CVE-2022-50527
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix size validation for non-exclusive domains (v4) Fix amdgpu_bo_validate_size() to check whether the TTM domain manager for the requested memory exists, else we get a kernel oops when dereferencing "man". v2: Make the patch standalone, i.e. not dependent on local patches. v3: Preserve old behaviour and just check that the manager pointer is not NULL. v4: Complain if GTT domain requested and it is uninitialized--most likely a bug.
Analysis
A null pointer dereference vulnerability exists in the Linux kernel's AMD GPU (amdgpu) driver in the amdgpu_bo_validate_size() function. When validating buffer object sizes for non-exclusive memory domains, the function does not verify that the TTM (Translation Table Maps) domain manager for the requested domain exists before dereferencing it, leading to a kernel oops and denial of service. A local, unprivileged user can trigger this condition to crash the system. While patches are available from the vendor, the EPSS score of 0.01% and very low exploitation probability suggest this is a low-priority issue in practice despite the denial-of-service impact.
Technical Context
The vulnerability resides in the Direct Rendering Manager (DRM) subsystem of the Linux kernel, specifically in AMD GPU driver code (amdgpu). The affected function amdgpu_bo_validate_size() is responsible for validating the size of buffer objects across different memory domains managed by TTM (Translation Table Maps), a memory management abstraction layer for GPU drivers. The root cause is classified as CWE-476 (Null Pointer Dereference), where the code dereferences a pointer to a TTM domain manager structure without first checking whether that pointer is valid. The vulnerability affects the Linux kernel across multiple versions (CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). This is a driver-level defect that impacts systems with AMD GPUs relying on the amdgpu driver for hardware acceleration.
Affected Products
The Linux kernel across all versions utilizing the AMD GPU (amdgpu) driver is affected, as indicated by the CPE specification cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. All Linux distributions shipping the affected kernel versions are in scope, including but not limited to Red Hat Enterprise Linux, Ubuntu, Debian, Fedora, and SUSE Linux Enterprise Server. The vulnerability impacts systems with AMD Radeon GPUs that depend on the amdgpu driver for hardware support. Vendor patches have been released and are available in the Linux kernel stable tree at the commit references provided (7554886daa31, 80546eef2168, 8ba7c55e112f).
Remediation
Update the Linux kernel to a version containing the fix, which is available in the stable kernel tree at commits 7554886daa31eacc8e7fac9e15bbce67d10b8f1f, 80546eef216854a7bd47e39e828f04b406c00599, or 8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1. Most Linux distributions will backport this fix into their kernel maintenance branches; check your distribution's security advisories for updated kernel packages (e.g., Red Hat CVE tracker, Ubuntu Security Notices, SUSE Security Updates). For immediate mitigation pending kernel update, restrict unprivileged user access to GPU-related operations through SELinux or AppArmor policies, and disable GPU driver initialization if AMD GPU acceleration is not required. The patch itself is straightforward: adding a null-pointer check before dereferencing the TTM domain manager structure, so upgrading to any kernel version released after the fix commits will resolve the issue.
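To make the root cause in the Technical Context and the one-line nature of the fix concrete, the following self-contained C program is an added example written for this page; it is not the kernel's code and not from vuln.today. It models the pattern only: the types and functions (device_model, resource_manager, manager_type, init_device, validate_size_unchecked, validate_size_checked) and the DOMAIN_GTT/DOMAIN_VRAM flag values are stand-ins constructed for the example, in place of the real ttm_manager_type() lookup and AMDGPU_GEM_DOMAIN_* flags. The "before" function dereferences the manager pointer unconditionally, which is the CWE-476 defect; the "after" function checks for NULL first, treats a missing manager as a failed validation, and complains when the GTT manager is absent, matching the behaviour the description outlines.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in placement indices, constructed for this example (not TTM's values). */
enum { PL_SYSTEM = 0, PL_TT = 1, PL_VRAM = 2, PL_COUNT = 3 };

/* Stand-in domain flags, constructed for this example (not AMDGPU_GEM_DOMAIN_*). */
#define DOMAIN_GTT  (1u << 1)
#define DOMAIN_VRAM (1u << 2)

/* Minimal model of a TTM resource manager: only the managed size matters here. */
struct resource_manager {
    unsigned long size;            /* total bytes the domain can hold */
};

/* Minimal model of the device: a manager per placement, NULL when never initialised. */
struct device_model {
    struct resource_manager storage[PL_COUNT];
    struct resource_manager *man[PL_COUNT];
};

/* Stand-in for ttm_manager_type(): returns the manager for a placement, or NULL. */
static struct resource_manager *manager_type(struct device_model *dev, int mem_type)
{
    if (mem_type < 0 || mem_type >= PL_COUNT)
        return NULL;
    return dev->man[mem_type];
}

/* Builds a device model; a size of 0 means "this domain's manager was never set up". */
void init_device(struct device_model *dev, unsigned long gtt_size, unsigned long vram_size)
{
    for (int i = 0; i < PL_COUNT; i++)
        dev->man[i] = NULL;
    dev->storage[PL_TT].size = gtt_size;
    dev->storage[PL_VRAM].size = vram_size;
    dev->man[PL_TT] = gtt_size ? &dev->storage[PL_TT] : NULL;
    dev->man[PL_VRAM] = vram_size ? &dev->storage[PL_VRAM] : NULL;
}

/* BEFORE (CWE-476 pattern): 'man' is dereferenced without checking the lookup result.
 * On a device whose GTT manager was never initialised, man is NULL and the
 * kernel would oops on man->size. Never call this with an uninitialised domain. */
bool validate_size_unchecked(struct device_model *dev, unsigned long size, unsigned domain)
{
    struct resource_manager *man;

    if (domain & DOMAIN_GTT) {
        man = manager_type(dev, PL_TT);
        return size < man->size;   /* NULL dereference when GTT is absent */
    }
    if (domain & DOMAIN_VRAM) {
        man = manager_type(dev, PL_VRAM);
        return size < man->size;
    }
    return true;                   /* no size-limited domain requested */
}

/* AFTER: check the manager pointer first. A missing manager fails validation;
 * a missing GTT manager is additionally reported, since that is most likely a bug. */
bool validate_size_checked(struct device_model *dev, unsigned long size, unsigned domain)
{
    struct resource_manager *man;

    if (domain & DOMAIN_GTT) {
        man = manager_type(dev, PL_TT);
        if (!man) {
            fprintf(stderr, "GTT domain requested but GTT manager uninitialized\n");
            return false;
        }
        return size < man->size;
    }
    if (domain & DOMAIN_VRAM) {
        man = manager_type(dev, PL_VRAM);
        if (!man)
            return false;
        return size < man->size;
    }
    return true;                   /* old behaviour preserved for other domains */
}

int main(void)
{
    struct device_model dev;

    init_device(&dev, 0, 1ul << 24);   /* constructed: no GTT manager, 16 MiB VRAM */
    printf("4 KiB GTT request without a GTT manager: %s\n",
           validate_size_checked(&dev, 4096, DOMAIN_GTT) ? "accepted" : "rejected");
    printf("4 KiB VRAM request: %s\n",
           validate_size_checked(&dev, 4096, DOMAIN_VRAM) ? "accepted" : "rejected");
    return 0;
}
```

The only difference between the two validators is the NULL check on the lookup result, which is why the Remediation section can describe the upstream patch as straightforward; the unchecked variant is kept only to show the shape of the defect and is never invoked on a device with a missing manager.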