IM
IronMonkey Threat Research

CVE-2025-21682 MEDIUM

Published: 2025-01-31 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: always recalculate features after XDP clearing, fix null-deref Recalculate features when XDP is detached. Before: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: off [requested on] After: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: on The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly. Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") we only reconfigure the RSS hash table if the "effective" number of Rx rings has changed. If HW-GRO is enabled "effective" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement "pending" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the: if (old_rx_rings != bp->hw_resc.resv_rx_rings && condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with: BUG: kernel NULL pointer dereference, address: 0000000000000168 RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0 bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180 __bnxt_setup_vnic_p5+0x58/0x110 bnxt_init_nic+0xb72/0xf50 __bnxt_open_nic+0x40d/0xab0 bnxt_open_nic+0x2b/0x60 ethtool_set_channels+0x18c/0x1d0 As we try to access a freed ring. The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") it wasn't causing major issues.

Additional Descriptions (1)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: eth: bnxt: siempre recalcula las características después de borrar XDP, corrige null-deref Recalcula las características cuando se desconecta XDP. Antes: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: off [solicitado el] Después: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: on El hecho de que HW-GRO no se vuelva a habilitar automáticamente es solo una molestia menor. El problema real es que las funciones volverán de forma aleatoria durante otra reconfiguración que invoca netdev_update_features(). El controlador no gestiona la reconfiguración de dos cosas a la vez de forma muy robusta. A partir de el commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()"), solo reconfiguramos la tabla hash RSS si el número "efectivo" de anillos Rx ha cambiado. Si HW-GRO está habilitado, el número "efectivo" de anillos es el doble de lo que ve el usuario. Entonces, si estamos en un mal estado, con la rehabilitación de HW-GRO "pendiente" después de desactivar XDP, y reducimos los anillos en / 2, los anillos de HW-GRO haciendo 2x y ethtool -L haciendo / 2 pueden cancelarse entre sí, y la condición: if (old_rx_rings != bp->hw_resc.resv_rx_rings && en __bnxt_reserve_rings() será falsa. El mapa RSS no se actualizará y nos bloquearemos con: ERROR: desreferencia de puntero NULL del kernel, dirección: 0000000000000168 RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0 bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180 __bnxt_setup_vnic_p5+0x58/0x110 bnxt_init_nic+0xb72/0xf50 __bnxt_open_nic+0x40d/0xab0 bnxt_open_nic+0x2b/0x60 ethtool_set_channels+0x18c/0x1d0 Cuando intentamos acceder a un anillo liberado, el problema está presente desde que se agregó la compatibilidad con XDP, pero antes de el commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") no causaba problemas importantes.

CVSS Metrics

Base Score: 5.5 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 3.6

Weaknesses

Source Type Description
[email protected] Primary
en CWE-476
134c704f-9b21-4f2e-91b3-4a467353bcc0 Secondary
en CWE-476

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bdc0d25c0> Operating System
linux linux_kernel 6.13 <built-in method update of dict object at 0x702bdc0d2e80> Operating System
linux linux_kernel 6.13 <built-in method update of dict object at 0x702ba6c53600> Operating System
linux linux_kernel 6.13 <built-in method update of dict object at 0x702bdcc9ad40> Operating System
linux linux_kernel 6.13 <built-in method update of dict object at 0x702bdc0d1980> Operating System
linux linux_kernel 6.13 <built-in method update of dict object at 0x702bdc0d2800> Operating System
linux linux_kernel 6.13 <built-in method update of dict object at 0x702bdc0d2a00> Operating System
linux linux_kernel 6.13 <built-in method update of dict object at 0x702b53f53740> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*

References

Notification
Message here