Joonkyo Jung

**Name of the Vulnerable Software and Affected Versions** NVIDIA GPU driver for Windows and Linux (affected versions not specified) **Description** The issue is related to an out-of-bounds write in the NVIDIA GPU driver, which can be exploited by a user. A successful exploit might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.28 **Description** A use-after-free bug has been identified in the Linux kernel, specifically in the AMDGPU DRM driver. This bug can be triggered by sending a single `amdgpu gem userptr ioctl` to the AMDGPU DRM driver with an invalid address and size. The issue arises from a failure in `amdgpu hmm register`, which still calls `amdgpu hmm unregister` into `amdgpu gem object free`, resulting in access to a bad address. The bug was reported by Joonkyo Jung and can be reproduced with a specific code example. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.28 or later. As a temporary workaround, consider disabling the `amdgpu gem userptr ioctl` function until a patch is available. Restrict access to the vulnerable `amdgpu` module to minimize the risk of exploitation. Avoid using the `addr` and `size` parameters in the affected `amdgpu gem userptr ioctl` API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.7.0 **Description** The vulnerability is a null pointer dereference in the `drm sched entity init` function, which can be triggered by sending an `amdgpu cs wait ioctl` to the AMDGPU DRM driver on any ASICs with valid context. The bug was reported by Joonkyo Jung. The change fixes the null pointer dereference in the init entity, and the stack demonstrates the error condition. The `amdgpu cs wait ioctl` can be used to exploit this vulnerability. The `amdgpu ctx get entity` function is also involved in the call trace. The vulnerability can cause a kernel NULL pointer dereference, which can lead to a denial of service. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the null pointer dereference in the `drm sched entity init` function. As a temporary workaround, consider disabling the `amdgpu cs wait ioctl` function until a patch is available. Note: The provided information does not include specific details about the fixed version or the patchday that contains the fix for the vulnerability. Therefore, the recommendation is to update to the latest available version of the Linux kernel. At the moment, there is no information about a newer version that contains a fix for this vulnerability.