]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
projects / thirdparty / kernel / stable.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d58f8d4) | patch
drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
authorSunday Clement <Sunday.Clement@amd.com>
Mon, 2 Feb 2026 17:41:39 +0000 (12:41 -0500)
committerSasha Levin <sashal@kernel.org>
Wed, 4 Mar 2026 12:21:24 +0000 (07:21 -0500)
commitbfcd6b53e1f4feb182952f4ff9a137c36ceaf20b
treedd2ef9c0cd7986ba3e6f4f6c27fa8a9722879311tree | snapshot
parentd58f8d4dcfb1c81c15afc3b8bbfd34846ae84982commit | diff
drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()

[ Upstream commit 8a70a26c9f34baea6c3199a9862ddaff4554a96d ]

The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8
bytes via memset without checking the buffer size parameter. This allows
unprivileged userspace to trigger an out-of bounds kernel memory write
by passing a small buffer, leading to  potential privilege
escalation.

Signed-off-by: Sunday Clement <Sunday.Clement@amd.com>
Reviewed-by: Alexander Deucher <Alexander.Deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/gpu/drm/amd/amdkfd/kfd_events.c diff | blob | blame | history
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git