| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <SJ0PR11MB5866A289E030C3305C80CE11E564A@SJ0PR11MB5866.namprd11.prod.outlook.com>
Date: Tue, 27 May 2025 14:37:58 +0000
From: "Loktionov, Aleksandr" <aleksandr.loktionov@...el.com>
To: Mikael Wessel <post@...aelkw.online>, "netdev@...r.kernel.org"
<netdev@...r.kernel.org>
CC: "intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>,
"torvalds@...uxfoundation.org" <torvalds@...uxfoundation.org>, "Nguyen,
Anthony L" <anthony.l.nguyen@...el.com>, "Kitszel, Przemyslaw"
<przemyslaw.kitszel@...el.com>, "andrew@...n.ch" <andrew@...n.ch>,
"kuba@...nel.org" <kuba@...nel.org>, "pabeni@...hat.com" <pabeni@...hat.com>,
"security@...nel.org" <security@...nel.org>, "stable@...r.kernel.org"
<stable@...r.kernel.org>, "davem@...emloft.net" <davem@...emloft.net>,
"edumazet@...gle.com" <edumazet@...gle.com>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>
Subject: RE: [Intel-wired-lan] [PATCH v2 1/1] e1000e: fix heap overflow in
e1000_set_eeprom()
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@...osl.org> On Behalf
> Of Mikael Wessel
> Sent: Tuesday, May 27, 2025 10:56 AM
> To: netdev@...r.kernel.org
> Cc: intel-wired-lan@...ts.osuosl.org; torvalds@...uxfoundation.org;
> Nguyen, Anthony L <anthony.l.nguyen@...el.com>; Kitszel, Przemyslaw
> <przemyslaw.kitszel@...el.com>; andrew@...n.ch; kuba@...nel.org;
> pabeni@...hat.com; security@...nel.org; stable@...r.kernel.org;
> davem@...emloft.net; edumazet@...gle.com; linux-
> kernel@...r.kernel.org; Mikael Wessel <post@...aelkw.online>
> Subject: [Intel-wired-lan] [PATCH v2 1/1] e1000e: fix heap overflow in
> e1000_set_eeprom()
>
> The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
> without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN
> user can overflow the heap and crash the kernel or gain code
> execution.
>
> Validate length and offset before memcpy().
>
> Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver
> (currently for ICH9 devices only)")
> Reported-by: Mikael Wessel <post@...aelkw.online>
> Signed-off-by: Mikael Wessel <post@...aelkw.online>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@...el.com>
> Cc: stable@...r.kernel.org
> ---
> drivers/net/ethernet/intel/e1000e/ethtool.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c
> b/drivers/net/ethernet/intel/e1000e/ethtool.c
> index 9364bc2b4eb1..98e541e39730 100644
> --- a/drivers/net/ethernet/intel/e1000e/ethtool.c
> +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
> @@ -596,6 +596,9 @@ static int e1000_set_eeprom(struct net_device
> *netdev,
> for (i = 0; i < last_word - first_word + 1; i++)
> le16_to_cpus(&eeprom_buff[i]);
>
> + if (eeprom->len > max_len ||
> + eeprom->offset > max_len - eeprom->len)
> + return -EINVAL;
> memcpy(ptr, bytes, eeprom->len);
>
> for (i = 0; i < last_word - first_word + 1; i++)
> --
> 2.48.1
Powered by blists - more mailing lists