Linux Kernel RDMA/SIW Sendmsg Byte Count Vulnerability in TCP Sendpages

A vulnerability in the Linux kernel's RDMA/SIW implementation has been addressed. The issue arose in the 'siw_tcp_sendpages' function, where an incorrect byte count was sent during message transmission over TCP. This error became problematic due to recent changes in the slab allocator that restrict certain memory operations, leading to out-of-bounds crashes. The vulnerability was caused by sending oversized I/O vector iterations and TCP message sizes, which were not properly aligned with the actual data being transmitted.

Impact

The vulnerability could lead to out-of-bounds crashes, disrupting normal operation and potentially causing application or system-level failures.

Reproduction

The vulnerability can be reproduced by using the RDMA/SIW (Software iWarp) protocol in the Linux kernel. The 'siw_tcp_sendpages' function will send an incorrect byte count, leading to an out-of-bounds error. This can be triggered by the recent slab allocator changes that disallow certain memory operations, causing the 'sendpage' function to fail on large allocations. When the 'sendpage' operation is not successful, the 'siw_tcp_sendpages' function attempts to splice the pages, but the logic incorrectly calculates the number of bytes, resulting in an overflow.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.