| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250827135021.5882-1-qianjiaru77@gmail.com>
Date: Wed, 27 Aug 2025 21:50:21 +0800
From: qianjiaru77@...il.com
To: michael.chan@...adcom.com,
pavan.chebbi@...adcom.com,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
andrew+netdev@...n.ch
Cc: netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
qianjiaru <qianjiaru77@...il.com>
Subject: [PATCH v2 1/1] RFS Capability Bypass Vulnerability in Linux bnxt_en Driver
From: qianjiaru <qianjiaru77@...il.com>
A logic vulnerability exists in the `bnxt_rfs_capable()` function of the
Linux kernel's bnxt_en network driver. The vulnerability allows the driver
to incorrectly report RFS (Receive Flow Steering) capability on older
firmware versions without performing necessary resource validation,
potentially leading to system crashes when RFS features are enabled.
The vulnerability exists in the RFS capability check logic where older
firmware versions bypass essential resource validation.
Signed-off-by: qianjiaru <qianjiaru77@...il.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 207a8bb36..b59ce7f45 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -13610,8 +13610,11 @@ bool bnxt_rfs_capable(struct bnxt *bp, bool new_rss_ctx)
return false;
}
- if (!BNXT_NEW_RM(bp))
- return true;
+ // FIXED: Apply consistent validation for all firmware versions
+ if (!BNXT_NEW_RM(bp)) {
+ // Basic validation even for old firmware
+ return (hwr.vnic <= max_vnics && hwr.rss_ctx <= max_rss_ctxs);
+ }
/* Do not reduce VNIC and RSS ctx reservations. There is a FW
* issue that will mess up the default VNIC if we reduce the
--
2.34.1
Powered by blists - more mailing lists