| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a42d374f-22e8-466f-a7a5-ef1d51ef6635@lunn.ch>
Date: Mon, 27 Oct 2025 22:46:54 +0100
From: Andrew Lunn <andrew@...n.ch>
To: Steffen Jaeckel <sjaeckel@...e.de>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
linux-cve-announce@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...nel.org>, anthony.l.nguyen@...el.com,
Vitaly Lifshits <vitaly.lifshits@...el.com>,
dima.ruinskiy@...el.com, Mikael Wessel <post@...aelkw.online>,
Mor Bar-Gabay <morx.bar.gabay@...el.com>, davem@...emloft.net,
kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com,
andrew+netdev@...n.ch
Subject: Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
> we believe that this CVE is invalid since the sole caller is
> `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
> necessary checks before invoking a driver specific implementation.
It is either invalid, or the fix is only fixing e1000, and very
likely, the same issue exists in lots of other drivers, so the fix is
wrong and should be done somewhere else...
This fix adds to the e1000e driver:
+ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
+ total_len > max_len)
+ return -EFBIG;
In the core, ethtool_set_eeprom() we have:
/* Check for wrap and zero */
if (eeprom.offset + eeprom.len <= eeprom.offset)
return -EINVAL;
/* Check for exceeding total eeprom len */
if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
return -EINVAL;
Are they equivalent? Is the core broken?
I will leave it to somebody who understands wraparound to decide.
Andrew
Powered by blists - more mailing lists