CVE-2024-42148

一、漏洞信息
 漏洞编号：[CVE-2024-42148](https://nvd.nist.gov/vuln/detail/CVE-2024-42148)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：7.8 High
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:bnx2x: Fix multiple UBSAN array-index-out-of-boundsFix UBSAN warnings that occur when using a system with 32 physicalcpu cores or more, or when the user defines a number of Ethernetqueues greater than or equal to FP_SB_MAX_E1x using the num_queuesmodule parameter.Currently there is a read/write out of bounds that occurs on the array struct stats_query_entry query  present inside the  bnx2x_fw_stats_req struct in  drivers/net/ethernet/broadcom/bnx2x/bnx2x.h .Looking at the definition of the  struct stats_query_entry query  array:struct stats_query_entry query[FP_SB_MAX_E1x+         BNX2X_FIRST_QUEUE_QUERY_IDX];FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts andhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3meaning the array has a total size of 19.Since accesses to  struct stats_query_entry query  are offset-ted byBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernetqueues should not exceed FP_SB_MAX_E1x (16). However one of these queuesis reserved for FCOE and thus the number of Ethernet queues should be setto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) ifit is not.This is also described in a comment in the source code indrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definitionof FP_SB_MAX_E1x. Below is the part of this explanation that it importantfor this patch/*  * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is  * control by the number of fast-path status blocks supported by the  * device (HW/FW). Each fast-path status block (FP-SB) aka non-default  * status block represents an independent interrupts context that can  * serve a regular L2 networking queue. However special L2 queues such  * as the FCoE queue do not require a FP-SB and other components like  * the CNIC may consume FP-SB reducing the number of possible L2 queues  *  * If the maximum number of FP-SB available is X then:  * a. If CNIC is supported it consumes 1 FP-SB thus the max number of  *    regular L2 queues is Y=X-1  * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)  * c. If the FCoE L2 queue is supported the actual number of L2 queues  *    is Y+1  * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for  *    slow-path interrupts) or Y+2 if CNIC is supported (one additional  *    FP interrupt context for the CNIC).  * e. The number of HW context (CID count) is always X or X+1 if FCoE  *    L2 queue is supported. The cid for the FCoE L2 queue is always X.  */However this driver also supports NICs that use the E2 controller which canhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.Looking at the commits when the E2 support was added, it was originallyusing the E1x parameters: commit f2e0899f0f27 ( bnx2x: Add 57712 support ).Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driverwas later updated to take full advantage of the E2 instead of having it belimited to the capabilities of the E1x. But as far as we can tell, thearray  stats_query_entry query  was still limited to using the FP-SBavailable to the E1x cards as part of an oversignt when the driver wasupdated to take full advantage of the E2, and now with the driver beingaware of the greater queue size supported by E2 NICs, it causes the UBSANwarnings seen in the stack traces below.This patch increases the size of the  stats_query_entry query  array byreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handleboth types of NICs.Stack traces:UBSAN: array-index-out-of-bounds in       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11index 20 is out of range for type  stats_query_entry [19] CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic	     #202405052133Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 ---truncated---
 漏洞公开时间：2024-07-30 16:15:06
 漏洞创建时间：2024-07-30 23:55:55
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-42148
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-42148 | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-42148.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98 | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| suse_bugzilla | https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7 | https://bugzilla.suse.com/show_bug.cgi?id=1228487 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024073032-CVE-2024-42148-a8e8@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2301515 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2024-42148 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/linus/134061163ee5ca4759de5c24ca3bd71608891ba7 (6.10-rc7) | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://ubuntu.com/security/notices/USN-6999-1 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://ubuntu.com/security/notices/USN-7003-1 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://ubuntu.com/security/notices/USN-7003-2 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://ubuntu.com/security/notices/USN-7004-1 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://ubuntu.com/security/notices/USN-7005-1 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://ubuntu.com/security/notices/USN-7006-1 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2024-42148 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2024-42148 | https://ubuntu.com/security/CVE-2024-42148 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2024-42148 | https://ubuntu.com/security/CVE-2024-42148 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-42148 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2024-42148 |
| mageia |  | http://advisories.mageia.org/MGASA-2024-0278.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  其它
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b |  | nvd |
|  |  | https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7 |  | nvd |
|  |  | https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f |  | nvd |
|  |  | https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce |  | nvd |
|  |  | https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d |  | nvd |
|  |  | https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f |  | nvd |
|  |  | https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e |  | nvd |
|  |  | https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98 |  | nvd |
| linux |  | https://git.kernel.org/linus/134061163ee5ca4759de5c24ca3bd71608891ba7 | https://git.kernel.org/linus/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | ubuntu |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  Reserved.
 openEuler评分：
  7.8
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP3(5.10.0):受影响
3.openEuler-22.03-LTS-SP4(5.10.0):受影响
4.openEuler-24.03-LTS(6.6.0):受影响
5.master:不受影响
6.openEuler-24.03-LTS-Next(6.6.0):不受影响
7.openEuler-24.03-LTS-SP1(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master:否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否
8.openEuler-24.03-LTS-SP1(6.6.0):否

原因说明：
  1.openEuler-20.03-LTS-SP4(4.19.90):正常修复
2.openEuler-22.03-LTS-SP3(5.10.0):正常修复
3.openEuler-22.03-LTS-SP4(5.10.0):正常修复
4.openEuler-24.03-LTS(6.6.0):正常修复
5.master:不受影响-漏洞代码不能被攻击者触发
6.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
7.openEuler-24.03-LTS-SP1(6.6.0):不受影响-漏洞代码不存在

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-1078

Hi openeuler-ci-bot, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers.

@yangyingliang ,@jiaoff ,@guohaocs2c ,@hanjun-guo ,@woqidaideshi ,@newbeats ,@zhangyi089 ,@colyli ,@thundertown ,@htforge ,@chiqijun ,@lengchao ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@wkfxxx ,@SuperSix173 ,@jentlestea ,@oskernel0719 ,@gasonchen 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(6.1.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP1(5.10.0):
4.openEuler-22.03-LTS-SP3(5.10.0):
5.openEuler-22.03-LTS-SP4(5.10.0):
6.openEuler-24.03-LTS(6.6.0):
7.openEuler-24.03-LTS-Next(6.6.0):

修复是否涉及abi变化(是/否)：
1.master(6.1.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP1(5.10.0):
4.openEuler-22.03-LTS-SP3(5.10.0):
5.openEuler-22.03-LTS-SP4(5.10.0):
6.openEuler-24.03-LTS(6.6.0):
7.openEuler-24.03-LTS-Next(6.6.0):

-----------------------------------------------------------------------
issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2024-42148	None	None	https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98 https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7
https://ubuntu.com/security/CVE-2024-42148
https://www.opencve.io/cve/CVE-2024-42148	None	None	https://git.kernel.org/stable/c/cfb04472ce33bee2579caf4dc9f4242522f6e26e https://git.kernel.org/stable/c/cbe53087026ad929cd3950508397e8892a6a2a0f https://git.kernel.org/stable/c/b9ea38e767459111a511ed4fb74abc37db95a59d https://git.kernel.org/stable/c/f1313ea92f82451923e28ab45a4aaa0e70e80b98 https://git.kernel.org/stable/c/9504a1550686f53b0bab4cab31d435383b1ee2ce https://git.kernel.org/stable/c/0edae06b4c227bcfaf3ce21208d49191e1009d3b https://git.kernel.org/stable/c/8b17cec33892a66bbd71f8d9a70a45e2072ae84f https://git.kernel.org/stable/c/134061163ee5ca4759de5c24ca3bd71608891ba7
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-42148
https://security-tracker.debian.org/tracker/CVE-2024-42148	None	None	https://git.kernel.org/linus/134061163ee5ca4759de5c24ca3bd71608891ba7

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

CVE-2024-42148

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

bnx2x: Fix multiple UBSAN array-index-out-of-bounds

Fix UBSAN warnings that occur when using a system with 32 physical
cpu cores or more, or when the user defines a number of Ethernet
queues greater than or equal to FP_SB_MAX_E1x using the num_queues
module parameter.

Currently there is a read/write out of bounds that occurs on the array
&#34;struct stats_query_entry query&#34; present inside the &#34;bnx2x_fw_stats_req&#34;
struct in &#34;drivers/net/ethernet/broadcom/bnx2x/bnx2x.h&#34;.
Looking at the definition of the &#34;struct stats_query_entry query&#34; array:

struct stats_query_entry query[FP_SB_MAX_E1x+
         BNX2X_FIRST_QUEUE_QUERY_IDX];

FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and
has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3
meaning the array has a total size of 19.
Since accesses to &#34;struct stats_query_entry query&#34; are offset-ted by
BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet
queues should not exceed FP_SB_MAX_E1x (16). However one of these queues
is reserved for FCOE and thus the number of Ethernet queues should be set
to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if
it is not.

This is also described in a comment in the source code in
drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition
of FP_SB_MAX_E1x. Below is the part of this explanation that it important
for this patch

/*
  * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is
  * control by the number of fast-path status blocks supported by the
  * device (HW/FW). Each fast-path status block (FP-SB) aka non-default
  * status block represents an independent interrupts context that can
  * serve a regular L2 networking queue. However special L2 queues such
  * as the FCoE queue do not require a FP-SB and other components like
  * the CNIC may consume FP-SB reducing the number of possible L2 queues
  *
  * If the maximum number of FP-SB available is X then:
  * a. If CNIC is supported it consumes 1 FP-SB thus the max number of
  *    regular L2 queues is Y=X-1
  * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)
  * c. If the FCoE L2 queue is supported the actual number of L2 queues
  *    is Y+1
  * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for
  *    slow-path interrupts) or Y+2 if CNIC is supported (one additional
  *    FP interrupt context for the CNIC).
  * e. The number of HW context (CID count) is always X or X+1 if FCoE
  *    L2 queue is supported. The cid for the FCoE L2 queue is always X.
  */

However this driver also supports NICs that use the E2 controller which can
handle more queues due to having more FP-SB represented by FP_SB_MAX_E2.
Looking at the commits when the E2 support was added, it was originally
using the E1x parameters: commit f2e0899f0f27 (&#34;bnx2x: Add 57712 support&#34;).
Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver
was later updated to take full advantage of the E2 instead of having it be
limited to the capabilities of the E1x. But as far as we can tell, the
array &#34;stats_query_entry query&#34; was still limited to using the FP-SB
available to the E1x cards as part of an oversignt when the driver was
updated to take full advantage of the E2, and now with the driver being
aware of the greater queue size supported by E2 NICs, it causes the UBSAN
warnings seen in the stack traces below.

This patch increases the size of the &#34;stats_query_entry query&#34; array by
replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle
both types of NICs.

Stack traces:

UBSAN: array-index-out-of-bounds in
       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
index 20 is out of range for type &#39;stats_query_entry [19]&#39;
CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
	     #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
	       BIOS P89 10/21/2019
Call Trace:
 &lt;TASK&gt;
 dump_stack_lvl+0x76/0xa0
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xcb/0x110
 bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x]
 bnx2x_stats_init+0x156/0x320 [bnx2x]
 bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
 bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
 bnx2x_open+0x16b/0x290 [bnx2x]
 __dev_open+0x10e/0x1d0
RIP: 0033:0x736223927a0a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca
      64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 &lt;48&gt; 3d 00
      f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
&lt;/TASK&gt;
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in
       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11
index 28 is out of range for type &#39;stats_query_entry [19]&#39;
CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
	     #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
	       BIOS P89 10/21/2019
Call Trace:
&lt;TASK&gt;
dump_stack_lvl+0x76/0xa0
dump_stack+0x10/0x20
__ubsan_handle_out_of_bounds+0xcb/0x110
bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x]
bnx2x_stats_init+0x156/0x320 [bnx2x]
bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
bnx2x_open+0x16b/0x290 [bnx2x]
__dev_open+0x10e/0x1d0
RIP: 0033:0x736223927a0a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca
      64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 &lt;48&gt; 3d 00
      f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
 &lt;/TASK&gt;
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in
       drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8
index 29 is out of range for type &#39;stats_query_entry [19]&#39;
CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic
	     #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
	       BIOS P89 10/21/2019
Workqueue: bnx2x bnx2x_sp_task [bnx2x]
Call Trace:
 &lt;TASK&gt;
 dump_stack_lvl+0x76/0xa0
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xcb/0x110
 bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x]
 bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x]
 ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x]
 bnx2x_stats_start+0x44/0x70 [bnx2x]
 bnx2x_stats_handle+0x149/0x350 [bnx2x]
 bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x]
 bnx2x_sp_task+0x491/0x5c0 [bnx2x]
 process_one_work+0x18d/0x3f0
 &lt;/TASK&gt;
---[ end trace ]---

The Linux kernel CVE team has assigned CVE-2024-42148 to this issue.

openEuler评分:(评分和向量)
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP4:受影响
2.openEuler-22.03-LTS-SP1:受影响
3.openEuler-22.03-LTS-SP3:受影响
4.openEuler-22.03-LTS-SP4:受影响
5.master(6.1.0):不受影响
6.openEuler-24.03-LTS:受影响
7.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP4:否
2.openEuler-22.03-LTS-SP1:否
3.openEuler-22.03-LTS-SP3:否
4.master(6.1.0):否
5.openEuler-24.03-LTS:否
6.openEuler-24.03-LTS-Next:否
7.openEuler-22.03-LTS-SP4:否

@ 经过 cve-manager 解析, 已分析的内容如下表所示:
| 状态  | 需分析 | 内容 |
|:--:|:--:|---------|
|已分析|1.影响性分析说明|In the Linux kernel, the following vulnerability has been resolved:bnx2x: Fix multiple UBSAN array-index-out-of-boundsFix UBSAN warnings that occur when using a system with 32 physicalcpu cores or more, or when the user defines a number of Ethernetqueues greater than or equal to FP_SB_MAX_E1x using the num_queuesmodule parameter.Currently there is a read/write out of bounds that occurs on the array&#34;struct stats_query_entry query&#34; present inside the &#34;bnx2x_fw_stats_req&#34;struct in &#34;drivers/net/ethernet/broadcom/bnx2x/bnx2x.h&#34;.Looking at the definition of the &#34;struct stats_query_entry query&#34; array:struct stats_query_entry query[FP_SB_MAX_E1x+         BNX2X_FIRST_QUEUE_QUERY_IDX];FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts andhas a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3meaning the array has a total size of 19.Since accesses to &#34;struct stats_query_entry query&#34; are offset-ted byBNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernetqueues should not exceed FP_SB_MAX_E1x (16). However one of these queuesis reserved for FCOE and thus the number of Ethernet queues should be setto [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) ifit is not.This is also described in a comment in the source code indrivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definitionof FP_SB_MAX_E1x. Below is the part of this explanation that it importantfor this patch/*  * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is  * control by the number of fast-path status blocks supported by the  * device (HW/FW). Each fast-path status block (FP-SB) aka non-default  * status block represents an independent interrupts context that can  * serve a regular L2 networking queue. However special L2 queues such  * as the FCoE queue do not require a FP-SB and other components like  * the CNIC may consume FP-SB reducing the number of possible L2 queues  *  * If the maximum number of FP-SB available is X then:  * a. If CNIC is supported it consumes 1 FP-SB thus the max number of  *    regular L2 queues is Y=X-1  * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)  * c. If the FCoE L2 queue is supported the actual number of L2 queues  *    is Y+1  * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for  *    slow-path interrupts) or Y+2 if CNIC is supported (one additional  *    FP interrupt context for the CNIC).  * e. The number of HW context (CID count) is always X or X+1 if FCoE  *    L2 queue is supported. The cid for the FCoE L2 queue is always X.  */However this driver also supports NICs that use the E2 controller which canhandle more queues due to having more FP-SB represented by FP_SB_MAX_E2.Looking at the commits when the E2 support was added, it was originallyusing the E1x parameters: commit f2e0899f0f27 (&#34;bnx2x: Add 57712 support&#34;).Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driverwas later updated to take full advantage of the E2 instead of having it belimited to the capabilities of the E1x. But as far as we can tell, thearray &#34;stats_query_entry query&#34; was still limited to using the FP-SBavailable to the E1x cards as part of an oversignt when the driver wasupdated to take full advantage of the E2, and now with the driver beingaware of the greater queue size supported by E2 NICs, it causes the UBSANwarnings seen in the stack traces below.This patch increases the size of the &#34;stats_query_entry query&#34; array byreplacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handleboth types of NICs.Stack traces:UBSAN: array-index-out-of-bounds in       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11index 20 is out of range for type &#39;stats_query_entry [19]&#39;CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic     #202405052133Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,       BIOS P89 10/21/2019Call Trace: &lt;TASK&gt; dump_stack_lvl+0x76/0xa0 dump_stack+0x10/0x20 __ubsan_handle_out_of_bounds+0xcb/0x110 bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x] bnx2x_stats_init+0x156/0x320 [bnx2x] bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] bnx2x_open+0x16b/0x290 [bnx2x] __dev_open+0x10e/0x1d0RIP: 0033:0x736223927a0aCode: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca      64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 &lt;48&gt; 3d 00      f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002cRAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0aRDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00&lt;/TASK&gt;---[ end trace ]---------------[ cut here ]------------UBSAN: array-index-out-of-bounds in       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11index 28 is out of range for type &#39;stats_query_entry [19]&#39;CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic     #202405052133Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,       BIOS P89 10/21/2019Call Trace:&lt;TASK&gt;dump_stack_lvl+0x76/0xa0dump_stack+0x10/0x20__ubsan_handle_out_of_bounds+0xcb/0x110bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x]bnx2x_stats_init+0x156/0x320 [bnx2x]bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]bnx2x_open+0x16b/0x290 [bnx2x]__dev_open+0x10e/0x1d0RIP: 0033:0x736223927a0aCode: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca      64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 &lt;48&gt; 3d 00      f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002cRAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0aRDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 &lt;/TASK&gt;---[ end trace ]---------------[ cut here ]------------UBSAN: array-index-out-of-bounds in       drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8index 29 is out of range for type &#39;stats_query_entry [19]&#39;CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic     #202405052133Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,       BIOS P89 10/21/2019Workqueue: bnx2x bnx2x_sp_task [bnx2x]Call Trace: &lt;TASK&gt; dump_stack_lvl+0x76/0xa0 dump_stack+0x10/0x20 __ubsan_handle_out_of_bounds+0xcb/0x110 bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x] bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x] ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x] bnx2x_stats_start+0x44/0x70 [bnx2x] bnx2x_stats_handle+0x149/0x350 [bnx2x] bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x] bnx2x_sp_task+0x491/0x5c0 [bnx2x] process_one_work+0x18d/0x3f0 &lt;/TASK&gt;---[ end trace ]---The Linux kernel CVE team has assigned CVE-2024-42148 to this issue.|
|已分析|2.openEulerScore|5.5|
|已分析|3.openEulerVector|AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H|
|已分析|4.受影响版本排查|openEuler-20.03-LTS-SP4:受影响,openEuler-22.03-LTS-SP1:受影响,openEuler-22.03-LTS-SP3:受影响,openEuler-22.03-LTS-SP4:受影响,openEuler-24.03-LTS:受影响,master:不受影响,openEuler-24.03-LTS-Next:不受影响|
|已分析|5.修复是否涉及abi变化|openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS-SP1:否,openEuler-22.03-LTS-SP3:否,master:否,openEuler-24.03-LTS:否,openEuler-24.03-LTS-Next:否,openEuler-22.03-LTS-SP4:否|

**请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.**