Linux Kernel e1000 Driver Out-of-Bounds Read Vulnerability in TBI Acceptance Function

A vulnerability has been identified in the Linux kernel's e1000 network driver, specifically within the TBI acceptance function. This issue arises when the function reads the last byte of a frame to apply a TBI workaround. If the reported length is zero or exceeds the actual receive buffer size, this operation can lead to an out-of-bounds read, potentially accessing unrelated memory areas. The vulnerability was detected in the NAPI receive path, during the processing of incoming network interrupts.

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds error, where the kernel's memory safety mechanism detects an invalid memory access. This type of error can often be exploited to manipulate memory in a way that leads to more severe consequences, such as executing arbitrary code or causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending network frames with a descriptor-reported length that is either zero or greater than the actual receive buffer size. This can be done in a controlled environment, such as a virtual machine running QEMU, where the Linux kernel version is 5.18.0-rc1.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. The specific commit that fixes this issue is available in the Linux kernel stable tree.