From: Tony Nguyen <anthony.l.nguyen@intel.com>
To: Guangshuo Li <lgs201920130244@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Florian Westphal <fw@strlen.de>,
<intel-wired-lan@lists.osuosl.org>, <netdev@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Cc: <stable@vger.kernel.org>
Subject: Re: [Intel-wired-lan] [PATCH] e1000: fix OOB in e1000_tbi_should_accept()
Date: Mon, 17 Nov 2025 15:24:05 -0800 [thread overview]
Message-ID: <b53c3a7e-6833-4e87-ae24-c344f2c3c5a1@intel.com> (raw)
In-Reply-To: <20251104082801.994195-1-lgs201920130244@gmail.com>
On 11/4/2025 12:28 AM, Guangshuo Li wrote:
> In e1000_tbi_should_accept() we read the last byte of the frame via
> 'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
> reported length is zero or larger than the actual RX buffer size, this
> read goes out of bounds and can hit unrelated slab objects. The issue
> is observed from the NAPI receive path (e1000_clean_rx_irq):
...
> --- a/drivers/net/ethernet/intel/e1000/e1000_main.c
> +++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
> @@ -4090,6 +4090,12 @@ static bool e1000_tbi_should_accept(struct e1000_adapter *adapter,
> u8 status, u8 errors,
> u32 length, const u8 *data)
> {
> + /* Guard against OOB on data[length - 1] */
> + if (unlikely(!length))
> + return false;
> + /* Upper bound: length must not exceed rx_buffer_len */
> + if (unlikely(length > adapter->rx_buffer_len))
> + return false;
The change itself looks fine, however, the declarations should be at the
beginning of the function so this should be moved to be after that.
> struct e1000_hw *hw = &adapter->hw;
> u8 last_byte = *(data + length - 1);
Also, since last_byte uses length, this should be broken up and the
assignment moved after the added checks.
Thanks,
Tony
next prev parent reply other threads:[~2025-11-17 23:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-04 8:28 [Intel-wired-lan] [PATCH] e1000: fix OOB in e1000_tbi_should_accept() Guangshuo Li
2025-11-05 7:25 ` Loktionov, Aleksandr
2025-11-17 23:24 ` Tony Nguyen [this message]
2025-11-24 3:40 ` Guangshuo Li
2025-11-24 3:45 ` Guangshuo Li
2025-11-25 22:43 ` Tony Nguyen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b53c3a7e-6833-4e87-ae24-c344f2c3c5a1@intel.com \
--to=anthony.l.nguyen@intel.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=kuba@kernel.org \
--cc=lgs201920130244@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox