Re: CVE-2025-39898: e1000e: fix heap overflow in e1000_set_eeprom

From: Andrew Lunn

Date: Mon Oct 27 2025 - 17:47:00 EST


> we believe that this CVE is invalid since the sole caller is
> `net/ethtool/ioctl.c:ethtool_set_eeprom()`, which already does all the
> necessary checks before invoking a driver specific implementation.

It is either invalid, or the fix is only fixing e1000, and very
likely, the same issue exists in lots of other drivers, so the fix is
wrong and should be done somewhere else...

This fix adds to the e1000e driver:

+ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
+ total_len > max_len)
+ return -EFBIG;
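Review bot: the three `+` lines re-check what ethtool_set_eeprom() already rejects before calling the driver, and they report -EFBIG where the core reports -EINVAL for the same condition, so the same bad request gets a different errno depending on which check fires first; if the driver-side check is kept, it should at least return the core's -EINVAL. Whether check_add_overflow() catches the wrap here depends on the type of total_len, which is not in the quoted lines: with a u32 total_len it detects exactly the 32-bit wrap the core's `offset + len <= offset` test rejects, while with a wider type the addition never overflows and only the `total_len > max_len` comparison rejects the request.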

In the core, ethtool_set_eeprom() we have:

	/* Check for wrap and zero */
	if (eeprom.offset + eeprom.len <= eeprom.offset)
		return -EINVAL;

	/* Check for exceeding total eeprom len */
	if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
		return -EINVAL;

Are they equivalent? Is the core broken?

I will leave it to somebody who understands wraparound to decide.

Andrew
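To answer the question above on concrete inputs, here is an added user-space model of the two checks (not code from this thread or from the kernel tree); it assumes struct ethtool_eeprom's u32 offset and len, a u32 total_len in the driver fix, and models check_add_overflow() with __builtin_add_overflow().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Core check quoted from ethtool_set_eeprom(). struct ethtool_eeprom stores
 * offset and len as u32, so the sum wraps modulo 2^32 and "sum <= offset"
 * holds exactly on wrap or when len == 0. */
int core_check(uint32_t offset, uint32_t len, uint32_t eeprom_len)
{
	if (offset + len <= offset)
		return -EINVAL;
	if (offset + len > eeprom_len)
		return -EINVAL;
	return 0;
}

/* Check added by the e1000e fix. Assumption: total_len is u32, so
 * check_add_overflow() is modelled by __builtin_add_overflow(). */
int driver_check(uint32_t offset, uint32_t len, uint32_t max_len)
{
	uint32_t total_len;
	if (__builtin_add_overflow(offset, len, &total_len) ||
	    total_len > max_len)
		return -EFBIG;
	return 0;
}

/* Sweep boundary offsets and lengths against a constructed 4 KiB EEPROM;
 * returns 1 if both checks accept or both reject every pair. len == 0 is
 * skipped: the core rejects it, the driver check alone would not. */
int sweep_agrees_for_nonzero_len(void)
{
	static const uint32_t v[] = { 0, 1, 4095, 4096, 4097, 0x7fffffffu,
				      0x80000000u, 0xfffffffeu, 0xffffffffu };
	size_t n = sizeof v / sizeof v[0];
	for (size_t i = 0; i < n; i++)
		for (size_t j = 1; j < n; j++) /* j = 1 skips len 0 */
			if ((core_check(v[i], v[j], 4096) == 0) !=
			    (driver_check(v[i], v[j], 4096) == 0))
				return 0;
	return 1;
}

int main(void)
{
	printf("wrap: core=%d driver=%d, sweep agrees=%d\n", core_check(0xffffffffu, 1, 4096),
	       driver_check(0xffffffffu, 1, 4096), sweep_agrees_for_nonzero_len());
	return 0;
}
```

Built with gcc or clang, the sweep reports agreement for every non-zero length; the only divergence is len == 0, which the core rejects before any driver code runs.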