KernelScan.io

HIGH

octeontx2 RingParam Overflow

CVE-2025-71137

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error". This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users pass small or zero ring sizes via ethtool -G.

Engine v0.2.0

Risk summary

A local attacker with root privileges can cause undefined behavior in the OcteonTX2 network driver by setting invalid ring sizes through ethtool, potentially leading to system instability or crashes. The impact is limited to systems with OcteonTX2 network hardware and requires administrative access.

Affected: drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c

Vulnerability analysis

Root Cause: The otx2_set_ringparam() function in the OcteonTX2 network driver accepts user-provided RX ring size values via ethtool without proper validation. When users pass small or zero values for rx_pending, subsequent bit-shift operations (likely in the Q_SIZE() macro) can invoke undefined behavior because the shift count falls out of bounds, triggering UBSAN errors.

Attack Surface: Local attack surface requiring root privileges to use ethtool commands. The vulnerability is triggered through the ethtool interface when configuring network ring parameters on OcteonTX2 network devices.

Fix Mechanism: The patch adds input validation to reject rx_pending values below 16, which is the minimum safe ring size. It returns -EINVAL with an error message when invalid values are provided, preventing the problematic shift operations from occurring.
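The validate-before-shift pattern described above, as an added userspace example that is not the driver's code. The size encoding in rx_shift_exponent() is an assumption made for illustration (the page only says the shift is "likely in Q_SIZE()"), and all function names are hypothetical; only the minimum of 16 and the -EINVAL return come from the page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define RX_RING_MIN 16u /* minimum rx_pending the fix accepts, per the page */

/* floor(log2(v)); returns -1 for v == 0, where the logarithm is undefined. */
static int log2_floor(uint32_t v)
{
    int n = -1;
    while (v) { v >>= 1; n++; }
    return n;
}

/* ASSUMED encoding (not the driver's macro): the shift exponent applied to a
 * base of 16 entries. Sizes below 16 can yield a negative exponent. */
static int rx_shift_exponent(uint32_t rx_pending)
{
    return 2 * ((log2_floor(rx_pending) - 4) / 2);
}

/* Validate first, shift second: reject small sizes with -EINVAL as the
 * fix does, so the shift below only ever sees an exponent >= 0. */
static int set_rx_ring_checked(uint32_t rx_pending, uint64_t *entries)
{
    if (rx_pending < RX_RING_MIN)
        return -EINVAL;
    *entries = 16ULL << rx_shift_exponent(rx_pending);
    return 0;
}

int main(void)
{
    const uint32_t requested[] = { 0, 4, 15, 16, 100, 1024 }; /* constructed */
    for (size_t i = 0; i < sizeof(requested) / sizeof(requested[0]); i++) {
        uint64_t entries = 0;
        int exp = rx_shift_exponent(requested[i]);
        int rc = set_rx_ring_checked(requested[i], &entries);
        printf("rx_pending=%4u exponent=%3d %s rc=%d entries=%llu\n",
               requested[i], exp, exp < 0 ? "(UB if shifted)" : "",
               rc, (unsigned long long)entries);
    }
    return 0;
}
```

Building with -fsanitize=undefined and removing the range check reproduces the class of UBSAN report the page describes, since a negative shift count is undefined behavior in C.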

Branch     Fixed in    Patch commit
5.10       5.10.248    5d8dfa3abb9a
5.15       5.15.198    4cc4cfe4d23c
6.1        6.1.160     658caf3b8aad
6.12       6.12.64     aa743b0d9844
6.18       6.18.4      442848e457f5
6.6        6.6.120     b23a2e155894
mainline   6.19        85f4b0c650d9