Severity: HIGH
drm Doorbell Overflow
CVE-2026-31766
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
KernelScan AI score: 7.1 (HIGH)

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: validate doorbell_offset in user queue creation

amdgpu_userq_get_doorbell_index() passes the user-provided doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds checking. An arbitrarily large doorbell_offset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space.

Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow.

(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)

KernelScan AI Analysis
Risk summary
Local users with GPU access can corrupt kernel memory by providing oversized doorbell offsets during user queue creation. This can lead to system crashes or potential privilege escalation on systems with AMD GPUs.
Vulnerability analysis
The amdgpu_userq_get_doorbell_index() function fails to validate user-provided doorbell_offset values before using them to calculate doorbell indices. An attacker can supply an arbitrarily large doorbell_offset that causes the calculated index to point outside the allocated doorbell buffer object, corrupting adjacent kernel memory. The fix adds a bounds check, performed in u64 arithmetic, so that both the out-of-bounds index and an integer overflow in the index calculation are prevented. An attack requires local access to the AMD GPU driver interfaces, typically through the /dev/dri/renderD* device files.

Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.22 | 3543005a42d7 |
| 6.19 | 6.19.12 | 86b732fbc37c |
| mainline | 7.0 | a018d1819f15 |