We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-38100

x86/iopl: Cure TIF_IO_BITMAP inconsistencies



Description

In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference. There are two issues, which lead to that problem: 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when the task, which is cleaned up, is not the current task. That's a clear indicator for a cleanup after a failed fork(). 2) A task should not have TIF_IO_BITMAP set and neither a bitmap installed nor IOPL emulation level 3 activated. This happens when a kernel thread is created in the context of a user space thread, which has TIF_IO_BITMAP set as the thread flags are copied and the IO bitmap pointer is cleared. Other than in the failed fork() case this has no impact because kernel threads including IO workers never return to user space and therefore never invoke tss_update_io_bitmap(). Cure this by adding the missing cleanups and checks: 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if the to be cleaned up task is not the current task. 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user space forks it is set later, when the IO bitmap is inherited in io_bitmap_share(). For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.

Reserved 2025-04-16 | Published 2025-07-03 | Updated 2025-07-03 | Assigner Linux

Product status

Default status
unaffected

ea5f1cd7ab494f65f50f338299eabb40ad6a1767 before d64b7b05a827f98d068f412969eef65489b0cf03
affected

ea5f1cd7ab494f65f50f338299eabb40ad6a1767 before 2dace5e016c991424a3dc6e83b1ae5dca8992d08
affected

ea5f1cd7ab494f65f50f338299eabb40ad6a1767 before aa5ce1485562f20235b4c759eee5ab0c41d2c220
affected

ea5f1cd7ab494f65f50f338299eabb40ad6a1767 before 2cfcbe1554c119402e7382de974c26b0549899fe
affected

ea5f1cd7ab494f65f50f338299eabb40ad6a1767 before b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c
affected

ea5f1cd7ab494f65f50f338299eabb40ad6a1767 before 73cfcc8445585b8af7e18be3c9246b851fdf336c
affected

ea5f1cd7ab494f65f50f338299eabb40ad6a1767 before 8b68e978718f14fdcb080c2a7791c52a0d09bc6d
affected

Default status
affected

5.5
affected

Any version before 5.5
unaffected

5.10.239
unaffected

5.15.186
unaffected

6.1.142
unaffected

6.6.94
unaffected

6.12.34
unaffected

6.15.3
unaffected

6.16-rc1
unaffected

References

git.kernel.org/...c/d64b7b05a827f98d068f412969eef65489b0cf03

git.kernel.org/...c/2dace5e016c991424a3dc6e83b1ae5dca8992d08

git.kernel.org/...c/aa5ce1485562f20235b4c759eee5ab0c41d2c220

git.kernel.org/...c/2cfcbe1554c119402e7382de974c26b0549899fe

git.kernel.org/...c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c

git.kernel.org/...c/73cfcc8445585b8af7e18be3c9246b851fdf336c

git.kernel.org/...c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d

cve.org (CVE-2025-38100)

nvd.nist.gov (CVE-2025-38100)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-38100

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.