drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

The address watch clear code receives watch_id as an unsigned value
(u32), but some helper functions were using a signed int and checked
bits by shifting with watch_id.

If a very large watch_id is passed from userspace, it can be converted
to a negative value. This can cause invalid shifts and may access
memory outside the watch_points array.

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2

Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before
using it. Also use BIT(watch_id) to test and clear bits safely.

This keeps the behavior unchanged for valid watch IDs and avoids
undefined behavior for invalid ones.

Fixes the below:
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448
kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow
'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c
433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,
434 uint32_t watch_id)
435 {
436 int r;
437
438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))

kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if
watch_id is larger than INT_MAX it leads to a buffer overflow.
(Negative shifts are undefined).

439 return -EINVAL;
440
441 if (!pdd->dev->kfd->shared_resources.enable_mes) {
442 r = debug_lock_and_unmap(pdd->dev->dqm);
443 if (r)
444 return r;
445 }
446
447 amdgpu_gfx_off_ctrl(pdd->dev->adev, false);
--> 448 pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch(
449 pdd->dev->adev,
450 watch_id);

v2: (as per, Jonathan Kim)
- Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to
match the clear path.
- Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().

Basic Information

ID CVE-2026-45878

Source Linux

Published May 27, 2026 at 12:16

Modified May 30, 2026 at 10:45

Affected Product

Vendor Linux

Product Linux

Version e0f85f4690d089cc1a60337decafb1acf7eec45e

Affected Versions Linux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e
Linux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e
Linux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e
Linux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e
Linux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e
Linux Linux 6.5

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix watch_id bounds checking in debug address watch v2\n\nThe address watch clear code receives watch_id as an unsigned value\n(u32), but some helper functions were using a signed int and checked\nbits by shifting with watch_id.\n\nIf a very large watch_id is passed from userspace, it can be converted\nto a negative value.  This can cause invalid shifts and may access\nmemory outside the watch_points array.\n\ndrm/amdkfd: Fix watch_id bounds checking in debug address watch v2\n\nFix this by checking that watch_id is within MAX_WATCH_ADDRESSES before\nusing it.  Also use BIT(watch_id) to test and clear bits safely.\n\nThis keeps the behavior unchanged for valid watch IDs and avoids\nundefined behavior for invalid ones.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448\nkfd_dbg_trap_clear_dev_address_watch() error: buffer overflow\n'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped\n\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c\n    433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,\n    434                                         uint32_t watch_id)\n    435 {\n    436         int r;\n    437\n    438         if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))\n\nkfd_dbg_owns_dev_watch_id() doesn't check for negative values so if\nwatch_id is larger than INT_MAX it leads to a buffer overflow.\n(Negative shifts are undefined).\n\n    439                 return -EINVAL;\n    440\n    441         if (!pdd->dev->kfd->shared_resources.enable_mes) {\n    442                 r = debug_lock_and_unmap(pdd->dev->dqm);\n    443                 if (r)\n    444                         return r;\n    445         }\n    446\n    447         amdgpu_gfx_off_ctrl(pdd->dev->adev, false);\n--> 448         pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch(\n    449                                                         pdd->dev->adev,\n    450                                                         watch_id);\n\nv2: (as per, Jonathan Kim)\n - Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to\n   match the clear path.\n - Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().",
    "published": "2026-05-27T12:16:49.108Z",
    "modified": "2026-05-30T10:45:44.269Z",
    "type": "cve",
    "title": "drm/amdkfd: Fix watch_id bounds checking in debug address watch v2",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/971bf8e61e9b4abaacf9b35eaf76ec222758f9d6\nhttps://git.kernel.org/stable/c/a0d367e13db63a6ed76ee0d0a8c3a58c1fa98488\nhttps://git.kernel.org/stable/c/2b36c0c1bcbbe15f6cfa9652084b3124c835a150\nhttps://git.kernel.org/stable/c/3c38a0f07aa2bfef2b219b1f045534ad93f85afd\nhttps://git.kernel.org/stable/c/5a19302cab5cec7ae7f1a60c619951e6c17d8742",
    "id": "CVE-2026-45878",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\nLinux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\nLinux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\nLinux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\nLinux Linux e0f85f4690d089cc1a60337decafb1acf7eec45e\nLinux Linux 6.5",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "e0f85f4690d089cc1a60337decafb1acf7eec45e",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2_CVE-2026-45878

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply