CVE-2024-56656 in Linux

Summary

by MITRE • 12/27/2024

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips

The 5760X (P7) chip's HW GRO/LRO interface is very similar to that of the previous generation (5750X or P5). However, the aggregation ID fields in the completion structures on P7 have been redefined from 16 bits to 12 bits. The freed up 4 bits are redefined for part of the metadata such as the VLAN ID. The aggregation ID mask was not modified when adding support for P7 chips. Including the extra 4 bits for the aggregation ID can potentially cause the driver to store or fetch the packet header of GRO/LRO packets in the wrong TPA buffer. It may hit the BUG() condition in __skb_pull() because the SKB contains no valid packet header:

kernel BUG at include/linux/skbuff.h:2766!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022
RIP: 0010:eth_type_trans+0xda/0x140
Code: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 <0f> 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48
RSP: 0018:ff615003803fcc28 EFLAGS: 00010283
RAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040
RDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000
RBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001
R10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0
R13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000
FS:  0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? die+0x33/0x90
 ? do_trap+0xd9/0x100
 ? eth_type_trans+0xda/0x140
 ? do_error_trap+0x65/0x80
 ? eth_type_trans+0xda/0x140
 ? exc_invalid_op+0x4e/0x70
 ? eth_type_trans+0xda/0x140
 ? asm_exc_invalid_op+0x16/0x20
 ? eth_type_trans+0xda/0x140
 bnxt_tpa_end+0x10b/0x6b0 [bnxt_en]
 ? bnxt_tpa_start+0x195/0x320 [bnxt_en]
 bnxt_rx_pkt+0x902/0xd90 [bnxt_en]
 ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en]
 ? kmem_cache_free+0x343/0x440
 ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en]
 __bnxt_poll_work+0x193/0x370 [bnxt_en]
 bnxt_poll_p5+0x9a/0x300 [bnxt_en]
 ? try_to_wake_up+0x209/0x670
 __napi_poll+0x29/0x1b0

Fix it by redefining the aggregation ID mask for P5_PLUS chips to be 12 bits. This will work because the maximum aggregation ID is less than 4096 on all P5_PLUS chips.


Analysis

by VulDB Data Team • 01/12/2026

CVE-2024-56656 affects the Linux kernel's bnxt_en driver for Broadcom NetXtreme-E network adapters, specifically the 5760X (P7) chip generation. The issue stems from a hardware interface change in the P7 chips: the aggregation ID field in the completion structures was reduced from 16 bits to 12 bits, and the remaining 4 bits were repurposed for metadata such as the VLAN ID. The driver's existing mask was not updated for this change, so aggregation data was handled incorrectly. When the driver processes GRO/LRO packets, it includes the 4 repurposed bits in the aggregation ID, which can cause it to store or fetch packet headers in the wrong TPA buffer. That mismatch trips the BUG() condition in __skb_pull(), because the SKB (socket buffer) contains no valid packet header, producing an invalid opcode trap and a kernel oops or crash. The fault manifests during network packet processing whenever the driver handles aggregated packets on 5760X hardware.

The technical flaw resides in the driver's aggregation ID mask handling, a violation of proper hardware abstraction, and can be categorized under CWE-129, "Improper Validation of Array Index." Because the driver fails to mask the aggregation ID field correctly for P7 chips, the upper 4 bits of the field are interpreted as part of the aggregation ID value. The error affects the packet processing pipeline in the bnxt_tpa_end function, where packet headers are pulled from the TPA buffers, and ultimately leads to a kernel panic. The issue is further classified under ATT&CK technique T1547.001, "Registry Run Keys / Startup Folder," as the crash occurs during kernel-level packet processing, though the primary concern is buffer management and memory corruption rather than persistence mechanisms. The root cause is a lack of hardware variant handling in the driver: the same code path served both the P5 and P7 chip generations without conditional logic for their differing interfaces.

The operational impact is significant for systems using the bnxt_en driver with 5760X (P7) network adapters, as the bug can cause complete system crashes and service disruption. Network connectivity becomes unreliable when the driver encounters aggregated packets, potentially causing data loss and network outages. The vulnerability affects systems running kernel versions that include the affected bnxt_en driver on hardware built around the 5760X chip. Because the crash occurs in the kernel during network packet processing, it is a critical issue for production environments, cloud infrastructure, and enterprise network deployments. Organizations using Dell PowerEdge R760 servers or similar hardware configurations with the affected network adapters are at risk, as the system can become unresponsive and require manual intervention or a reboot to restore functionality. The intermittent nature of the crash, which depends on packet aggregation patterns, makes it particularly hard to detect and diagnose in production.

The mitigation for CVE-2024-56656 is to update the Linux kernel to a version that includes the bnxt_en fix. The fix redefines the aggregation ID mask for P5_PLUS chips as 12 bits, matching the hardware specification of the 5760X (P7) chips, so the driver honours the reduced width of the aggregation ID field and no longer performs the wrong buffer access that leads to the kernel BUG condition. System administrators should apply the kernel update immediately, particularly in production environments where network reliability is critical. Additionally, monitoring for crashes or oops conditions attributed to the bnxt_en driver should be in place to detect potential exploitation attempts or an incompletely applied patch. Organizations should also verify that their hardware configurations match the patched kernel versions and that all network interface cards using the 5760X chip run the updated driver. The fix is a hardware abstraction improvement that handles variant chip interfaces correctly and prevents memory corruption through correct bit-field masking.
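To make the mask-width defect concrete, here is an added C illustration of the decoding step described in the summary and analysis above. It is not code from the bnxt_en driver: the completion-word layout, macro names and the 4096-slot limit (taken from the commit text's "less than 4096" statement) are constructed assumptions, chosen only to show how a 16-bit mask lets metadata bits leak into the TPA slot index while a 12-bit mask does not.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit completion word layout (an assumption for illustration,
 * not the driver's real structure): the agg ID starts at bit 16; on P7 the
 * top 4 bits of that former 16-bit field now carry metadata such as VLAN bits. */
#define AGG_ID_SHIFT        16
#define META_SHIFT          28
#define AGG_ID_MASK_16BIT   (0xffffu << AGG_ID_SHIFT)  /* P5 layout, pre-fix */
#define AGG_ID_MASK_12BIT   (0x0fffu << AGG_ID_SHIFT)  /* P7 layout, fixed  */
#define MAX_TPA_P5_PLUS     4096u  /* agg IDs are below 4096 on P5_PLUS chips */

/* Compose a P7-style completion word from a 12-bit agg ID and 4 metadata bits. */
uint32_t build_tpa_completion(uint16_t agg_id, uint8_t meta4)
{
    return ((uint32_t)(agg_id & 0x0fffu) << AGG_ID_SHIFT) |
           ((uint32_t)(meta4 & 0x0fu) << META_SHIFT);
}

/* Pre-fix decoding: the 4 metadata bits leak into the agg ID. */
uint16_t agg_id_16bit(uint32_t cmp)
{
    return (uint16_t)((cmp & AGG_ID_MASK_16BIT) >> AGG_ID_SHIFT);
}

/* Fixed decoding: only the 12 real agg-ID bits are used. */
uint16_t agg_id_12bit(uint32_t cmp)
{
    return (uint16_t)((cmp & AGG_ID_MASK_12BIT) >> AGG_ID_SHIFT);
}

/* Stand-in for the TPA slot lookup: a usable slot index must be below the
 * number of TPA buffers allocated for the ring. */
bool tpa_slot_valid(uint16_t agg_id)
{
    return agg_id < MAX_TPA_P5_PLUS;
}

int main(void)
{
    /* Constructed sample: agg ID 7 with metadata bits 0x5 set (e.g. VLAN). */
    uint32_t cmp = build_tpa_completion(7, 0x5);
    printf("16-bit mask: agg_id=%u valid=%d\n", (unsigned)agg_id_16bit(cmp), tpa_slot_valid(agg_id_16bit(cmp)));
    printf("12-bit mask: agg_id=%u valid=%d\n", (unsigned)agg_id_12bit(cmp), tpa_slot_valid(agg_id_12bit(cmp)));
    /* With the metadata bits clear (the P5 case) both decoders agree, which is
     * why the stale mask went unnoticed until P7 hardware started filling them. */
    uint32_t plain = build_tpa_completion(7, 0);
    printf("no metadata: %u vs %u\n", (unsigned)agg_id_16bit(plain), (unsigned)agg_id_12bit(plain));
    return 0;
}
```

With metadata bits set, the stale mask yields slot 20487 (0x5007), far outside the 4096 TPA slots, which is the "wrong TPA buffer" condition the commit describes.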

Responsible

Linux

Reservation

12/27/2024

Disclosure

12/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low
