cve/2025/CVE-2025-37991.md
2025-09-29 21:09:30 +02:00

CVE-2025-37991

Description

In the Linux kernel, the following vulnerability has been resolved:

parisc: Fix double SIGFPE crash

Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately.

When the T bit is set, an assist exception trap occurs when the co-processor encounters any floating-point instruction except for a double store of register %fr0. The latter cancels all pending traps. Let's fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace.

The issue can be reproduced with this test program (fpe.c; the headers and the si_code format specifier were added so it compiles cleanly, the triggering behaviour is unchanged):

```c
#define _GNU_SOURCE          /* feenableexcept() is a GNU extension */
#include <fenv.h>
#include <signal.h>
#include <stdio.h>

/* SIGFPE handler: unblocks SIGFPE so a further trap is delivered rather than
 * held pending, then calls printf(), which is resolved through a lazily
 * bound function descriptor (glibc updates it with a floating-point store). */
static void fpe_func(int sig, siginfo_t *i, void *v)
{
	sigset_t set;
	(void)v;
	sigemptyset(&set);
	sigaddset(&set, SIGFPE);
	sigprocmask(SIG_UNBLOCK, &set, NULL);
	printf("GOT signal %d with si_code %d\n", sig, i->si_code);
}

int main(void)
{
	struct sigaction action = {
		.sa_sigaction = fpe_func,
		.sa_flags = SA_RESTART|SA_SIGINFO };
	sigaction(SIGFPE, &action, 0);
	/* Trap on floating-point overflow instead of silently producing Inf. */
	feenableexcept(FE_OVERFLOW);
	/* DBL_MAX * DBL_MAX overflows and raises the first SIGFPE. */
	return printf("%lf\n", 1.7976931348623158E308*1.7976931348623158E308);
}
```

```
root@parisc:~# gcc fpe.c -lm
root@parisc:~# ./a.out
 Floating point exception

root@parisc:~# strace -f ./a.out
execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
...
rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---
+++ killed by SIGFPE +++
 Floating point exception
```

POC

Reference

No PoCs from references.

Github