CVE-2024-40919 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() In case of token is released due to token->state == BNXT_HWRM_DEFERRED, released token (set to NULL) is used in log messages. This issue is expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But this error code is returned by recent firmware. So some firmware may not return it. This may lead to NULL pointer dereference. Adjust this issue by adding token pointer check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/8b65eaeae88d4e9f999e806e196dd887b90bfed9
https://git.kernel.org/stable/c/a9b9741854a9fe9df948af49ca5514e0ed0429df
https://git.kernel.org/stable/c/ca6660c956242623b4cfe9be2a1abc67907c44bf
https://git.kernel.org/stable/c/cde177fa235cd36f981012504a6376315bac03c9
https://lore.kernel.org/linux-cve-announce/2024071212-CVE-2024-40919-2997@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-40919
https://www.cve.org/CVERecord?id=CVE-2024-40919

History

Thu, 12 Sep 2024 20:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-07-12T12:25:01.521Z

Updated: 2024-09-11T17:33:03.738Z

Reserved: 2024-07-12T12:17:45.582Z

Link: CVE-2024-40919

Vulnrichment

Updated: 2024-08-02T04:39:55.976Z

NVD

Status : Awaiting Analysis

Published: 2024-07-12T13:15:14.937

Modified: 2024-07-12T16:34:58.687

Link: CVE-2024-40919

Redhat

Severity : Low

Publid Date: 2024-07-12T00:00:00Z

Links: CVE-2024-40919 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40919", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.582Z", "datePublished": "2024-07-12T12:25:01.521Z", "dateUpdated": "2024-09-11T17:33:03.738Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:51:27.747Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()\n\nIn case of token is released due to token->state == BNXT_HWRM_DEFERRED,\nreleased token (set to NULL) is used in log messages. This issue is\nexpected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But\nthis error code is returned by recent firmware. So some firmware may not\nreturn it. This may lead to NULL pointer dereference.\nAdjust this issue by adding token pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c"], "versions": [{"version": "8fa4219dba8e", "lessThan": "cde177fa235c", "status": "affected", "versionType": "git"}, {"version": "8fa4219dba8e", "lessThan": "ca6660c95624", "status": "affected", "versionType": "git"}, {"version": "8fa4219dba8e", "lessThan": "8b65eaeae88d", "status": "affected", "versionType": "git"}, {"version": "8fa4219dba8e", "lessThan": "a9b9741854a9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c"], "versions": [{"version": "5.17", "status": "affected"}, {"version": "0", "lessThan": "5.17", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/cde177fa235cd36f981012504a6376315bac03c9"}, {"url": "https://git.kernel.org/stable/c/ca6660c956242623b4cfe9be2a1abc67907c44bf"}, {"url": "https://git.kernel.org/stable/c/8b65eaeae88d4e9f999e806e196dd887b90bfed9"}, {"url": "https://git.kernel.org/stable/c/a9b9741854a9fe9df948af49ca5514e0ed0429df"}], "title": "bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.976Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/cde177fa235cd36f981012504a6376315bac03c9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ca6660c956242623b4cfe9be2a1abc67907c44bf", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8b65eaeae88d4e9f999e806e196dd887b90bfed9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a9b9741854a9fe9df948af49ca5514e0ed0429df", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40919", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:05:36.863787Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:03.738Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/cde177fa235cd36f981012504a6376315bac03c9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ca6660c956242623b4cfe9be2a1abc67907c44bf", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8b65eaeae88d4e9f999e806e196dd887b90bfed9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a9b9741854a9fe9df948af49ca5514e0ed0429df", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.976Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40919", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:05:36.863787Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:14.313Z"}}], "cna": {"title": "bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "8fa4219dba8e", "lessThan": "cde177fa235c", "versionType": "git"}, {"status": "affected", "version": "8fa4219dba8e", "lessThan": "ca6660c95624", "versionType": "git"}, {"status": "affected", "version": "8fa4219dba8e", "lessThan": "8b65eaeae88d", "versionType": "git"}, {"status": "affected", "version": "8fa4219dba8e", "lessThan": "a9b9741854a9", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.17"}, {"status": "unaffected", "version": "0", "lessThan": "5.17", "versionType": "custom"}, {"status": "unaffected", "version": "6.1.95", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.35", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.6", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/cde177fa235cd36f981012504a6376315bac03c9"}, {"url": "https://git.kernel.org/stable/c/ca6660c956242623b4cfe9be2a1abc67907c44bf"}, {"url": "https://git.kernel.org/stable/c/8b65eaeae88d4e9f999e806e196dd887b90bfed9"}, {"url": "https://git.kernel.org/stable/c/a9b9741854a9fe9df948af49ca5514e0ed0429df"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()\n\nIn case of token is released due to token->state == BNXT_HWRM_DEFERRED,\nreleased token (set to NULL) is used in log messages. This issue is\nexpected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But\nthis error code is returned by recent firmware. So some firmware may not\nreturn it. This may lead to NULL pointer dereference.\nAdjust this issue by adding token pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:51:27.747Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40919", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:33:03.738Z", "dateReserved": "2024-07-12T12:17:45.582Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-12T12:25:01.521Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"bugzilla": {"description": "kernel: bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()", "id": "2297503", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297503"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()\nIn case of token is released due to token->state == BNXT_HWRM_DEFERRED,\nreleased token (set to NULL) is used in log messages. This issue is\nexpected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But\nthis error code is returned by recent firmware. So some firmware may not\nreturn it. This may lead to NULL pointer dereference.\nAdjust this issue by adding token pointer check.\nFound by Linux Verification Center (linuxtesting.org) with SVACE."], "name": "CVE-2024-40919", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40919\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40919\nhttps://lore.kernel.org/linux-cve-announce/2024071212-CVE-2024-40919-2997@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc4"}