Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's AMDGPU driver for SDMA version 4.0 allows unprivileged users to cause a fatal kernel panic. This issue arises from two BUG_ON assertions in the fence emission function, which verify that fence writeback addresses are properly aligned. These assertions can be triggered by crafted DRM_IOCTL_AMDGPU_CS submissions from userspace, leading to a crash in a scheduler worker thread. The vulnerability has been addressed by replacing the BUG_ON calls with WARN_ON, allowing the kernel to log the misalignment issue without crashing. The alignment check failure indicates a driver bug, but the previous response of terminating the kernel was inappropriate, especially when the assertion could be reached from userspace.
Exploitation of this vulnerability causes a kernel panic, disrupting all processes and operations on the system.
The vulnerability can be reproduced by sending crafted DRM_IOCTL_AMDGPU_CS submissions from unprivileged userspace. These submissions can be designed to include misaligned fence writeback addresses, which will trigger the BUG_ON assertions in the kernel's AMDGPU driver. When the assertions are reached, the kernel will panic, causing a crash that can be observed as a disruption in system operations.
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched kernel can be found on the official Linux kernel website.
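An added example (not from this advisory or the kernel project): a host check that reports whether amdgpu is loaded, which accounts can open the DRM device nodes, and whether `kernel.panic_on_warn` is set, because with that sysctl enabled the replacement WARN_ON still panics the machine. The `ROOT` argument and the function names are assumptions of this example; it does not determine the SDMA version or whether the running kernel carries the fix.

```shell
#!/bin/sh
# Added example, not vendor code. ROOT is a hypothetical parameter: empty
# inspects the live host, a directory path inspects a constructed tree.

# Succeeds when the amdgpu module is loaded (it then appears in sysfs).
amdgpu_loaded() {
    [ -d "$1/sys/module/amdgpu" ]
}

# Prints kernel.panic_on_warn; an unreadable file is treated as 0.
panic_on_warn() {
    cat "$1/proc/sys/kernel/panic_on_warn" 2>/dev/null || echo 0
}

# Prints "MODE GROUP PATH" for every DRM node, showing who may submit ioctls.
drm_nodes() {
    for node in "$1"/dev/dri/card* "$1"/dev/dri/renderD*; do
        [ -e "$node" ] || continue
        stat -c '%a %G %n' "$node"
    done
}

# Classifies what a reachable WARN_ON would do on this host:
#   not-applicable  amdgpu is not loaded
#   warn-is-fatal   panic_on_warn is set, so a WARN_ON still panics
#   warn-is-logged  a WARN_ON only writes a trace to the kernel log
assess() {
    amdgpu_loaded "$1" || { echo not-applicable; return 0; }
    if [ "$(panic_on_warn "$1")" != 0 ]; then
        echo warn-is-fatal
    else
        echo warn-is-logged
    fi
}

# Report for the live system, or for the tree given as the first argument.
assess "${1:-}"
drm_nodes "${1:-}"
```

On hosts that report `warn-is-fatal`, updating the kernel alone does not remove the crash path until `panic_on_warn` is reviewed or access to the listed DRM nodes is restricted.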