x86/iopl: Cure TIF_IO_BITMAP inconsistencies

Summary

CVE	CVE-2025-38100
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2025-07-03 09:15:23 UTC
Updated	2026-05-12 13:16:42 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference. There are two issues, which lead to that problem: 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when the task, which is cleaned up, is not the current task. That's a clear indicator for a cleanup after a failed fork(). 2) A task should not have TIF_IO_BITMAP set and neither a bitmap installed nor IOPL emulation level 3 activated. This happens when a kernel thread is created in the context of a user space thread, which has TIF_IO_BITMAP set as the thread flags are copied and the IO bitmap pointer is cleared. Other than in the failed fork() case this has no impact because kernel threads including IO workers never return to user space and therefore never invoke tss_update_io_bitmap(). Cure this by adding the missing cleanups and checks: 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if the to be cleaned up task is not the current task. 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user space forks it is set later, when the IO bitmap is inherited in io_bitmap_share(). For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state.

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-476

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected ea5f1cd7ab494f65f50f338299eabb40ad6a1767 d64b7b05a827f98d068f412969eef65489b0cf03 git	Not specified
CNA	Linux	Linux	affected ea5f1cd7ab494f65f50f338299eabb40ad6a1767 2dace5e016c991424a3dc6e83b1ae5dca8992d08 git	Not specified
CNA	Linux	Linux	affected ea5f1cd7ab494f65f50f338299eabb40ad6a1767 aa5ce1485562f20235b4c759eee5ab0c41d2c220 git	Not specified
CNA	Linux	Linux	affected ea5f1cd7ab494f65f50f338299eabb40ad6a1767 2cfcbe1554c119402e7382de974c26b0549899fe git	Not specified
CNA	Linux	Linux	affected ea5f1cd7ab494f65f50f338299eabb40ad6a1767 b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c git	Not specified
CNA	Linux	Linux	affected ea5f1cd7ab494f65f50f338299eabb40ad6a1767 73cfcc8445585b8af7e18be3c9246b851fdf336c git	Not specified
CNA	Linux	Linux	affected ea5f1cd7ab494f65f50f338299eabb40ad6a1767 8b68e978718f14fdcb080c2a7791c52a0d09bc6d git	Not specified
CNA	Linux	Linux	affected 5.5	Not specified
CNA	Linux	Linux	unaffected 5.5 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.239 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.186 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.142 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.94 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.34 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.15.3 6.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.16 * original_commit_for_fix	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/aa5ce1485562f20235b4c759eee5ab0c41d2c220	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/d64b7b05a827f98d068f412969eef65489b0cf03	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2025/10/msg00008.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Mailing List, Third Party Advisory
cert-portal.siemens.com/productcert/html/ssa-082556.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/2cfcbe1554c119402e7382de974c26b0549899fe	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/2dace5e016c991424a3dc6e83b1ae5dca8992d08	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/73cfcc8445585b8af7e18be3c9246b851fdf336c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2025/10/msg00007.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Mailing List, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.