-

CVE-2025-39758

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages

Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"),
we have been doing this:

static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset,
                             size_t size)
[...]
        /* Calculate the number of bytes we need to push, for this page
         * specifically */
        size_t bytes = min_t(size_t, PAGE_SIZE - offset, size);
        /* If we can't splice it, then copy it in, as normal */
        if (!sendpage_ok(page[i]))
                msg.msg_flags &= ~MSG_SPLICE_PAGES;
        /* Set the bvec pointing to the page, with len $bytes */
        bvec_set_page(&bvec, page[i], bytes, offset);
        /* Set the iter to $size, aka the size of the whole sendpages (!!!) */
        iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
try_page_again:
        lock_sock(sk);
        /* Sendmsg with $size size (!!!) */
        rv = tcp_sendmsg_locked(sk, &msg, size);

This means we've been sending oversized iov_iters and tcp_sendmsg calls
for a while. This has a been a benign bug because sendpage_ok() always
returned true. With the recent slab allocator changes being slowly
introduced into next (that disallow sendpage on large kmalloc
allocations), we have recently hit out-of-bounds crashes, due to slight
differences in iov_iter behavior between the MSG_SPLICE_PAGES and
"regular" copy paths:

(MSG_SPLICE_PAGES)
skb_splice_from_iter
  iov_iter_extract_pages
    iov_iter_extract_bvec_pages
      uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere
  skb_splice_from_iter gets a "short" read

(!MSG_SPLICE_PAGES)
skb_copy_to_page_nocache copy=iov_iter_count
 [...]
   copy_from_iter
        /* this doesn't help */
        if (unlikely(iter->count < len))
                len = iter->count;
          iterate_bvec
            ... and we run off the bvecs

Fix this by properly setting the iov_iter's byte count, plus sending the
correct byte count to tcp_sendmsg_locked.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
Product Linux
Default Statusunaffected
Version < 5661fdd218c2799001b88c17acd19f4395e4488e
Version c2ff29e99a764769eb2ce3a1a5585013633ee9a6
Status affected
Version < 673cf582fd788af12cdacfb62a6a593083542481
Version c2ff29e99a764769eb2ce3a1a5585013633ee9a6
Status affected
Version < 42ebc16d9d2563f1a1ce0f05b643ee68d54fabf8
Version c2ff29e99a764769eb2ce3a1a5585013633ee9a6
Status affected
Version < edf82bc8150570167a33a7d54627d66614cbf841
Version c2ff29e99a764769eb2ce3a1a5585013633ee9a6
Status affected
Version < c18646248fed07683d4cee8a8af933fc4fe83c0d
Version c2ff29e99a764769eb2ce3a1a5585013633ee9a6
Status affected
VendorLinux
Product Linux
Default Statusaffected
Version 6.5
Status affected
Version < 6.5
Version 0
Status unaffected
Version <= 6.6.*
Version 6.6.103
Status unaffected
Version <= 6.12.*
Version 6.12.43
Status unaffected
Version <= 6.15.*
Version 6.15.11
Status unaffected
Version <= 6.16.*
Version 6.16.2
Status unaffected
Version <= *
Version 6.17-rc1
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.02% 0.047
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string