CVE-2023-53707
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1
The type of size is unsigned int; if size is 0x40000000, there will be an integer overflow: size will be zero after size *= sizeof(uint32_t), which will cause uninitialized memory to be referenced later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in amdgpu_cs_pass1 allows uninitialized memory reference, potentially leading to information disclosure or system crash.
Vulnerability
Overview
In the Linux kernel's AMDGPU driver, the function amdgpu_cs_pass1 contains an integer overflow. The variable size, which holds a chunk's dword count taken from user space, is declared as unsigned int. When it is multiplied by sizeof(uint32_t) (4 bytes) to obtain a byte count, a value of 0x40000000 (1,073,741,824) produces 0x100000000, which is truncated to zero when stored back into the 32-bit variable. That truncated value is then used as the length of the copy from user space, so the chunk buffer is allocated but never filled, and the code that later parses the chunk reads uninitialized kernel memory [1].
Exploitation
An attacker with local access who can submit a crafted GPU command submission (CS) ioctl can trigger the bug. A chunk whose dword count is 0x40000000 or larger makes the 32-bit byte count wrap, so the driver copies fewer bytes from user space than the buffer it allocated holds (zero bytes for exactly 0x40000000). The buffer itself is sized from the untruncated count, so the allocation for such a chunk is large (4 GiB for 0x40000000) and must succeed for the uninitialized read to be reached. No privilege beyond the ability to open the amdgpu DRM device node is required, and desktop configurations commonly grant that to local unprivileged users.
Impact
Successful exploitation makes the kernel parse uninitialized heap memory as chunk data. Depending on what the allocation previously held, this can disclose kernel data (information leak) or crash the system (denial of service).
Mitigation
The vulnerability was fixed in the Linux kernel so that the byte count derived from the chunk's dword count can no longer wrap, keeping the length passed to the copy consistent with the allocation. Users should update to a kernel containing fix commit 87c2213e85bd81e4a9a4d0880c256568794ae388 [1].
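The arithmetic behind the Overview and the Mitigation above, as an added model written for this page (it is not the amdgpu driver's code): the vulnerable 32-bit multiply beside a hardened version, applied to several user-supplied dword counts. It assumes a 32-bit unsigned int and a 64-bit size_t for the allocation figures, and the hardened check (rejecting counts whose byte size does not fit 32 bits) is one illustrative way to close the bug, not necessarily the form of the upstream patch.

```c
/* Added model of the size arithmetic in amdgpu_cs_pass1 (not driver code).
 * A chunk's length_dw is a 32-bit dword count supplied by user space. The
 * driver allocates length_dw * sizeof(uint32_t) bytes and then copies that
 * many bytes from user space into the allocation. Before the fix the byte
 * count lived in an unsigned int, so the product is truncated to 32 bits.
 * Assumes unsigned int is 32 bits wide and size_t is 64 bits wide. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte count as the pre-fix driver computed it: the product is formed in
 * size_t but truncated to 32 bits when assigned back to 'size'. */
static unsigned int vuln_copy_bytes(uint32_t length_dw)
{
	unsigned int size = length_dw;
	size *= sizeof(uint32_t);	/* 0x40000000 * 4 == 0x100000000 -> 0 */
	return size;
}

/* Bytes the allocation is sized for when the multiply is done in size_t
 * (models an overflow-checked array allocator). Returns 0 if even size_t
 * would overflow, which cannot happen for a 32-bit count on 64-bit. */
static size_t alloc_bytes(uint32_t length_dw)
{
	size_t n = length_dw;
	if (n > SIZE_MAX / sizeof(uint32_t))
		return 0;
	return n * sizeof(uint32_t);
}

/* True when the truncated byte count differs from the allocation size,
 * i.e. the copy is shorter than the buffer and a tail stays uninitialised. */
static int vuln_wraps(uint32_t length_dw)
{
	return alloc_bytes(length_dw) != vuln_copy_bytes(length_dw);
}

/* Bytes of the allocation left uninitialised on the vulnerable path. */
static size_t vuln_uninit_tail(uint32_t length_dw)
{
	size_t alloc = alloc_bytes(length_dw);
	unsigned int copied = vuln_copy_bytes(length_dw);
	return alloc > copied ? alloc - copied : 0;
}

/* Hardened variant (illustrative, not necessarily the upstream patch):
 * reject dword counts whose byte size does not fit the 32-bit type and
 * compute the byte count in size_t so it can never be truncated. */
static int safe_copy_bytes(uint32_t length_dw, size_t *out)
{
	if (length_dw > UINT_MAX / sizeof(uint32_t))
		return -EINVAL;
	*out = (size_t)length_dw * sizeof(uint32_t);
	return 0;
}

int main(void)
{
	/* Constructed sample counts: the largest safe value, the value from the
	 * advisory, one past it, and the maximum. */
	const uint32_t samples[] = { 0x3FFFFFFFu, 0x40000000u, 0x40000001u, 0xFFFFFFFFu };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t safe = 0;
		int rc = safe_copy_bytes(samples[i], &safe);

		printf("length_dw=0x%08x alloc=%zu copied=%u uninit=%zu hardened=%s\n",
		       samples[i], alloc_bytes(samples[i]), vuln_copy_bytes(samples[i]),
		       vuln_uninit_tail(samples[i]), rc ? "rejected" : "ok");
	}
	return 0;
}
```

For 0x40000000 the vulnerable path copies zero bytes into a 4 GiB allocation; for 0x40000001 it copies only four, which shows why any count at or above 0x40000000 leaves most of the buffer unfilled rather than just the exact value named in the description.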
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches
39f55d300541cc3deb091398e87c2213e85bd
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.