PT-2024-36965 · Linux+4 · Linux Kernel+4
Published: 2024-12-10
Updated: 2025-09-29
CVE-2024-56656
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.12.0-rc2+
Description
The Linux kernel has a vulnerability in the bnxt_en driver, specifically in the HW GRO/LRO interface of the 5760X (P7) chip. The aggregation ID fields in the completion structures on P7 have been redefined from 16 bits to 12 bits, but the aggregation ID mask was not modified when support for P7 chips was added. As a result, the driver can store or fetch the packet header of GRO/LRO packets in the wrong TPA buffer, leading to a kernel BUG. The issue is related to the eth_type_trans function and the skb_pull function.
Recommendations
To resolve the issue, redefine the aggregation ID mask for P5_PLUS chips to be 12 bits. This will work because the maximum aggregation ID is less than 4096 on all P5_PLUS chips. As a temporary workaround, consider disabling the bnxt_tpa_end function until a patch is available. Restrict access to the vulnerable bnxt_en driver to minimize the risk of exploitation. Avoid using the bnxt_rx_pkt function in the affected API endpoint until the issue is resolved.
Exploit
Fix
Type Confusion
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Linuxmint
Linux Kernel
Suse
Ubuntu
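The mask mismatch from the Description, as an added example that is not the bnxt_en driver's code: a 12-bit aggregation ID decoded with a stale 16-bit mask picks up the four neighbouring bits, so the start and end completions of one aggregation resolve to different TPA buffers. The macro names, the bit position of the field, the table size and the content of the four upper bits are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout, not the driver's definitions: the aggregation ID sits
 * in the top half of a 32-bit completion word. The older layout uses all 16
 * bits; on P7 only the low 12 are the ID and the upper 4 are assumed to
 * carry unrelated data. */
#define AGG_ID_SHIFT      16
#define AGG_ID_MASK_16BIT (0xffffu << AGG_ID_SHIFT) /* stale mask */
#define AGG_ID_MASK_12BIT (0x0fffu << AGG_ID_SHIFT) /* corrected mask */
#define MAX_TPA           256u /* hypothetical number of TPA buffers */

/* Extract the aggregation ID from a completion word with the given mask. */
static uint32_t agg_id(uint32_t cmp_word, uint32_t mask)
{
    return (cmp_word & mask) >> AGG_ID_SHIFT;
}

/* TPA slot for a completion, or -1 when the decoded ID names no valid
 * buffer (the bounds check a defensive lookup would make). */
static int tpa_slot(uint32_t cmp_word, uint32_t mask)
{
    uint32_t id = agg_id(cmp_word, mask);
    return id < MAX_TPA ? (int)id : -1;
}

/* Build a constructed P7-style word: 12-bit ID plus 4 unrelated bits. */
static uint32_t make_p7_word(uint32_t id12, uint32_t extra4)
{
    return ((extra4 & 0xfu) << 28) | ((id12 & 0xfffu) << AGG_ID_SHIFT);
}

int main(void)
{
    /* Same aggregation (ID 5); only the unrelated upper bits differ. */
    uint32_t start = make_p7_word(5, 0x0);
    uint32_t end   = make_p7_word(5, 0x3);

    printf("16-bit mask: start slot=%d, end id=0x%x slot=%d\n",
           tpa_slot(start, AGG_ID_MASK_16BIT),
           (unsigned)agg_id(end, AGG_ID_MASK_16BIT),
           tpa_slot(end, AGG_ID_MASK_16BIT));
    printf("12-bit mask: start slot=%d, end slot=%d\n",
           tpa_slot(start, AGG_ID_MASK_12BIT),
           tpa_slot(end, AGG_ID_MASK_12BIT));
    return 0;
}
```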