Vulnerability-Lookup

GHSA-H5R4-F5WX-726X

Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2025-11-04 00:30

Details

In the Linux kernel, the following vulnerability has been resolved:

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0.

Fix it in the one caller that had this combination.

The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call Trace: dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec __roundup_pow_of_two+0x25/0x35 [bnxt_re] bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re] bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re] ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kmalloc+0x1b6/0x4f0 ? create_qp.part.0+0x128/0x1c0 [ib_core] ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] create_qp.part.0+0x128/0x1c0 [ib_core] ib_create_qp_kernel+0x50/0xd0 [ib_core] create_mad_qp+0x8e/0xe0 [ib_core] ? __pfx_qp_event_handler+0x10/0x10 [ib_core] ib_mad_init_device+0x2be/0x680 [ib_core] add_client_context+0x10d/0x1a0 [ib_core] enable_device_and_get+0xe0/0x1d0 [ib_core] ib_register_device+0x53c/0x630 [ib_core] ? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50 [bnxt_re] ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] auxiliary_bus_probe+0x49/0x80 ? driver_sysfs_add+0x57/0xc0 really_probe+0xde/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfxdriverattach+0x10/0x10 driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220 driver_register+0x72/0xd0 __auxiliary_driver_register+0x6e/0xd0 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250 init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0 __x64_sys_finit_module+0x5e/0xb0 do_syscall_64+0x82/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode_prepare+0x149/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x75/0x230 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x8e/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? __count_memcg_events+0x69/0x100 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events.constprop.0+0x1a/0x30 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1f0/0x300 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x34e/0x640 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 ---[ end trace ]---

Severity ?

4.4 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-38540"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-19T14:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr-\u003eaux_depth != 0 and hwq_attr-\u003eaux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr-\u003eaux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n  UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n  shift exponent 64 is too large for 64-bit type \u0027long unsigned int\u0027\n  CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n  Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x5d/0x80\n   ubsan_epilogue+0x5/0x30\n   __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n   __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n   bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n   bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n   bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __kmalloc+0x1b6/0x4f0\n   ? create_qp.part.0+0x128/0x1c0 [ib_core]\n   ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n   create_qp.part.0+0x128/0x1c0 [ib_core]\n   ib_create_qp_kernel+0x50/0xd0 [ib_core]\n   create_mad_qp+0x8e/0xe0 [ib_core]\n   ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n   ib_mad_init_device+0x2be/0x680 [ib_core]\n   add_client_context+0x10d/0x1a0 [ib_core]\n   enable_device_and_get+0xe0/0x1d0 [ib_core]\n   ib_register_device+0x53c/0x630 [ib_core]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n   ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n   auxiliary_bus_probe+0x49/0x80\n   ? driver_sysfs_add+0x57/0xc0\n   really_probe+0xde/0x340\n   ? pm_runtime_barrier+0x54/0x90\n   ? __pfx___driver_attach+0x10/0x10\n   __driver_probe_device+0x78/0x110\n   driver_probe_device+0x1f/0xa0\n   __driver_attach+0xba/0x1c0\n   bus_for_each_dev+0x8f/0xe0\n   bus_add_driver+0x146/0x220\n   driver_register+0x72/0xd0\n   __auxiliary_driver_register+0x6e/0xd0\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   do_one_initcall+0x5b/0x310\n   do_init_module+0x90/0x250\n   init_module_from_file+0x86/0xc0\n   idempotent_init_module+0x121/0x2b0\n   __x64_sys_finit_module+0x5e/0xb0\n   do_syscall_64+0x82/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode_prepare+0x149/0x170\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode+0x75/0x230\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_syscall_64+0x8e/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __count_memcg_events+0x69/0x100\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? count_memcg_events.constprop.0+0x1a/0x30\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? handle_mm_fault+0x1f0/0x300\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_user_addr_fault+0x34e/0x640\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f4e5132821d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n  RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n  RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n  RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n  RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n  R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n  R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n   \u003c/TASK\u003e\n  ---[ end trace ]---",
  "id": "GHSA-h5r4-f5wx-726x",
  "modified": "2025-11-04T00:30:49Z",
  "published": "2024-06-19T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66a9937187ac9b5c5ffff07b8b284483e56804d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84d2f29152184f0d72ed7c9648c4ee6927df4e59"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-38540 (GCVE-0-2024-38540)

Vulnerability from cvelistv5 – Published: 2024-06-19 13:35 – Updated: 2025-11-03 21:55

Title

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

Summary

In the Linux kernel, the following vulnerability has been resolved: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0. Fix it in the one caller that had this combination. The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec __roundup_pow_of_two+0x25/0x35 [bnxt_re] bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re] bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re] ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kmalloc+0x1b6/0x4f0 ? create_qp.part.0+0x128/0x1c0 [ib_core] ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] create_qp.part.0+0x128/0x1c0 [ib_core] ib_create_qp_kernel+0x50/0xd0 [ib_core] create_mad_qp+0x8e/0xe0 [ib_core] ? __pfx_qp_event_handler+0x10/0x10 [ib_core] ib_mad_init_device+0x2be/0x680 [ib_core] add_client_context+0x10d/0x1a0 [ib_core] enable_device_and_get+0xe0/0x1d0 [ib_core] ib_register_device+0x53c/0x630 [ib_core] ? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50 [bnxt_re] ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] auxiliary_bus_probe+0x49/0x80 ? driver_sysfs_add+0x57/0xc0 really_probe+0xde/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220 driver_register+0x72/0xd0 __auxiliary_driver_register+0x6e/0xd0 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250 init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0 __x64_sys_finit_module+0x5e/0xb0 do_syscall_64+0x82/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode_prepare+0x149/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x75/0x230 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x8e/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? __count_memcg_events+0x69/0x100 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events.constprop.0+0x1a/0x30 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1f0/0x300 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x34e/0x640 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 </TASK> ---[ end trace ]---

Severity ?

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/66a9937187ac9b5c5…
	https://git.kernel.org/stable/c/84d2f29152184f0d7…
	https://git.kernel.org/stable/c/a658f011d89dd20cf…
	https://git.kernel.org/stable/c/627493443f3a8458c…
	https://git.kernel.org/stable/c/8b799c00cea6fcfe5…
	https://git.kernel.org/stable/c/78cfd17142ef70599…

Impacted products

Vendor

Product

Version

Linux

Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 66a9937187ac9b5c5ffff07b8b284483e56804d1 (git)
Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 84d2f29152184f0d72ed7c9648c4ee6927df4e59 (git)
Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < a658f011d89dd20cf2c7cb4760ffd79201700b98 (git)
Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 627493443f3a8458cb55cdae1da254a7001123bc (git)
Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 8b799c00cea6fcfe5b501bbaeb228c8821acb753 (git)
Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 78cfd17142ef70599d6409cbd709d94b3da58659 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.117 , ≤ 6.1.* (semver)
Unaffected: 6.6.33 , ≤ 6.6.* (semver)
Unaffected: 6.8.12 , ≤ 6.8.* (semver)
Unaffected: 6.9.3 , ≤ 6.9.* (semver)
Unaffected: 6.10 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-38540",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-24T15:37:42.492444Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-07T19:54:28.166Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:55:46.119Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/bnxt_re/qplib_fp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "66a9937187ac9b5c5ffff07b8b284483e56804d1",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            },
            {
              "lessThan": "84d2f29152184f0d72ed7c9648c4ee6927df4e59",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            },
            {
              "lessThan": "a658f011d89dd20cf2c7cb4760ffd79201700b98",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            },
            {
              "lessThan": "627493443f3a8458cb55cdae1da254a7001123bc",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            },
            {
              "lessThan": "8b799c00cea6fcfe5b501bbaeb228c8821acb753",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            },
            {
              "lessThan": "78cfd17142ef70599d6409cbd709d94b3da58659",
              "status": "affected",
              "version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/bnxt_re/qplib_fp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.117",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.33",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.12",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.3",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr-\u003eaux_depth != 0 and hwq_attr-\u003eaux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr-\u003eaux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n  UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n  shift exponent 64 is too large for 64-bit type \u0027long unsigned int\u0027\n  CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n  Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x5d/0x80\n   ubsan_epilogue+0x5/0x30\n   __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n   __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n   bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n   bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n   bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __kmalloc+0x1b6/0x4f0\n   ? create_qp.part.0+0x128/0x1c0 [ib_core]\n   ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n   create_qp.part.0+0x128/0x1c0 [ib_core]\n   ib_create_qp_kernel+0x50/0xd0 [ib_core]\n   create_mad_qp+0x8e/0xe0 [ib_core]\n   ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n   ib_mad_init_device+0x2be/0x680 [ib_core]\n   add_client_context+0x10d/0x1a0 [ib_core]\n   enable_device_and_get+0xe0/0x1d0 [ib_core]\n   ib_register_device+0x53c/0x630 [ib_core]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n   ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n   auxiliary_bus_probe+0x49/0x80\n   ? driver_sysfs_add+0x57/0xc0\n   really_probe+0xde/0x340\n   ? pm_runtime_barrier+0x54/0x90\n   ? __pfx___driver_attach+0x10/0x10\n   __driver_probe_device+0x78/0x110\n   driver_probe_device+0x1f/0xa0\n   __driver_attach+0xba/0x1c0\n   bus_for_each_dev+0x8f/0xe0\n   bus_add_driver+0x146/0x220\n   driver_register+0x72/0xd0\n   __auxiliary_driver_register+0x6e/0xd0\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   do_one_initcall+0x5b/0x310\n   do_init_module+0x90/0x250\n   init_module_from_file+0x86/0xc0\n   idempotent_init_module+0x121/0x2b0\n   __x64_sys_finit_module+0x5e/0xb0\n   do_syscall_64+0x82/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode_prepare+0x149/0x170\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode+0x75/0x230\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_syscall_64+0x8e/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __count_memcg_events+0x69/0x100\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? count_memcg_events.constprop.0+0x1a/0x30\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? handle_mm_fault+0x1f0/0x300\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_user_addr_fault+0x34e/0x640\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f4e5132821d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n  RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n  RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n  RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n  RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n  R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n  R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n   \u003c/TASK\u003e\n  ---[ end trace ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:13:35.237Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/66a9937187ac9b5c5ffff07b8b284483e56804d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/84d2f29152184f0d72ed7c9648c4ee6927df4e59"
        },
        {
          "url": "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98"
        },
        {
          "url": "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753"
        },
        {
          "url": "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659"
        }
      ],
      "title": "bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-38540",
    "datePublished": "2024-06-19T13:35:15.823Z",
    "dateReserved": "2024-06-18T19:36:34.918Z",
    "dateUpdated": "2025-11-03T21:55:46.119Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-H5R4-F5WX-726X

CVE-2024-38540 (GCVE-0-2024-38540)

Tags

Sightings

Nomenclature