Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's bnxt_en Ethernet driver, in the function bnxt_hwrm_func_backing_store_qcaps_v2(). The function sets the backing store type from the firmware's response, and a value taken from there can index the backing-store metadata arrays incorrectly. As a result, the driver may reference invalid or unchanged entries, potentially leading to undefined behavior or errors in network operations.
Exploitation of this vulnerability could result in the Ethernet driver mismanaging backing store types, which may lead to incorrect metadata handling and potential disruptions in network operations.
The vulnerability can be reproduced by invoking the bnxt_hwrm_func_backing_store_qcaps_v2() function within the bnxt_en driver. This can be done by triggering a backing store query that prompts the driver to process firmware responses. The function will incorrectly set the backing store type based on the firmware response, rather than using the current loop variable, which can disrupt the proper indexing of metadata arrays.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is 29732b68a6816a815d58e9ab229844c23617e1e0.
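A simplified model of the pattern described above, as an added example that is not the driver's code or the fix commit. The struct names, CTX_MAX, the flag value and the fake firmware function are hypothetical, and the firmware reply is constructed to carry a type that does not match the query.

```c
#include <stdint.h>
#include <stdio.h>

#define CTX_MAX 4          /* hypothetical number of backing-store types */
#define FLAG_TYPE_VALID 1u /* hypothetical "type valid" response flag */

struct fw_resp { uint16_t type, next_valid_type; uint32_t flags; };
struct ctx_mem { uint16_t type; int valid; };

/* Constructed firmware model: the reply to the query for type 2 carries a
 * type field (9) that differs from the query and exceeds CTX_MAX. */
static struct fw_resp fake_fw_query(uint16_t req_type)
{
    struct fw_resp r = { req_type, (uint16_t)(req_type + 1), FLAG_TYPE_VALID };
    if (req_type == 2)
        r.type = 9;
    return r;
}

/* trust_resp = 1 models the flawed pattern (type copied from the reply),
 * trust_resp = 0 the corrected one (type taken from the loop variable). */
static void query_backing_store(struct ctx_mem *arr, int trust_resp)
{
    uint16_t type, next = 0;
    for (type = 0; type < CTX_MAX; type = next) {
        struct fw_resp r = fake_fw_query(type);
        next = r.next_valid_type;
        if (!(r.flags & FLAG_TYPE_VALID))
            continue;
        arr[type].type = trust_resp ? r.type : type;
        arr[type].valid = 1;
    }
}

/* Count slots whose stored type differs from the slot index or would
 * index past a CTX_MAX-sized metadata table. */
static int run_model(int trust_resp)
{
    struct ctx_mem arr[CTX_MAX] = {{0, 0}};
    int i, bad = 0;
    query_backing_store(arr, trust_resp);
    for (i = 0; i < CTX_MAX; i++)
        if (arr[i].valid && (arr[i].type != i || arr[i].type >= CTX_MAX))
            bad++;
    return bad;
}

int main(void) { printf("%d %d\n", run_model(1), run_model(0)); return 0; }
```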