HIGH
bnxt_re Counter OOB
CVE-2025-71092
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()

Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices. As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats().

The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices. Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set.
02 KernelScan AI Analysis
Risk summary
This vulnerability allows out-of-bounds memory writes in the kernel when using Broadcom RoCE network adapters. An attacker with local access who can trigger RDMA operations could potentially corrupt kernel memory, leading to system crashes or privilege escalation. The risk is elevated on systems running RDMA workloads with Broadcom NetXtreme-E hardware.
Vulnerability analysis
Root Cause: The vulnerability stems from a mismatch between hardware statistics counter allocation and usage in the Broadcom NetXtreme-E RoCE driver. The BNXT_RE_OUT_OF_SEQ_ERR enum value acts as a boundary marker that determines how many counters are allocated for hw_stats on chip_gen_p5_p7 devices using BNXT_RE_NUM_STD_COUNTERS. However, commit ef56081d1864 added three new counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, BNXT_RE_RESP_REMOTE_ACCESS_ERRS) after this boundary marker, causing the allocation size to be smaller than the actual number of counters being written.
Attack Surface: This vulnerability affects systems using Broadcom NetXtreme-E RoCE (RDMA over Converged Ethernet) hardware. The attack surface is primarily local, requiring access to RDMA operations that trigger hardware statistics collection. The vulnerability occurs during normal driver operation when copying error statistics, making it potentially triggerable through legitimate RDMA workloads on affected hardware.
Fix Mechanism: The fix reorders the enum values by moving the three problematic counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, BNXT_RE_RESP_REMOTE_ACCESS_ERRS) before the BNXT_RE_OUT_OF_SEQ_ERR boundary marker. This ensures they are included in the standard counter set allocation, preventing the out-of-bounds write in bnxt_re_copy_err_stats(). The counters are moved because they apply to generic hardware, not just p5/p7 devices.
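To make the boundary-marker mismatch concrete, the following C model was added for this page; it is not the bnxt_re driver's code. Everything in it is constructed: the enum values, the stand-in counter names (ACTIVE_QP, RX_PKTS, TX_ATOMIC_REQ), the hw_stats_model struct, the stats_store helper and the assumption that the standard counter count equals the marker index plus one. It places the three error counters after the OUT_OF_SEQ_ERR marker (the layout described above) beside the fixed layout, and for each device class counts how many of the three counter writes fall outside the device's allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the counter-layout bug, constructed for this note; it is
 * not the driver's hw_counters.h. The real enum has many more entries, so the
 * generic and p5/p7-only counters here are stand-ins and the numeric values
 * are not the kernel's. What is modelled: OUT_OF_SEQ_ERR is the boundary
 * marker, the standard counter count is marker + 1, and only p5/p7 devices
 * allocate the extended set (an assumption of this model).
 */

/* Layout after commit ef56081d1864: three new counters placed after the marker. */
enum vuln_counters {
	VULN_ACTIVE_QP,               /* stand-in generic counter */
	VULN_RX_PKTS,                 /* stand-in generic counter */
	VULN_OUT_OF_SEQ_ERR,          /* boundary marker */
	VULN_REQ_CQE_ERROR,           /* after the marker: index >= NUM_STD */
	VULN_RESP_CQE_ERROR,
	VULN_RESP_REMOTE_ACCESS_ERRS,
	VULN_TX_ATOMIC_REQ,           /* stand-in p5/p7-only counter */
	VULN_NUM_EXT_COUNTERS
};
#define VULN_NUM_STD_COUNTERS (VULN_OUT_OF_SEQ_ERR + 1)

/* Fixed layout: the three counters moved before the marker. */
enum fixed_counters {
	FIXED_ACTIVE_QP,
	FIXED_RX_PKTS,
	FIXED_REQ_CQE_ERROR,          /* now inside the standard set */
	FIXED_RESP_CQE_ERROR,
	FIXED_RESP_REMOTE_ACCESS_ERRS,
	FIXED_OUT_OF_SEQ_ERR,         /* boundary marker */
	FIXED_TX_ATOMIC_REQ,
	FIXED_NUM_EXT_COUNTERS
};
#define FIXED_NUM_STD_COUNTERS (FIXED_OUT_OF_SEQ_ERR + 1)

/* Model of one device's hw_stats: only num_counters slots count as allocated. */
struct hw_stats_model {
	size_t num_counters;
	uint64_t value[16];
};

/* Slot count a device gets: generic hardware the standard set, p5/p7 the extended set. */
static size_t num_counters_for(bool chip_gen_p5_p7, size_t num_std, size_t num_ext)
{
	return chip_gen_p5_p7 ? num_ext : num_std;
}

/*
 * Bounds-checked store. A copy loop that indexes value[] straight from the
 * enum has no such check; this variant refuses and reports an index outside
 * the allocation, which is the check to look for whenever a counter index is
 * derived from an enum that carries a boundary marker.
 */
static bool stats_store(struct hw_stats_model *s, size_t index, uint64_t v)
{
	if (index >= s->num_counters)
		return false;  /* would be an out-of-bounds write */
	s->value[index] = v;
	return true;
}

/* How many of the three error-counter writes land outside this device's allocation. */
static int oob_writes(bool chip_gen_p5_p7, size_t num_std, size_t num_ext,
		      size_t req_cqe, size_t resp_cqe, size_t resp_remote)
{
	struct hw_stats_model s = {
		.num_counters = num_counters_for(chip_gen_p5_p7, num_std, num_ext)
	};
	int oob = 0;

	oob += !stats_store(&s, req_cqe, 1);
	oob += !stats_store(&s, resp_cqe, 1);
	oob += !stats_store(&s, resp_remote, 1);
	return oob;
}

int vuln_layout_oob(bool chip_gen_p5_p7)
{
	return oob_writes(chip_gen_p5_p7, VULN_NUM_STD_COUNTERS, VULN_NUM_EXT_COUNTERS,
			  VULN_REQ_CQE_ERROR, VULN_RESP_CQE_ERROR,
			  VULN_RESP_REMOTE_ACCESS_ERRS);
}

int fixed_layout_oob(bool chip_gen_p5_p7)
{
	return oob_writes(chip_gen_p5_p7, FIXED_NUM_STD_COUNTERS, FIXED_NUM_EXT_COUNTERS,
			  FIXED_REQ_CQE_ERROR, FIXED_RESP_CQE_ERROR,
			  FIXED_RESP_REMOTE_ACCESS_ERRS);
}

int main(void)
{
	printf("vulnerable layout: generic %d/3 OOB, p5/p7 %d/3 OOB\n",
	       vuln_layout_oob(false), vuln_layout_oob(true));
	printf("fixed layout:      generic %d/3 OOB, p5/p7 %d/3 OOB\n",
	       fixed_layout_oob(false), fixed_layout_oob(true));
	return 0;
}
```

In the vulnerable layout all three writes miss the generic allocation while the p5/p7 allocation absorbs them, which is why the bug surfaces only on hardware that uses the standard counter count; moving the three entries before the marker fixes both cases without any change to the copy loop.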
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.4 | 369a161c4872 |
| mainline | 6.19 | 9b68a1cc966b |