CVE-2024-38540: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0.

Fix it in the one caller that had this combination.

The undefined behavior was detected by UBSAN:

UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
ubsan_epilogue+0x5/0x30
__ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
__roundup_pow_of_two+0x25/0x35 [bnxt_re]
bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __kmalloc+0x1b6/0x4f0
? create_qp.part.0+0x128/0x1c0 [ib_core]
? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
create_qp.part.0+0x128/0x1c0 [ib_core]
ib_create_qp_kernel+0x50/0xd0 [ib_core]
create_mad_qp+0x8e/0xe0 [ib_core]
? __pfx_qp_event_handler+0x10/0x10 [ib_core]
ib_mad_init_device+0x2be/0x680 [ib_core]
add_client_context+0x10d/0x1a0 [ib_core]
enable_device_and_get+0xe0/0x1d0 [ib_core]
ib_register_device+0x53c/0x630 [ib_core]
? srso_alias_return_thunk+0x5/0xfbef5
bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
auxiliary_bus_probe+0x49/0x80
? driver_sysfs_add+0x57/0xc0
really_probe+0xde/0x340
? pm_runtime_barrier+0x54/0x90
? __pfx___driver_attach+0x10/0x10
__driver_probe_device+0x78/0x110
driver_probe_device+0x1f/0xa0
__driver_attach+0xba/0x1c0
bus_for_each_dev+0x8f/0xe0
bus_add_driver+0x146/0x220
driver_register+0x72/0xd0
__auxiliary_driver_register+0x6e/0xd0
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
do_one_initcall+0x5b/0x310
do_init_module+0x90/0x250
init_module_from_file+0x86/0xc0
idempotent_init_module+0x121/0x2b0
__x64_sys_finit_module+0x5e/0xb0
do_syscall_64+0x82/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode_prepare+0x149/0x170
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode+0x75/0x230
? srso_alias_return_thunk+0x5/0xfbef5
? do_syscall_64+0x8e/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? __count_memcg_events+0x69/0x100
? srso_alias_return_thunk+0x5/0xfbef5
? count_memcg_events.constprop.0+0x1a/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? handle_mm_fault+0x1f0/0x300
? srso_alias_return_thunk+0x5/0xfbef5
? do_user_addr_fault+0x34e/0x640
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f4e5132821d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
</TASK>
---[ end trace ]---
AI Analysis
Technical Summary
CVE-2024-38540 is a medium-severity vulnerability in the Linux kernel's Broadcom NetXtreme (bnxt_re) network driver, specifically in the function bnxt_qplib_alloc_init_hwq. Undefined behavior is triggered when the function is called with hwq_attr->aux_depth set to a non-zero value and hwq_attr->aux_stride set to zero. Under these conditions the function calls roundup_pow_of_two(hwq_attr->aux_stride), whose result is documented as undefined when the argument is zero. The call performs a shift with an out-of-bounds exponent, which the Undefined Behavior Sanitizer (UBSAN) reports as a shift-out-of-bounds error. The issue manifests as a kernel warning or crash due to invalid bit-shift operations, potentially leading to denial of service (DoS) by crashing the kernel or causing instability. Exploitation requires high privileges (PR:H) and no user interaction, and the attack vector is local (AV:L), meaning an attacker must already have access to the system to trigger the flaw. The vulnerability does not impact confidentiality or integrity but affects availability due to possible kernel crashes. The problem is fixed by correcting the one caller that passed the problematic combination of parameters, which prevents the undefined behavior. The vulnerability affects Linux kernel versions including the commit referenced (0c4dcd602817502bb3dced7a834a13ef717d65a4) and likely kernels around version 6.9.0-rc6+ where the bnxt_re driver is present. The bnxt_re driver is used for Broadcom NetXtreme network cards, which are common in server environments. No known exploits are reported in the wild at this time.
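The UBSAN report points at the kernel's __roundup_pow_of_two(), which evaluates 1UL << fls_long(n - 1). The following is an added example, not code from the kernel or from the fix: a user-space model that computes the shift exponent without executing the undefined shift, then applies a caller-side guard for the aux_depth/aux_stride combination. The names fls_long_model, roundup_pow_of_two_checked, struct aux_attr and aux_area_bytes are hypothetical, and the sizing formula is an assumption made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define BITS_PER_LONG ((unsigned)(sizeof(unsigned long) * CHAR_BIT))

/* Model of fls_long(): 1-based index of the highest set bit, 0 for x == 0. */
static unsigned fls_long_model(unsigned long x)
{
    unsigned bits = 0;
    while (x) { bits++; x >>= 1; }
    return bits;
}

/* Exponent that "1UL << fls_long(n - 1)" would use. Unsigned wrap-around is
 * well defined, so n - 1 for n == 0 is safe; only the shift itself is not. */
static unsigned roundup_shift_exponent(unsigned long n)
{
    return fls_long_model(n - 1);
}

/* Checked variant: rejects inputs whose exponent reaches the type width. */
static bool roundup_pow_of_two_checked(unsigned long n, unsigned long *out)
{
    unsigned exp = roundup_shift_exponent(n);
    if (n == 0 || exp >= BITS_PER_LONG) return false;
    *out = 1UL << exp;
    return true;
}

/* Hypothetical stand-in for the two hwq_attr fields named in the advisory. */
struct aux_attr { unsigned long aux_depth, aux_stride; };

/* Caller-side guard (assumed formula): bytes needed for the auxiliary area,
 * 0 when none is requested, -1 for depth != 0 with an unusable stride. */
static long aux_area_bytes(const struct aux_attr *a)
{
    unsigned long stride;
    if (a->aux_depth == 0) return 0;
    if (!roundup_pow_of_two_checked(a->aux_stride, &stride)) return -1;
    return (long)(a->aux_depth * stride);
}

int main(void)
{
    struct aux_attr bad = { 128, 0 }, ok = { 128, 12 }; /* constructed values */
    printf("n=0: exponent %u, type width %u; bad -> %ld, ok -> %ld\n",
           roundup_shift_exponent(0), BITS_PER_LONG,
           aux_area_bytes(&bad), aux_area_bytes(&ok));
    return 0;
}
```

For n = 0 the exponent equals the width of unsigned long, which on a 64-bit build is the "shift exponent 64" in the UBSAN report.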
Potential Impact
For European organizations, the primary impact of CVE-2024-38540 is the risk of local denial of service on Linux servers using affected Broadcom NetXtreme network cards. This could lead to unexpected kernel crashes, causing service interruptions in critical infrastructure, data centers, and enterprise environments that rely on these network adapters. While the vulnerability does not allow privilege escalation or data compromise, the availability impact could disrupt business operations, especially in sectors with high uptime requirements such as finance, telecommunications, and cloud service providers. Organizations running Linux kernels with the affected bnxt_re driver and using Broadcom network hardware are at risk. The requirement for local high privileges to exploit limits the attack surface to insiders or attackers who have already gained elevated access, reducing the likelihood of remote exploitation but not eliminating risk from insider threats or compromised accounts. Given the widespread use of Linux in European enterprise and public sector environments, especially in server and cloud infrastructure, this vulnerability warrants prompt attention to maintain service reliability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that fix the bnxt_re driver to prevent the undefined behavior. Monitor Linux kernel updates and deploy updated kernels or backported patches from trusted Linux distribution vendors promptly.
2. Identify systems with Broadcom NetXtreme network cards using bnxt_re drivers by querying hardware inventory and kernel modules.
3. Restrict local administrative access to trusted personnel only, minimizing the risk of exploitation by unauthorized users with high privileges.
4. Implement strict access controls and monitoring on systems with affected hardware to detect suspicious activities that could lead to exploitation attempts.
5. For environments where immediate patching is not feasible, consider disabling or blacklisting the bnxt_re driver if network functionality allows, or isolate affected systems to reduce risk.
6. Employ kernel hardening techniques and runtime protections such as Kernel Address Space Layout Randomization (KASLR) and control flow integrity to reduce the impact of kernel-level faults.
7. Maintain regular backups and disaster recovery plans to quickly restore services in case of a denial of service caused by this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-06-18T19:36:34.918Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 682d981ac4522896dcbd8e23
Added to database: 5/21/2025, 9:08:42 AM
Last enriched: 7/5/2025, 9:56:24 AM
Last updated: 8/4/2025, 6:54:04 AM