CVE-2024-53209 in Linux
Summary
by MITRE • 12/27/2024
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix receive ring space parameters when XDP is active
The MTU setting at the time an XDP multi-buffer is attached determines whether the aggregation ring will be used and the rx_skb_func handler. This is done in bnxt_set_rx_skb_mode().
If the MTU is later changed, the aggregation ring setting may need to be changed and it may become out-of-sync with the settings initially done in bnxt_set_rx_skb_mode(). This may result in random memory corruption and crashes as the HW may DMA data larger than the allocated buffer size, such as:
BUG: kernel NULL pointer dereference, address: 00000000000003c0
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1
Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021
RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]
Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f
RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202
RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff
RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380
RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf
R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980
R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990
FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]
To address the issue, we now call bnxt_set_rx_skb_mode() within bnxt_change_mtu() to properly set the AGG rings configuration and update rx_skb_func based on the new MTU value. Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on the current MTU.
Analysis
by VulDB Data Team • 12/15/2025
The vulnerability described in CVE-2024-53209 affects the Linux kernel's bnxt_en driver, which manages Broadcom network adapters. This issue arises from improper handling of receive ring space parameters when XDP (eXpress Data Path) is active, creating a critical memory corruption risk that can lead to system crashes and potential exploitation. The flaw stems from the driver's inability to properly synchronize receive ring configurations when the MTU (Maximum Transmission Unit) is modified after XDP multi-buffer attachment has occurred. The root cause lies in the bnxt_set_rx_skb_mode() function, which establishes initial aggregation ring settings and rx_skb_func handlers based on the MTU value present at XDP attachment time. When subsequent MTU changes occur, the driver fails to update these critical parameters, resulting in a misalignment between hardware DMA operations and allocated buffer sizes.
The technical implementation of this vulnerability involves a race condition between hardware data transfer and software buffer management. When XDP is active, the driver configures specific receive ring parameters that assume a fixed MTU value. However, during runtime MTU modifications, the aggregation ring settings become stale and out-of-sync with current network parameters. This mismatch causes the hardware to perform DMA operations with data sizes exceeding allocated buffer boundaries, leading to memory corruption patterns that manifest as kernel NULL pointer dereferences. The crash trace shows execution flow through bnxt_rx_pkt function where the kernel attempts to access invalid memory addresses, specifically at offset 0x3c0, indicating corrupted data structures. The hardware page directory (PGD) and page table entry structures show invalid memory mappings consistent with memory corruption from buffer overruns.
The operational impact of this vulnerability extends beyond simple system instability to potential security implications within network infrastructure environments. Systems utilizing Broadcom network adapters with XDP enabled and dynamic MTU configuration are at risk of experiencing random crashes, network connectivity loss, and potential privilege escalation if exploited. The vulnerability specifically targets network virtualization and high-performance networking scenarios where XDP is commonly deployed for packet processing acceleration. According to CWE classification, this represents a CWE-121: Stack-based Buffer Overflow, though the actual manifestation occurs through memory corruption rather than traditional stack overflow patterns. The ATT&CK framework categorizes this under T1059.001: Command and Scripting Interpreter - PowerShell, as exploitation could involve automated network disruption attacks through controlled MTU manipulation, though the primary vector is kernel-level memory corruption.
The mitigation strategy implemented in the fix involves modifying the bnxt_change_mtu() function to invoke bnxt_set_rx_skb_mode() whenever MTU changes occur, ensuring that aggregation ring configurations and rx_skb_func handlers are properly updated according to the new MTU value. Additionally, the fix clears the BNXT_FLAG_NO_AGG_RINGS flag at the start of bnxt_set_rx_skb_mode() to guarantee that the aggregation ring state accurately reflects current MTU conditions. This approach directly addresses the synchronization problem by forcing re-evaluation of all receive ring parameters during MTU transitions, preventing the hardware from DMAing data larger than allocated buffers. The solution follows established kernel security practices for maintaining consistency between hardware configuration and software buffer management, preventing the memory corruption patterns that lead to kernel panics and system instability. This fix ensures that dynamic network configuration changes do not introduce persistent state inconsistencies that could be exploited by malicious actors or lead to unpredictable system behavior in production environments.
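The Summary and the Analysis above both describe the same state-consistency failure: the aggregation-ring decision is taken once from the MTU current at XDP attach time, and a later MTU change leaves that decision stale. The following C program is an added illustration, not bnxt_en driver code and not part of this advisory; every name (model_bp, model_set_rx_skb_mode, model_change_mtu, MODEL_FLAG_NO_AGG_RINGS) and every size constant is a hypothetical stand-in chosen so the arithmetic is easy to follow. It models the two halves of the fix separately: re-running the mode selection from bnxt_change_mtu(), and clearing the no-aggregation-ring flag at the start of the selection so the result depends only on the new MTU. A "DMA check" on the hardware side reports whether a maximum-size frame would be written past the single receive buffer.

```c
/*
 * Hypothetical model of the stale-state bug fixed in CVE-2024-53209.
 * Added illustration only; NOT bnxt_en code. Names and constants are
 * simplified stand-ins for bnxt_set_rx_skb_mode() / bnxt_change_mtu().
 */
#include <stdbool.h>
#include <stdio.h>

/* Constructed sizes in bytes; real values depend on kernel and arch. */
#define MODEL_PAGE_SIZE      4096
#define MODEL_XDP_HEADROOM    256  /* space reserved in front of the frame */
#define MODEL_SKB_SHINFO      320  /* space reserved at the end of the page */
#define MODEL_L2_OVERHEAD      22  /* Ethernet header + VLAN tag + FCS */

/* Largest frame one page-mode rx buffer can hold: 4096-256-320 = 3520. */
#define MODEL_PAGE_MODE_MAX (MODEL_PAGE_SIZE - MODEL_XDP_HEADROOM - MODEL_SKB_SHINFO)

#define MODEL_FLAG_NO_AGG_RINGS (1u << 0)

struct model_bp {
    unsigned int mtu;          /* current interface MTU */
    unsigned int flags;        /* MODEL_FLAG_* */
    unsigned int rx_buf_size;  /* bytes the HW may DMA into one rx buffer */
    const char *rx_skb_func;   /* which receive handler is installed */
};

static unsigned int model_frame_len(unsigned int mtu)
{
    return mtu + MODEL_L2_OVERHEAD;
}

/*
 * Stand-in for bnxt_set_rx_skb_mode(): from the *current* MTU, decide
 * whether a frame fits one buffer (no aggregation ring) or must spill
 * into the aggregation ring (multi-buffer). clear_stale_flag models the
 * fix's "clear BNXT_FLAG_NO_AGG_RINGS at the beginning" step.
 */
static void model_set_rx_skb_mode(struct model_bp *bp, bool page_mode,
                                  bool clear_stale_flag)
{
    if (clear_stale_flag)
        bp->flags &= ~MODEL_FLAG_NO_AGG_RINGS;

    if (page_mode && model_frame_len(bp->mtu) <= MODEL_PAGE_MODE_MAX) {
        bp->flags |= MODEL_FLAG_NO_AGG_RINGS;
        bp->rx_skb_func = "rx_page_skb";       /* one buffer per frame */
    } else {
        bp->rx_skb_func = "rx_multi_buf_skb";  /* remainder -> agg ring */
    }
    /* The linear rx buffer is the same size in both modes; only the
     * aggregation ring can absorb bytes beyond it. */
    bp->rx_buf_size = MODEL_PAGE_MODE_MAX;
}

/* Stand-in for bnxt_change_mtu(); apply_fix = re-run the mode selection. */
static void model_change_mtu(struct model_bp *bp, unsigned int new_mtu,
                             bool xdp_attached, bool apply_fix)
{
    bp->mtu = new_mtu;
    if (apply_fix)
        model_set_rx_skb_mode(bp, xdp_attached, true);
}

/*
 * Hardware-side model: 0 if a frame of frame_len bytes lands safely,
 * -1 if "no aggregation ring" is configured but the frame exceeds the
 * single buffer (the DMA-larger-than-buffer case in the advisory).
 */
static int model_rx_dma_check(const struct model_bp *bp, unsigned int frame_len)
{
    if (frame_len <= bp->rx_buf_size)
        return 0;
    if (bp->flags & MODEL_FLAG_NO_AGG_RINGS)
        return -1;  /* HW writes past rx_buf_size: memory corruption */
    return 0;       /* excess bytes go to aggregation ring buffers */
}

/* Attach XDP at attach_mtu, change MTU to new_mtu, receive a max frame. */
int model_mtu_change_outcome(bool apply_fix, unsigned int attach_mtu,
                             unsigned int new_mtu)
{
    struct model_bp bp = { .mtu = attach_mtu };

    model_set_rx_skb_mode(&bp, true, apply_fix);      /* XDP attach */
    model_change_mtu(&bp, new_mtu, true, apply_fix);  /* later MTU change */
    return model_rx_dma_check(&bp, model_frame_len(new_mtu));
}

/* Same sequence; true if the aggregation ring is in use afterwards. */
bool model_agg_ring_after(bool apply_fix, unsigned int attach_mtu,
                          unsigned int new_mtu)
{
    struct model_bp bp = { .mtu = attach_mtu };

    model_set_rx_skb_mode(&bp, true, apply_fix);
    model_change_mtu(&bp, new_mtu, true, apply_fix);
    return !(bp.flags & MODEL_FLAG_NO_AGG_RINGS);
}

int main(void)
{
    printf("unfixed, 1500 -> 9000: %s\n",
           model_mtu_change_outcome(false, 1500, 9000) ? "DMA overrun" : "ok");
    printf("fixed,   1500 -> 9000: %s\n",
           model_mtu_change_outcome(true, 1500, 9000) ? "DMA overrun" : "ok");
    printf("unfixed, 9000 -> 1500: agg ring %s\n",
           model_agg_ring_after(false, 9000, 1500) ? "still used (stale)" : "off");
    printf("fixed,   9000 -> 1500: agg ring %s\n",
           model_agg_ring_after(true, 9000, 1500) ? "used" : "off");
    return 0;
}
```

The interesting path is the first one: attaching at MTU 1500 selects the single-buffer mode, and raising the MTU to 9000 without re-selecting leaves the flag set while 9022-byte frames arrive, which the model reports as an overrun. The reverse direction (attach at 9000, drop to 1500) does not corrupt memory in the model, but without the fix the aggregation ring silently stays in use, which is the "out-of-sync" state the Summary describes; with the fix the mode is re-derived from the new MTU in both directions.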