CVE-2022-50619
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()
If the number of pages from the userptr BO differs from the SG BO then the allocated memory for the SG table doesn't get freed before returning -EINVAL, which may lead to a memory leak in some error paths. Fix this by checking the number of pages before allocating memory for the SG table.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's amdkfd driver when handling DMA mappings for userptr BOs could lead to resource exhaustion.
Vulnerability
In the Linux kernel's drm/amdkfd driver, the function kfd_mem_dmamap_userptr() contains a memory leak vulnerability. When the number of pages from a userptr buffer object (BO) differs from the scatter-gather (SG) BO, the allocated memory for the SG table is not freed before the function returns an -EINVAL error. This oversight can lead to a memory leak in certain error paths [1].
Exploitation
The vulnerability is triggered during the DMA mapping of userptr BOs, specifically when the page counts do not match. An attacker would need to be able to trigger this specific error path, likely by providing a userptr BO with a page count that does not match the corresponding SG BO. This requires local access to the system and the ability to interact with the amdkfd driver, typically through the AMD ROCm or similar compute stack [1].
Impact
If exploited, the memory leak could gradually exhaust system memory, potentially leading to denial of service (DoS) conditions. The leak is limited to the kernel memory allocated for SG tables, which could degrade system performance or cause instability over time [1].
Mitigation
The fix, introduced in Linux kernel commit 304a10161696... (and backported as commit 90bfee...), resolves the issue by checking the number of pages before allocating memory for the SG table, ensuring that the allocation only occurs when the page counts match. Users should update to a kernel version containing this fix [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
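The reordering described under Mitigation (check the page counts before allocating), shown as an added user-space model that is not the kernel's code or the fix commit's diff. The fixed-size pool, the struct and every function name are assumptions made for illustration; the pool stands in for finite kernel memory so the effect of repeated error-path leaks can be observed.

```c
#include <errno.h>
#include <stddef.h>

/* User-space model; every name here is hypothetical, not a kernel identifier. */
#define POOL_SLOTS 8 /* stands in for finite kernel memory */
static struct sg_model { int in_use; size_t npages; } pool[POOL_SLOTS];

static struct sg_model *sg_model_alloc(size_t npages)
{
    for (size_t i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) {
            pool[i] = (struct sg_model){ 1, npages };
            return &pool[i];
        }
    return NULL; /* pool exhausted */
}

/* Pre-fix ordering: allocate, then validate. */
static int map_before(size_t src_pages, size_t dst_pages, struct sg_model **out)
{
    struct sg_model *sg = sg_model_alloc(dst_pages);
    if (!sg)
        return -ENOMEM;
    if (src_pages != dst_pages)
        return -EINVAL; /* leak: the slot held by sg is never released */
    *out = sg;
    return 0;
}

/* Post-fix ordering: validate first, so the error path owns nothing. */
static int map_after(size_t src_pages, size_t dst_pages, struct sg_model **out)
{
    if (src_pages != dst_pages)
        return -EINVAL;
    *out = sg_model_alloc(dst_pages);
    return *out ? 0 : -ENOMEM;
}

/* Send `bad` mismatched requests, then one valid request; return its status. */
int valid_request_after_failures(int fixed, int bad)
{
    int (*map)(size_t, size_t, struct sg_model **) = fixed ? map_after : map_before;
    struct sg_model *sg = NULL;
    for (size_t i = 0; i < POOL_SLOTS; i++)
        pool[i].in_use = 0; /* start each run with an empty pool */
    while (bad-- > 0)
        (void)map(4, 8, &sg); /* page counts differ */
    return map(8, 8, &sg);
}
```

With the pre-fix ordering, `POOL_SLOTS` rejected requests are enough to make a later valid request fail with `-ENOMEM`; with the post-fix ordering the same sequence leaves the pool untouched.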
Affected products: 2
Patches: 3
304a10161696
c6dc4c9ba093
90bfee142af0
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3