* [PATCH 1/1] VF Resource State Inconsistency Vulnerability in Linux bnxt_en Driver
@ 2025-08-26 16:25 qianjiaru77
  2025-08-26 23:32 ` Michael Chan
  2025-08-27  0:02 ` Jakub Kicinski
  0 siblings, 2 replies; 3+ messages in thread
From: qianjiaru77 @ 2025-08-26 16:25 UTC (permalink / raw)
  To: michael.chan, pavan.chebbi, davem, edumazet, kuba, pabeni,
	andrew+netdev
  Cc: netdev, linux-kernel, qianjiaru

From: qianjiaru <qianjiaru77@gmail.com>

A state management vulnerability exists in the
`bnxt_hwrm_reserve_vf_rings()` function of the Linux kernel's
bnxt_en network driver. The vulnerability causes incomplete
resource state updates in SR-IOV Virtual Function (VF) environments,
potentially leading to system instability and resource allocation
failures in virtualized deployments.

## Root Cause Analysis

The vulnerability exists in the VF resource reservation logic 
where older firmware versions receive incomplete state updates.

## Vulnerability Mechanism

1. **Incomplete State Update**: Old firmware path only updates `resv_tx_rings`, ignoring other critical fields
2. **Missing Hardware Sync**: No call to `bnxt_hwrm_get_rings()` to sync complete state
3. **Inconsistent Resource Records**: `bp->hw_resc` structure contains stale/inconsistent values
4. **False Success**: Returns success without performing actual hardware resource reservation

## Missing State Updates

The vulnerable code fails to update these critical fields:

```c
struct bnxt_hw_resc {
    u16 resv_rx_rings;      // NOT UPDATED - stale value
    u16 resv_vnics;         // NOT UPDATED - stale value
    u16 resv_rsscos_ctxs;   // NOT UPDATED - stale value
    u16 resv_cp_rings;      // NOT UPDATED - stale value
    u16 resv_hw_ring_grps;  // NOT UPDATED - stale value
    u16 resv_tx_rings;      // ONLY field updated
    // ... other resource fields also not updated
};
```

### Attack Scenario

1. **VF Configuration**: Administrator reconfigures VF network resources (RX/TX rings)
2. **Partial Update**: `bnxt_hwrm_reserve_vf_rings()` only updates TX ring count in `bp->hw_resc`
3. **State Inconsistency**: Other resource counters (RX, VNICs, RSS contexts) remain stale
4. **Subsequent Operations**: Other driver functions rely on incorrect resource state information
5. **Resource Allocation Failure**: Attempts to use resources based on stale state information fail
6. **System Impact**: VF network functionality degraded or system crashes

## Comparison with Similar Vulnerabilities

This vulnerability is part of the same
**firmware compatibility anti-pattern** family as:

- **CVE-2024-44933**: RSS table mismanagement due to firmware-specific logic
- **bnxt_rfs_capable() bypass**: Validation bypassed for old firmware versions

All share the common flaw:
incomplete logic paths for older firmware versions
that compromise system state integrity.

The pattern appears to be systematic in the bnxt driver
where legacy firmware support consistently introduces
security vulnerabilities.

## Proposed Fix

The vulnerability should be fixed by
ensuring complete state management
for all firmware versions:

```c
// Current vulnerable code:
if (!BNXT_NEW_RM(bp)) {
    bp->hw_resc.resv_tx_rings = hwr->tx;
    return 0;
}

// Proposed secure fix:
if (!BNXT_NEW_RM(bp)) {
    // Update all relevant resource state, not just TX rings
    bp->hw_resc.resv_tx_rings = hwr->tx;
    bp->hw_resc.resv_rx_rings = hwr->rx;
    bp->hw_resc.resv_vnics = hwr->vnic;
    bp->hw_resc.resv_rsscos_ctxs = hwr->rss_ctx;
    bp->hw_resc.resv_cp_rings = hwr->cp;
    bp->hw_resc.resv_hw_ring_grps = hwr->grp;
    return 0;
}
```

## References

- **Related CVE**: CVE-2024-44933 (bnxt resource management)
- **Linux SR-IOV Documentation**: `Documentation/networking/sriov.rst`
- **Broadcom bnxt Driver**: `drivers/net/ethernet/broadcom/bnxt/`
- **PCI SR-IOV Specification**: PCI-SIG SR-IOV 1.1 specification

Signed-off-by: qianjiaru <qianjiaru77@gmail.com>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 207a8bb36..2d06b0ddc 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -7801,7 +7801,13 @@ bnxt_hwrm_reserve_vf_rings(struct bnxt *bp, struct bnxt_hw_rings *hwr)
 	int rc;
 
 	if (!BNXT_NEW_RM(bp)) {
+		// Update all relevant resource state, not just TX rings
 		bp->hw_resc.resv_tx_rings = hwr->tx;
+		bp->hw_resc.resv_rx_rings = hwr->rx;
+		bp->hw_resc.resv_vnics = hwr->vnic;
+		bp->hw_resc.resv_rsscos_ctxs = hwr->rss_ctx;
+		bp->hw_resc.resv_cp_rings = hwr->cp;
+		bp->hw_resc.resv_hw_ring_grps = hwr->grp;
 		return 0;
 	}
 
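Review bot: The added assignments in this hunk copy the requested values from `hwr` into `bp->hw_resc.resv_*` without any firmware round-trip, yet the description lists "Missing Hardware Sync: No call to `bnxt_hwrm_get_rings()`" and "False Success" as the root causes; recording requested counts as reserved on the `!BNXT_NEW_RM(bp)` path does not confirm that anything was actually reserved, so the fix does not address the problem the message states, and the description should either explain why `hwr` can be trusted here or the hunk should query the firmware before updating the fields. The `// Update all relevant resource state, not just TX rings` comment is C++-style; kernel code uses `/* ... */` and checkpatch will flag it. The patch also lacks a `Fixes:` tag naming the commit that introduced the `!BNXT_NEW_RM(bp)` early return, and the subject line does not use the driver's `bnxt_en:` prefix.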
-- 
2.34.1

