CVE-2021-47015 in Linux

Summary

by MITRE • 02/28/2024

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RX consumer index logic in the error path.

In bnxt_rx_pkt(), the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug and the driver will abort all remaining RX packets and reset the RX ring. The RX consumer index that we pass to bnxt_discard_rx() is not correct. We should be passing the current index (tmp_raw_cons) instead of the old index (raw_cons). This bug can cause us to be at the wrong index when trying to abort the next RX packet. It can crash like this:

#0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
#1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232
#2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e
#3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978
#4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0
#5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e
#6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24
#7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e
#8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12
#9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5
[exception RIP: bnxt_rx_pkt+237]
RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213
RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000
RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000
RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d
R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0
R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018

Analysis

by VulDB Data Team • 06/21/2025

The vulnerability identified as CVE-2021-47015 affects the Linux kernel's bnxt_en driver, which manages NetXtreme II network adapters from Broadcom. This flaw resides in the receive packet processing logic and represents a critical issue that can lead to system crashes and potential denial of service conditions. The vulnerability specifically impacts the handling of RX consumer index values during error path processing, creating a scenario where incorrect index management can cause kernel panics and system instability.

The technical flaw occurs within the bnxt_rx_pkt() function where the driver expects RX buffers to complete in sequential order. When an out-of-order buffer completion is detected, the driver should abort all remaining RX packets and reset the RX ring to maintain system integrity. However, the implementation contains a critical error in how the consumer index is passed to the bnxt_discard_rx() function. Instead of passing the current index (tmp_raw_cons), the driver incorrectly passes the old index (raw_cons), which results in the driver operating at an incorrect index position when attempting to abort subsequent RX packets.
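The index mix-up described above, as a simplified user-space C model (an added example, not bnxt_en source and not the upstream patch). The ring layout, the types, and the names discard_rx, rx_pkt and next_after_abort are assumptions made for illustration; only raw_cons and tmp_raw_cons are taken from the advisory text.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (added example, NOT bnxt_en code). Assumed layout:
 * a packet is RX_CMP, RX_CMP_EXT, then agg_bufs AGG_CMP entries. */
enum ent_type { RX_CMP, RX_CMP_EXT, AGG_CMP };
struct cmp_ent { enum ent_type type; uint8_t agg_bufs; uint16_t opaque; };
#define RING_SIZE 16u
#define RING_IDX(raw) ((raw) & (RING_SIZE - 1))

/* Hypothetical discard helper: skips the packet's aggregation entries,
 * counting from whatever index the caller hands in. */
static void discard_rx(const struct cmp_ent *rxcmp, uint32_t *raw_cons)
{
    *raw_cons += rxcmp->agg_bufs;
}

/* Process one packet; on return *raw_cons should sit on its last entry. */
static int rx_pkt(const struct cmp_ent *ring, uint32_t *raw_cons,
                  uint16_t next_cons, int fixed)
{
    const struct cmp_ent *rxcmp = &ring[RING_IDX(*raw_cons)];
    uint32_t tmp_raw_cons = *raw_cons + 1;     /* current index: RX_CMP_EXT */
    if (rxcmp->opaque != next_cons) {          /* out-of-order completion */
        if (fixed) {
            discard_rx(rxcmp, &tmp_raw_cons);  /* current index */
            *raw_cons = tmp_raw_cons;
        } else {
            discard_rx(rxcmp, raw_cons);       /* old index: one entry short */
        }
        return -1;
    }
    *raw_cons = tmp_raw_cons + rxcmp->agg_bufs;
    return 0;
}

/* Entry type the poll loop parses as the "next packet" after the abort. */
enum ent_type next_after_abort(int fixed)
{
    const struct cmp_ent ring[RING_SIZE] = {   /* constructed sample ring */
        {RX_CMP, 2, 7}, {RX_CMP_EXT, 0, 0}, {AGG_CMP, 0, 0}, {AGG_CMP, 0, 0},
        {RX_CMP, 0, 1}, {RX_CMP_EXT, 0, 0},
    };
    uint32_t raw_cons = 0;
    (void)rx_pkt(ring, &raw_cons, 0, fixed);   /* expected buffer 0, got 7 */
    raw_cons++;                                /* poll loop steps forward */
    return ring[RING_IDX(raw_cons)].type;
}

int main(void)
{
    printf("old: %d, current: %d\n", next_after_abort(0), next_after_abort(1));
}
```

With the old index the model resumes on an aggregation entry and would parse it as the start of a packet; with the current index it resumes on the next packet's first entry.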

This incorrect index handling creates a memory access violation scenario that can lead to kernel crashes and system instability. The crash manifestation occurs through the standard kernel oops mechanism where the system encounters a page fault while attempting to access memory at an incorrect address. The stack trace reveals the execution path leading to the fault, with the fault occurring in the bnxt_rx_pkt function at offset 237, indicating that the memory corruption happens during the packet processing logic when the driver attempts to manage the RX ring state incorrectly.

The operational impact of this vulnerability extends beyond simple system crashes, as it can potentially be exploited to cause persistent denial of service conditions on systems running affected kernel versions. Network adapters utilizing the bnxt_en driver become vulnerable to intermittent crashes that can disrupt network connectivity and potentially allow attackers to force system reboots through sustained network traffic patterns that trigger the faulty logic path. This vulnerability affects systems using the Broadcom NetXtreme II network adapters and demonstrates the critical importance of proper index management in kernel network drivers.

From a cybersecurity perspective, this vulnerability aligns with CWE-129, which addresses improper validation of array indices, and represents a classic case of incorrect state management in kernel space operations. The issue can be mapped to ATT&CK technique T1499.004, which covers network disruption through kernel-level manipulation, and T1070.006, involving system network configuration modification. The vulnerability represents a privilege escalation vector since it can be triggered through normal network operations and can cause complete system instability.

Mitigation strategies for CVE-2021-47015 require immediate kernel updates from vendors such as Red Hat, SUSE, and Ubuntu, which have released patches addressing the incorrect index handling in the bnxt_en driver. System administrators should prioritize applying these patches to all affected systems, particularly those running network-intensive workloads. Additionally, implementing network monitoring solutions that can detect unusual packet processing patterns may help identify systems that have been affected by this vulnerability before complete system crashes occur. The fix involves correcting the consumer index value passed to the discard function, ensuring that the current index is used instead of the stale index value that was causing the memory access violations.

Reservation: 02/27/2024
Disclosure: 02/28/2024
Moderation: accepted
CPE: ready
EPSS: 0.00250
KEV: no
Activities: very low
