In the Linux kernel, the following vulnerability has been resolved:

e1000: fix OOB in e1000tbishould_accept()

In e1000tbishouldaccept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000cleanrxirq):

================================================================== BUG: KASAN: slab-out-of-bounds in e1000tbishould_accept+0x610/0x790 Read of size 1 at addr ffff888014114e54 by task sshd/363

CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dumpstacklvl+0x5a/0x74 printaddressdescription+0x7b/0x440 printreport+0x101/0x200 kasanreport+0xc1/0xf0 e1000tbishouldaccept+0x610/0x790 e1000cleanrxirq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napipoll+0x98/0x380 netrx_action+0x491/0xa20 __dosoftirq+0x2c9/0x61d dosoftirq+0xd1/0x120 </IRQ> <TASK> __localbhenableip+0xfe/0x130 ipfinish_output2+0x7d5/0xb00 __ipqueuexmit+0xe24/0x1ab0 __tcptransmitskb+0x1bcb/0x3340 tcpwritexmit+0x175d/0x6bd0 __tcppushpending_frames+0x7b/0x280 tcpsendmsglocked+0x2e4f/0x32d0 tcpsendmsg+0x24/0x40 sockwriteiter+0x322/0x430 vfswrite+0x56c/0xa60 ksyswrite+0xd1/0x190 dosyscall64+0x43/0x90 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7f511b476b10 Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24 RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIGRAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10 RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003 RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 </TASK> Allocated by task 1: __kasankrealloc+0x131/0x1c0 krealloc+0x90/0xc0 addsysfsparam+0xcb/0x8a0 kerneladdsysfsparam+0x81/0xd4 paramsysfsbuiltin+0x138/0x1a6 paramsysfsinit+0x57/0x5b dooneinitcall+0x104/0x250 doinitcalllevel+0x102/0x132 doinitcalls+0x46/0x74 kernelinitfreeable+0x28f/0x393 kernelinit+0x14/0x1a0 retfromfork+0x22/0x30 The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800] The buggy address belongs to the physical page: page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110 head:ffffea0000504400 order:3 compoundmapcount:0 compoundpincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000

page dumped because: kasan: bad access detected

This happens because the TBI check unconditionally dereferences the last byte without validating the reported length first:

u8 last_byte = *(data + length - 1);

Fix by rejecting the frame early if the length is zero, or if it exceeds adapter->rxbufferlen. This preserves the TBI workaround semantics for valid frames and prevents touching memory beyond the RX buffer.