VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50760

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()

As the comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreases the refcount of the input parameter @from if it is not NULL.

If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid a refcount leak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing pci_dev_put() in amdgpu_atrm_get_bios() causes a PCI device refcount leak, potentially leading to resource exhaustion.

Vulnerability

In the Linux kernel's AMDGPU Direct Rendering Manager (DRM) driver, the function amdgpu_atrm_get_bios() iterates over PCI devices using pci_get_class(). According to the kernel API, pci_get_class() returns a PCI device with its reference count incremented, and it decrements the reference count of the input parameter @from if it is not NULL. When the loop breaks with a non-NULL pdev, the function fails to call pci_dev_put() to release the reference, leading to a reference count leak [1].

Exploitation

This vulnerability is triggered during the boot process when the AMDGPU driver attempts to retrieve the Video BIOS (VBIOS) from a PCI device. No special privileges or user interaction are required; the bug occurs automatically in the kernel initialization path. An attacker with local access could potentially exploit the leak by repeatedly triggering the driver initialization, causing the reference count to increase without bound.

Impact

A persistent PCI device reference count leak prevents the kernel from properly releasing and cleaning up the device object, eventually leading to resource exhaustion. Over time, this can cause system instability, denial of service, or prevent the device from being properly released and re-enumerated. The leak does not directly allow arbitrary code execution but degrades system reliability.

Mitigation

The fix adds the missing pci_dev_put() call before returning from amdgpu_atrm_get_bios(). Patches have been applied to the stable kernel branches as of December 2024 [2][3][4]. Users should update to a kernel version containing the commit to eliminate the leak.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
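
The refcount contract described above, as an added example (a user-space C model, not kernel code and not taken from the fix commit): it counts the references left behind when the search loop breaks on a match, with and without the put. The mock_* names, the three-device bus and the placement of the put directly after the loop are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model: a "device" is just a refcount. */
struct mock_pci_dev { int refcount; };
enum { NDEV = 3 };
static struct mock_pci_dev bus[NDEV];

/* NULL-safe, like the kernel's pci_dev_put(). */
static void mock_pci_dev_put(struct mock_pci_dev *dev) { if (dev) dev->refcount--; }

/* Contract from the description: drop the reference on @from if it is not
 * NULL, return the next device with its refcount raised, NULL at the end. */
static struct mock_pci_dev *mock_pci_get_class(struct mock_pci_dev *from)
{
    int next = from ? (int)(from - bus) + 1 : 0;
    mock_pci_dev_put(from);
    if (next >= NDEV)
        return NULL;
    bus[next].refcount++;
    return &bus[next];
}

/* Search the bus; `match` is the index that "has the BIOS" (-1 = none).
 * Returns how many references are still held after the search returns. */
int leaked_refs(int match, bool put_after_loop)
{
    struct mock_pci_dev *pdev = NULL;
    int i, leaked = 0;
    for (i = 0; i < NDEV; i++)
        bus[i].refcount = 1;            /* baseline: one owner reference */
    while ((pdev = mock_pci_get_class(pdev)) != NULL) {
        if ((int)(pdev - bus) == match)
            break;                      /* exits still holding pdev's ref */
    }
    if (put_after_loop)
        mock_pci_dev_put(pdev);         /* the missing put; no-op if NULL */
    for (i = 0; i < NDEV; i++)
        leaked += bus[i].refcount - 1;
    return leaked;
}

int main(void)
{
    printf("break, no put: %d leaked\n", leaked_refs(1, false));
    printf("break, put:    %d leaked\n", leaked_refs(1, true));
    return 0;
}
```

When no device matches, the iterator itself drops the last reference and returns NULL, so only the early-break path needs the explicit put.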

Affected products: 1

Patches: 9

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9
