On Tue, May 27, 2025 at 11:13:32PM +0200, Mikael Wessel wrote:
The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN user can overflow the heap and crash the kernel or gain code execution.
Validate length and offset before kmalloc() to avoid leaking eeprom_buff.
Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") Reported-by: Mikael Wessel post@mikaelkw.online Signed-off-by: Mikael Wessel post@mikaelkw.online Cc: stable@vger.kernel.org
drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c index 98e541e39730..d04e59528619 100644 --- a/drivers/net/ethernet/intel/e1000e/ethtool.c +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c @@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev, return -EOPNOTSUPP; if (eeprom->magic !=
(adapter->pdev->vendor | (adapter->pdev->device << 16)))
(adapter->pdev->vendor | (adapter->pdev->device << 16)))
That look like a white space change, which should not be part of a fix.
Please also take a read of
https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html
You need to set the tree in the Subject line.
Andrew
--- pw-bot: cr