> -----Original Message-----
> From: Intel-wired-lan <[email protected]> On Behalf
> Of Mikael Wessel
> Sent: Tuesday, May 27, 2025 10:56 AM
> To: [email protected]
> Cc: [email protected]; [email protected];
> Nguyen, Anthony L <[email protected]>; Kitszel, Przemyslaw
> <[email protected]>; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; linux-
> [email protected]; Mikael Wessel <[email protected]>
> Subject: [Intel-wired-lan] [PATCH v2 1/1] e1000e: fix heap overflow in
> e1000_set_eeprom()
> 
> The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer
> without validating eeprom->len and eeprom->offset.  A CAP_NET_ADMIN
> user can overflow the heap and crash the kernel or gain code
> execution.
> 
> Validate length and offset before memcpy().
> 
> Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver
> (currently for ICH9 devices only)")
> Reported-by: Mikael Wessel <[email protected]>
> Signed-off-by: Mikael Wessel <[email protected]>
Reviewed-by: Aleksandr Loktionov <[email protected]>
> Cc: [email protected]
> ---
>  drivers/net/ethernet/intel/e1000e/ethtool.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c
> b/drivers/net/ethernet/intel/e1000e/ethtool.c
> index 9364bc2b4eb1..98e541e39730 100644
> --- a/drivers/net/ethernet/intel/e1000e/ethtool.c
> +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
> @@ -596,6 +596,9 @@ static int e1000_set_eeprom(struct net_device
> *netdev,
>       for (i = 0; i < last_word - first_word + 1; i++)
>               le16_to_cpus(&eeprom_buff[i]);
> 
> +        if (eeprom->len > max_len ||
> +            eeprom->offset > max_len - eeprom->len)
> +                return -EINVAL;
>       memcpy(ptr, bytes, eeprom->len);
> 
>       for (i = 0; i < last_word - first_word + 1; i++)
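
Review bot: the early `return -EINVAL` in the added check, placed just before `memcpy(ptr, bytes, eeprom->len)`, comes after `eeprom_buff` has already been populated by the `le16_to_cpus(&eeprom_buff[i])` loop. If that is the kmalloc'ed buffer the commit message describes, this path returns without freeing it. Consider moving the length/offset validation to the top of e1000_set_eeprom(), before the allocation, or setting the error code and jumping to the function's cleanup path instead of returning directly. The definition of `max_len` is outside the visible context, so it is worth confirming that it is the byte size of the allocation being written to. The three added lines also appear to be indented with spaces, while the surrounding context looks tab-indented.
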
> --
> 2.48.1
