CVE-2025-37991
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 20/05/2025
Last modified: 21/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

parisc: Fix double SIGFPE crash

Camm noticed that on parisc a SIGFPE exception will crash an application with
a second SIGFPE in the signal handler. Dave analyzed it, and it happens
because glibc uses a double-word floating-point store to atomically update
function descriptors. As a result of lazy binding, we hit a floating-point
store in fpe_func almost immediately.

When the T bit is set, an assist exception trap occurs when the
co-processor encounters *any* floating-point instruction except for a double
store of register %fr0. The latter cancels all pending traps. Let's fix this
by clearing the Trap (T) bit in the FP status register before returning to the
signal handler in userspace.

The issue can be reproduced with this test program:

root@parisc:~# cat fpe.c

#define _GNU_SOURCE          /* feenableexcept() is a GNU extension in <fenv.h> */
#include <fenv.h>
#include <signal.h>
#include <stdio.h>

/* SIGFPE handler: SIGFPE is blocked while the handler runs, so unblock it
   again so that a second trap raised from inside the handler is delivered. */
static void fpe_func(int sig, siginfo_t *i, void *v) {
        sigset_t set;
        sigemptyset(&set);
        sigaddset(&set, SIGFPE);
        sigprocmask(SIG_UNBLOCK, &set, NULL);
        printf("GOT signal %d with si_code %d\n", sig, i->si_code);
}

int main(void) {
        struct sigaction action = {
                .sa_sigaction = fpe_func,
                .sa_flags = SA_RESTART|SA_SIGINFO };
        sigaction(SIGFPE, &action, 0);
        /* Turn the overflow flag into a trap, then force an overflow (DBL_MAX * DBL_MAX). */
        feenableexcept(FE_OVERFLOW);
        return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308);
}

root@parisc:~# gcc fpe.c -lm
root@parisc:~# ./a.out
Floating point exception

root@parisc:~# strace -f ./a.out
execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
...
rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---
+++ killed by SIGFPE +++
Floating point exception
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/6a098c51d18ec99485668da44294565c43dbc106
- https://git.kernel.org/stable/c/6c639af49e9e5615a8395981eaf5943fb40acd6f
- https://git.kernel.org/stable/c/cf21e890f56b7d0038ddaf25224e4f4c69ecd143
- https://git.kernel.org/stable/c/de3629baf5a33af1919dec7136d643b0662e85ef
- https://git.kernel.org/stable/c/df3592e493d7f29bae4ffde9a9325de50ddf962e
- https://git.kernel.org/stable/c/ec4584495868bd465fe60a3f771915c0e7ce7951