cve/published/2025/CVE-2025-37991.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37991: parisc: Fix double SIGFPE crash

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 parisc: Fix double SIGFPE crash

 Camm noticed that on parisc a SIGFPE exception will crash an application with
 a second SIGFPE in the signal handler.  Dave analyzed it, and it happens
 because glibc uses a double-word floating-point store to atomically update
 function descriptors. As a result of lazy binding, we hit a floating-point
 store in fpe_func almost immediately.

 When the T bit is set, an assist exception trap occurs when when the
 co-processor encounters *any* floating-point instruction except for a double
 store of register %fr0.  The latter cancels all pending traps.  Let's fix this
 by clearing the Trap (T) bit in the FP status register before returning to the
 signal handler in userspace.

 The issue can be reproduced with this test program:

 root@parisc:~# cat fpe.c

 static void fpe_func(int sig, siginfo_t *i, void *v) {
         sigset_t set;
         sigemptyset(&set);
         sigaddset(&set, SIGFPE);
         sigprocmask(SIG_UNBLOCK, &set, NULL);
         printf("GOT signal %d with si_code %ld\n", sig, i->si_code);
 }

 int main() {
         struct sigaction action = {
                 .sa_sigaction = fpe_func,
                 .sa_flags = SA_RESTART|SA_SIGINFO };
         sigaction(SIGFPE, &action, 0);
         feenableexcept(FE_OVERFLOW);
         return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308);
 }

 root@parisc:~# gcc fpe.c -lm
 root@parisc:~# ./a.out
  Floating point exception

 root@parisc:~# strace -f ./a.out
  execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0
  getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
  ...
  rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
  --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---
  --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---
  +++ killed by SIGFPE +++
  Floating point exception

 The Linux kernel CVE team has assigned CVE-2025-37991 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.294 with commit 2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6
 	Fixed in 5.10.238 with commit 757ba4d17b868482837c566cfefca59e2296c608
 	Fixed in 5.15.182 with commit ec4584495868bd465fe60a3f771915c0e7ce7951
 	Fixed in 6.1.138 with commit 6c639af49e9e5615a8395981eaf5943fb40acd6f
 	Fixed in 6.6.90 with commit 6a098c51d18ec99485668da44294565c43dbc106
 	Fixed in 6.12.28 with commit cf21e890f56b7d0038ddaf25224e4f4c69ecd143
 	Fixed in 6.14.6 with commit df3592e493d7f29bae4ffde9a9325de50ddf962e
 	Fixed in 6.15 with commit de3629baf5a33af1919dec7136d643b0662e85ef

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37991
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/parisc/math-emu/driver.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6
 	https://git.kernel.org/stable/c/757ba4d17b868482837c566cfefca59e2296c608
 	https://git.kernel.org/stable/c/ec4584495868bd465fe60a3f771915c0e7ce7951
 	https://git.kernel.org/stable/c/6c639af49e9e5615a8395981eaf5943fb40acd6f
 	https://git.kernel.org/stable/c/6a098c51d18ec99485668da44294565c43dbc106
 	https://git.kernel.org/stable/c/cf21e890f56b7d0038ddaf25224e4f4c69ecd143
 	https://git.kernel.org/stable/c/df3592e493d7f29bae4ffde9a9325de50ddf962e
 	https://git.kernel.org/stable/c/de3629baf5a33af1919dec7136d643b0662e85ef
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37991: parisc: Fix double SIGFPE crash

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	parisc: Fix double SIGFPE crash

	Camm noticed that on parisc a SIGFPE exception will crash an application with
	a second SIGFPE in the signal handler. Dave analyzed it, and it happens
	because glibc uses a double-word floating-point store to atomically update
	function descriptors. As a result of lazy binding, we hit a floating-point
	store in fpe_func almost immediately.

	When the T bit is set, an assist exception trap occurs when when the
	co-processor encounters any floating-point instruction except for a double
	store of register %fr0. The latter cancels all pending traps. Let's fix this
	by clearing the Trap (T) bit in the FP status register before returning to the
	signal handler in userspace.

	The issue can be reproduced with this test program:

	root@parisc:~# cat fpe.c

	static void fpe_func(int sig, siginfo_t i, void v) {
	sigset_t set;
	sigemptyset(&set);
	sigaddset(&set, SIGFPE);
	sigprocmask(SIG_UNBLOCK, &set, NULL);
	printf("GOT signal %d with si_code %ld\n", sig, i->si_code);
	}

	int main() {
	struct sigaction action = {
	.sa_sigaction = fpe_func,
	.sa_flags = SA_RESTART\|SA_SIGINFO };
	sigaction(SIGFPE, &action, 0);
	feenableexcept(FE_OVERFLOW);
	return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308);
	}

	root@parisc:~# gcc fpe.c -lm
	root@parisc:~# ./a.out
	Floating point exception

	root@parisc:~# strace -f ./a.out
	execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0
	getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
	...
	rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART\|SA_SIGINFO}, NULL, 8) = 0
	--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---
	--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---
	+++ killed by SIGFPE +++
	Floating point exception

	The Linux kernel CVE team has assigned CVE-2025-37991 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.294 with commit 2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6
	Fixed in 5.10.238 with commit 757ba4d17b868482837c566cfefca59e2296c608
	Fixed in 5.15.182 with commit ec4584495868bd465fe60a3f771915c0e7ce7951
	Fixed in 6.1.138 with commit 6c639af49e9e5615a8395981eaf5943fb40acd6f
	Fixed in 6.6.90 with commit 6a098c51d18ec99485668da44294565c43dbc106
	Fixed in 6.12.28 with commit cf21e890f56b7d0038ddaf25224e4f4c69ecd143
	Fixed in 6.14.6 with commit df3592e493d7f29bae4ffde9a9325de50ddf962e
	Fixed in 6.15 with commit de3629baf5a33af1919dec7136d643b0662e85ef

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37991
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/parisc/math-emu/driver.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6
	https://git.kernel.org/stable/c/757ba4d17b868482837c566cfefca59e2296c608
	https://git.kernel.org/stable/c/ec4584495868bd465fe60a3f771915c0e7ce7951
	https://git.kernel.org/stable/c/6c639af49e9e5615a8395981eaf5943fb40acd6f
	https://git.kernel.org/stable/c/6a098c51d18ec99485668da44294565c43dbc106
	https://git.kernel.org/stable/c/cf21e890f56b7d0038ddaf25224e4f4c69ecd143
	https://git.kernel.org/stable/c/df3592e493d7f29bae4ffde9a9325de50ddf962e
	https://git.kernel.org/stable/c/de3629baf5a33af1919dec7136d643b0662e85ef