* Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
[not found] <2025100116-CVE-2025-39898-d844@gregkh>
@ 2025-10-24 10:53 ` Steffen Jaeckel
2025-10-24 11:26 ` Greg Kroah-Hartman
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Steffen Jaeckel @ 2025-10-24 10:53 UTC (permalink / raw)
To: cve, linux-kernel, linux-cve-announce
Cc: Greg Kroah-Hartman, anthony.l.nguyen, Vitaly Lifshits,
dima.ruinskiy, Mikael Wessel, Mor Bar-Gabay, davem, kuba, pabeni,
edumazet, andrew+netdev
Hi Greg,
On 2025-10-01 09:43, Greg Kroah-Hartman wrote:
> From: Greg Kroah-Hartman <gregkh@kernel.org>
>
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> e1000e: fix heap overflow in e1000_set_eeprom
>
> Fix a possible heap overflow in e1000_set_eeprom function by adding
> input validation for the requested length of the change in the EEPROM.
> In addition, change the variable type from int to size_t for better
> code practices and rearrange declarations to RCT.
>
> The Linux kernel CVE team has assigned CVE-2025-39898 to this issue.
>
>
> Affected and fixed versions
> ===========================
>
> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.4.299 with commit ea832ec0583e2398ea0c5ed8d902c923e16f53c4
> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.10.243 with commit ce8829d3d44b8622741bccca9f4408bc3da30b2b
> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.15.192 with commit 99a8772611e2d7ec318be7f0f072037914a1f509
> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.1.151 with commit b48adcacc34fbbc49046a7ee8a97839bef369c85
> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.6.105 with commit 50a84d5c814039ad2abe2748aec3e89324a548a7
> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.12.46 with commit b370f7b1f470a8d5485cc1e40e8ff663bb55d712
> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.16.6 with commit 0aec3211283482cfcdd606d1345e1f9acbcabd31
> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.17 with commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545
>
> [...]
we believe that this CVE is invalid since the sole caller is
`net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
necessary checks before invoking a driver specific implementation.
Cheers
Steffen
--
Steffen Jaeckel Kernel Network Engineer
sjaeckel@suse.de
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
2025-10-24 10:53 ` CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom Steffen Jaeckel
@ 2025-10-24 11:26 ` Greg Kroah-Hartman
2025-10-24 17:04 ` Tony Nguyen
2025-10-24 12:27 ` David Laight
2025-10-27 21:46 ` Andrew Lunn
2 siblings, 1 reply; 8+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-24 11:26 UTC (permalink / raw)
To: Steffen Jaeckel
Cc: cve, linux-kernel, linux-cve-announce, anthony.l.nguyen,
Vitaly Lifshits, dima.ruinskiy, Mikael Wessel, Mor Bar-Gabay,
davem, kuba, pabeni, edumazet, andrew+netdev
On Fri, Oct 24, 2025 at 12:53:44PM +0200, Steffen Jaeckel wrote:
> Hi Greg,
>
> On 2025-10-01 09:43, Greg Kroah-Hartman wrote:
> > From: Greg Kroah-Hartman <gregkh@kernel.org>
> >
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > e1000e: fix heap overflow in e1000_set_eeprom
> >
> > Fix a possible heap overflow in e1000_set_eeprom function by adding
> > input validation for the requested length of the change in the EEPROM.
> > In addition, change the variable type from int to size_t for better
> > code practices and rearrange declarations to RCT.
> >
> > The Linux kernel CVE team has assigned CVE-2025-39898 to this issue.
> >
> >
> > Affected and fixed versions
> > ===========================
> >
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.4.299 with commit ea832ec0583e2398ea0c5ed8d902c923e16f53c4
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.10.243 with commit ce8829d3d44b8622741bccca9f4408bc3da30b2b
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.15.192 with commit 99a8772611e2d7ec318be7f0f072037914a1f509
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.1.151 with commit b48adcacc34fbbc49046a7ee8a97839bef369c85
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.6.105 with commit 50a84d5c814039ad2abe2748aec3e89324a548a7
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.12.46 with commit b370f7b1f470a8d5485cc1e40e8ff663bb55d712
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.16.6 with commit 0aec3211283482cfcdd606d1345e1f9acbcabd31
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.17 with commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545
> >
> > [...]
>
> we believe that this CVE is invalid since the sole caller is
> `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
> necessary checks before invoking a driver specific implementation.
Great, will this commit then be reverted? I'll go revoke this cve now,
thanks for the review.
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
2025-10-24 10:53 ` CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom Steffen Jaeckel
2025-10-24 11:26 ` Greg Kroah-Hartman
@ 2025-10-24 12:27 ` David Laight
2025-10-24 12:40 ` Greg Kroah-Hartman
2025-10-27 21:46 ` Andrew Lunn
2 siblings, 1 reply; 8+ messages in thread
From: David Laight @ 2025-10-24 12:27 UTC (permalink / raw)
To: Steffen Jaeckel
Cc: cve, linux-kernel, linux-cve-announce, Greg Kroah-Hartman,
anthony.l.nguyen, Vitaly Lifshits, dima.ruinskiy, Mikael Wessel,
Mor Bar-Gabay, davem, kuba, pabeni, edumazet, andrew+netdev
On Fri, 24 Oct 2025 12:53:44 +0200
Steffen Jaeckel <sjaeckel@suse.de> wrote:
> Hi Greg,
>
> On 2025-10-01 09:43, Greg Kroah-Hartman wrote:
> > From: Greg Kroah-Hartman <gregkh@kernel.org>
> >
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > e1000e: fix heap overflow in e1000_set_eeprom
> >
> > Fix a possible heap overflow in e1000_set_eeprom function by adding
> > input validation for the requested length of the change in the EEPROM.
> > In addition, change the variable type from int to size_t for better
> > code practices and rearrange declarations to RCT.
> >
> > The Linux kernel CVE team has assigned CVE-2025-39898 to this issue.
> >
> >
> > Affected and fixed versions
> > ===========================
> >
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.4.299 with commit ea832ec0583e2398ea0c5ed8d902c923e16f53c4
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.10.243 with commit ce8829d3d44b8622741bccca9f4408bc3da30b2b
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.15.192 with commit 99a8772611e2d7ec318be7f0f072037914a1f509
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.1.151 with commit b48adcacc34fbbc49046a7ee8a97839bef369c85
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.6.105 with commit 50a84d5c814039ad2abe2748aec3e89324a548a7
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.12.46 with commit b370f7b1f470a8d5485cc1e40e8ff663bb55d712
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.16.6 with commit 0aec3211283482cfcdd606d1345e1f9acbcabd31
> > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.17 with commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545
> >
> > [...]
>
> we believe that this CVE is invalid since the sole caller is
> `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
> necessary checks before invoking a driver specific implementation.
Nothing stops an attacker-written program doing the ioctl.
David
>
>
> Cheers
> Steffen
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
2025-10-24 12:27 ` David Laight
@ 2025-10-24 12:40 ` Greg Kroah-Hartman
2025-10-24 14:11 ` David Laight
0 siblings, 1 reply; 8+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-24 12:40 UTC (permalink / raw)
To: David Laight
Cc: Steffen Jaeckel, cve, linux-kernel, linux-cve-announce,
anthony.l.nguyen, Vitaly Lifshits, dima.ruinskiy, Mikael Wessel,
Mor Bar-Gabay, davem, kuba, pabeni, edumazet, andrew+netdev
On Fri, Oct 24, 2025 at 01:27:34PM +0100, David Laight wrote:
> On Fri, 24 Oct 2025 12:53:44 +0200
> Steffen Jaeckel <sjaeckel@suse.de> wrote:
>
> > Hi Greg,
> >
> > On 2025-10-01 09:43, Greg Kroah-Hartman wrote:
> > > From: Greg Kroah-Hartman <gregkh@kernel.org>
> > >
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > e1000e: fix heap overflow in e1000_set_eeprom
> > >
> > > Fix a possible heap overflow in e1000_set_eeprom function by adding
> > > input validation for the requested length of the change in the EEPROM.
> > > In addition, change the variable type from int to size_t for better
> > > code practices and rearrange declarations to RCT.
> > >
> > > The Linux kernel CVE team has assigned CVE-2025-39898 to this issue.
> > >
> > >
> > > Affected and fixed versions
> > > ===========================
> > >
> > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.4.299 with commit ea832ec0583e2398ea0c5ed8d902c923e16f53c4
> > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.10.243 with commit ce8829d3d44b8622741bccca9f4408bc3da30b2b
> > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.15.192 with commit 99a8772611e2d7ec318be7f0f072037914a1f509
> > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.1.151 with commit b48adcacc34fbbc49046a7ee8a97839bef369c85
> > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.6.105 with commit 50a84d5c814039ad2abe2748aec3e89324a548a7
> > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.12.46 with commit b370f7b1f470a8d5485cc1e40e8ff663bb55d712
> > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.16.6 with commit 0aec3211283482cfcdd606d1345e1f9acbcabd31
> > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.17 with commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545
> > >
> > > [...]
> >
> > we believe that this CVE is invalid since the sole caller is
> > `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
> > necessary checks before invoking a driver specific implementation.
>
> Nothing stops an attacker-written program doing the ioctl.
How exactly would that happen given that this all goes through the
ethtool "wrapper" for the ioctl function?
And if that is true, then the other set eeprom callbacks also need to
have this same "fix" for them, so it's either one or the other :)
thanks,
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
2025-10-24 12:40 ` Greg Kroah-Hartman
@ 2025-10-24 14:11 ` David Laight
0 siblings, 0 replies; 8+ messages in thread
From: David Laight @ 2025-10-24 14:11 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Steffen Jaeckel, cve, linux-kernel, linux-cve-announce,
anthony.l.nguyen, Vitaly Lifshits, dima.ruinskiy, Mikael Wessel,
Mor Bar-Gabay, davem, kuba, pabeni, edumazet, andrew+netdev
On Fri, 24 Oct 2025 14:40:01 +0200
Greg Kroah-Hartman <gregkh@kernel.org> wrote:
> On Fri, Oct 24, 2025 at 01:27:34PM +0100, David Laight wrote:
> > On Fri, 24 Oct 2025 12:53:44 +0200
> > Steffen Jaeckel <sjaeckel@suse.de> wrote:
> >
> > > Hi Greg,
> > >
> > > On 2025-10-01 09:43, Greg Kroah-Hartman wrote:
> > > > From: Greg Kroah-Hartman <gregkh@kernel.org>
> > > >
> > > > Description
> > > > ===========
> > > >
> > > > In the Linux kernel, the following vulnerability has been resolved:
> > > >
> > > > e1000e: fix heap overflow in e1000_set_eeprom
> > > >
> > > > Fix a possible heap overflow in e1000_set_eeprom function by adding
> > > > input validation for the requested length of the change in the EEPROM.
> > > > In addition, change the variable type from int to size_t for better
> > > > code practices and rearrange declarations to RCT.
> > > >
> > > > The Linux kernel CVE team has assigned CVE-2025-39898 to this issue.
> > > >
> > > >
> > > > Affected and fixed versions
> > > > ===========================
> > > >
> > > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.4.299 with commit ea832ec0583e2398ea0c5ed8d902c923e16f53c4
> > > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.10.243 with commit ce8829d3d44b8622741bccca9f4408bc3da30b2b
> > > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.15.192 with commit 99a8772611e2d7ec318be7f0f072037914a1f509
> > > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.1.151 with commit b48adcacc34fbbc49046a7ee8a97839bef369c85
> > > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.6.105 with commit 50a84d5c814039ad2abe2748aec3e89324a548a7
> > > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.12.46 with commit b370f7b1f470a8d5485cc1e40e8ff663bb55d712
> > > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.16.6 with commit 0aec3211283482cfcdd606d1345e1f9acbcabd31
> > > > Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.17 with commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545
> > > >
> > > > [...]
> > >
> > > we believe that this CVE is invalid since the sole caller is
> > > `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
> > > necessary checks before invoking a driver specific implementation.
> >
> > Nothing stops an attacker-written program doing the ioctl.
>
> How exactly would that happen given that this all goes through the
> ethtool "wrapper" for the ioctl function?
I'm confused again :-)
>
> And if that is true, then the other set eeprom callbacks also need to
> have this same "fix" for them, so it's either one or the other :)
>
> thanks,
>
> greg k-h
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
2025-10-24 11:26 ` Greg Kroah-Hartman
@ 2025-10-24 17:04 ` Tony Nguyen
0 siblings, 0 replies; 8+ messages in thread
From: Tony Nguyen @ 2025-10-24 17:04 UTC (permalink / raw)
To: Greg Kroah-Hartman, Steffen Jaeckel
Cc: cve, linux-kernel, linux-cve-announce, Vitaly Lifshits,
dima.ruinskiy, Mikael Wessel, Mor Bar-Gabay, davem, kuba, pabeni,
edumazet, andrew+netdev
On 10/24/2025 4:26 AM, Greg Kroah-Hartman wrote:
> On Fri, Oct 24, 2025 at 12:53:44PM +0200, Steffen Jaeckel wrote:
>> Hi Greg,
>>
>> On 2025-10-01 09:43, Greg Kroah-Hartman wrote:
>>> From: Greg Kroah-Hartman <gregkh@kernel.org>
>>>
>>> Description
>>> ===========
>>>
>>> In the Linux kernel, the following vulnerability has been resolved:
>>>
>>> e1000e: fix heap overflow in e1000_set_eeprom
>>>
>>> Fix a possible heap overflow in e1000_set_eeprom function by adding
>>> input validation for the requested length of the change in the EEPROM.
>>> In addition, change the variable type from int to size_t for better
>>> code practices and rearrange declarations to RCT.
>>>
>>> The Linux kernel CVE team has assigned CVE-2025-39898 to this issue.
>>>
>>>
>>> Affected and fixed versions
>>> ===========================
>>>
>>> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.4.299 with commit ea832ec0583e2398ea0c5ed8d902c923e16f53c4
>>> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.10.243 with commit ce8829d3d44b8622741bccca9f4408bc3da30b2b
>>> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.15.192 with commit 99a8772611e2d7ec318be7f0f072037914a1f509
>>> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.1.151 with commit b48adcacc34fbbc49046a7ee8a97839bef369c85
>>> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.6.105 with commit 50a84d5c814039ad2abe2748aec3e89324a548a7
>>> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.12.46 with commit b370f7b1f470a8d5485cc1e40e8ff663bb55d712
>>> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.16.6 with commit 0aec3211283482cfcdd606d1345e1f9acbcabd31
>>> Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.17 with commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545
>>>
>>> [...]
>>
>> we believe that this CVE is invalid since the sole caller is
>> `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
>> necessary checks before invoking a driver specific implementation.
>
> Great, will this commit then be reverted? I'll go revoke this cve now,
> thanks for the review.
We'll prepare a revert for this.
Thanks,
Tony
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
2025-10-24 10:53 ` CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom Steffen Jaeckel
2025-10-24 11:26 ` Greg Kroah-Hartman
2025-10-24 12:27 ` David Laight
@ 2025-10-27 21:46 ` Andrew Lunn
2025-10-28 18:14 ` Tony Nguyen
2 siblings, 1 reply; 8+ messages in thread
From: Andrew Lunn @ 2025-10-27 21:46 UTC (permalink / raw)
To: Steffen Jaeckel
Cc: cve, linux-kernel, linux-cve-announce, Greg Kroah-Hartman,
anthony.l.nguyen, Vitaly Lifshits, dima.ruinskiy, Mikael Wessel,
Mor Bar-Gabay, davem, kuba, pabeni, edumazet, andrew+netdev
> we believe that this CVE is invalid since the sole caller is
> `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
> necessary checks before invoking a driver specific implementation.
It is either invalid, or the fix is only fixing e1000, and very
likely, the same issue exists in lots of other drivers, so the fix is
wrong and should be done somewhere else...
This fix adds to the e1000e driver:
+ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
+ total_len > max_len)
+ return -EFBIG;
In the core, ethtool_set_eeprom() we have:
/* Check for wrap and zero */
if (eeprom.offset + eeprom.len <= eeprom.offset)
return -EINVAL;
/* Check for exceeding total eeprom len */
if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
return -EINVAL;
Are they equivalent? Is the core broken?
I will leave it to somebody who understands wraparound to decide.
Andrew
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom
2025-10-27 21:46 ` Andrew Lunn
@ 2025-10-28 18:14 ` Tony Nguyen
0 siblings, 0 replies; 8+ messages in thread
From: Tony Nguyen @ 2025-10-28 18:14 UTC (permalink / raw)
To: Andrew Lunn, Steffen Jaeckel
Cc: cve, linux-kernel, linux-cve-announce, Greg Kroah-Hartman,
Vitaly Lifshits, dima.ruinskiy, Mikael Wessel, Mor Bar-Gabay,
davem, kuba, pabeni, edumazet, andrew+netdev
On 10/27/2025 2:46 PM, Andrew Lunn wrote:
>> we believe that this CVE is invalid since the sole caller is
>> `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
>> necessary checks before invoking a driver specific implementation.
>
> It is either invalid, or the fix is only fixing e1000, and very
> likely, the same issue exists in lots of other drivers, so the fix is
> wrong and should be done somewhere else...
>
> This fix adds to the e1000e driver:
>
> + if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
> + total_len > max_len)
> + return -EFBIG;
>
> In the core, ethtool_set_eeprom() we have:
>
> /* Check for wrap and zero */
> if (eeprom.offset + eeprom.len <= eeprom.offset)
> return -EINVAL;
>
> /* Check for exceeding total eeprom len */
> if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
> return -EINVAL;
>
> Are they equivalent? Is the core broken?
The checks in ethtool_set_eeprom() look to be equivalent to what we were
adding to e1000e so I think core checks are sufficient, and the e1000e
ones, unneeded.
Thanks,
Tony
>
> I will leave it to somebody who understands wraparound to decide.
>
> Andrew
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2025-10-28 18:14 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <2025100116-CVE-2025-39898-d844@gregkh>
2025-10-24 10:53 ` CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom Steffen Jaeckel
2025-10-24 11:26 ` Greg Kroah-Hartman
2025-10-24 17:04 ` Tony Nguyen
2025-10-24 12:27 ` David Laight
2025-10-24 12:40 ` Greg Kroah-Hartman
2025-10-24 14:11 ` David Laight
2025-10-27 21:46 ` Andrew Lunn
2025-10-28 18:14 ` Tony Nguyen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox