[PATCH] e1000e: fix heap overflow in e1000_set

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] e1000e: fix heap overflow in e1000_set_eeprom()
@ 2025-05-27 21:13 Mikael Wessel
  2025-05-27 21:42 ` Andrew Lunn
  2025-05-28 15:33 ` Tony Nguyen
  0 siblings, 2 replies; 3+ messages in thread
From: Mikael Wessel @ 2025-05-27 21:13 UTC (permalink / raw)
  To: netdev
  Cc: intel-wired-lan, torvalds, anthony.l.nguyen, przemyslaw.kitszel,
	andrew, kuba, pabeni, security, stable, davem, edumazet,
	linux-kernel, Mikael Wessel

The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN
user can overflow the heap and crash the kernel or gain code execution.

Validate length and offset before kmalloc() to avoid leaking eeprom_buff.

Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
Reported-by: Mikael Wessel <post@mikaelkw.online>
Signed-off-by: Mikael Wessel <post@mikaelkw.online>
Cc: stable@vger.kernel.org
---
 drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
index 98e541e39730..d04e59528619 100644
--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
+++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
@@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
 		return -EOPNOTSUPP;
 
 	if (eeprom->magic !=
-	    (adapter->pdev->vendor | (adapter->pdev->device << 16)))
+		(adapter->pdev->vendor | (adapter->pdev->device << 16)))
 		return -EFAULT;
 
 	if (adapter->flags & FLAG_READ_ONLY_NVM)
@@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_device *netdev,
 
 	max_len = hw->nvm.word_size * 2;
 
+	/* bounds check: offset + len must not exceed EEPROM size */
+	if (eeprom->offset + eeprom->len > max_len)
+		return -EINVAL;
+
 	first_word = eeprom->offset >> 1;
 	last_word = (eeprom->offset + eeprom->len - 1) >> 1;
 	eeprom_buff = kmalloc(max_len, GFP_KERNEL);
@@ -596,9 +600,6 @@ static int e1000_set_eeprom(struct net_device *netdev,
 	for (i = 0; i < last_word - first_word + 1; i++)
 		le16_to_cpus(&eeprom_buff[i]);
 
-        if (eeprom->len > max_len ||
-            eeprom->offset > max_len - eeprom->len)
-                return -EINVAL;
 	memcpy(ptr, bytes, eeprom->len);
 
 	for (i = 0; i < last_word - first_word + 1; i++)
-- 
2.48.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] e1000e: fix heap overflow in e1000_set_eeprom()
  2025-05-27 21:13 [PATCH] e1000e: fix heap overflow in e1000_set_eeprom() Mikael Wessel
@ 2025-05-27 21:42 ` Andrew Lunn
  2025-05-28 15:33 ` Tony Nguyen
  1 sibling, 0 replies; 3+ messages in thread
From: Andrew Lunn @ 2025-05-27 21:42 UTC (permalink / raw)
  To: Mikael Wessel
  Cc: netdev, intel-wired-lan, torvalds, anthony.l.nguyen,
	przemyslaw.kitszel, kuba, pabeni, security, stable, davem,
	edumazet, linux-kernel

On Tue, May 27, 2025 at 11:13:32PM +0200, Mikael Wessel wrote:
> The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
> without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN
> user can overflow the heap and crash the kernel or gain code execution.
> 
> Validate length and offset before kmalloc() to avoid leaking eeprom_buff.
> 
> Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
> Reported-by: Mikael Wessel <post@mikaelkw.online>
> Signed-off-by: Mikael Wessel <post@mikaelkw.online>
> Cc: stable@vger.kernel.org
> ---
>  drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
> index 98e541e39730..d04e59528619 100644
> --- a/drivers/net/ethernet/intel/e1000e/ethtool.c
> +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
> @@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
>  		return -EOPNOTSUPP;
>  
>  	if (eeprom->magic !=
> -	    (adapter->pdev->vendor | (adapter->pdev->device << 16)))
> +		(adapter->pdev->vendor | (adapter->pdev->device << 16)))
>  		return -EFAULT;

That look like a white space change, which should not be part of a
fix.

Please also take a read of

https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html

You need to set the tree in the Subject line.

    Andrew

---
pw-bot: cr
	

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] e1000e: fix heap overflow in e1000_set_eeprom()
  2025-05-27 21:13 [PATCH] e1000e: fix heap overflow in e1000_set_eeprom() Mikael Wessel
  2025-05-27 21:42 ` Andrew Lunn
@ 2025-05-28 15:33 ` Tony Nguyen
  1 sibling, 0 replies; 3+ messages in thread
From: Tony Nguyen @ 2025-05-28 15:33 UTC (permalink / raw)
  To: Mikael Wessel, netdev
  Cc: intel-wired-lan, torvalds, przemyslaw.kitszel, andrew, kuba,
	pabeni, security, stable, davem, edumazet, linux-kernel



On 5/27/2025 2:13 PM, Mikael Wessel wrote:
> The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
> without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN
> user can overflow the heap and crash the kernel or gain code execution.
> 
> Validate length and offset before kmalloc() to avoid leaking eeprom_buff.
> 
> Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
> Reported-by: Mikael Wessel <post@mikaelkw.online>
> Signed-off-by: Mikael Wessel <post@mikaelkw.online>
> Cc: stable@vger.kernel.org
> ---
>   drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++----
>   1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
> index 98e541e39730..d04e59528619 100644
> --- a/drivers/net/ethernet/intel/e1000e/ethtool.c
> +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
> @@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
>   		return -EOPNOTSUPP;
>   
>   	if (eeprom->magic !=
> -	    (adapter->pdev->vendor | (adapter->pdev->device << 16)))
> +		(adapter->pdev->vendor | (adapter->pdev->device << 16)))

As Andrew already pointed out, please omit.

>   		return -EFAULT;
>   
>   	if (adapter->flags & FLAG_READ_ONLY_NVM)
> @@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_device *netdev,
>   
>   	max_len = hw->nvm.word_size * 2;
>   
> +	/* bounds check: offset + len must not exceed EEPROM size */
> +	if (eeprom->offset + eeprom->len > max_len)
> +		return -EINVAL;
> +
>   	first_word = eeprom->offset >> 1;
>   	last_word = (eeprom->offset + eeprom->len - 1) >> 1;
>   	eeprom_buff = kmalloc(max_len, GFP_KERNEL);
> @@ -596,9 +600,6 @@ static int e1000_set_eeprom(struct net_device *netdev,
>   	for (i = 0; i < last_word - first_word + 1; i++)
>   		le16_to_cpus(&eeprom_buff[i]);
>   
> -        if (eeprom->len > max_len ||
> -            eeprom->offset > max_len - eeprom->len)
> -                return -EINVAL;

Seems like this patch is based on top of your previous version?
https://lore.kernel.org/all/20250527085612.11354-2-post@mikaelkw.online/

Please a provide a patch that can apply without need for previous versions.

Thanks,
Tony


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-05-28 15:34 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-27 21:13 [PATCH] e1000e: fix heap overflow in e1000_set_eeprom() Mikael Wessel
2025-05-27 21:42 ` Andrew Lunn
2025-05-28 15:33 ` Tony Nguyen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).