[Public]

> -----Original Message-----
> From: Clement, Sunday <[email protected]>
> Sent: Monday, February 2, 2026 1:26 PM
> To: [email protected]; Deucher, Alexander
> <[email protected]>
> Cc: Kuehling, Felix <[email protected]>; Clement, Sunday
> <[email protected]>
> Subject: [PATCH] drm/amdkfd: Fix out-of-bounds write in
> kfd_event_page_set()
>
> The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8
> bytes via memset without checking the buffer size parameter. This allows
> unprivileged userspace to trigger an out-of-bounds kernel memory write by
> passing a small buffer, leading to potential privilege escalation.
>
> Signed-off-by: Sunday Clement <[email protected]>
Reviewed-by: Alex Deucher <[email protected]> > --- > drivers/gpu/drm/amd/amdkfd/kfd_events.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c > b/drivers/gpu/drm/amd/amdkfd/kfd_events.c > index 1ad312af8ff0..bd93a28f1026 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c > @@ -331,6 +331,12 @@ static int kfd_event_page_set(struct kfd_process *p, > void *kernel_address, > if (p->signal_page) > return -EBUSY; > > + if(size < KFD_SIGNAL_EVENT_LIMIT * 8) { > + pr_err("Event page size %llu is too small, need at least %lu > bytes\n", > + size, KFD_SIGNAL_EVENT_LIMIT * 8); > + return -EINVAL; > + } > + > page = kzalloc(sizeof(*page), GFP_KERNEL); > if (!page) > return -ENOMEM; > -- > 2.43.0
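
Review bot: In the added size check, the pr_err() sits on a path that the commit message says unprivileged userspace can reach by passing a small buffer, so any caller can flood the kernel log at will; pr_debug() or a rate-limited print would be safer, with -EINVAL still returned. The bound KFD_SIGNAL_EVENT_LIMIT * 8 is written out twice in this check, in addition to the memset the commit message describes, so a single macro or local variable would keep the check and the write from drifting apart. On style, kernel convention is a space after the keyword, `if (size < ...)`, and the %llu and %lu specifiers should be confirmed against the types of size and of the limit expression, neither of which is visible in this hunk.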
