GHSA-4753-MHW2-5G7R
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix watch_id bounds checking in debug address watch v2
The address watch clear code receives watch_id as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watch_id.
If a very large watch_id is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watch_points array.
Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before using it. Also use BIT(watch_id) to test and clear bits safely.
This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones.
Fixes the below:

```
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448 kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow 'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c
    433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,
    434                                          uint32_t watch_id)
    435 {
    436         int r;
    437
    438         if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))
```

kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if watch_id is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined).

```
    439                 return -EINVAL;
    440
    441         if (!pdd->dev->kfd->shared_resources.enable_mes) {
    442                 r = debug_lock_and_unmap(pdd->dev->dqm);
    443                 if (r)
    444                         return r;
    445         }
    446
    447         amdgpu_gfx_off_ctrl(pdd->dev->adev, false);
--> 448         pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch(
    449                                                         pdd->dev->adev,
    450                                                         watch_id);
```

v2: (as per Jonathan Kim)
- Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to match the clear path.
- Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().
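The following C is an added illustration of the bug class and the v2 fix described above; it is not the kernel's code or the patch itself. It models the u32-to-int narrowing that makes a large userspace watch_id negative, then the corrected pattern: an unsigned range check against MAX_WATCH_ADDRESSES in both the set and clear paths, and BIT() on an id that has already been validated. MAX_WATCH_ADDRESSES is taken as 4 from the smatch message; struct demo_pdd, set_dev_address_watch(), clear_dev_address_watch(), scenario_result() and the -EBUSY policy are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Constructed: the smatch report says watch_points has 4 entries. */
#define MAX_WATCH_ADDRESSES 4
/* Same shape as the kernel macro, restricted to a 32-bit mask here. */
#define BIT(n) (1U << (n))

/* Stand-in for struct kfd_process_device (constructed). */
struct demo_pdd {
    uint32_t alloc_watch_ids;                   /* bitmask of ids this process owns */
    uint32_t watch_points[MAX_WATCH_ADDRESSES]; /* per-id hardware state */
};

/* Pre-fix hazard: the id arrives as u32 but was narrowed to int in helpers.
 * Anything above INT_MAX becomes negative, so a signed "< MAX" test passes,
 * (1 << watch_id) is a negative shift (undefined behaviour), and the caller
 * then indexes watch_points[] with the huge unsigned value. This helper only
 * reports the narrowing; it never performs the undefined shift. */
static bool id_turns_negative_when_narrowed(uint32_t watch_id)
{
    int narrowed = (int)watch_id;  /* wraps on two's-complement targets */
    return narrowed < 0;
}

/* v2 ownership helper: no bounds check of its own (dropped as redundant);
 * precondition: caller has already checked watch_id < MAX_WATCH_ADDRESSES. */
static bool owns_watch_id(const struct demo_pdd *pdd, uint32_t watch_id)
{
    return (pdd->alloc_watch_ids & BIT(watch_id)) != 0;
}

/* Set path with the early validation v2 adds to mirror the clear path. */
static int set_dev_address_watch(struct demo_pdd *pdd, uint32_t watch_id,
                                 uint32_t hw_state)
{
    if (watch_id >= MAX_WATCH_ADDRESSES)        /* unsigned compare, no narrowing */
        return -EINVAL;
    if (owns_watch_id(pdd, watch_id))
        return -EBUSY;                          /* constructed policy: id in use */
    pdd->alloc_watch_ids |= BIT(watch_id);
    pdd->watch_points[watch_id] = hw_state;
    return 0;
}

/* Clear path with the fix: reject out-of-range ids before the bitmask test
 * and before watch_points[] is touched. */
static int clear_dev_address_watch(struct demo_pdd *pdd, uint32_t watch_id)
{
    if (watch_id >= MAX_WATCH_ADDRESSES)
        return -EINVAL;
    if (!owns_watch_id(pdd, watch_id))
        return -EINVAL;
    pdd->watch_points[watch_id] = 0;            /* stands in for clear_address_watch() */
    pdd->alloc_watch_ids &= ~BIT(watch_id);     /* release the id with BIT(), not a raw shift */
    return 0;
}

/* Drives the ids from the smatch range '0-3,2147483648-u32max' through the
 * fixed paths; returns 1 only if every outcome is the expected one. */
static int scenario_result(void)
{
    struct demo_pdd pdd = { 0 };
    bool ok = true;

    ok &= set_dev_address_watch(&pdd, 2, 0xdeadbeefu) == 0;
    ok &= set_dev_address_watch(&pdd, 4, 1) == -EINVAL;           /* one past the array */
    ok &= set_dev_address_watch(&pdd, 2, 1) == -EBUSY;
    ok &= clear_dev_address_watch(&pdd, 0x80000000u) == -EINVAL;  /* would be INT_MIN as int */
    ok &= clear_dev_address_watch(&pdd, UINT32_MAX) == -EINVAL;   /* would be -1 as int */
    ok &= clear_dev_address_watch(&pdd, 3) == -EINVAL;            /* in range but not owned */
    ok &= clear_dev_address_watch(&pdd, 2) == 0;
    ok &= pdd.watch_points[2] == 0 && pdd.alloc_watch_ids == 0;
    return ok ? 1 : 0;
}

int main(void)
{
    uint32_t ids[] = { 2, 4, 0x80000000u, UINT32_MAX };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("watch_id %u: negative after narrowing to int = %d\n",
               ids[i], id_turns_negative_when_narrowed(ids[i]));
    printf("fixed set/clear paths behave as expected: %d\n", scenario_result());
    return 0;
}
```

The point to carry over to a review of similar code is that the range check has to happen on the unsigned type the value arrives in, and before any shift or array index derived from it; once the value is narrowed to int the check can no longer catch the upper half of the u32 range.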
{
"affected": [],
"aliases": [
"CVE-2026-45878"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:01Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix watch_id bounds checking in debug address watch v2\n\nThe address watch clear code receives watch_id as an unsigned value\n(u32), but some helper functions were using a signed int and checked\nbits by shifting with watch_id.\n\nIf a very large watch_id is passed from userspace, it can be converted\nto a negative value. This can cause invalid shifts and may access\nmemory outside the watch_points array.\n\ndrm/amdkfd: Fix watch_id bounds checking in debug address watch v2\n\nFix this by checking that watch_id is within MAX_WATCH_ADDRESSES before\nusing it. Also use BIT(watch_id) to test and clear bits safely.\n\nThis keeps the behavior unchanged for valid watch IDs and avoids\nundefined behavior for invalid ones.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448\nkfd_dbg_trap_clear_dev_address_watch() error: buffer overflow\n\u0027pdd-\u003ewatch_points\u0027 4 \u003c= u32max user_rl=\u00270-3,2147483648-u32max\u0027 uncapped\n\ndrivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c\n 433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,\n 434 uint32_t watch_id)\n 435 {\n 436 int r;\n 437\n 438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))\n\nkfd_dbg_owns_dev_watch_id() doesn\u0027t check for negative values so if\nwatch_id is larger than INT_MAX it leads to a buffer overflow.\n(Negative shifts are undefined).\n\n 439 return -EINVAL;\n 440\n 441 if (!pdd-\u003edev-\u003ekfd-\u003eshared_resources.enable_mes) {\n 442 r = debug_lock_and_unmap(pdd-\u003edev-\u003edqm);\n 443 if (r)\n 444 return r;\n 445 }\n 446\n 447 amdgpu_gfx_off_ctrl(pdd-\u003edev-\u003eadev, false);\n--\u003e 448 pdd-\u003ewatch_points[watch_id] = pdd-\u003edev-\u003ekfd2kgd-\u003eclear_address_watch(\n 449 pdd-\u003edev-\u003eadev,\n 450 watch_id);\n\nv2: (as per, Jonathan Kim)\n - Add early watch_id \u003e= MAX_WATCH_ADDRESSES validation in the set path to\n match the clear path.\n - Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().",
"id": "GHSA-4753-mhw2-5g7r",
"modified": "2026-05-27T15:33:14Z",
"published": "2026-05-27T15:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45878"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2b36c0c1bcbbe15f6cfa9652084b3124c835a150"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3c38a0f07aa2bfef2b219b1f045534ad93f85afd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a19302cab5cec7ae7f1a60c619951e6c17d8742"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/971bf8e61e9b4abaacf9b35eaf76ec222758f9d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0d367e13db63a6ed76ee0d0a8c3a58c1fa98488"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.