In the Linux kernel, the following vulnerability has been resolved:
bnx2x: Fix multiple UBSAN array-index-out-of-bounds
Fix UBSAN warnings that occur when using a system with 32 physical
cpu cores or more, or when the user defines a number of Ethernet
queues greater than or equal to FP_SB_MAX_E1x using the num_queues
module parameter.
Currently there is a read/write out of bounds that occurs on the array
“struct stats_query_entry query” present inside the “bnx2x_fw_stats_req”
struct in “drivers/net/ethernet/broadcom/bnx2x/bnx2x.h”.
Looking at the definition of the “struct stats_query_entry query” array:
    struct stats_query_entry query[FP_SB_MAX_E1x+
            BNX2X_FIRST_QUEUE_QUERY_IDX];
FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and
has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3
meaning the array has a total size of 19.
Since accesses to “struct stats_query_entry query” are offset by
BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet
queues should not exceed FP_SB_MAX_E1x (16). However, one of these queues
is reserved for FCOE and thus the number of Ethernet queues should be set
to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if
it is not.
This is also described in a comment in the source code in
drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the macro definition
of FP_SB_MAX_E1x. Below is the part of this explanation that is important
for this patch:
/*
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/134061163ee5ca4759de5c24ca3bd71608891ba7 (6.10-rc7)
git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b
git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7
git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f
git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce
git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d
git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f
git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e
git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98
launchpad.net/bugs/cve/CVE-2024-42148
nvd.nist.gov/vuln/detail/CVE-2024-42148
security-tracker.debian.org/tracker/CVE-2024-42148
www.cve.org/CVERecord?id=CVE-2024-42148
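
The index arithmetic described in the commit message above, as an added user-space example (not the kernel's code and not the upstream fix). The two constants take the values stated in the message; the entry struct is a placeholder, the helper names are hypothetical, and counting the FCoE queue as one extra per-queue entry is an assumption of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Values as stated in the commit message above. */
#define FP_SB_MAX_E1x               16
#define BNX2X_FIRST_QUEUE_QUERY_IDX 3

/* Placeholder entry: the real struct's fields are not shown on the page. */
struct stats_query_entry { unsigned char raw[8]; };

/* Model of the request struct, keeping only the array under discussion. */
struct fw_stats_req_model {
    struct stats_query_entry query[FP_SB_MAX_E1x + BNX2X_FIRST_QUEUE_QUERY_IDX];
};

#define QUERY_LEN (sizeof(((struct fw_stats_req_model *)0)->query) / \
                   sizeof(struct stats_query_entry))

/* Hypothetical helper: index into query[] for queue q, or -1 if outside it. */
int query_slot(int q)
{
    if (q < 0)
        return -1;
    size_t idx = (size_t)BNX2X_FIRST_QUEUE_QUERY_IDX + (size_t)q;
    return idx < QUERY_LEN ? (int)idx : -1;
}

/* Hypothetical helper: Ethernet queue limit, one less when FCoE takes a queue. */
int max_eth_queues(bool fcoe)
{
    return FP_SB_MAX_E1x - (fcoe ? 1 : 0);
}

/* Hypothetical helper: how many per-queue entries would land outside query[]. */
int slots_out_of_bounds(int eth_queues, bool fcoe)
{
    int total = eth_queues + (fcoe ? 1 : 0), oob = 0;
    for (int q = 0; q < total; q++)
        oob += (query_slot(q) < 0);
    return oob;
}

int main(void)
{
    printf("32 queues, no FCoE: %d entries out of bounds\n", slots_out_of_bounds(32, false));
    printf("16 queues + FCoE:   %d entry out of bounds\n", slots_out_of_bounds(16, true));
    return 0;
}
```

A queue count at or below max_eth_queues() keeps every per-queue index inside the 19-entry array; anything larger is what UBSAN reports as array-index-out-of-bounds.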