ghsa-7cp5-c68m-6w8h
Vulnerability from github
Published
2025-09-16 15:32
Modified
2025-09-16 15:32
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ena: fix shift-out-of-bounds in exponential backoff

The ENA adapters on our instances occasionally reset. Once recently logged a UBSAN failure to console in the process:

UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117 Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017 Workqueue: ena ena_fw_reset_device [ena] Call Trace: dump_stack_lvl+0x4a/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x36 __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e ? __const_udelay+0x43/0x50 ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena] wait_for_reset_state+0x54/0xa0 [ena] ena_com_dev_reset+0xc8/0x110 [ena] ena_down+0x3fe/0x480 [ena] ena_destroy_device+0xeb/0xf0 [ena] ena_fw_reset_device+0x30/0x50 [ena] process_one_work+0x22b/0x3d0 worker_thread+0x4d/0x3f0 ? process_one_work+0x3d0/0x3d0 kthread+0x12a/0x150 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x22/0x30

Apparently, the reset delays are getting so large they can trigger a UBSAN panic.

Looking at the code, the current timeout is capped at 5000us. Using a base value of 100us, the current code will overflow after (1<<29). Even at values before 32, this function wraps around, perhaps unintentionally.

Cap the value of the exponent used for this backoff at (1<<16) which is larger than currently necessary, but large enough to support bigger values in the future.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53272"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T08:15:36Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: fix shift-out-of-bounds in exponential backoff\n\nThe ENA adapters on our instances occasionally reset.  Once recently\nlogged a UBSAN failure to console in the process:\n\n  UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13\n  shift exponent 32 is too large for 32-bit type \u0027unsigned int\u0027\n  CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117\n  Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017\n  Workqueue: ena ena_fw_reset_device [ena]\n  Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x4a/0x63\n  dump_stack+0x10/0x16\n  ubsan_epilogue+0x9/0x36\n  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e\n  ? __const_udelay+0x43/0x50\n  ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena]\n  wait_for_reset_state+0x54/0xa0 [ena]\n  ena_com_dev_reset+0xc8/0x110 [ena]\n  ena_down+0x3fe/0x480 [ena]\n  ena_destroy_device+0xeb/0xf0 [ena]\n  ena_fw_reset_device+0x30/0x50 [ena]\n  process_one_work+0x22b/0x3d0\n  worker_thread+0x4d/0x3f0\n  ? process_one_work+0x3d0/0x3d0\n  kthread+0x12a/0x150\n  ? set_kthread_struct+0x50/0x50\n  ret_from_fork+0x22/0x30\n  \u003c/TASK\u003e\n\nApparently, the reset delays are getting so large they can trigger a\nUBSAN panic.\n\nLooking at the code, the current timeout is capped at 5000us.  Using a\nbase value of 100us, the current code will overflow after (1\u003c\u003c29).  Even\nat values before 32, this function wraps around, perhaps\nunintentionally.\n\nCap the value of the exponent used for this backoff at (1\u003c\u003c16) which is\nlarger than currently necessary, but large enough to support bigger\nvalues in the future.",
  "id": "GHSA-7cp5-c68m-6w8h",
  "modified": "2025-09-16T15:32:32Z",
  "published": "2025-09-16T15:32:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53272"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0939c264729d4a081ff88efce2ffdf85dc5331e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e760b2d18bf129b3da052c2946c02758e97d15e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e9cb763e9bacf0c932aa948f50dcfca6f519a26"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e36cc94d6e60a27f27498adf1c71eeba769ab33"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/90947ebf8794e3c229fb2e16e37f1bfea6877f14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.