CVE-2024-38540

In the Linux kernel, the following vulnerability has been resolved:
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case,
“roundup_pow_of_two(hwq_attr->aux_stride)” gets called. roundup_pow_of_two
is documented as undefined for 0. Fix it in the one caller that had this
combination. The undefined behavior was detected by UBSAN: UBSAN:
shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is
too large for 64-bit type ‘long unsigned int’ CPU: 24 PID: 1075 Comm:
(udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric,
s.r.o. - [email protected] Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call
Trace: <TASK> dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30
__ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
__roundup_pow_of_two+0x25/0x35 [bnxt_re]
bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] bnxt_re_create_qp+0x9b1/0xcd0
[bnxt_re] ? srso_alias_return_thunk+0x5/0xfbef5 ?
srso_alias_return_thunk+0x5/0xfbef5 ? __kmalloc+0x1b6/0x4f0 ?
create_qp.part.0+0x128/0x1c0 [ib_core] ? __pfx_bnxt_re_create_qp+0x10/0x10
[bnxt_re] create_qp.part.0+0x128/0x1c0 [ib_core]
ib_create_qp_kernel+0x50/0xd0 [ib_core] create_mad_qp+0x8e/0xe0 [ib_core] ?
__pfx_qp_event_handler+0x10/0x10 [ib_core] ib_mad_init_device+0x2be/0x680
[ib_core] add_client_context+0x10d/0x1a0 [ib_core]
enable_device_and_get+0xe0/0x1d0 [ib_core] ib_register_device+0x53c/0x630
[ib_core] ? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50
[bnxt_re] ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
auxiliary_bus_probe+0x49/0x80 ? driver_sysfs_add+0x57/0xc0
really_probe+0xde/0x340 ? pm_runtime_barrier+0x54/0x90 ?
__pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110
driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0
bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220
driver_register+0x72/0xd0 __auxiliary_driver_register+0x6e/0xd0 ?
__pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] bnxt_re_mod_init+0x3e/0xff0
[bnxt_re] ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250
init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0
__x64_sys_finit_module+0x5e/0xb0 do_syscall_64+0x82/0x160 ?
srso_alias_return_thunk+0x5/0xfbef5 ?
syscall_exit_to_user_mode_prepare+0x149/0x170 ?
srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x75/0x230
? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x8e/0x160 ?
srso_alias_return_thunk+0x5/0xfbef5 ? __count_memcg_events+0x69/0x100 ?
srso_alias_return_thunk+0x5/0xfbef5 ?
count_memcg_events.constprop.0+0x1a/0x30 ?
srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1f0/0x300 ?
srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x34e/0x640 ?
srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6
48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01
c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8
EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX:
0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI:
00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08:
00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11:
0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14:
0000563ec8409e90 R15: 0000563ec8a8fa60 </TASK> —[ end trace ]—