drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN
user can overflow the heap and crash the kernel or gain code execution.
Validate length and offset before kmalloc() to avoid leaking eeprom_buff.
Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
Reported-by: Mikael Wessel <post@mikaelkw.online>
Signed-off-by: Mikael Wessel <post@mikaelkw.online>
Cc: stable@vger.kernel.org
---
drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
index 98e541e39730..d04e59528619 100644
--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
+++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
@@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
return -EOPNOTSUPP;
if (eeprom->magic !=
- (adapter->pdev->vendor | (adapter->pdev->device << 16)))
+ (adapter->pdev->vendor | (adapter->pdev->device << 16)))
return -EFAULT;
if (adapter->flags & FLAG_READ_ONLY_NVM)
@@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_device *netdev,
max_len = hw->nvm.word_size * 2;
+ /* bounds check: offset + len must not exceed EEPROM size */
+ if (eeprom->offset + eeprom->len > max_len)
+ return -EINVAL;
+
first_word = eeprom->offset >> 1;
last_word = (eeprom->offset + eeprom->len - 1) >> 1;
eeprom_buff = kmalloc(max_len, GFP_KERNEL);
@@ -596,9 +600,6 @@ static int e1000_set_eeprom(struct net_device *netdev,
for (i = 0; i < last_word - first_word + 1; i++)
le16_to_cpus(&eeprom_buff[i]);
- if (eeprom->len > max_len ||
- eeprom->offset > max_len - eeprom->len)
- return -EINVAL;
memcpy(ptr, bytes, eeprom->len);
for (i = 0; i < last_word - first_word + 1; i++)
--
2.48.1
On 5/27/2025 2:13 PM, Mikael Wessel wrote:
> The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
> without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN
> user can overflow the heap and crash the kernel or gain code execution.
>
> Validate length and offset before kmalloc() to avoid leaking eeprom_buff.
>
> Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
> Reported-by: Mikael Wessel <post@mikaelkw.online>
> Signed-off-by: Mikael Wessel <post@mikaelkw.online>
> Cc: stable@vger.kernel.org
> ---
> drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
> index 98e541e39730..d04e59528619 100644
> --- a/drivers/net/ethernet/intel/e1000e/ethtool.c
> +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
> @@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
> return -EOPNOTSUPP;
>
> if (eeprom->magic !=
> - (adapter->pdev->vendor | (adapter->pdev->device << 16)))
> + (adapter->pdev->vendor | (adapter->pdev->device << 16)))
As Andrew already pointed out, please omit.
> return -EFAULT;
>
> if (adapter->flags & FLAG_READ_ONLY_NVM)
> @@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_device *netdev,
>
> max_len = hw->nvm.word_size * 2;
>
> + /* bounds check: offset + len must not exceed EEPROM size */
> + if (eeprom->offset + eeprom->len > max_len)
> + return -EINVAL;
> +
> first_word = eeprom->offset >> 1;
> last_word = (eeprom->offset + eeprom->len - 1) >> 1;
> eeprom_buff = kmalloc(max_len, GFP_KERNEL);
> @@ -596,9 +600,6 @@ static int e1000_set_eeprom(struct net_device *netdev,
> for (i = 0; i < last_word - first_word + 1; i++)
> le16_to_cpus(&eeprom_buff[i]);
>
> - if (eeprom->len > max_len ||
> - eeprom->offset > max_len - eeprom->len)
> - return -EINVAL;
Seems like this patch is based on top of your previous version?
https://lore.kernel.org/all/20250527085612.11354-2-post@mikaelkw.online/
Please a provide a patch that can apply without need for previous versions.
Thanks,
Tony
On Tue, May 27, 2025 at 11:13:32PM +0200, Mikael Wessel wrote:
> The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
> without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN
> user can overflow the heap and crash the kernel or gain code execution.
>
> Validate length and offset before kmalloc() to avoid leaking eeprom_buff.
>
> Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
> Reported-by: Mikael Wessel <post@mikaelkw.online>
> Signed-off-by: Mikael Wessel <post@mikaelkw.online>
> Cc: stable@vger.kernel.org
> ---
> drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
> index 98e541e39730..d04e59528619 100644
> --- a/drivers/net/ethernet/intel/e1000e/ethtool.c
> +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
> @@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
> return -EOPNOTSUPP;
>
> if (eeprom->magic !=
> - (adapter->pdev->vendor | (adapter->pdev->device << 16)))
> + (adapter->pdev->vendor | (adapter->pdev->device << 16)))
> return -EFAULT;
That look like a white space change, which should not be part of a
fix.
Please also take a read of
https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html
You need to set the tree in the Subject line.
Andrew
---
pw-bot: cr
© 2016 - 2026 Red Hat, Inc.