Commit 8a70a26c authored Feb 02, 2026 by Sunday Clement Committed by Alex Deucher Feb 05, 2026

drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()



The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8
bytes via memset without checking the buffer size parameter. This allows
unprivileged userspace to trigger an out-of bounds kernel memory write
by passing a small buffer, leading to  potential privilege
escalation.

Signed-off-by: Sunday Clement <Sunday.Clement@amd.com>
Reviewed-by: Alexander Deucher <Alexander.Deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org

parent 56423871

drivers/gpu/drm/amd/amdkfd/kfd_events.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -331,6 +331,12 @@ static int kfd_event_page_set(struct kfd_process p, void kernel_address,
		if (p->signal_page)
		return -EBUSY;

		if (size < KFD_SIGNAL_EVENT_LIMIT * 8) {
		pr_err("Event page size %llu is too small, need at least %lu bytes\n",
		size, (unsigned long)(KFD_SIGNAL_EVENT_LIMIT * 8));
		return -EINVAL;
		}

		page = kzalloc(sizeof(*page), GFP_KERNEL);
		if (!page)
		return -ENOMEM;