Linux Kernel HID AMD SFH Shift-Out-Of-Bounds Vulnerability

A shift-out-of-bounds vulnerability has been identified in the Linux kernel's HID AMD SFH driver. This issue arises because the shift operation of the 'exp' and 'shift' variables exceeds the maximum allowable shift values in the u32 range, leading to undefined behavior. The vulnerability was detected in the AMD Birman-PHX hardware, specifically within the AMD SFH HID driver version 6.4.0amd_1-next-20230519-dirty.

Impact

Exploitation of this vulnerability causes a shift-out-of-bounds error, which can lead to undefined behavior in the kernel.

Reproduction

The vulnerability can be reproduced by triggering the AMD SFH HID driver to process input that causes the 'exp' variable to exceed its maximum shift limit. This can be done by sending a HID report that includes a shift exponent larger than 63, which is the maximum valid shift value for a 64-bit type.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit that addresses this issue is available in the Linux kernel stable tree.