The kfd_parse_crat_table() function does not validate that CRAT subtype entries fit within the table boundaries before accessing them, allowing potential out-of-bounds reads of kernel memory.
This check previously existed but was removed during code cleanup, reintroducing the vulnerability. Add back the validation to check that sub_type_hdr->length is non-zero and that the full subtype fits within the buffer before processing. Signed-off-by: William Palacek <[email protected]> --- drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c index cf7b1b038d5f..3b39acb6baff 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c @@ -1404,6 +1404,11 @@ int kfd_parse_crat_table(void *crat_image, struct list_head *device_list, sub_type_hdr = (struct crat_subtype_generic *)(crat_table+1); while ((char *)sub_type_hdr + sizeof(struct crat_subtype_generic) < ((char *)crat_image) + image_len) { + if (sub_type_hdr->length == 0 || + (char *)sub_type_hdr + sub_type_hdr->length > + (char *)crat_image + image_len) + break; + if (sub_type_hdr->flags & CRAT_SUBTYPE_FLAGS_ENABLED) { ret = kfd_parse_subtype(sub_type_hdr, device_list); if (ret) -- 2.34.1
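Review bot: the new bound check only guarantees that `sub_type_hdr->length` bytes lie inside the image; it does not require `length` to be at least `sizeof(struct crat_subtype_generic)`, so a header whose length field is small but non-zero (1 through sizeof(struct crat_subtype_generic) - 1) passes both conditions and still reaches `kfd_parse_subtype()`, which reads subtype-specific structures larger than the generic header. Either add a lower bound alongside the existing test, e.g. `sub_type_hdr->length < sizeof(struct crat_subtype_generic) ||`, or make sure the per-subtype parser checks `length` against the size of the structure it dereferences. Two smaller points: a truncated or malformed table now exits the loop with a bare `break` and no diagnostic, so a `pr_warn()`/`pr_debug()` noting the rejected subtype would help when debugging firmware-supplied CRAT data; and since the message says the check was dropped during a cleanup, the commit body should carry a `Fixes:` tag naming that cleanup commit so the change is picked up by stable.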
