CVE-2025-37991

Summary

In the Linux kernel, the following vulnerability has been resolved:

parisc: Fix double SIGFPE crash

Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately.

When the T bit is set, an assist exception trap occurs when when the co-processor encounters any floating-point instruction except for a double store of register %fr0. The latter cancels all pending traps. Let's fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace.

The issue can be reproduced with this test program:

root@parisc:~# cat fpe.c

static void fpe_func(int sig, siginfo_t *i, void *v) { sigset_t set; sigemptyset(&set); sigaddset(&set, SIGFPE); sigprocmask(SIG_UNBLOCK, &set, NULL); printf("GOT signal %d with si_code %ld\n", sig, i->si_code); }

int main() { struct sigaction action = { .sa_sigaction = fpe_func, .sa_flags = SA_RESTART|SA_SIGINFO }; sigaction(SIGFPE, &action, 0); feenableexcept(FE_OVERFLOW); return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308); }

root@parisc:# gcc fpe.c -lm root@parisc:# ./a.out Floating point exception

root@parisc:~# strace -f ./a.out execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars /) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=81921024, rlim_max=RLIM_INFINITY}) = 0 … rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0 — SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} — — SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} — +++ killed by SIGFPE +++ Floating point exception

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 757ba4d17b868482837c566cfefca59e2296c608affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ec4584495868bd465fe60a3f771915c0e7ce7951affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6c639af49e9e5615a8395981eaf5943fb40acd6faffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6a098c51d18ec99485668da44294565c43dbc106affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < cf21e890f56b7d0038ddaf25224e4f4c69ecd143affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < df3592e493d7f29bae4ffde9a9325de50ddf962eaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < de3629baf5a33af1919dec7136d643b0662e85efaffected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.4.294 <= 5.4.*unaffected
LinuxLinux5.10.238 <= 5.10.*unaffected
LinuxLinux5.15.182 <= 5.15.*unaffected
LinuxLinux6.1.138 <= 6.1.*unaffected
LinuxLinux6.6.90 <= 6.6.*unaffected
LinuxLinux6.12.28 <= 6.12.*unaffected
LinuxLinux6.14.6 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References