Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom

From: Tony Nguyen
Date: Fri Oct 24 2025 - 13:05:21 EST

Next message: Daniel Golle: "[PATCH net-next 06/13] dt-bindings: net: dsa: lantiq,gswip: add support for MII delay properties"
Previous message: Daniel Golle: "[PATCH net-next 05/13] net: dsa: lantiq_gswip: define and use GSWIP_TABLE_MAC_BRIDGE_VAL1_VALID"
In reply to: Greg Kroah-Hartman: "Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom"
Next in thread: David Laight: "Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/24/2025 4:26 AM, Greg Kroah-Hartman wrote:

On Fri, Oct 24, 2025 at 12:53:44PM +0200, Steffen Jaeckel wrote:

Hi Greg,

On 2025-10-01 09:43, Greg Kroah-Hartman wrote:

From: Greg Kroah-Hartman <gregkh@xxxxxxxxxx>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

e1000e: fix heap overflow in e1000_set_eeprom

Fix a possible heap overflow in e1000_set_eeprom function by adding
input validation for the requested length of the change in the EEPROM.
In addition, change the variable type from int to size_t for better
code practices and rearrange declarations to RCT.

The Linux kernel CVE team has assigned CVE-2025-39898 to this issue.

Affected and fixed versions
===========================

Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.4.299 with commit ea832ec0583e2398ea0c5ed8d902c923e16f53c4
Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.10.243 with commit ce8829d3d44b8622741bccca9f4408bc3da30b2b
Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 5.15.192 with commit 99a8772611e2d7ec318be7f0f072037914a1f509
Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.1.151 with commit b48adcacc34fbbc49046a7ee8a97839bef369c85
Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.6.105 with commit 50a84d5c814039ad2abe2748aec3e89324a548a7
Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.12.46 with commit b370f7b1f470a8d5485cc1e40e8ff663bb55d712
Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.16.6 with commit 0aec3211283482cfcdd606d1345e1f9acbcabd31
Issue introduced in 2.6.24 with commit bc7f75fa97884d41efbfde1397b621fefb2550b4 and fixed in 6.17 with commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545

[...]

we believe that this CVE is invalid since the sole caller is
`net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
necessary checks before invoking a driver specific implementation.

Great, will this commit then be reverted? I'll go revoke this cve now,
thanks for the review.

We'll prepare a revert for this.

Thanks,
Tony

Next message: Daniel Golle: "[PATCH net-next 06/13] dt-bindings: net: dsa: lantiq,gswip: add support for MII delay properties"
Previous message: Daniel Golle: "[PATCH net-next 05/13] net: dsa: lantiq_gswip: define and use GSWIP_TABLE_MAC_BRIDGE_VAL1_VALID"
In reply to: Greg Kroah-Hartman: "Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom"
Next in thread: David Laight: "Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]