Wind River Support Network

Acknowledged

LIN1022-16297 : Security Advisory - linux - CVE-2025-38100

Created: Jul 3, 2025    Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/iopl: Cure TIF_IO_BITMAP inconsistencies

io_bitmap_exit() is invoked from exit_thread() when a task exits or when a fork fails. In the latter case exit_thread() cleans up resources which were allocated during fork().

io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference.

There are two issues which lead to that problem:

  1) io_bitmap_exit() should not invoke task_update_io_bitmap() when the task which is cleaned up is not the current task. That is a clear indicator for a cleanup after a failed fork().

  2) A task should not have TIF_IO_BITMAP set with neither a bitmap installed nor IOPL emulation level 3 activated.

     This happens when a kernel thread is created in the context of a user space thread which has TIF_IO_BITMAP set: the thread flags are copied and the IO bitmap pointer is cleared.

     Other than in the failed fork() case this has no impact, because kernel threads including IO workers never return to user space and therefore never invoke tss_update_io_bitmap().

Cure this by adding the missing cleanups and checks:

  1) Prevent io_bitmap_exit() from invoking task_update_io_bitmap() if the task to be cleaned up is not the current task.

  2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user space forks it is set later, when the IO bitmap is inherited in io_bitmap_share().

For paranoia's sake, add a warning to tss_update_io_bitmap() to catch the case when that code is invoked with inconsistent state.
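The following is an added user-space model of the state the fix keeps consistent, not kernel source and not Wind River's code: it pairs the TIF_IO_BITMAP thread flag with the installed io_bitmap pointer and walks the three paths named in the description (failed-fork cleanup of a non-current task, copy_thread() for a kernel thread, and the paranoia warning). Function and field names mirror the commit message; the struct layout, the global `current`, and the `warnings` counter standing in for WARN_ON_ONCE() are simplifications assumed for the illustration.

```c
/* Added model (not kernel source) of the TIF_IO_BITMAP / io_bitmap state
 * handled by the CVE-2025-38100 fix. Names mirror the commit message; the
 * structs and bodies are simplified stand-ins for the x86 implementation. */
#include <stdbool.h>
#include <stddef.h>

#define TIF_IO_BITMAP 0x1u

struct io_bitmap { unsigned long bits[1]; };

struct task {
    unsigned flags;               /* thread flags, may carry TIF_IO_BITMAP */
    struct io_bitmap *io_bitmap;  /* installed bitmap, or NULL */
};

static struct task *current;      /* task running on this CPU (model) */
static int warnings;              /* counts the WARN_ON-style check firing */

/* Runs on the current task only. Before the fix, TIF_IO_BITMAP set with
 * no bitmap installed meant a NULL dereference here; the fix adds a
 * warning for that inconsistent state instead. */
static bool tss_update_io_bitmap(void)
{
    if (current->flags & TIF_IO_BITMAP) {
        if (!current->io_bitmap) {
            warnings++;           /* kernel: WARN_ON_ONCE(); model: count it */
            return false;         /* pre-fix: current->io_bitmap->bits[0] crashed */
        }
        /* copy current->io_bitmap->bits into the TSS (elided in the model) */
    }
    return true;
}

static bool task_update_io_bitmap(void)
{
    return tss_update_io_bitmap();
}

/* Fix 1: exit_thread() cleanup for a task that is not current (a failed
 * fork) must not touch the TSS of the task that is actually running. */
static bool io_bitmap_exit(struct task *t)
{
    t->io_bitmap = NULL;          /* drop the bitmap reference */
    if (t != current)
        return true;              /* cleaning up a failed fork: done */
    return task_update_io_bitmap();
}

/* Fix 2: copy_thread() clears TIF_IO_BITMAP unconditionally. A user-space
 * fork sets it again in io_bitmap_share() when it inherits the bitmap;
 * a kernel thread keeps the flag clear, matching its NULL bitmap. */
static void copy_thread(struct task *child, const struct task *parent, bool kthread)
{
    child->flags = parent->flags & ~TIF_IO_BITMAP;
    child->io_bitmap = NULL;
    if (!kthread && parent->io_bitmap) {
        child->io_bitmap = parent->io_bitmap;   /* io_bitmap_share(): refcounted in the kernel */
        child->flags |= TIF_IO_BITMAP;
    }
}

/* Issue 2 after the fix: a kernel thread created from a user task with an
 * IO bitmap must not inherit TIF_IO_BITMAP. Returns the child's flag bit. */
static unsigned kthread_flags_after_copy(void)
{
    struct io_bitmap bm = { { 0xffUL } };
    struct task user = { TIF_IO_BITMAP, &bm }, kthread;
    copy_thread(&kthread, &user, true);
    return kthread.flags & TIF_IO_BITMAP;       /* 0 */
}

/* A user-space fork from the same parent still inherits the bitmap and
 * the flag together, so the pair stays consistent. Returns the flag bit. */
static unsigned user_fork_flags_after_copy(void)
{
    struct io_bitmap bm = { { 0xffUL } };
    struct task user = { TIF_IO_BITMAP, &bm }, child;
    copy_thread(&child, &user, false);
    return child.flags & TIF_IO_BITMAP;         /* TIF_IO_BITMAP */
}

/* Issue 1 after the fix: a failed fork is cleaned up while current is a
 * task in the inconsistent pre-fix state (flag set, no bitmap). Returns
 * the number of warnings raised; the TSS path must not be entered. */
static int failed_fork_cleanup_warnings(void)
{
    struct task worker = { TIF_IO_BITMAP, NULL }, child;
    current = &worker;
    copy_thread(&child, &worker, false);
    warnings = 0;
    io_bitmap_exit(&child);                     /* child != current: no TSS update */
    return warnings;                            /* 0 */
}

/* The paranoia check: if inconsistent state ever reaches
 * tss_update_io_bitmap() on the current task, it warns rather than
 * dereferencing NULL. Returns the number of warnings raised. */
static int inconsistent_state_warnings(void)
{
    struct task worker = { TIF_IO_BITMAP, NULL };
    current = &worker;
    warnings = 0;
    tss_update_io_bitmap();
    return warnings;                            /* 1 */
}
```

The model keeps both fixes because either alone closes the crash path in the description: fix 1 stops the failed-fork cleanup from reaching the TSS code, and fix 2 stops kernel threads from ever being in the flag-set, bitmap-NULL state that made that code crash. The warning is the detection hook a defender would want if a future change reintroduces the inconsistency.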

CREATE(Triage):(User=lchen-cn) CVE-2025-38100 (https://nvd.nist.gov/vuln/detail/CVE-2025-38100)