Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's AMDGPU driver, specifically within the user queue suspension function. This issue arises when a delayed work item, related to suspending user queues, is still pending or executing while the resources it needs are being freed during the removal of a PCI device or the closing of a file. The vulnerability was detected in Linux kernel version 6.14.0, on an ASUS ROG STRIX B550-F GAMING (WI-FI) motherboard.
Exploitation of this vulnerability leads to a use-after-free condition, where memory that has already been freed is accessed, potentially allowing for arbitrary code execution or causing a kernel crash.
The vulnerability can be reproduced by loading the AMDGPU driver as a kernel module, which will trigger the 'amdgpu_pci_probe' function. This process involves the driver being initialized and registered with the PCI subsystem. Once the driver is active, the vulnerability can be triggered by removing the PCI device while a delayed work item related to suspending user queues is still pending. This can be done by manually unloading the AMDGPU module or by removing the PCI device through the sysfs interface, which will initiate the 'amdgpu_pci_remove' function. The removal process frees certain resources, but a delayed work item that has not yet started remains queued; when it later runs, it accesses the freed memory, causing the use-after-free condition.
Users can update to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit that addresses this issue is '96f663ae897b3e6ac17ced1d9b9c2ae9f165ad9a', which is available in the Linux kernel stable tree.
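The lifetime problem described above, as an added user-space model (not kernel code and not taken from the fix commit): a pending delayed work item runs after teardown unless it is cancelled first. All names here are hypothetical; `cancel_sync` stands in for the kernel's `cancel_delayed_work_sync()`, the usual idiom for this bug class.

```c
/* User-space model (constructed) of a delayed work item that outlives
 * the object it operates on. Names are illustrative, not the driver's. */
#include <stdbool.h>

struct queue_mgr {            /* stands in for the user queue state */
    bool freed;               /* set instead of free(), so the model has no real UB */
    int  stale_accesses;      /* handler runs that happened after teardown */
    int  suspends;            /* handler runs on a live object */
};

struct delayed_work {         /* minimal stand-in for the kernel's delayed work */
    bool pending;
    unsigned long expires;    /* tick at which the handler becomes runnable */
    struct queue_mgr *mgr;
};

static void suspend_handler(struct delayed_work *w)
{
    if (w->mgr->freed)
        w->mgr->stale_accesses++;   /* in the kernel this is the use-after-free */
    else
        w->mgr->suspends++;
}

static void schedule_delayed(struct delayed_work *w, unsigned long now, unsigned long delay)
{ w->pending = true; w->expires = now + delay; }

/* Timer tick: run the handler once its delay has elapsed. */
static void run_timers(struct delayed_work *w, unsigned long now)
{
    if (w->pending && now >= w->expires) { w->pending = false; suspend_handler(w); }
}

/* Models cancel_delayed_work_sync(): once it returns the handler cannot run.
 * The kernel call also waits for a handler that is already executing. */
static void cancel_sync(struct delayed_work *w) { w->pending = false; }

/* Teardown (device removal or file close); returns stale accesses seen. */
static int teardown(bool cancel_first)
{
    struct queue_mgr mgr = {0};
    struct delayed_work w = { .mgr = &mgr };

    schedule_delayed(&w, 0, 10);     /* suspend work queued, not yet due */
    if (cancel_first)
        cancel_sync(&w);             /* hardened ordering: stop the work, then free */
    mgr.freed = true;                /* resources released before the timer fires */
    run_timers(&w, 10);              /* delay elapses after the release */
    return mgr.stale_accesses;
}

int main(void) { return (teardown(false) == 1 && teardown(true) == 0) ? 0 : 1; }
```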