CVE-2024-38540 in Linuxinfo

Summary

by MITRE • 06/19/2024

In the Linux kernel, the following vulnerability has been resolved:

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0.

Fix it in the one caller that had this combination.

The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric, s.r.o. - [email protected] Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call Trace: dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec __roundup_pow_of_two+0x25/0x35 [bnxt_re]
bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kmalloc+0x1b6/0x4f0 ? create_qp.part.0+0x128/0x1c0 [ib_core]
? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
create_qp.part.0+0x128/0x1c0 [ib_core]
ib_create_qp_kernel+0x50/0xd0 [ib_core]
create_mad_qp+0x8e/0xe0 [ib_core]
? __pfx_qp_event_handler+0x10/0x10 [ib_core]
ib_mad_init_device+0x2be/0x680 [ib_core]
add_client_context+0x10d/0x1a0 [ib_core]
enable_device_and_get+0xe0/0x1d0 [ib_core]
ib_register_device+0x53c/0x630 [ib_core]
? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
auxiliary_bus_probe+0x49/0x80 ? driver_sysfs_add+0x57/0xc0 really_probe+0xde/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220 driver_register+0x72/0xd0 __auxiliary_driver_register+0x6e/0xd0 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250 init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0 __x64_sys_finit_module+0x5e/0xb0 do_syscall_64+0x82/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode_prepare+0x149/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x75/0x230 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x8e/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? __count_memcg_events+0x69/0x100 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events.constprop.0+0x1a/0x30 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1f0/0x300 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x34e/0x640 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 ---[ end trace ]---

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 10/04/2025

The vulnerability CVE-2024-38540 resides within the Linux kernel's bnxt_re driver, specifically in the function bnxt_qplib_alloc_init_hwq. This flaw manifests as undefined behavior when certain hardware queue attributes are improperly configured, creating a scenario where the function receives hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. Under these conditions, the code invokes roundup_pow_of_two(hwq_attr->aux_stride), which is explicitly documented as undefined behavior when passed a value of zero. This condition triggers a shift-out-of-bounds error detected by the Undefined Behavior Sanitizer (UBSAN), indicating that the shift exponent 64 exceeds the bounds of a 64-bit type 'long unsigned int', thereby compromising system stability and potentially creating security risks through unpredictable behavior.

The technical root cause stems from improper input validation within the bnxt_re driver's hardware queue allocation logic. The function bnxt_qplib_alloc_init_hwq fails to adequately check the aux_stride parameter before passing it to roundup_pow_of_two, which expects positive integer inputs to compute the next power of two. When aux_stride equals zero, the subsequent bit-shift operations in the power-of-two calculation become invalid, leading to memory corruption or system crashes. This undefined behavior aligns with CWE-681, which addresses "Incorrect Use of a Computation Result" and specifically relates to improper handling of mathematical operations that produce undefined results. The vulnerability is particularly concerning because it can be triggered during normal device initialization sequences when the InfiniBand core attempts to create queue pairs for MAD (Management Datagram) operations, making it exploitable during routine system operation rather than requiring special conditions.

The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential pathway for denial-of-service attacks against systems utilizing the bnxt_re driver. When triggered, the undefined behavior can cause kernel panics or memory corruption, effectively halting device functionality and potentially allowing adversaries to gain unauthorized access to system resources. The vulnerability affects systems running Linux kernel versions where the bnxt_re driver is present, particularly those supporting NetExtremes network adapters. According to ATT&CK framework category T1499.004, this vulnerability could be leveraged to achieve system resource compromise through process termination or resource exhaustion, while also aligning with T1070.006 for bypassing security controls through kernel-level manipulation. The specific trigger involves the ib_mad_init_device function that calls into the bnxt_re subsystem during device initialization, making it difficult to isolate and prevent without proper kernel patches.

Mitigation strategies for CVE-2024-38540 require immediate application of the kernel patch that addresses the root cause by ensuring proper validation of aux_stride before invoking roundup_pow_of_two. The fix implemented in the bnxt_re driver specifically targets the one caller that was susceptible to this combination of parameters, preventing the undefined behavior from occurring. System administrators should prioritize updating to kernel versions that include this patch, particularly those incorporating the fix for the bnxt_re driver. Additional mitigations include monitoring for UBSAN reports and kernel panic messages that might indicate this vulnerability's exploitation, as well as implementing runtime checks that validate hardware queue parameters before they are processed. Organizations should also consider implementing network segmentation and access controls to limit exposure of systems running affected kernel versions, while maintaining regular security audits to identify potential exploitation attempts. The fix aligns with security best practices for kernel development and emphasizes the importance of input validation and proper error handling in low-level system components to prevent undefined behavior that could lead to system instability or security compromise.

Reservation

06/18/2024

Disclosure

06/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00247

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!