Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's RDMA/bnxt_re driver stems from improper handling of the mailbox (mbox) producer index wraparound. The driver does not wrap the index correctly when it reaches its maximum value. Bit 31 of the producer index register is meant to be set only once, for the initial command. After a prolonged period, the producer index overflows and sets bit 31 again, which inadvertently triggers a firmware (FW) initialization sequence and leads to a hang. The vulnerability affects several versions of the Linux kernel.
The incorrect wraparound management can cause the firmware to hang by inadvertently triggering an initialization sequence that disrupts normal operations.
The vulnerability can be reproduced by allowing the mailbox producer index to reach its maximum value, causing an overflow that sets bit 31. This can be done by sending a continuous stream of commands that increment the producer index until it overflows. Once bit 31 is set, the firmware will enter an initialization sequence, causing a hang.
The vulnerability has been addressed by modifying the driver to correctly wrap around the mailbox producer index once it reaches its maximum value. Users can apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
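A small user-space model of the bug and the fix described above, added here as an illustration and not taken from the bnxt_re driver. The 32-bit doorbell layout, the 16-bit wrap point `MBOX_PROD_MAX` and all function names are assumptions; the page only states that bit 31 marks the initial command and that the fix wraps the index at its maximum.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions, not driver values: 32-bit doorbell, 16-bit wrap point. */
#define MBOX_FIRST_CMD_FLAG (1u << 31) /* bit 31: initial command only */
#define MBOX_PROD_MAX       0xFFFFu    /* hypothetical index maximum */

struct mbox {
    uint32_t prod;       /* producer index kept by the driver */
    bool     first_sent; /* has the initial command been issued? */
};

/* Before: free-running 32-bit index; after 2^31 commands it carries into bit 31. */
static uint32_t doorbell_unbounded(struct mbox *m)
{
    uint32_t val = m->prod++;
    if (!m->first_sent) val |= MBOX_FIRST_CMD_FLAG;
    m->first_sent = true;
    return val;
}

/* After: the index wraps at MBOX_PROD_MAX and can never reach bit 31. */
static uint32_t doorbell_wrapped(struct mbox *m)
{
    uint32_t val = m->prod & MBOX_PROD_MAX;
    m->prod = (m->prod + 1) & MBOX_PROD_MAX;
    if (!m->first_sent) val |= MBOX_FIRST_CMD_FLAG;
    m->first_sent = true;
    return val;
}

/* Count writes that carry the flag although the initial command is done. */
static unsigned spurious_flags(uint32_t (*ring)(struct mbox *), uint32_t start, unsigned n)
{
    struct mbox m = { .prod = start, .first_sent = true };
    unsigned hits = 0;
    for (unsigned i = 0; i < n; i++)
        hits += (ring(&m) & MBOX_FIRST_CMD_FLAG) != 0;
    return hits;
}

int main(void)
{
    /* Constructed input: start two commands short of bit 31. */
    printf("unbounded=%u wrapped=%u\n", spurious_flags(doorbell_unbounded, 0x7FFFFFFEu, 4),
           spurious_flags(doorbell_wrapped, 0x7FFFFFFEu, 4));
    return 0;
}
```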