CVE-2024-50208: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50208 is a vulnerability in the Linux kernel's RDMA/bnxtre driver that was discovered and disclosed on November 8, 2024. The vulnerability affects Linux kernel versions from 5.7 through 6.11.6, including various release candidates of version 6.12. The issue involves a bug in setting up Level-2 PBL pages that could lead to memory corruption when handling non-MR resources with numpages greater than 256K (NVD).

The vulnerability occurs in the RDMA/bnxtre driver when setting up Level-2 PBL pages for non-MR resources. The issue arises when numpages exceeds 256K, where there is a single PDE page address (contiguous pages in the case of > PAGE_SIZE), but the existing logic incorrectly assumes multiple pages. This leads to invalid memory access after 256K PBL entries in the PDE. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability can result in memory corruption and invalid memory access in the Linux kernel's RDMA subsystem. This could potentially lead to system instability or denial of service conditions when handling large page allocations in the affected driver (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that modifies the PBL page setup logic. The fix involves simplifying the page allocation process to properly handle single PDE page addresses. Multiple stable kernel versions have received the fix, including updates to version 5.15.0-133.144 for Ubuntu 22.04 LTS and corresponding fixes for other affected kernel versions (Ubuntu).