Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom

From: Tony Nguyen

Date: Tue Oct 28 2025 - 14:14:40 EST




On 10/27/2025 2:46 PM, Andrew Lunn wrote:
we believe that this CVE is invalid since the sole caller is
`net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
necessary checks before invoking a driver specific implementation.

It is either invalid, or the fix is only fixing e1000, and very
likely, the same issue exists in lots of other drivers, so the fix is
wrong and should be done somewhere else...

This fix adds to the e1000e driver:

+ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
+ total_len > max_len)
+ return -EFBIG;
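Review bot: both conditions this hunk rejects are already rejected by ethtool_set_eeprom() before the driver's set_eeprom callback runs (the wrap-and-zero check and the total-length check quoted further down), so in the normal ioctl path the check is redundant; it also returns -EFBIG where the core returns -EINVAL for the same condition, so if a driver-local check is kept as defence in depth it should use -EINVAL to keep the errno consistent. The excerpt does not show the declared type of total_len; check_add_overflow() only detects wrap at the width of that destination, so if total_len is wider than the __u32 offset and len of struct ethtool_eeprom the first operand never fires and the bound is enforced solely by total_len > max_len, which is still correct but leaves the overflow helper as dead code.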

In the core, ethtool_set_eeprom() we have:

/* Check for wrap and zero */
if (eeprom.offset + eeprom.len <= eeprom.offset)
	return -EINVAL;

/* Check for exceeding total eeprom len */
if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
	return -EINVAL;

Are they equivalent? Is the core broken?

The checks in ethtool_set_eeprom() look to be equivalent to what we were adding to e1000e, so I think the core checks are sufficient, and the e1000e ones unneeded.

Thanks,
Tony


I will leave it to somebody who understands wraparound to decide.

Andrew
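A user-space model of the two checks under discussion, added here as an editor's example (not code from this thread or from the kernel) to exercise the "are they equivalent?" question over boundary inputs. It assumes total_len in the driver hunk is u32 (its declared type is not shown in the excerpt) and uses a constructed EEPROM length of 2048 in place of the device-specific value.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32; /* struct ethtool_eeprom carries offset and len as __u32 */
/* Core check as quoted from ethtool_set_eeprom(). Returns 0 accept, -1 reject. */
int core_check(u32 offset, u32 len, u32 eeprom_len)
{
	/* A wrapped u32 sum is below offset; len == 0 leaves it equal to offset. */
	if (offset + len <= offset)
		return -1;
	if (offset + len > eeprom_len)
		return -1;
	return 0;
}

/* Driver check from the fix; total_len assumed u32 (its type is not in the excerpt).
 * The kernel's check_add_overflow() wraps __builtin_add_overflow(). */
int driver_check(u32 offset, u32 len, u32 max_len)
{
	u32 total_len;
	if (__builtin_add_overflow(offset, len, &total_len) || total_len > max_len)
		return -1;
	return 0;
}

/* Over constructed boundary requests, count those one check rejects and the other
 * accepts: driver-rejects/core-accepts for core_only == 0, the reverse for 1. */
int count_mismatches(u32 max_len, int core_only)
{
	const u32 c[][2] = {
		{0, 0}, {0, 1}, {0, max_len}, {0, max_len + 1}, {max_len, 0},
		{max_len - 1, 1}, {max_len - 1, 2}, {UINT32_MAX, 1}, {UINT32_MAX, 0},
		{0x80000000u, 0x80000000u}, {0x80000000u, 0x7fffffffu},
	};
	int n = 0;
	for (size_t i = 0; i < sizeof c / sizeof c[0]; i++) {
		int d = driver_check(c[i][0], c[i][1], max_len);
		int k = core_check(c[i][0], c[i][1], max_len);
		if (core_only ? (k < 0 && d == 0) : (d < 0 && k == 0))
			n++;
	}
	return n;
}
int main(void)
{	/* 2048 is a constructed EEPROM length; the real size is device specific */
	printf("driver-only rejects: %d, core-only rejects: %d\n",
	       count_mismatches(2048, 0), count_mismatches(2048, 1));
	return 0;
}
```

Under these assumptions the core rejects every request the driver check rejects, and in addition rejects len == 0 (the "zero" half of its first check), which the driver-side check would let through.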