{ "threat_severity" : "Moderate", "public_date" : "2024-06-19T00:00:00Z", "bugzilla" : { "description" : "kernel: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq", "id" : "2293459", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2293459" }, "cvss3" : { "cvss3_base_score" : "4.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\nFix it in the one caller that had this combination.\nThe undefined behavior was detected by UBSAN:\nUBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\nshift exponent 64 is too large for 64-bit type 'long unsigned int'\nCPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\nHardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\nCall Trace:\n\ndump_stack_lvl+0x5d/0x80\nubsan_epilogue+0x5/0x30\n__ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n__roundup_pow_of_two+0x25/0x35 [bnxt_re]\nbnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\nbnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\nbnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? __kmalloc+0x1b6/0x4f0\n? create_qp.part.0+0x128/0x1c0 [ib_core]\n? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\ncreate_qp.part.0+0x128/0x1c0 [ib_core]\nib_create_qp_kernel+0x50/0xd0 [ib_core]\ncreate_mad_qp+0x8e/0xe0 [ib_core]\n? __pfx_qp_event_handler+0x10/0x10 [ib_core]\nib_mad_init_device+0x2be/0x680 [ib_core]\nadd_client_context+0x10d/0x1a0 [ib_core]\nenable_device_and_get+0xe0/0x1d0 [ib_core]\nib_register_device+0x53c/0x630 [ib_core]\n? srso_alias_return_thunk+0x5/0xfbef5\nbnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\nauxiliary_bus_probe+0x49/0x80\n? driver_sysfs_add+0x57/0xc0\nreally_probe+0xde/0x340\n? pm_runtime_barrier+0x54/0x90\n? __pfx___driver_attach+0x10/0x10\n__driver_probe_device+0x78/0x110\ndriver_probe_device+0x1f/0xa0\n__driver_attach+0xba/0x1c0\nbus_for_each_dev+0x8f/0xe0\nbus_add_driver+0x146/0x220\ndriver_register+0x72/0xd0\n__auxiliary_driver_register+0x6e/0xd0\n? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\nbnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\ndo_one_initcall+0x5b/0x310\ndo_init_module+0x90/0x250\ninit_module_from_file+0x86/0xc0\nidempotent_init_module+0x121/0x2b0\n__x64_sys_finit_module+0x5e/0xb0\ndo_syscall_64+0x82/0x160\n? srso_alias_return_thunk+0x5/0xfbef5\n? syscall_exit_to_user_mode_prepare+0x149/0x170\n? srso_alias_return_thunk+0x5/0xfbef5\n? syscall_exit_to_user_mode+0x75/0x230\n? srso_alias_return_thunk+0x5/0xfbef5\n? do_syscall_64+0x8e/0x160\n? srso_alias_return_thunk+0x5/0xfbef5\n? __count_memcg_events+0x69/0x100\n? srso_alias_return_thunk+0x5/0xfbef5\n? count_memcg_events.constprop.0+0x1a/0x30\n? srso_alias_return_thunk+0x5/0xfbef5\n? handle_mm_fault+0x1f0/0x300\n? srso_alias_return_thunk+0x5/0xfbef5\n? do_user_addr_fault+0x34e/0x640\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f4e5132821d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\nRAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\nRDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\nRBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\nR10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\nR13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n\n---[ end trace ]---", "in linux kernel, shift undefined behavior occurs in bnxt_qplib_alloc_init_hwq with hwq_attr->aux_depth of nonzero and hwq_attr->aux_stride of zero." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8870", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.27.1.rt7.368.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-11-05T00:00:00Z", "advisory" : "RHSA-2024:8856", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.27.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2024-09-04T00:00:00Z", "advisory" : "RHSA-2024:6297", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.121.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2024-09-04T00:00:00Z", "advisory" : "RHSA-2024:6297", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.121.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2024-09-04T00:00:00Z", "advisory" : "RHSA-2024:6297", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.121.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2024-09-03T00:00:00Z", "advisory" : "RHSA-2024:6206", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kernel-0:4.18.0-477.70.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-28T00:00:00Z", "advisory" : "RHSA-2024:5928", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.33.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-08-28T00:00:00Z", "advisory" : "RHSA-2024:5928", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.33.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-09-04T00:00:00Z", "advisory" : "RHSA-2024:6267", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.82.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-09-04T00:00:00Z", "advisory" : "RHSA-2024:6268", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.82.1.rt14.367.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-38540\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38540\nhttps://lore.kernel.org/linux-cve-announce/2024061947-CVE-2024-38540-1d0a@gregkh/T" ], "name" : "CVE-2024-38540", "csaw" : false }