lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250527211332.50455-1-post@mikaelkw.online>
Date: Tue, 27 May 2025 23:13:32 +0200
From: Mikael Wessel <post@...aelkw.online>
To: netdev@...r.kernel.org
Cc: intel-wired-lan@...ts.osuosl.org,
	torvalds@...uxfoundation.org,
	anthony.l.nguyen@...el.com,
	przemyslaw.kitszel@...el.com,
	andrew@...n.ch,
	kuba@...nel.org,
	pabeni@...hat.com,
	security@...nel.org,
	stable@...r.kernel.org,
	davem@...emloft.net,
	edumazet@...gle.com,
	linux-kernel@...r.kernel.org,
	Mikael Wessel <post@...aelkw.online>
Subject: [PATCH] e1000e: fix heap overflow in e1000_set_eeprom()

The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN
user can overflow the heap and crash the kernel or gain code execution.

Validate length and offset before kmalloc() to avoid leaking eeprom_buff.

Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
Reported-by: Mikael Wessel <post@...aelkw.online>
Signed-off-by: Mikael Wessel <post@...aelkw.online>
Cc: stable@...r.kernel.org
---
 drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
index 98e541e39730..d04e59528619 100644
--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
+++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
@@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
 		return -EOPNOTSUPP;
 
 	if (eeprom->magic !=
-	    (adapter->pdev->vendor | (adapter->pdev->device << 16)))
+		(adapter->pdev->vendor | (adapter->pdev->device << 16)))
 		return -EFAULT;
 
 	if (adapter->flags & FLAG_READ_ONLY_NVM)
@@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_device *netdev,
 
 	max_len = hw->nvm.word_size * 2;
 
+	/* bounds check: offset + len must not exceed EEPROM size */
+	if (eeprom->offset + eeprom->len > max_len)
+		return -EINVAL;
+
 	first_word = eeprom->offset >> 1;
 	last_word = (eeprom->offset + eeprom->len - 1) >> 1;
 	eeprom_buff = kmalloc(max_len, GFP_KERNEL);
@@ -596,9 +600,6 @@ static int e1000_set_eeprom(struct net_device *netdev,
 	for (i = 0; i < last_word - first_word + 1; i++)
 		le16_to_cpus(&eeprom_buff[i]);
 
-        if (eeprom->len > max_len ||
-            eeprom->offset > max_len - eeprom->len)
-                return -EINVAL;
 	memcpy(ptr, bytes, eeprom->len);
 
 	for (i = 0; i < last_word - first_word + 1; i++)
-- 
2.48.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ