Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's AMD KFD (Kernel Fusion Driver) has been addressed. The issue arose because the functions 'get_num_sdma_queues' and 'get_num_xgmi_sdma_queues' could return 0, leading to a shift operation in which the number of bits shifted was equal to the number of bits in the operand, which is undefined behavior in C. The vulnerability has been fixed by setting 'num_sdma_queues' or 'num_xgmi_sdma_queues' to 'ULLONG_MAX' if the count was greater than or equal to the number of bits in the operand.
Exploitation of this vulnerability could lead to undefined behavior in the kernel, potentially causing a shift-out-of-bounds error, which could be exploited to manipulate memory or cause other unintended effects.
The vulnerability can be reproduced by invoking the 'get_num_sdma_queues' or 'get_num_xgmi_sdma_queues' functions in the AMD KFD driver when they return 0. This can be done by creating a scenario where the functions do not detect any available queues, such as using a GPU that is not fully initialized or supported.
Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix is '50e2fc36e72d4ad672032ebf646cecb48656efe0', which is available in the Linux kernel stable tree.
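The class of bug described above, shown as an added example that is not the kernel's code or the patch itself: a queue-count-to-bitmap helper whose shift count reaches the operand width, next to a guarded form. The expression `~0ULL >> (width - n)`, the function names, and the choice to return an empty bitmap for zero queues are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Width of the shifted operand in bits (64 on common platforms). */
#define ULL_BITS (sizeof(unsigned long long) * CHAR_BIT)

/* A shift is defined in C only when the count is below the operand width. */
static int shift_is_defined(unsigned int count)
{
    return count < ULL_BITS;
}

/* Unguarded form (assumed shape of the bug): for n == 0 the shift count
 * equals ULL_BITS, which is undefined behavior. Never call it with n == 0
 * or n > ULL_BITS. */
static unsigned long long queue_bitmap_unguarded(unsigned int n)
{
    return ~0ULL >> (ULL_BITS - n);
}

/* Guarded form: one bit per queue, every shift count validated first. */
static unsigned long long queue_bitmap_guarded(unsigned int n)
{
    if (n == 0)
        return 0ULL;         /* example's choice: no queues, empty bitmap */
    if (!shift_is_defined(n))
        return ULLONG_MAX;   /* count >= width: saturate instead of shifting */
    return (1ULL << n) - 1;  /* 1 <= n < width: well-defined */
}

/* Returns 1 if both forms agree for every n where the unguarded one is defined. */
static int forms_agree(void)
{
    for (unsigned int n = 1; n <= ULL_BITS; n++)
        if (queue_bitmap_unguarded(n) != queue_bitmap_guarded(n))
            return 0;
    return 1;
}

int main(void)
{
    unsigned int samples[] = { 0, 2, 8, 64, 100 };  /* constructed inputs */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("n=%3u -> %#018llx\n", samples[i], queue_bitmap_guarded(samples[i]));
    printf("forms agree on 1..%zu: %d\n", (size_t)ULL_BITS, forms_agree());
    return 0;
}
```

Compiling with `-fsanitize=undefined` makes the unguarded form report the out-of-range shift at run time if it is ever reached with a count of 0.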