CVE-2021-47015

Summary

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RX consumer index logic in the error path.

In bnxt_rx_pkt(), the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug and the driver will abort all remaining RX packets and reset the RX ring. The RX consumer index that we pass to bnxt_discard_rx() is not correct. We should be passing the current index (tmp_raw_cons) instead of the old index (raw_cons). This bug can cause us to be at the wrong index when trying to abort the next RX packet. It can crash like this:

#0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007 #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232 #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978 #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0 #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24 #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12 #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5 [exception RIP: bnxt_rx_pkt+237] RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213 RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000 RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000 RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0 R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa1b0e4e684e9c300b9e759b46cb7a0147e61ddff < b1523e4ba293b2a32d9fabaf70c1dcaa6e3e2847affected
LinuxLinuxa1b0e4e684e9c300b9e759b46cb7a0147e61ddff < 4fcaad2b7dac3f16704f8118c7e481024ddbd3edaffected
LinuxLinuxa1b0e4e684e9c300b9e759b46cb7a0147e61ddff < e187ef83c04a5d23e68d39cfdff1a1931e29890caffected
LinuxLinuxa1b0e4e684e9c300b9e759b46cb7a0147e61ddff < 3fbc5bc651d688fbea2a59cdc91520a2f5334d0aaffected
LinuxLinuxa1b0e4e684e9c300b9e759b46cb7a0147e61ddff < bbd6f0a948139970f4a615dff189d9a503681a39affected
LinuxLinux8e302e8e10b05165ed21273539a1e6a83ab93e9eaffected
LinuxLinux46281ee85b651b0df686001651b965d17b8e2c67affected
LinuxLinuxd2d055a554036b0240f296743942b8111fd4ce97affected
LinuxLinuxaecbbae850ede49183fa0b73c7445531a47669cfaffected
LinuxLinux4.9.169 < 4.10affected
LinuxLinux4.14.112 < 4.15affected
LinuxLinux4.19.35 < 4.20affected
LinuxLinux5.0.8 < 5.1affected
LinuxLinux5.1affected
LinuxLinux0 < 5.1unaffected
LinuxLinux5.4.119 <= 5.4.*unaffected
LinuxLinux5.10.37 <= 5.10.*unaffected
LinuxLinux5.11.21 <= 5.11.*unaffected
LinuxLinux5.12.4 <= 5.12.*unaffected
LinuxLinux5.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References