{"uuid": "aba20988-8575-402a-b5b4-8bbc2a20afd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-21682", "type": "seen", "source": "https://t.me/cvedetector/16938", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-21682 - \"Broadcom bnxt: Null-dereference Vulnerability in XDP Handling\"\", \n  \"Content\": \"CVE ID : CVE-2025-21682 \nPublished : Jan. 31, 2025, 12:15 p.m. | 1\u00a0hour, 34\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \neth: bnxt: always recalculate features after XDP clearing, fix null-deref  \n  \nRecalculate features when XDP is detached.  \n  \nBefore:  \n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp  \n  # ip li set dev eth0 xdp off  \n  # ethtool -k eth0 | grep gro  \n  rx-gro-hw: off [requested on]  \n  \nAfter:  \n  # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp  \n  # ip li set dev eth0 xdp off  \n  # ethtool -k eth0 | grep gro  \n  rx-gro-hw: on  \n  \nThe fact that HW-GRO doesn't get re-enabled automatically is just  \na minor annoyance. The real issue is that the features will randomly  \ncome back during another reconfiguration which just happens to invoke  \nnetdev_update_features(). The driver doesn't handle reconfiguring  \ntwo things at a time very robustly.  \n  \nStarting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in  \n__bnxt_reserve_rings()\") we only reconfigure the RSS hash table  \nif the \"effective\" number of Rx rings has changed. If HW-GRO is  \nenabled \"effective\" number of rings is 2x what user sees.  
\nSo if we are in the bad state, with HW-GRO re-enablement \"pending\"  \nafter XDP off, and we lower the rings by / 2 - the HW-GRO rings  \ndoing 2x and the ethtool -L doing / 2 may cancel each other out,  \nand the:  \n  \n  if (old_rx_rings != bp->hw_resc.resv_rx_rings &&  \n  \ncondition in __bnxt_reserve_rings() will be false.  \nThe RSS map won't get updated, and we'll crash with:  \n  \n  BUG: kernel NULL pointer dereference, address: 0000000000000168  \n  RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0  \n    bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180  \n    __bnxt_setup_vnic_p5+0x58/0x110  \n    bnxt_init_nic+0xb72/0xf50  \n    __bnxt_open_nic+0x40d/0xab0  \n    bnxt_open_nic+0x2b/0x60  \n    ethtool_set_channels+0x18c/0x1d0  \n  \nAs we try to access a freed ring.  \n  \nThe issue is present since XDP support was added, really, but  \nprior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in  \n__bnxt_reserve_rings()\") it wasn't causing major issues. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"31 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-31T15:22:34.000000Z"}