Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's AMD GPU driver allows for potential corruption of the kernel's doorbell space. The issue arises in the user queue creation process, where the function 'amdgpu_userq_get_doorbell_index' accepts a user-defined 'doorbell_offset' without proper bounds checking. This lack of validation can lead to the calculated doorbell index exceeding the limits of the allocated doorbell buffer object, causing unintended interference with the kernel's doorbell management. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability could lead to unauthorized modification of the kernel's doorbell space, potentially causing instability or unexpected behavior in the system's graphics processing.
To reproduce this vulnerability, create a user queue in the AMD GPU driver while specifying a 'doorbell_offset' that exceeds the bounds of the allocated doorbell buffer object. The 'amdgpu_userq_get_doorbell_index' function will process the offset without validation, allowing the doorbell index to fall outside the allocated range and corrupt the kernel's doorbell space.
The vulnerability has been addressed by adding validation to ensure that the 'doorbell_offset' is within the bounds of the allocated doorbell buffer object before calculating the corresponding index. Users should update to the latest version of the Linux kernel where this fix has been applied.
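The missing check and the validation described above, modelled in user-space C as an added illustration; this is not the kernel's code. The struct, the function names other than the one named on the page, the slot size and the sample values are all assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a per-process doorbell buffer object (BO). */
struct doorbell_bo {
    uint64_t size_bytes;   /* bytes allocated to this doorbell BO */
    uint64_t first_index;  /* BO's first slot in the global doorbell space */
};

/* Behaviour before the fix, as described: the user offset is trusted. */
static uint64_t doorbell_index_unchecked(const struct doorbell_bo *bo,
                                         uint32_t doorbell_offset)
{
    return bo->first_index + doorbell_offset;
}

/* Behaviour after the fix: the whole slot must lie inside the BO. */
static int doorbell_index_checked(const struct doorbell_bo *bo,
                                  uint32_t doorbell_offset,
                                  uint32_t slot_bytes, uint64_t *index_out)
{
    if (slot_bytes == 0 || bo->size_bytes < slot_bytes)
        return -EINVAL;
    /* Division form: offset * slot_bytes is never computed, so no overflow. */
    if (doorbell_offset > (bo->size_bytes - slot_bytes) / slot_bytes)
        return -EINVAL;
    *index_out = bo->first_index + doorbell_offset;
    return 0;
}

int main(void)
{
    /* Constructed sample: one 4 KiB BO with 8-byte slots, so 512 slots. */
    struct doorbell_bo bo = { .size_bytes = 4096, .first_index = 1024 };
    uint32_t offsets[] = { 0, 511, 512, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        uint64_t idx = 0;
        int r = doorbell_index_checked(&bo, offsets[i], 8, &idx);
        printf("offset %u: unchecked index %llu, checked %s\n", offsets[i],
               (unsigned long long)doorbell_index_unchecked(&bo, offsets[i]),
               r == 0 ? "accepted" : "rejected (-EINVAL)");
    }
    return 0;
}
```

In this model the BO owns indices 1024 through 1535, so any index the unchecked path returns beyond that range belongs to some other owner of the doorbell space.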