Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's handling of AMD KFD (Kernel Fusion Driver) events that allows unprivileged userspace to escalate privileges. The issue is in the 'kfd_event_page_set()' function, which uses 'memset' to write a fixed amount of data (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) to a buffer without first validating the buffer's size, so the write can exceed the allocated bounds. By providing a smaller buffer, an attacker could potentially manipulate kernel memory, leading to unauthorized privilege escalation.
Exploitation of this vulnerability could result in unauthorized privilege escalation, allowing a user to gain elevated rights or access within the system.
The vulnerability can be reproduced by invoking the 'kfd_event_page_set()' function with a buffer that is smaller than the required size of KFD_SIGNAL_EVENT_LIMIT * 8 bytes. This can be done from unprivileged userspace, where the lack of buffer size validation allows for an out-of-bounds write to occur, manipulating kernel memory and potentially escalating privileges.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.
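The missing size check described above, modelled in user space as an added example (not the kernel's code or its patch). The function names, the limit value 4096 and the fill byte are assumptions, and the undersized buffer is carved from a full-size arena so the unchecked write stays inside memory the program owns.

```c
/* User-space model of the missing size check; not kernel code. Names and values are assumed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EVENT_PAGE_BYTES ((size_t)4096 * 8) /* models KFD_SIGNAL_EVENT_LIMIT * 8; 4096 is assumed */
#define FILL_BYTE   0xFF  /* assumed fill value */
#define CANARY_BYTE 0xAA  /* marks memory the caller did not offer */

/* Shape described in the advisory: fixed-length memset, size ignored. */
int event_page_set_unchecked(void *buf, size_t size)
{
    (void)size;
    memset(buf, FILL_BYTE, EVENT_PAGE_BYTES);
    return 0;
}

/* Hardened shape: refuse any buffer shorter than the fixed write. */
int event_page_set_checked(void *buf, size_t size)
{
    if (buf == NULL || size < EVENT_PAGE_BYTES) return -EINVAL;
    memset(buf, FILL_BYTE, EVENT_PAGE_BYTES);
    return 0;
}

/* Hand `set` a buffer claimed to be `claimed` bytes, carved from a full-size
 * canary arena so the demo stays in bounds; count bytes hit past the claim. */
size_t bytes_clobbered(int (*set)(void *, size_t), size_t claimed, int *rc)
{
    size_t i, hit = 0;
    unsigned char *arena = malloc(EVENT_PAGE_BYTES);
    if (arena == NULL) { *rc = -ENOMEM; return 0; }
    memset(arena, CANARY_BYTE, EVENT_PAGE_BYTES);
    *rc = set(arena, claimed);
    for (i = claimed; i < EVENT_PAGE_BYTES; i++) hit += (arena[i] != CANARY_BYTE);
    free(arena);
    return hit;
}

int main(void)
{
    int rc;
    size_t n = bytes_clobbered(event_page_set_unchecked, 4096, &rc);
    printf("unchecked: rc=%d, %zu bytes written past the claimed size\n", rc, n);
    n = bytes_clobbered(event_page_set_checked, 4096, &rc);
    printf("checked:   rc=%d, %zu bytes written past the claimed size\n", rc, n);
    return 0;
}
```

In the model, the unchecked setter reports success while overwriting everything after the 4096 bytes the caller offered; the checked setter returns -EINVAL and leaves the canary intact.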