HIGH Introduced in 4.15
drm/amd/display Vector Reserve Overflow
CVE-2026-53329
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
01Description
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Use krealloc_array() in dal_vector_reserve() [Why & How] dal_vector_reserve() computes the allocation size as "capacity * vector->struct_size" using uint32_t arithmetic, which can silently wrap to a small value on overflow. This would cause krealloc to return a smaller buffer than expected, leading to heap overflows on subsequent vector appends. Replace krealloc() with krealloc_array() which performs an internal overflow check and returns NULL on wrap, preventing the issue. (cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
02KernelScan AI Analysis
Risk summary
A privileged local user or process with access to AMD GPU display configuration can trigger an integer overflow in the display core vector reserve function, causing krealloc to return a smaller buffer than expected. Subsequent vector appends then write beyond the allocated buffer, resulting in a heap out-of-bounds write that could lead to privilege escalation, information disclosure, or kernel crash. Exploitation requires high privileges (DRM master or equivalent GPU access) and is limited to systems with AMD GPUs using the amdgpu driver.
Vulnerability analysis
The vulnerability is a heap out-of-bounds write (CWE-787) stemming from an integer overflow in dal_vector_reserve() in the AMD Display Core (DC) layer. The original code computed the reallocation size as 'capacity * vector->struct_size' using uint32_t arithmetic before passing it to krealloc(). If a caller supplies a large capacity value, the multiplication can silently wrap around to a small value, causing krealloc() to return a buffer smaller than the requested capacity. Subsequent calls that append elements to the vector will then write beyond the actual allocation boundary. The fix replaces krealloc() with krealloc_array(), which internally performs a checked multiplication (array_size(n, size)) and returns NULL on overflow, preventing the undersized allocation. The attack surface is local and requires high privileges to interact with AMD GPU display subsystem internals; it is not directly reachable from unprivileged userspace without first obtaining DRM master or equivalent privileges.
03Fix Versions
| Branch | Introduced | Fixed in | Patch commit |
|---|---|---|---|
| 5.10 | 4.15 | 5.10.260 | 9540b0a4d13e |
| 5.15 | 4.15 | 5.15.210 | 31180638a33a |
| 6.1 | 4.15 | 6.1.176 | b15825deac1a |
| 6.12 | 4.15 | 6.12.94 | a914aa802669 |
| 6.18 | 4.15 | 6.18.36 | e09689286385 |
| 6.6 | 4.15 | 6.6.143 | 201151e120f0 |
| 7.0 | 4.15 | 7.0.13 | de988c7a31f0 |
| mainline | 4.15 | 7.1 | da48bc4461b8 |