CVE-2024-44933 (GCVE-0-2024-44933)

Vulnerability from cvelistv5 – Published: 2024-08-26 10:11 – Updated: 2026-05-11 20:32
VLAI
Title
bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()
Summary
In the Linux kernel, the following vulnerability has been resolved: bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl() A recent commit has modified the code in __bnxt_reserve_rings() to set the default RSS indirection table to default only when the number of RX rings is changing. While this works for newer firmware that requires RX ring reservations, it causes the regression on older firmware not requiring RX ring resrvations (BNXT_NEW_RM() returns false). With older firmware, RX ring reservations are not required and so hw_resc->resv_rx_rings is not always set to the proper value. The comparison: if (old_rx_rings != bp->hw_resc.resv_rx_rings) in __bnxt_reserve_rings() may be false even when the RX rings are changing. This will cause __bnxt_reserve_rings() to skip setting the default RSS indirection table to default to match the current number of RX rings. This may later cause bnxt_fill_hw_rss_tbl() to use an out-of-range index. We already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this scenario. We just need to move it up in bnxt_need_reserve_rings() to be called unconditionally when using older firmware. Without the fix, if the TX rings are changing, we'll skip the bnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also skip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained in the last paragraph. Without setting the default RSS indirection table to default, it causes the regression: BUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40 Read of size 2 at addr ffff8881c5809618 by task ethtool/31525 Call Trace: __bnxt_hwrm_vnic_set_rss+0xb79/0xe40 bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460 __bnxt_setup_vnic_p5+0x12e/0x270 __bnxt_open_nic+0x2262/0x2f30 bnxt_open_nic+0x5d/0xf0 ethnl_set_channels+0x5d4/0xb30 ethnl_default_set_doit+0x2f1/0x620
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: bc57f879a420d19bb5ecdb480f858371554f2258 , < abd573e9ad2ba64eaa6418a5f4eec819de28f205 (git)
Affected: 98ba1d931f611e8f8f519c0405fa0a1a76554bfa , < da03f5d1b2c319a2b74fe76edeadcd8fa5f44376 (git)
Create a notification for this product.
Linux Linux Affected: 6.10.4 , < 6.10.5 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-44933",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:27:54.693041Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:32:56.097Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "abd573e9ad2ba64eaa6418a5f4eec819de28f205",
              "status": "affected",
              "version": "bc57f879a420d19bb5ecdb480f858371554f2258",
              "versionType": "git"
            },
            {
              "lessThan": "da03f5d1b2c319a2b74fe76edeadcd8fa5f44376",
              "status": "affected",
              "version": "98ba1d931f611e8f8f519c0405fa0a1a76554bfa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.10.5",
              "status": "affected",
              "version": "6.10.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.5",
                  "versionStartIncluding": "6.10.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()\n\nA recent commit has modified the code in __bnxt_reserve_rings() to\nset the default RSS indirection table to default only when the number\nof RX rings is changing.  While this works for newer firmware that\nrequires RX ring reservations, it causes the regression on older\nfirmware not requiring RX ring resrvations (BNXT_NEW_RM() returns\nfalse).\n\nWith older firmware, RX ring reservations are not required and so\nhw_resc-\u003eresv_rx_rings is not always set to the proper value.  The\ncomparison:\n\nif (old_rx_rings != bp-\u003ehw_resc.resv_rx_rings)\n\nin __bnxt_reserve_rings() may be false even when the RX rings are\nchanging.  This will cause __bnxt_reserve_rings() to skip setting\nthe default RSS indirection table to default to match the current\nnumber of RX rings.  This may later cause bnxt_fill_hw_rss_tbl() to\nuse an out-of-range index.\n\nWe already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this\nscenario.  We just need to move it up in bnxt_need_reserve_rings()\nto be called unconditionally when using older firmware.  Without the\nfix, if the TX rings are changing, we\u0027ll skip the\nbnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also\nskip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained\nin the last paragraph.  Without setting the default RSS indirection\ntable to default, it causes the regression:\n\nBUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40\nRead of size 2 at addr ffff8881c5809618 by task ethtool/31525\nCall Trace:\n__bnxt_hwrm_vnic_set_rss+0xb79/0xe40\n bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460\n __bnxt_setup_vnic_p5+0x12e/0x270\n __bnxt_open_nic+0x2262/0x2f30\n bnxt_open_nic+0x5d/0xf0\n ethnl_set_channels+0x5d4/0xb30\n ethnl_default_set_doit+0x2f1/0x620"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:32:16.863Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/abd573e9ad2ba64eaa6418a5f4eec819de28f205"
        },
        {
          "url": "https://git.kernel.org/stable/c/da03f5d1b2c319a2b74fe76edeadcd8fa5f44376"
        }
      ],
      "title": "bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-44933",
    "datePublished": "2024-08-26T10:11:24.675Z",
    "dateReserved": "2024-08-21T05:34:56.664Z",
    "dateUpdated": "2026-05-11T20:32:16.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-44933",
      "date": "2026-05-27",
      "epss": "0.00031",
      "percentile": "0.09207"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.10.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"00FEED69-9465-4F0C-870C-DE98C3FFFD94\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"4DEB27E7-30AA-45CC-8934-B89263EF3551\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()\\n\\nA recent commit has modified the code in __bnxt_reserve_rings() to\\nset the default RSS indirection table to default only when the number\\nof RX rings is changing.  While this works for newer firmware that\\nrequires RX ring reservations, it causes the regression on older\\nfirmware not requiring RX ring resrvations (BNXT_NEW_RM() returns\\nfalse).\\n\\nWith older firmware, RX ring reservations are not required and so\\nhw_resc-\u003eresv_rx_rings is not always set to the proper value.  The\\ncomparison:\\n\\nif (old_rx_rings != bp-\u003ehw_resc.resv_rx_rings)\\n\\nin __bnxt_reserve_rings() may be false even when the RX rings are\\nchanging.  This will cause __bnxt_reserve_rings() to skip setting\\nthe default RSS indirection table to default to match the current\\nnumber of RX rings.  This may later cause bnxt_fill_hw_rss_tbl() to\\nuse an out-of-range index.\\n\\nWe already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this\\nscenario.  We just need to move it up in bnxt_need_reserve_rings()\\nto be called unconditionally when using older firmware.  Without the\\nfix, if the TX rings are changing, we\u0027ll skip the\\nbnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also\\nskip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained\\nin the last paragraph.  Without setting the default RSS indirection\\ntable to default, it causes the regression:\\n\\nBUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40\\nRead of size 2 at addr ffff8881c5809618 by task ethtool/31525\\nCall Trace:\\n__bnxt_hwrm_vnic_set_rss+0xb79/0xe40\\n bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460\\n __bnxt_setup_vnic_p5+0x12e/0x270\\n __bnxt_open_nic+0x2262/0x2f30\\n bnxt_open_nic+0x5d/0xf0\\n ethnl_set_channels+0x5d4/0xb30\\n ethnl_default_set_doit+0x2f1/0x620\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se resolvi\\u00f3 la siguiente vulnerabilidad: bnxt_en: corrige la memoria fuera de los l\\u00edmites en bnxt_fill_hw_rss_tbl() Una confirmaci\\u00f3n reciente modific\\u00f3 el c\\u00f3digo en __bnxt_reserve_rings() para configurar la tabla de direccionamiento indirecto RSS predeterminada solo cuando el n\\u00famero de Los anillos RX est\\u00e1n cambiando. Si bien esto funciona para firmware m\\u00e1s nuevo que requiere reservas de anillo RX, provoca la regresi\\u00f3n en firmware m\\u00e1s antiguo que no requiere reservas de anillo RX (BNXT_NEW_RM() devuelve falso). Con firmware anterior, no se requieren reservas de anillo RX y, por lo tanto, hw_resc-\u0026gt;resv_rx_rings no siempre est\\u00e1 configurado en el valor adecuado. La comparaci\\u00f3n: if (old_rx_rings != bp-\u0026gt;hw_resc.resv_rx_rings) en __bnxt_reserve_rings() puede ser falso incluso cuando los anillos RX est\\u00e1n cambiando. Esto har\\u00e1 que __bnxt_reserve_rings() omita la configuraci\\u00f3n de la tabla de direccionamiento indirecto RSS predeterminada para que coincida con el n\\u00famero actual de anillos RX. Posteriormente, esto puede provocar que bnxt_fill_hw_rss_tbl() utilice un \\u00edndice fuera de rango. Ya tenemos bnxt_check_rss_tbl_no_rmgr() para manejar exactamente este escenario. Solo necesitamos moverlo hacia arriba en bnxt_need_reserve_rings() para que se llame incondicionalmente cuando usemos firmware anterior. Sin la soluci\\u00f3n, si los anillos TX est\\u00e1n cambiando, omitiremos la llamada a bnxt_check_rss_tbl_no_rmgr() y __bnxt_reserve_rings() tambi\\u00e9n puede omitir la llamada a bnxt_set_dflt_rss_indir_tbl() por el motivo explicado en el \\u00faltimo p\\u00e1rrafo. Sin configurar la tabla de direccionamiento indirecto RSS predeterminada, se produce la regresi\\u00f3n: ERROR: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40 Lectura de tama\\u00f1o 2 en la direcci\\u00f3n ffff8881c5809618 mediante la tarea ethtool/31525 Call Trace: __bnxt_hwrm_vnic_set_rss+0 xb79 /0xe40 bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460 __bnxt_setup_vnic_p5+0x12e/0x270 __bnxt_open_nic+0x2262/0x2f30 bnxt_open_nic+0x5d/0xf0 ethnl_set_channels+0x5d4/0 xb30 ethnl_default_set_doit+0x2f1/0x620\"}]",
      "id": "CVE-2024-44933",
      "lastModified": "2024-08-27T16:08:38.973",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-08-26T11:15:05.547",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/abd573e9ad2ba64eaa6418a5f4eec819de28f205\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/da03f5d1b2c319a2b74fe76edeadcd8fa5f44376\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-44933\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-08-26T11:15:05.547\",\"lastModified\":\"2024-08-27T16:08:38.973\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()\\n\\nA recent commit has modified the code in __bnxt_reserve_rings() to\\nset the default RSS indirection table to default only when the number\\nof RX rings is changing.  While this works for newer firmware that\\nrequires RX ring reservations, it causes the regression on older\\nfirmware not requiring RX ring resrvations (BNXT_NEW_RM() returns\\nfalse).\\n\\nWith older firmware, RX ring reservations are not required and so\\nhw_resc-\u003eresv_rx_rings is not always set to the proper value.  The\\ncomparison:\\n\\nif (old_rx_rings != bp-\u003ehw_resc.resv_rx_rings)\\n\\nin __bnxt_reserve_rings() may be false even when the RX rings are\\nchanging.  This will cause __bnxt_reserve_rings() to skip setting\\nthe default RSS indirection table to default to match the current\\nnumber of RX rings.  This may later cause bnxt_fill_hw_rss_tbl() to\\nuse an out-of-range index.\\n\\nWe already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this\\nscenario.  We just need to move it up in bnxt_need_reserve_rings()\\nto be called unconditionally when using older firmware.  Without the\\nfix, if the TX rings are changing, we\u0027ll skip the\\nbnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also\\nskip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained\\nin the last paragraph.  Without setting the default RSS indirection\\ntable to default, it causes the regression:\\n\\nBUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40\\nRead of size 2 at addr ffff8881c5809618 by task ethtool/31525\\nCall Trace:\\n__bnxt_hwrm_vnic_set_rss+0xb79/0xe40\\n bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460\\n __bnxt_setup_vnic_p5+0x12e/0x270\\n __bnxt_open_nic+0x2262/0x2f30\\n bnxt_open_nic+0x5d/0xf0\\n ethnl_set_channels+0x5d4/0xb30\\n ethnl_default_set_doit+0x2f1/0x620\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bnxt_en: corrige la memoria fuera de los l\u00edmites en bnxt_fill_hw_rss_tbl() Una confirmaci\u00f3n reciente modific\u00f3 el c\u00f3digo en __bnxt_reserve_rings() para configurar la tabla de direccionamiento indirecto RSS predeterminada solo cuando el n\u00famero de Los anillos RX est\u00e1n cambiando. Si bien esto funciona para firmware m\u00e1s nuevo que requiere reservas de anillo RX, provoca la regresi\u00f3n en firmware m\u00e1s antiguo que no requiere reservas de anillo RX (BNXT_NEW_RM() devuelve falso). Con firmware anterior, no se requieren reservas de anillo RX y, por lo tanto, hw_resc-\u0026gt;resv_rx_rings no siempre est\u00e1 configurado en el valor adecuado. La comparaci\u00f3n: if (old_rx_rings != bp-\u0026gt;hw_resc.resv_rx_rings) en __bnxt_reserve_rings() puede ser falso incluso cuando los anillos RX est\u00e1n cambiando. Esto har\u00e1 que __bnxt_reserve_rings() omita la configuraci\u00f3n de la tabla de direccionamiento indirecto RSS predeterminada para que coincida con el n\u00famero actual de anillos RX. Posteriormente, esto puede provocar que bnxt_fill_hw_rss_tbl() utilice un \u00edndice fuera de rango. Ya tenemos bnxt_check_rss_tbl_no_rmgr() para manejar exactamente este escenario. Solo necesitamos moverlo hacia arriba en bnxt_need_reserve_rings() para que se llame incondicionalmente cuando usemos firmware anterior. Sin la soluci\u00f3n, si los anillos TX est\u00e1n cambiando, omitiremos la llamada a bnxt_check_rss_tbl_no_rmgr() y __bnxt_reserve_rings() tambi\u00e9n puede omitir la llamada a bnxt_set_dflt_rss_indir_tbl() por el motivo explicado en el \u00faltimo p\u00e1rrafo. Sin configurar la tabla de direccionamiento indirecto RSS predeterminada, se produce la regresi\u00f3n: ERROR: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40 Lectura de tama\u00f1o 2 en la direcci\u00f3n ffff8881c5809618 mediante la tarea ethtool/31525 Call Trace: __bnxt_hwrm_vnic_set_rss+0 xb79 /0xe40 bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460 __bnxt_setup_vnic_p5+0x12e/0x270 __bnxt_open_nic+0x2262/0x2f30 bnxt_open_nic+0x5d/0xf0 ethnl_set_channels+0x5d4/0 xb30 ethnl_default_set_doit+0x2f1/0x620\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.10.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00FEED69-9465-4F0C-870C-DE98C3FFFD94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/abd573e9ad2ba64eaa6418a5f4eec819de28f205\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/da03f5d1b2c319a2b74fe76edeadcd8fa5f44376\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-44933\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:27:54.693041Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:12.323Z\"}}], \"cna\": {\"title\": \"bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"bc57f879a420d19bb5ecdb480f858371554f2258\", \"lessThan\": \"abd573e9ad2ba64eaa6418a5f4eec819de28f205\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"98ba1d931f611e8f8f519c0405fa0a1a76554bfa\", \"lessThan\": \"da03f5d1b2c319a2b74fe76edeadcd8fa5f44376\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/broadcom/bnxt/bnxt.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.10.4\", \"lessThan\": \"6.10.5\", \"versionType\": \"semver\"}], \"programFiles\": [\"drivers/net/ethernet/broadcom/bnxt/bnxt.c\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/abd573e9ad2ba64eaa6418a5f4eec819de28f205\"}, {\"url\": \"https://git.kernel.org/stable/c/da03f5d1b2c319a2b74fe76edeadcd8fa5f44376\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl()\\n\\nA recent commit has modified the code in __bnxt_reserve_rings() to\\nset the default RSS indirection table to default only when the number\\nof RX rings is changing.  While this works for newer firmware that\\nrequires RX ring reservations, it causes the regression on older\\nfirmware not requiring RX ring resrvations (BNXT_NEW_RM() returns\\nfalse).\\n\\nWith older firmware, RX ring reservations are not required and so\\nhw_resc-\u003eresv_rx_rings is not always set to the proper value.  The\\ncomparison:\\n\\nif (old_rx_rings != bp-\u003ehw_resc.resv_rx_rings)\\n\\nin __bnxt_reserve_rings() may be false even when the RX rings are\\nchanging.  This will cause __bnxt_reserve_rings() to skip setting\\nthe default RSS indirection table to default to match the current\\nnumber of RX rings.  This may later cause bnxt_fill_hw_rss_tbl() to\\nuse an out-of-range index.\\n\\nWe already have bnxt_check_rss_tbl_no_rmgr() to handle exactly this\\nscenario.  We just need to move it up in bnxt_need_reserve_rings()\\nto be called unconditionally when using older firmware.  Without the\\nfix, if the TX rings are changing, we\u0027ll skip the\\nbnxt_check_rss_tbl_no_rmgr() call and __bnxt_reserve_rings() may also\\nskip the bnxt_set_dflt_rss_indir_tbl() call for the reason explained\\nin the last paragraph.  Without setting the default RSS indirection\\ntable to default, it causes the regression:\\n\\nBUG: KASAN: slab-out-of-bounds in __bnxt_hwrm_vnic_set_rss+0xb79/0xe40\\nRead of size 2 at addr ffff8881c5809618 by task ethtool/31525\\nCall Trace:\\n__bnxt_hwrm_vnic_set_rss+0xb79/0xe40\\n bnxt_hwrm_vnic_rss_cfg_p5+0xf7/0x460\\n __bnxt_setup_vnic_p5+0x12e/0x270\\n __bnxt_open_nic+0x2262/0x2f30\\n bnxt_open_nic+0x5d/0xf0\\n ethnl_set_channels+0x5d4/0xb30\\n ethnl_default_set_doit+0x2f1/0x620\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.5\", \"versionStartIncluding\": \"6.10.4\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T20:32:16.863Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-44933\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T20:32:16.863Z\", \"dateReserved\": \"2024-08-21T05:34:56.664Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-08-26T10:11:24.675Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.