Talos Vulnerability Report

TALOS-2019-0971

NVIDIA NVWGF2UMX_CFG.DLL shader functionality denial-of-service vulnerability

June 24, 2020
CVE Number

CVE-2020-5965

Summary

An exploitable denial-of-service vulnerability exists in NVIDIA NVWGF2UMX_CFG.DLL (versions 26.21.14.4128 and 26.21.14.4166 of the NVIDIA D3D10 driver, and driver versions 441.28 and 441.66 on an NVIDIA Quadro K620). A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. The vulnerability can be triggered from a VMware guest and affects the VMware host, leading to a crash of the vmware-vmx.exe process on the host.

Tested Versions

NVWGF2UMX_CFG.DLL (version 26.21.14.4128 and 26.21.14.4166), NVIDIA D3D10 Driver
Version 441.28 and 441.66 on NVIDIA Quadro K620
VMware Workstation 15 (15.5.1 build-15018445) with Windows 10 x64 as guest VM

Product URLs

http://nvidia.com
http://vmware.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-476: NULL Pointer Dereference

Details

This vulnerability can be triggered by supplying a malformed pixel shader from inside the VMware guest OS. Such an attack can be launched from VMware guest user mode and causes a denial of service through a NULL pointer dereference in the vmware-vmx.exe process on the host, or theoretically through WebGL (a remote website).

By modifying the pixel shader instruction (opcode) from:

div r53.x, l(1, 1, 1, 1), r6.xxxx

to:

ld r53.x, l(1065353216, 1065353216, 1065353216, 1065353216), r6.xxxx

it is possible to cause a denial of service in the NVIDIA driver due to a NULL pointer dereference:

00007ffb`ae536745 488b8380000000 mov     rax, qword ptr [rbx+80h]
00007ffb`ae53674c 418bd0         mov     edx, r8d
00007ffb`ae53674f 81e2ffffff00   and     edx, 0FFFFFFh
00007ffb`ae536755 488b4840       mov     rcx, qword ptr [rax+40h]
00007ffb`ae536759 4c8b0cd1       mov     r9, qword ptr [rcx+rdx*8]
00007ffb`ae53675d 418b412c       mov     eax, dword ptr [r9+2Ch]        ; r9 = NULL
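The following C model is an added illustration written for this report (it is not code from the advisory or from NVIDIA's driver): it reproduces the access pattern of the faulting sequence above, where the low 24 bits of the operand word select an entry in a pointer table (rdx = r8d & 0xFFFFFF, r9 = [rcx+rdx*8]) and that entry is dereferenced at offset 0x2C without a NULL check, and places the hardened lookup beside it. The struct layout, field names, table bound and the sample operand table are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical layout modelled on the disassembly: 'kind' stands for the dword
 * read at [r9+2Ch]; padding, names and the table bound are assumptions. */
typedef struct Operand {
    uint8_t  pad[0x2c];
    uint32_t kind;
} Operand;
#define OPERAND_INDEX_MASK 0xFFFFFFu   /* mirrors 'and edx, 0FFFFFFh' */
/* Unchecked lookup, as in the crash: a NULL table entry faults at [r9+2Ch]. */
uint32_t operand_kind_unchecked(Operand **table, uint32_t word)
{
    uint32_t idx = word & OPERAND_INDEX_MASK;   /* rdx = r8d & 0xFFFFFF */
    return table[idx]->kind;                    /* r9 = [rcx+rdx*8]; eax = [r9+2Ch] */
}

/* Hardened lookup: bounds-check the index and refuse a NULL entry, so a
 * malformed shader is rejected instead of crashing the host process.
 * Returns 0 on success, -1 when the operand must be rejected. */
int operand_kind_checked(Operand **table, uint32_t table_len,
                         uint32_t word, uint32_t *out)
{
    uint32_t idx = word & OPERAND_INDEX_MASK;
    if (idx >= table_len || table[idx] == NULL)
        return -1;
    *out = table[idx]->kind;
    return 0;
}

/* Constructed sample: a zero-initialised table, so entry 0x28900 is NULL
 * (mirroring rdx=0x28900 and r9=0 in the dump); entry 1 is made valid. */
static Operand  g_valid = { {0}, 7 };
static Operand *g_table[0x28901];
#define G_TABLE_LEN (sizeof g_table / sizeof g_table[0])

/* Returns the operand kind for an operand word, or -1 when it is rejected. */
int demo_lookup(uint32_t word)
{
    uint32_t kind;
    g_table[1] = &g_valid;
    return operand_kind_checked(g_table, G_TABLE_LEN, word, &kind) == 0 ? (int)kind : -1;
}

int main(void)
{
    printf("0x60028900 -> %d (rejected: NULL entry)\n", demo_lookup(0x60028900u));
    printf("0x60000001 -> %u (valid entry)\n", operand_kind_unchecked(g_table, 0x60000001u));
    return 0;
}
```

The word 0x60028900 is the r8 value from the crash dump; with the checked lookup it is refused instead of reaching the dereference.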

VMware release mode crash dump fragment:

0:023> .ecxr
rax=0000025afd3e3608 rbx=0000025afd6540f0 rcx=0000025afd487e40
rdx=0000000000028900 rsi=0000000000000005 rdi=0000025afd42e3c8
rip=00007ffac5006bed rsp=000000e164bf7260 rbp=0000000000000005
 r8=0000000060028900  r9=0000000000000000 r10=0000025afd42e3e0
r11=0000000060004302 r12=0000000000000009 r13=00000000000000ff
r14=0000000000000000 r15=0000000000000001
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
nvwgf2umx_cfg!OpenAdapter12+0x51375d:
00007ffa`c5006bed 418b412c        mov     eax,dword ptr [r9+2Ch] ds:00000000`0000002c=????????

Crash Information

0:023> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullClassPtr

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on CLAB

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 14

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 166

    Key  : Analysis.System
    Value: CreateObject

    Key  : Timeline.Process.Start.DeltaSec
    Value: 165


APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=0000025afd3e3608 rbx=0000025afd6540f0 rcx=0000025afd487e40
rdx=0000000000028900 rsi=0000000000000005 rdi=0000025afd42e3c8
rip=00007ffac5006bed rsp=000000e164bf7260 rbp=0000000000000005
 r8=0000000060028900  r9=0000000000000000 r10=0000025afd42e3e0
r11=0000000060004302 r12=0000000000000009 r13=00000000000000ff
r14=0000000000000000 r15=0000000000000001
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
nvwgf2umx_cfg!OpenAdapter12+0x51375d:
00007ffa`c5006bed 418b412c        mov     eax,dword ptr [r9+2Ch] ds:00000000`0000002c=????????
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffac5006bed (nvwgf2umx_cfg!OpenAdapter12+0x000000000051375d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 000000000000002c
Attempt to read from address 000000000000002c

PROCESS_NAME:  vmware-vmx.exe

READ_ADDRESS:  000000000000002c 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  000000000000002c

STACK_TEXT:  
000000e1`64bf7260 00007ffa`c5009c00 : 00000000`000000ff 00000000`00000000 00000000`000002ea 0000025a`fd42e3c8 : nvwgf2umx_cfg!OpenAdapter12+0x51375d
000000e1`64bf72c0 00007ffa`c500ba7d : 0000025a`fd3e8400 00000000`00000000 00000000`000002ea 00007ffa`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x516770
000000e1`64bf7380 00007ffa`c500e566 : 00000000`00000020 0000025a`fd3e84d0 0000025a`fd3e6b88 0000025a`fd3e84d0 : nvwgf2umx_cfg!OpenAdapter12+0x5185ed
000000e1`64bf75d0 00007ffa`c500e202 : 0000025a`fd6540f0 0000025a`fd3e6b88 0000025a`fd3e84d0 00007ffa`c6186950 : nvwgf2umx_cfg!OpenAdapter12+0x51b0d6
000000e1`64bf7600 00007ffa`c509cb88 : 0000025a`fd3e3608 00000000`00000004 00007ffa`c61d5b74 0000025a`fd3f6ec8 : nvwgf2umx_cfg!OpenAdapter12+0x51ad72
000000e1`64bf7650 00007ffa`c4edf4b3 : 0000025a`fd3e3608 000000e1`64bf8c20 0000025a`fd3e3608 0000025a`f7c759e8 : nvwgf2umx_cfg!OpenAdapter12+0x5a96f8
000000e1`64bf76a0 00007ffa`c4edf52f : 00000000`00000000 0000025a`fd3d8458 0000025a`fd3e3608 0000025a`fd3ef4b0 : nvwgf2umx_cfg!OpenAdapter12+0x3ec023
000000e1`64bf8af0 00007ffa`c4e0e855 : 00000259`670a7190 00000259`670a7190 0000025a`f7c759e8 00000259`670a7190 : nvwgf2umx_cfg!OpenAdapter12+0x3ec09f
000000e1`64bf8b20 00007ffa`c4d49e6a : 000000e1`64bf8ed0 7d08b274`e67c652c 0000025a`f7c759e8 3304cd42`bf81f00b : nvwgf2umx_cfg!OpenAdapter12+0x31b3c5
000000e1`64bf8e10 00007ffa`c4b366a2 : 00000000`00000000 0000025a`f7c759e8 3304cd42`bf81f00b 0000025a`f7c759d0 : nvwgf2umx_cfg!OpenAdapter12+0x2569da
000000e1`64bf8e50 00007ffa`c5824754 : 00000000`00000000 00000259`6703fa80 00000000`00000000 00000000`00000019 : nvwgf2umx_cfg!OpenAdapter12+0x43212
000000e1`64bf8ea0 00007ffa`c5790f5b : 0000025a`f7bc07f0 000000e1`64bf9b90 0000025a`f7bc07f0 000000e1`64bf90f8 : nvwgf2umx_cfg!NVAPI_Thunk+0x343b24
000000e1`64bf8f60 00007ffa`c4cf9aa7 : 00000000`00000000 00000000`00000000 00000000`00000000 0000025a`f80b7280 : nvwgf2umx_cfg!NVAPI_Thunk+0x2b032b
000000e1`64bf9040 00007ffa`c4b0b6ea : 0000025a`f7b795c8 0000025a`f7b795c8 000000e1`64bf9190 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x206617
000000e1`64bf9090 00007ffa`c4cfaf7b : 0000025a`f7b795c8 000000e1`64bf9c20 00000000`00000000 0000025a`f7c856d0 : nvwgf2umx_cfg!OpenAdapter12+0x1825a
000000e1`64bf9b20 00007ffa`c5845ec1 : 0000025a`00000000 00000000`00003408 00000000`00000000 0000025a`f81697b0 : nvwgf2umx_cfg!OpenAdapter12+0x207aeb
000000e1`64bf9ce0 00007ffa`c5842116 : 0000025a`f7b795c8 00000000`00000001 00000000`00000001 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x365291
000000e1`64bf9e50 00007ffa`c4d4c19f : 0000025a`f7da2530 00000259`670afe18 000000e1`64bfa400 0000025a`f7da1130 : nvwgf2umx_cfg!NVAPI_Thunk+0x3614e6
000000e1`64bfa350 00007ffa`c4d501b1 : 00000259`670c2650 00007ffa`cccd7333 000000e1`64bfa4a8 000000e1`64bfa4a8 : nvwgf2umx_cfg!OpenAdapter12+0x258d0f
000000e1`64bfa390 00007ffa`cccb8edc : 00000000`00000000 0000025a`f7b795b8 00000259`670c2650 00007ffa`d2a9ba17 : nvwgf2umx_cfg!OpenAdapter12+0x25cd21
000000e1`64bfa3d0 00007ffa`cccc295f : 000000e1`00000001 00000259`670cc568 0000025a`f7b795b8 00000259`670c2650 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
000000e1`64bfa630 00007ffa`cccc289a : 000000e1`64bfad10 00007ffa`cce72388 0000025a`f7b79480 00000000`00000000 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
000000e1`64bfa6c0 00007ffa`cccaee58 : 0000025a`f7b794a8 000000e1`64bfad10 000000e1`64bfad40 00007ffa`cce72388 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
000000e1`64bfa720 00007ffa`cccbb17d : 00000000`00000000 0000025a`f7b79480 00000000`00000000 00000259`640d0000 : d3d11!CDevice::CreateLayeredChild+0xc88
000000e1`64bfab60 00007ffa`cccbb950 : 0000025a`f7b79480 00000000`00000009 00000000`00000188 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
000000e1`64bfacd0 00007ffa`ccca14f4 : 00000259`670af5e0 00007ffa`00000009 0000025a`f81b3af0 00000259`670afe18 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
000000e1`64bfaec0 00007ffa`ccca1463 : 0000025a`f81b3af0 00000000`0000b000 000000e1`64bfb220 00000000`00021c60 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
000000e1`64bfaf20 00007ffa`ccca11e8 : 00000259`670afe18 0000025a`f81b3af0 00000000`00003464 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
000000e1`64bfb0d0 00007ff6`f1d5ef93 : 00000000`00000000 000000e1`64bfb220 0000025a`ed5c79d0 00000000`00000000 : d3d11!CDevice::CreatePixelShader+0x28
000000e1`64bfb120 00007ff6`f1d60b46 : 00000000`00000000 000000e1`64bff350 0000025a`f8164ec0 0000025a`ed5c79d0 : vmware_vmx+0x2bef93
000000e1`64bfb280 00007ff6`f1d5fc19 : 00007ff6`f1aa0000 0000025a`f79fd330 0000025a`f79fd330 00000000`00005000 : vmware_vmx+0x2c0b46
000000e1`64bff250 00007ff6`f1d5cbb1 : 0000025a`f814d810 00007ff6`f1aa0000 00000000`0000502b 00000000`0000502b : vmware_vmx+0x2bfc19
000000e1`64bff790 00007ff6`f1d8ec5e : 0000025a`f814d770 00000000`00000007 0000025a`f81532d8 00000000`00000007 : vmware_vmx+0x2bcbb1
000000e1`64bff7d0 00007ff6`f1c92d8b : 00000000`00000100 000000e1`64bff990 00000000`00000880 0000025a`f814d760 : vmware_vmx+0x2eec5e
000000e1`64bff820 00007ff6`f1c11782 : 00000000`00004f01 00000000`00000100 00000000`00000000 00000000`00000a68 : vmware_vmx+0x1f2d8b
000000e1`64bff890 00007ff6`f1c0f398 : 00000000`00000000 00000000`00000001 000000e1`64bffabc 00000000`00000040 : vmware_vmx+0x171782
000000e1`64bffa50 00007ff6`f1b5b4aa : 00000000`00000000 00000000`00000002 00000000`00000002 00000259`00000000 : vmware_vmx+0x16f398
000000e1`64bffa80 00007ff6`f20a4fe9 : 0000025a`ed337160 00007ff6`f1b5b1c0 ffffffff`ffffffff 00000000`00000000 : vmware_vmx+0xbb4aa
000000e1`64bffaf0 00007ffa`d14e7bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0x604fe9
000000e1`64bffbb0 00007ffa`d2acced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000e1`64bffbe0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  nvwgf2umx_cfg!OpenAdapter12+51375d

MODULE_NAME: nvwgf2umx_cfg

IMAGE_NAME:  nvwgf2umx_cfg.dll

STACK_COMMAND:  ~23s ; .ecxr ; kb

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_READ_c0000005_nvwgf2umx_cfg.dll!OpenAdapter12

BUCKET_ID_MODPRIVATE: 1

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {ab69b94c-7a35-d483-6d8e-dc2a5c7fc3d7}

Followup:     MachineOwner
---------

Timeline

2019-12-19 - Vendor Disclosure
2019-06-24 - Vendor Patched
2019-06-24 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.