CVE-2025-71092

Summary

In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()

Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR.

BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices.

As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats().

The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices.

Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxef56081d1864582a6db50710733416c0510b7826 < 369a161c48723f60f06f3510b82ea7d96d0499abaffected
LinuxLinuxef56081d1864582a6db50710733416c0510b7826 < 9b68a1cc966bc947d00e4c0df7722d118125aa37affected
LinuxLinux6.18affected
LinuxLinux0 < 6.18unaffected
LinuxLinux6.18.4 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References