CVE-2025-39758
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/09/2025
Last modified:
15/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages

Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"),
we have been doing this:

static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset,
                             size_t size)
[...]
        /* Calculate the number of bytes we need to push, for this page
         * specifically */
        size_t bytes = min_t(size_t, PAGE_SIZE - offset, size);
        /* If we can't splice it, then copy it in, as normal */
        if (!sendpage_ok(page[i]))
                msg.msg_flags &= ~MSG_SPLICE_PAGES;
        /* Set the bvec pointing to the page, with len $bytes */
        bvec_set_page(&bvec, page[i], bytes, offset);
        /* Set the iter to $size, aka the size of the whole sendpages (!!!) */
        iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
try_page_again:
        lock_sock(sk);
        /* Sendmsg with $size size (!!!) */
        rv = tcp_sendmsg_locked(sk, &msg, size);

This means we've been sending oversized iov_iters and tcp_sendmsg calls
for a while. This has been a benign bug because sendpage_ok() always
returned true. With the recent slab allocator changes being slowly
introduced into next (that disallow sendpage on large kmalloc
allocations), we have recently hit out-of-bounds crashes, due to slight
differences in iov_iter behavior between the MSG_SPLICE_PAGES and
"regular" copy paths:

(MSG_SPLICE_PAGES)
  skb_splice_from_iter
    iov_iter_extract_pages
      iov_iter_extract_bvec_pages
        uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere
  skb_splice_from_iter gets a "short" read

(!MSG_SPLICE_PAGES)
  skb_copy_to_page_nocache copy=iov_iter_count
    [...]
      copy_from_iter
        /* this doesn't help */
        if (unlikely(iter->count < count))
                count = iter->count;
        iterate_bvec
          ... and we run off the bvecs

Fix this by properly setting the iov_iter's byte count, plus sending the
correct byte count to tcp_sendmsg_locked.
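The mismatch the commit message describes (an iov_iter whose count is the whole request while its single bvec covers only one page) can be reproduced in a small user-space model. The following C program is an added example for this page, not kernel code: model_iter, model_bvec, model_copy_from_iter and model_sendpages are constructed stand-ins for struct iov_iter, struct bio_vec, the !MSG_SPLICE_PAGES copy path and the siw per-page loop, and the page size and sample data are constructed. Where the kernel copy path would walk past the bvec array, the model counts the excess bytes as overrun instead of reading them; the fixed flag switches the iterator count from size to bytes, which is what the fix does.

```c
/* User-space model (constructed for this page, not kernel code) of the
 * iov_iter byte-count mismatch in siw_tcp_sendpages. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u

/* One segment: stands in for a kernel bio_vec (page + offset + len). */
struct model_bvec { const unsigned char *base; size_t len; };

/* Stands in for struct iov_iter over a bvec array. */
struct model_iter {
    const struct model_bvec *bvec;
    size_t nr_segs;   /* segments actually present */
    size_t count;     /* bytes the iterator claims to cover */
};

struct demo_result {
    size_t copied;    /* bytes delivered from real segments */
    size_t overrun;   /* bytes claimed by count but backed by no segment */
    int data_ok;      /* 1 if the delivered stream matches the source pages */
};

/* Mirrors iov_iter_bvec(): bind the segments and set the byte count. */
static void model_iter_bvec(struct model_iter *it, const struct model_bvec *bv,
                            size_t nr_segs, size_t count)
{
    it->bvec = bv;
    it->nr_segs = nr_segs;
    it->count = count;
}

/* Model of the !MSG_SPLICE_PAGES copy path. The real code trusts it->count
 * and walks off the end of the bvec array when count exceeds the segments;
 * here the excess is recorded in *overrun instead of being read. */
static size_t model_copy_from_iter(unsigned char *dst, const struct model_iter *it,
                                   size_t *overrun)
{
    size_t want = it->count, copied = 0;
    for (size_t i = 0; i < it->nr_segs && want > 0; i++) {
        size_t n = it->bvec[i].len < want ? it->bvec[i].len : want;
        memcpy(dst + copied, it->bvec[i].base, n);
        copied += n;
        want -= n;
    }
    *overrun = want;   /* non-zero means the kernel path would read out of bounds */
    return copied;
}

/* Model of the per-page loop in siw_tcp_sendpages. `fixed` selects the
 * corrected count (bytes, this page only) instead of the original count
 * (size, the whole request) when setting up the iterator. */
static struct demo_result model_sendpages(const unsigned char *const *pages, int npages,
                                          size_t offset, size_t size, unsigned char *dst,
                                          bool fixed)
{
    struct demo_result r = { 0, 0, 1 };
    for (int i = 0; i < npages && size > 0; i++) {
        size_t bytes = (MODEL_PAGE_SIZE - offset) < size ? (MODEL_PAGE_SIZE - offset) : size;
        struct model_bvec bv = { pages[i] + offset, bytes };
        struct model_iter it;
        size_t over = 0;

        /* The original code passed size here; the fix passes bytes. */
        model_iter_bvec(&it, &bv, 1, fixed ? bytes : size);
        r.copied += model_copy_from_iter(dst + r.copied, &it, &over);
        r.overrun += over;
        size -= bytes;
        offset = 0;
    }
    return r;
}

/* Constructed scenario: two pages, start at offset 100, send 5000 bytes. */
static struct demo_result run_demo(bool fixed)
{
    static unsigned char page0[MODEL_PAGE_SIZE], page1[MODEL_PAGE_SIZE];
    static unsigned char dst[2 * MODEL_PAGE_SIZE];
    const unsigned char *pages[2] = { page0, page1 };
    const size_t offset = 100, size = 5000, first = MODEL_PAGE_SIZE - offset;
    struct demo_result r;

    for (size_t i = 0; i < MODEL_PAGE_SIZE; i++) {
        page0[i] = (unsigned char)i;
        page1[i] = (unsigned char)(i ^ 0xA5);
    }
    memset(dst, 0, sizeof dst);
    r = model_sendpages(pages, 2, offset, size, dst, fixed);

    /* The stream must be page0[100..4095] followed by page1[0..1003]. */
    r.data_ok = r.copied == size &&
                memcmp(dst, page0 + offset, first) == 0 &&
                memcmp(dst + first, page1, size - first) == 0;
    return r;
}

int main(void)
{
    struct demo_result bug = run_demo(false), ok = run_demo(true);
    printf("original: copied=%zu overrun=%zu\n", bug.copied, bug.overrun);
    printf("fixed:    copied=%zu overrun=%zu\n", ok.copied, ok.overrun);
    return 0;
}
```

The point the model makes is that both variants deliver the same bytes, so nothing in the data stream reveals the bug; only the iterator's count exceeding its backing segments does, which is exactly the condition that became reachable once sendpage_ok() started returning false.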
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/42ebc16d9d2563f1a1ce0f05b643ee68d54fabf8
- https://git.kernel.org/stable/c/5661fdd218c2799001b88c17acd19f4395e4488e
- https://git.kernel.org/stable/c/673cf582fd788af12cdacfb62a6a593083542481
- https://git.kernel.org/stable/c/c18646248fed07683d4cee8a8af933fc4fe83c0d
- https://git.kernel.org/stable/c/edf82bc8150570167a33a7d54627d66614cbf841