Message-ID: <2025052059-CVE-2025-37911-3da7@gregkh>
Date: Tue, 20 May 2025 17:22:08 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-37911: bnxt_en: Fix out-of-bound memcpy() during ethtool -w
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix out-of-bound memcpy() during ethtool -w

When retrieving the FW coredump using ethtool, it can sometimes cause
memory corruption:

  BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]
  Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45):
  __bnxt_get_coredump+0x3ef/0x670 [bnxt_en]
  ethtool_get_dump_data+0xdc/0x1a0
  __dev_ethtool+0xa1e/0x1af0
  dev_ethtool+0xa8/0x170
  dev_ioctl+0x1b5/0x580
  sock_do_ioctl+0xab/0xf0
  sock_ioctl+0x1ce/0x2e0
  __x64_sys_ioctl+0x87/0xc0
  do_syscall_64+0x5c/0xf0
  entry_SYSCALL_64_after_hwframe+0x78/0x80
  ...

This happens when copying the coredump segment list in
bnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command.
The info->dest_buf buffer is allocated based on the number of coredump
segments returned by the FW. The segment list is then DMA'ed by
the FW and the length of the DMA is returned by FW. The driver then
copies this DMA'ed segment list to info->dest_buf.

In some cases, this DMA length may exceed the info->dest_buf length
and cause the above BUG condition. Fix it by capping the copy
length to not exceed the length of info->dest_buf. The extra
DMA data contains no useful information.

This code path is shared for the HWRM_DBG_COREDUMP_LIST and the
HWRM_DBG_COREDUMP_RETRIEVE FW commands. The buffering is different
for these 2 FW commands. To simplify the logic, we need to move
the line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE
up, so that the new check to cap the copy length will work for both
commands.

The Linux kernel CVE team has assigned CVE-2025-37911 to this issue.
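
The capped copy described above, as a user-space model added here (it is not the bnxt_en driver's code). struct copy_info, its size and offset fields, copy_dma_chunk() and the buffer sizes are hypothetical; only the info->dest_buf name comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the copy state; only dest_buf is named in the advisory. */
struct copy_info {
    uint8_t *dest_buf;      /* destination, sized from the FW segment count */
    size_t   dest_buf_size; /* bytes allocated for dest_buf (assumed field) */
    size_t   off;           /* bytes already copied (assumed field) */
};

/* Copy one DMA'ed chunk whose length was reported by the device. The reported
 * length is untrusted and is clamped to the room left. Returns bytes copied. */
size_t copy_dma_chunk(struct copy_info *info, const uint8_t *dma_buf,
                      size_t fw_len)
{
    size_t room;

    if (!info->dest_buf || info->off >= info->dest_buf_size)
        return 0;                   /* no buffer, or buffer already full */
    room = info->dest_buf_size - info->off;
    if (fw_len > room)
        fw_len = room;              /* cap: the extra DMA data is dropped */
    memcpy(info->dest_buf + info->off, dma_buf, fw_len);
    info->off += fw_len;
    return fw_len;
}

/* Constructed scenario: a 32-byte destination followed by 8 guard bytes, and a
 * device-reported length of 48. Returns 1 if the copy stops at 32 bytes. */
int demo_overlong_dma(void)
{
    uint8_t backing[32 + 8];
    uint8_t dma[48];
    struct copy_info info = { backing, 32, 0 };
    size_t copied, i;

    memset(backing, 0xAA, sizeof(backing)); /* 0xAA marks untouched bytes */
    memset(dma, 0x11, sizeof(dma));
    copied = copy_dma_chunk(&info, dma, sizeof(dma));
    for (i = 32; i < sizeof(backing); i++)
        if (backing[i] != 0xAA)
            return 0;               /* guard bytes were overwritten */
    return copied == 32 && info.off == 32;
}

int main(void) { return demo_overlong_dma() ? 0 : 1; }
```

Without the clamp, the same call would write 48 bytes into a 32-byte allocation, which is the class of overrun KFENCE reported in the trace.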
Affected and fixed versions
===========================
Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 5.15.182 with commit 69b10dd23ab826d0c7f2d9ab311842251978d0c1
Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.1.138 with commit 43292b83424158fa6ec458799f3cb9c54d18c484
Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.6.90 with commit 4d69864915a3a052538e4ba76cd6fd77cfc64ebe
Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.12.28 with commit 44807af79efd0d78fa36383dd865ddfe7992c0a6
Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.14.6 with commit 44d81a9ebf0cad92512e0ffdf7412bfe20db66ec
Issue introduced in 5.5 with commit c74751f4c39232c31214ec6a3bc1c7e62f5c728b and fixed in 6.15-rc5 with commit 6b87bd94f34370bbf1dfa59352bed8efab5bf419
Issue introduced in 4.19.95 with commit 4bf973a1f84aefb64750bdb3afe72d54de3199d7
Issue introduced in 5.4.8 with commit a76837dd731b68cc3b5690470bc9efa2a8e3801a
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-37911
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/69b10dd23ab826d0c7f2d9ab311842251978d0c1
https://git.kernel.org/stable/c/43292b83424158fa6ec458799f3cb9c54d18c484
https://git.kernel.org/stable/c/4d69864915a3a052538e4ba76cd6fd77cfc64ebe
https://git.kernel.org/stable/c/44807af79efd0d78fa36383dd865ddfe7992c0a6
https://git.kernel.org/stable/c/44d81a9ebf0cad92512e0ffdf7412bfe20db66ec
https://git.kernel.org/stable/c/6b87bd94f34370bbf1dfa59352bed8efab5bf419