amdgpu: use-after-free in amdgpu (CVE-2023-52921)

This CVE is a use-after-free vulnerability in the AMD GPU (amdgpu) driver of the Linux kernel. It occurs in the amdgpu_cs_pass1() function when handling chunk data. The gang_size check sits outside the chunk parsing loop, so the loop index i has to be reset before the chunk data is freed; without that reset, memory can be misused after it has been released. Although not classified as a zero-day vulnerability, it still poses a risk, particularly to Linux users with AMD GPUs, because it can enable attackers to cause a denial of service. The issue was identified and reported by Ye Zhang from Baidu Security and has since been addressed in updated versions of the Linux kernel.
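The cleanup pattern behind this class of bug, as an added example (a simplified model written for this page, not the kernel's amdgpu code): a check placed after the parsing loop jumps to cleanup that walks downward from the loop index `i`. The struct, function and label names are hypothetical, and the model records which slots cleanup touches instead of freeing past the parsed chunks.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_CHUNKS 8

/* Hypothetical, simplified parser state; not the amdgpu structures. */
struct parser {
    int nchunks, gang_size;
    void *kdata[MAX_CHUNKS];
    int touched[MAX_CHUNKS + 1]; /* slots cleanup walked over; last = one past the end */
};

/* Returns 0 on success, -1 on error; reset_index selects the corrected path. */
static int parse(struct parser *p, int reset_index)
{
    int i;
    for (i = 0; i < p->nchunks; i++) {
        p->kdata[i] = malloc(16);
        if (!p->kdata[i]) {
            i--;                    /* slot i holds nothing, unwind from i - 1 */
            goto free_partial;
        }
    }
    /* The check sits after the loop, where i == nchunks (one past the last chunk). */
    if (!p->gang_size) {
        if (reset_index)
            i = p->nchunks - 1;     /* reset i before the chunk data is freed */
        goto free_partial;
    }
    return 0;
free_partial:
    for (; i >= 0; i--) {
        p->touched[i]++;
        if (i < p->nchunks)         /* the model only records the stray slot */
            free(p->kdata[i]);
    }
    return -1;
}

/* Fail the post-loop check once; report how often cleanup hit slot nchunks. */
static int stray_touches(int nchunks, int reset_index)
{
    struct parser p = { .nchunks = nchunks, .gang_size = 0 };
    parse(&p, reset_index);
    return p.touched[nchunks];
}

int main(void)
{
    printf("stale i: %d, reset i: %d\n", stray_touches(4, 0), stray_touches(4, 1));
    return 0;
}
```

With the stale index the cleanup starts at a slot the loop never filled; with the reset it covers exactly the parsed chunks.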

Watch the full video on YouTube: CVE-2023-52921

CVE database technical details

CVE ID
CVE-2023-52921
Description
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang (@VAR10CK) of Baidu Security.
Provider
Linux
CWE / problem types
Affected Software Versions
Linux (versionType git):
- affected: from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, less than 9a2393af1f35d1975204fc00035c64a1c792b278
- affected: from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, less than e08e9dd09809b16f8f8cee8c466841b33d24ed96
- affected: from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, less than 90e065677e0362a777b9db97ea21d43a39211399
Linux (release versions):
- unaffected: from 6.1.46, less than or equal to 6.1.* (versionType semver)
- unaffected: from 6.4.11, less than or equal to 6.4.* (versionType semver)
- unaffected: from 6.5, less than or equal to * (versionType original_commit_for_fix)
Date Published
2024-11-19T01:26:30.495Z
Last Updated
2025-05-04T07:46:02.752Z