[AMD GPU debugfs] Heap Overflow due to Unrestricted Copy into Fixed Size Buffer

We discussed this vulnerability during Episode 98 on 09 November 2021

Heap overflow in the AMD GPU driver’s debugfs write handler for DisplayPort test patterns. The driver allocates a 100-byte buffer to receive the written data, but performs the copy using the size parameter handed to the debugfs write handler. That size is never checked against the 100-byte allocation, so a larger write overflows the object inside the kmalloc-128 cache. The bug was powerful enough to build a full chain that bypasses modern mitigations by exploiting it twice: first for an infoleak, triggering an out-of-bounds read by corrupting a prepared msg_msg object, and then to corrupt the freelist and obtain an arbitrary write. The infoleak was used to leak the address of modprobe_path, and the arbitrary write to overwrite that path so it points to an attacker-controlled script.
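The shape of the bug, as an added userspace model that is not the AMD driver's code (every name below is invented): a 100-byte allocation sits in a 128-byte slab slot, so a write driven by the caller's size first eats the 28 bytes of slack and then the neighbouring object. The vulnerable handler is shown beside the bounded one, with the neighbour slot used as a detector.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class, not the AMD driver's code; all names
 * here are invented. A 100-byte kmalloc lands in the kmalloc-128 cache, so a
 * slot has 28 bytes of slack followed by the next object. Two adjacent
 * 128-byte slots are modelled in a static array so the overflow stays
 * observable and in-bounds for this userspace program. */
#define SLOT_SIZE     128
#define WR_BUF_SIZE   100
#define NEIGHBOR_FILL 0xAA

static uint8_t slab[2 * SLOT_SIZE];                 /* two adjacent kmalloc-128 slots */
static uint8_t *const write_buf = slab;             /* the handler's 100-byte buffer  */
static uint8_t *const neighbor = slab + SLOT_SIZE;  /* an unrelated object next door  */

/* Reset the model heap: target slot zeroed, neighbour filled with a known byte. */
void reset_heap(void) {
    memset(write_buf, 0, SLOT_SIZE);
    memset(neighbor, NEIGHBOR_FILL, SLOT_SIZE);
}

/* Vulnerable shape: the caller-supplied 'size' drives the copy, the
 * allocation size does not. Anything past 100 bytes spills into the slack
 * and then into the neighbour. (The single check below only keeps this
 * model inside its array; the real bug had no check at all.) */
long vulnerable_write(const uint8_t *user_buf, size_t size) {
    if (size > sizeof slab)
        return -EFBIG;                       /* model guard only */
    memcpy(write_buf, user_buf, size);       /* overflows when size > WR_BUF_SIZE */
    return (long)size;
}

/* Hardened shape: bound the copy by the allocation before touching memory.
 * Rejecting is shown; truncating to WR_BUF_SIZE is the other common choice. */
long hardened_write(const uint8_t *user_buf, size_t size) {
    if (size > WR_BUF_SIZE)
        return -EINVAL;
    memcpy(write_buf, user_buf, size);
    return (long)size;
}

/* Count neighbour bytes that no longer hold the fill pattern. */
size_t neighbor_bytes_clobbered(void) {
    size_t n = 0;
    for (size_t i = 0; i < SLOT_SIZE; i++)
        if (neighbor[i] != NEIGHBOR_FILL)
            n++;
    return n;
}

/* Drive a handler with a constructed 'size'-byte write of 'A's on a fresh heap. */
long simulate(long (*handler)(const uint8_t *, size_t), size_t size) {
    uint8_t payload[2 * SLOT_SIZE];          /* constructed input, all 'A' */
    memset(payload, 'A', sizeof payload);
    reset_heap();
    return handler(payload, size);
}

int main(void) {
    size_t sizes[] = { 100, 120, 160 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        long r = simulate(vulnerable_write, sizes[i]);
        printf("vulnerable write of %zu: ret=%ld, neighbour bytes clobbered=%zu\n",
               sizes[i], r, neighbor_bytes_clobbered());
        r = simulate(hardened_write, sizes[i]);
        printf("hardened   write of %zu: ret=%ld, neighbour bytes clobbered=%zu\n",
               sizes[i], r, neighbor_bytes_clobbered());
    }
    return 0;
}
```

The 120-byte case is the instructive one: the write is already out of bounds, yet the neighbour looks untouched because the excess fits in the slot's slack. A neighbour-corruption check therefore misses small overflows; that is the gap slab redzoning under KASAN is there to close, and it is why the bound must be enforced against the allocation size itself before the copy, which in the kernel means before the copy_from_user call rather than after it.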

It’s worth noting that exploiting this bug depends on the GPU driver’s debugfs being accessible to the attacker and on the kernel being built with CONFIG_SLAB_FREELIST_HARDENED=n.