CVE - CVE-2025-38100

CVE-ID
CVE-2025-38100	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference. There are two issues, which lead to that problem: 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when the task, which is cleaned up, is not the current task. That's a clear indicator for a cleanup after a failed fork(). 2) A task should not have TIF_IO_BITMAP set and neither a bitmap installed nor IOPL emulation level 3 activated. This happens when a kernel thread is created in the context of a user space thread, which has TIF_IO_BITMAP set as the thread flags are copied and the IO bitmap pointer is cleared. Other than in the failed fork() case this has no impact because kernel threads including IO workers never return to user space and therefore never invoke tss_update_io_bitmap(). Cure this by adding the missing cleanups and checks: 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if the to be cleaned up task is not the current task. 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user space forks it is set later, when the IO bitmap is inherited in io_bitmap_share(). For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/2cfcbe1554c119402e7382de974c26b0549899fe URL:https://git.kernel.org/stable/c/2cfcbe1554c119402e7382de974c26b0549899fe MISC:https://git.kernel.org/stable/c/2dace5e016c991424a3dc6e83b1ae5dca8992d08 URL:https://git.kernel.org/stable/c/2dace5e016c991424a3dc6e83b1ae5dca8992d08 MISC:https://git.kernel.org/stable/c/73cfcc8445585b8af7e18be3c9246b851fdf336c URL:https://git.kernel.org/stable/c/73cfcc8445585b8af7e18be3c9246b851fdf336c MISC:https://git.kernel.org/stable/c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d URL:https://git.kernel.org/stable/c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d MISC:https://git.kernel.org/stable/c/aa5ce1485562f20235b4c759eee5ab0c41d2c220 URL:https://git.kernel.org/stable/c/aa5ce1485562f20235b4c759eee5ab0c41d2c220 MISC:https://git.kernel.org/stable/c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c URL:https://git.kernel.org/stable/c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c MISC:https://git.kernel.org/stable/c/d64b7b05a827f98d068f412969eef65489b0cf03 URL:https://git.kernel.org/stable/c/d64b7b05a827f98d068f412969eef65489b0cf03
Assigning CNA
kernel.org
Date Record Created
20250416	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20250416)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)