ffff9bbcdf5c3bd8 ] __bad_area_nosemaphore en ffffffff9b06ae2e #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore en ffffffff9b06af24 #7 [ffff9bbcdf5c3c38] __do_page_fault en ffffffff9b06b67e #8 [ffff9bbcdf5c3cb0] do_page_fault en ffffffff9b06bb12 #9 [ffff9bbcdf5c3ce0] page_fault en ffffffff9bc015c5 [excepción RIP: bnxt_rx_pkt+237] RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213 RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000 RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000000100 0 RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0 R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-27 CVE Reserved
2024-02-28 CVE Published
2024-02-29 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/a1b0e4e684e9c300b9e759b46cb7a0147e61ddff	Vuln. Introduced
https://git.kernel.org/stable/c/8e302e8e10b05165ed21273539a1e6a83ab93e9e	Vuln. Introduced
https://git.kernel.org/stable/c/46281ee85b651b0df686001651b965d17b8e2c67	Vuln. Introduced
https://git.kernel.org/stable/c/d2d055a554036b0240f296743942b8111fd4ce97	Vuln. Introduced
https://git.kernel.org/stable/c/aecbbae850ede49183fa0b73c7445531a47669cf	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b1523e4ba293b2a32d9fabaf70c1dcaa6e3e2847	2021-05-14
https://git.kernel.org/stable/c/4fcaad2b7dac3f16704f8118c7e481024ddbd3ed	2021-05-14
https://git.kernel.org/stable/c/e187ef83c04a5d23e68d39cfdff1a1931e29890c	2021-05-14
https://git.kernel.org/stable/c/3fbc5bc651d688fbea2a59cdc91520a2f5334d0a	2021-05-14
https://git.kernel.org/stable/c/bbd6f0a948139970f4a615dff189d9a503681a39	2021-04-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 5.4.119 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 5.4.119"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 5.10.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 5.10.37"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 5.11.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 5.11.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 5.12.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 5.12.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 5.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.9.169 Search vendor "Linux" for product "Linux Kernel" and version "4.9.169"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.112 Search vendor "Linux" for product "Linux Kernel" and version "4.14.112"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.35 Search vendor "Linux" for product "Linux Kernel" and version "4.19.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.0.8 Search vendor "Linux" for product "Linux Kernel" and version "5.0.8"		en		Affected