Linux Kernel AMDGPU Driver Null Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's AMDGPU driver can lead to a null pointer dereference. The issue arises when the CPU updates the page tables, leaving the VM update fences unused. The vulnerability is present in the Linux kernel stable tree. The root cause is that the fence pointers are not properly initialized, so a null pointer can be dereferenced when 'dma_fence_wait()' is called. The vulnerability can be exploited by manipulating the VM's page table update process so that the null pointer is dereferenced, potentially leading to a crash or undefined behavior.

Impact

Exploitation of this vulnerability causes a null pointer dereference, which can lead to a system crash or instability.

Reproduction

The vulnerability can be reproduced by adding a buffer object virtual address (BO VA) to a virtual machine (VM) context with the 'amdgpu_vm_bo_add' function while the VM is configured to use the CPU for page table updates. The 'last_update' fence pointer is then left null, so a null dereference occurs when 'dma_fence_wait()' is called on it. This can be automated with a script that interacts with the AMDGPU driver and manages VM contexts and page table updates.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Sep 15, 2025, 4:12 PM
Updated: Sep 15, 2025, 4:12 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.