We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-37991

parisc: Fix double SIGFPE crash



Description

In the Linux kernel, the following vulnerability has been resolved: parisc: Fix double SIGFPE crash Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately. When the T bit is set, an assist exception trap occurs when when the co-processor encounters *any* floating-point instruction except for a double store of register %fr0. The latter cancels all pending traps. Let's fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace. The issue can be reproduced with this test program: root@parisc:~# cat fpe.c static void fpe_func(int sig, siginfo_t *i, void *v) { sigset_t set; sigemptyset(&set); sigaddset(&set, SIGFPE); sigprocmask(SIG_UNBLOCK, &set, NULL); printf("GOT signal %d with si_code %ld\n", sig, i->si_code); } int main() { struct sigaction action = { .sa_sigaction = fpe_func, .sa_flags = SA_RESTART|SA_SIGINFO }; sigaction(SIGFPE, &action, 0); feenableexcept(FE_OVERFLOW); return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308); } root@parisc:~# gcc fpe.c -lm root@parisc:~# ./a.out Floating point exception root@parisc:~# strace -f ./a.out execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0 ... rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0 --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} --- --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} --- +++ killed by SIGFPE +++ Floating point exception

Reserved 2025-04-16 | Published 2025-05-20 | Updated 2025-05-26 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before ec4584495868bd465fe60a3f771915c0e7ce7951
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 6c639af49e9e5615a8395981eaf5943fb40acd6f
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 6a098c51d18ec99485668da44294565c43dbc106
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before cf21e890f56b7d0038ddaf25224e4f4c69ecd143
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before df3592e493d7f29bae4ffde9a9325de50ddf962e
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before de3629baf5a33af1919dec7136d643b0662e85ef
affected

Default status
affected

5.15.182
unaffected

6.1.138
unaffected

6.6.90
unaffected

6.12.28
unaffected

6.14.6
unaffected

6.15
unaffected

References

git.kernel.org/...c/ec4584495868bd465fe60a3f771915c0e7ce7951

git.kernel.org/...c/6c639af49e9e5615a8395981eaf5943fb40acd6f

git.kernel.org/...c/6a098c51d18ec99485668da44294565c43dbc106

git.kernel.org/...c/cf21e890f56b7d0038ddaf25224e4f4c69ecd143

git.kernel.org/...c/df3592e493d7f29bae4ffde9a9325de50ddf962e

git.kernel.org/...c/de3629baf5a33af1919dec7136d643b0662e85ef

cve.org (CVE-2025-37991)

nvd.nist.gov (CVE-2025-37991)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-37991

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.