CVE-2022-3108: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-3108 is a vulnerability discovered in the Linux kernel through version 5.16-rc6. The issue specifically affects the kfd_parse_subtype_iolink function in drivers/gpu/drm/amd/amdkfd/kfd_crat.c, where it fails to check the return value of kmemdup(). This vulnerability was discovered by Jiasheng Jiang and was publicly disclosed on December 14, 2022. The vulnerability affects the HSA Linux kernel driver for AMD Radeon GPU devices (Ubuntu Security, NVD).

The vulnerability stems from a missing null pointer check after a kmemdup() call in the kfd_parse_subtype_iolink function. The CVSS v3.1 base score for this vulnerability is 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The technical issue relates to memory allocation handling, where the code fails to verify if the memory duplication operation was successful before dereferencing the pointer (NVD, Kernel Commit).

The vulnerability can lead to a null pointer dereference, which could result in a denial of service condition through a system crash. The impact is limited to local attacks, requiring local access to the system to exploit (Ubuntu Security).

The vulnerability was fixed in Linux kernel version 5.17-rc6. The fix involves adding a proper null pointer check after the kmemdup() call. Various Linux distributions have backported the fix to their supported kernel versions. For example, Red Hat has included the fix in their Enterprise Linux 8 and 9 updates (Red Hat Bugzilla, Kernel Commit).