Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of SIGFPE exceptions on the parisc architecture can lead to a double SIGFPE crash. The issue arises because glibc uses a double-word floating-point store to atomically update function descriptors. Due to lazy binding, a floating-point store is encountered in the signal handler almost immediately after a SIGFPE is raised. When the Trap bit is set, any floating-point instruction causes an assist exception trap, except for a double store of register %fr0, which cancels pending traps. The vulnerability can be reproduced by creating a program that intentionally triggers a floating-point exception, causing the application to crash with a second SIGFPE in the signal handler.
The vulnerability causes applications to crash due to unhandled SIGFPE exceptions, disrupting normal operation and potentially leading to denial of service.
The vulnerability can be reproduced by compiling and running a program that enables floating-point exceptions, installs a SIGFPE signal handler to catch and report the exception, and then triggers a floating-point overflow. The program receives a SIGFPE signal, and it then crashes when a second SIGFPE is raised in the signal handler.