{"id":"CVE-2025-39758","summary":"RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages\n\nEver since commit c2ff29e99a76 (\"siw: Inline do_tcp_sendpages()\"),\nwe have been doing this:\n\nstatic int siw_tcp_sendpages(struct socket *s, struct page **page, int offset,\n size_t size)\n[...]\n /* Calculate the number of bytes we need to push, for this page\n * specifically */\n size_t bytes = min_t(size_t, PAGE_SIZE - offset, size);\n /* If we can't splice it, then copy it in, as normal */\n if (!sendpage_ok(page[i]))\n msg.msg_flags &= ~MSG_SPLICE_PAGES;\n /* Set the bvec pointing to the page, with len $bytes */\n bvec_set_page(&bvec, page[i], bytes, offset);\n /* Set the iter to $size, aka the size of the whole sendpages (!!!) */\n iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);\ntry_page_again:\n lock_sock(sk);\n /* Sendmsg with $size size (!!!) */\n rv = tcp_sendmsg_locked(sk, &msg, size);\n\nThis means we've been sending oversized iov_iters and tcp_sendmsg calls\nfor a while. This has a been a benign bug because sendpage_ok() always\nreturned true. With the recent slab allocator changes being slowly\nintroduced into next (that disallow sendpage on large kmalloc\nallocations), we have recently hit out-of-bounds crashes, due to slight\ndifferences in iov_iter behavior between the MSG_SPLICE_PAGES and\n\"regular\" copy paths:\n\n(MSG_SPLICE_PAGES)\nskb_splice_from_iter\n iov_iter_extract_pages\n iov_iter_extract_bvec_pages\n uses i-\u003enr_segs to correctly stop in its tracks before OoB'ing everywhere\n skb_splice_from_iter gets a \"short\" read\n\n(!MSG_SPLICE_PAGES)\nskb_copy_to_page_nocache copy=iov_iter_count\n [...]\n copy_from_iter\n /* this doesn't help */\n if (unlikely(iter-\u003ecount \u003c len))\n len = iter-\u003ecount;\n iterate_bvec\n ... and we run off the bvecs\n\nFix this by properly setting the iov_iter's byte count, plus sending the\ncorrect byte count to tcp_sendmsg_locked.","modified":"2026-03-20T12:43:02.218208Z","published":"2025-09-11T16:52:27.598Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39758.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/42ebc16d9d2563f1a1ce0f05b643ee68d54fabf8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5661fdd218c2799001b88c17acd19f4395e4488e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/673cf582fd788af12cdacfb62a6a593083542481"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c18646248fed07683d4cee8a8af933fc4fe83c0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/edf82bc8150570167a33a7d54627d66614cbf841"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39758.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39758"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c2ff29e99a764769eb2ce3a1a5585013633ee9a6"},{"fixed":"5661fdd218c2799001b88c17acd19f4395e4488e"},{"fixed":"673cf582fd788af12cdacfb62a6a593083542481"},{"fixed":"42ebc16d9d2563f1a1ce0f05b643ee68d54fabf8"},{"fixed":"edf82bc8150570167a33a7d54627d66614cbf841"},{"fixed":"c18646248fed07683d4cee8a8af933fc4fe83c0d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39758.json"}}],"schema_version":"1.7.5"}