CVE-2025-37991 Information

May 21, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

parisc: Fix double SIGFPE crash

Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding we hit a floating-point store in fpe_func almost immediately.

When the T bit is set an assist exception trap occurs when when the co-processor encounters any floating-point instruction except for a double store of register %fr0. The latter cancels all pending traps. Let’s fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace.

The issue can be reproduced with this test program:

root@parisc:~ cat fpe.c

static void fpe_func(int sig siginfo_t i void v) sigset_t set; sigemptyset(&set); sigaddset(&set SIGFPE); sigprocmask(SIG_UNBLOCK &set NULL); printf(\GOT signal %d with si_code %ld\n\ sig i->si_code);

int main() struct sigaction action = .sa_sigaction = fpe_func .sa_flags = SA_RESTART|SA_SIGINFO ; sigaction(SIGFPE &action 0); feenableexcept(FE_OVERFLOW); return printf(%lf\n\1.7976931348623158E3081.7976931348623158E308);

root@parisc:~ gcc fpe.c -lm root@parisc:~ ./a.out Floating point exception

root@parisc:~ strace -f ./a.out execve(./a.out\ [./a.out] 0xf9ac7034 / 20 vars /) = 0 getrlimit(RLIMIT_STACK rlim_cur=81921024 rlim_max=RLIM_INFINITY) = 0 … rt_sigaction(SIGFPE sa_handler=0x1110a sa_mask=[] sa_flags=SA_RESTART|SA_SIGINFO NULL 8) = 0 — SIGFPE si_signo=SIGFPE si_code=FPE_FLTOVF si_addr=0x1078f — — SIGFPE si_signo=SIGFPE si_code=FPE_FLTOVF si_addr=0xf8f21237 — +++ killed by SIGFPE +++ Floating point exception

Reference

https://git.kernel.org/stable/c/6a098c51d18ec99485668da44294565c43dbc106 https://git.kernel.org/stable/c/6c639af49e9e5615a8395981eaf5943fb40acd6f https://git.kernel.org/stable/c/cf21e890f56b7d0038ddaf25224e4f4c69ecd143 https://git.kernel.org/stable/c/de3629baf5a33af1919dec7136d643b0662e85ef https://git.kernel.org/stable/c/df3592e493d7f29bae4ffde9a9325de50ddf962e https://git.kernel.org/stable/c/ec4584495868bd465fe60a3f771915c0e7ce7951

Share on: