CVE-2020-6100
An exploitable memory corruption vulnerability exists in AMD atidxx64.dll graphics driver. A specially crafted pixel shader can cause memory corruption vulnerability. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability potentially could be triggered from guest machines running virtualization environments (ie. VMware, qemu, VirtualBox etc.) in order to perform guest-to-host escape - as it was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly). We were able to trigger this vulnerability from HYPER-V guest using RemoteFX feature leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process).
AMD atidxx64.dll (26.20.15019.19000)
8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
AMD Graphics drivers is a software for AMD Graphics GPU installed on the PC. It is a software used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.
This vulnerability can be triggered by supplying a malformed pixel shader. This leads to memory corruption problem in AMD graphics driver:
example of pixel shader triggering the bug: ps_4_1 dcl_global_flags refactoringAllowed dcl_constant_buffer cb0[1].xyzw, immediateIndexed dcl_input_ps_siv linear noperspective v0.xy, position dcl_output o0.xyzw dcl_temps 3 … mov o385613824.w, l(), r ret
By modifying the “mov” Output Register operand in the mov instruction attacker is able to trigger a memory corruption vulnerability in the AMD graphics driver. Typically each output register operand should be declared by DLC_OUTPUT instruction. In following example output register is used out of the declared range. Attacker can control the memory address which will be used for write operation (RAX register) by modifying shader bytecode.
atidxx64!XdxQueryTlsLookupTable+0x522f1:
00007ffb`695b80e1 099c85a84e0000 or dword ptr [rbp+rax*4+4EA8h],ebx ss:000001fe`6c2c8808=????????
0:000> r
rax=00000000cccbf000 rbx=0000000000000040 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=000001fb38fc7960
rip=00007ffb695b80e1 rsp=000000184fafb5d0 rbp=000001fb38fc7960
r8=0000000000000080 r9=0000000000000001 r10=0000000000000002
r11=0000000000000000 r12=0000000000000000 r13=0000000000000001
r14=000000184fafb960 r15=0000000000000004
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
atidxx64!XdxQueryTlsLookupTable+0x522f1:
00007ffb`695b80e1 099c85a84e0000 or dword ptr [rbp+rax*4+4EA8h],ebx ss:000001fe`6c2c8808=????????
stack trace:
0:000> kb
# RetAddr : Args to Child : Call Site
00 00007ffb695b7ecd : 000001fb00000040 000001fb38fcc708 0000000000000000 0000000000000000 : atidxx64!XdxQueryTlsLookupTable+0x522f1
01 00007ffb695b71b9 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : atidxx64!XdxQueryTlsLookupTable+0x520dd
02 00007ffb695b0b9b : 000001fb00000000 0000000000000000 0000000000000000 0000000000000000 : atidxx64!XdxQueryTlsLookupTable+0x513c9
03 00007ffb695c370e : 0000000000000000 000001fb3907d5f0 0000000000000001 000001fb38fc7960 : atidxx64!XdxQueryTlsLookupTable+0x4adab
04 00007ffb695abd1e : 000001fb3907d5f0 0000000000000000 0000000000000000 000000184fafc870 : atidxx64!XdxQueryTlsLookupTable+0x5d91e
05 00007ffb695abb12 : 000001fb38f31b40 000001fb3907d2c0 000000184fafc870 0000000000000000 : atidxx64!XdxQueryTlsLookupTable+0x45f2e
06 00007ffb69ee1e71 : 0000000000000000 000000184fafc870 000001fb38f31b40 000000184fafc500 : atidxx64!XdxQueryTlsLookupTable+0x45d22
07 00007ffb695ec1ea : 0000000000000000 0000000000000000 000000184fafc870 0000000000000020 : atidxx64!AmdDxGsaFreeCompiledShader+0x910971
08 00007ffb695ec033 : 000001fb3906e590 0000000000000003 0000000000000003 0000000000000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x1acea
09 00007ffb6956d3de : 0000000000000001 0000000000000000 000001fb32c20000 000001fb00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x1ab33
0a 00007ffb69d8dde5 : 00007ffb69560000 000001fb38ee0208 0000000000000000 ffffffffffffffff : atidxx64!XdxQueryTlsLookupTable+0x75ee
0b 00007ffb69d897f3 : 0000000000000000 000000184fafc780 000001fb3906c540 000001fb346d6b48 : atidxx64!AmdDxGsaFreeCompiledShader+0x7bc8e5
0c 00007ffb69df4a59 : 0000000000000000 000000184fafc870 000001fb3906bec0 000001fb32cdf3b0 : atidxx64!AmdDxGsaFreeCompiledShader+0x7b82f3
0d 00007ffb69581220 : 000001fb32cdf4c8 000001fb34c0f1f0 000001fb32caf3d8 000001fb32cb32a0 : atidxx64!AmdDxGsaFreeCompiledShader+0x823559
0e 00007ffb75588edc : 0000000000000000 000000184fafca60 000001fb32cdf4b8 000001fb32cde498 : atidxx64!XdxQueryTlsLookupTable+0x1b430
0f 00007ffb7559295f : 0000001800000001 000001fb34c0b608 000001fb32cdf4b8 000001fb34c016f0 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
10 00007ffb7559289a : 000000184fafe3f0 00007ffb1edb7a18 000001fb32cdf100 00007ffb1ed2cf20 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
11 00007ffb7557ee58 : 000001fb32cdf3a8 000000184fafe3f0 000000184fafe370 00007ffb1edb7a18 : d3d11!CLayeredObjectWithCLS
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Timeline.OS.Boot.DeltaSec
Value: 2489
Key : Timeline.Process.Start.DeltaSec
Value: 108
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2020-03-21T18:13:20.789Z
Diff: 789 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2020-03-21T18:13:20.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2020-03-21T18:11:32.0Z
Diff: 108000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2020-03-21T17:31:51.0Z
Diff: 2489000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
atidxx64!XdxQueryTlsLookupTable+522f1
00007ffb`695b80e1 099c85a84e0000 or dword ptr [rbp+rax*4+4EA8h],ebx
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffb695b80e1 (atidxx64!XdxQueryTlsLookupTable+0x00000000000522f1)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000001fe6c2c8808
Attempt to write to address 000001fe6c2c8808
FAULTING_THREAD: 00002554
PROCESS_NAME: POC_EXEC11.exe
FOLLOWUP_IP:
atidxx64!XdxQueryTlsLookupTable+522f1
00007ffb`695b80e1 099c85a84e0000 or dword ptr [rbp+rax*4+4EA8h],ebx
WRITE_ADDRESS: 000001fe6c2c8808
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000001fe6c2c8808
WATSON_BKT_PROCSTAMP: 5e1a142e
WATSON_BKT_MODULE: atidxx64.dll
WATSON_BKT_MODSTAMP: 5e59a28f
WATSON_BKT_MODOFFSET: 580e1
WATSON_BKT_MODVER: 26.20.15019.19000
MODULE_VER_PRODUCT: Advanced Micro Devices, Inc. Radeon DirectX 11 Driver
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
MODLIST_WITH_TSCHKSUM_HASH: 576d53afe83c9dc19b47ba6e73c74c7156aa337c
MODLIST_SHA1_HASH: d750f006ba2fb2ab3fbce41eead7680b98382016
NTGLOBALFLAG: 470
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 03-21-2020 19:13:20.0789
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
PROBLEM_CLASSES:
ID: [0n313]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x2554]
Frame: [0] : atidxx64!XdxQueryTlsLookupTable
ID: [0n286]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x2554]
Frame: [0] : atidxx64!XdxQueryTlsLookupTable
ID: [0n117]
Type: [EXPLOITABLE]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x1bcc]
TID: [0x2554]
Frame: [0] : atidxx64!XdxQueryTlsLookupTable
LAST_CONTROL_TRANSFER: from 00007ffb695b7ecd to 00007ffb695b80e1
STACK_TEXT:
00000018`4fafb5d0 00007ffb`695b7ecd : 000001fb`00000040 000001fb`38fcc708 00000000`00000000 00000000`00000000 : atidxx64!XdxQueryTlsLookupTable+0x522f1
00000018`4fafb660 00007ffb`695b71b9 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!XdxQueryTlsLookupTable+0x520dd
00000018`4fafb8d0 00007ffb`695b0b9b : 000001fb`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!XdxQueryTlsLookupTable+0x513c9
00000018`4fafc210 00007ffb`695c370e : 00000000`00000000 000001fb`3907d5f0 00000000`00000001 000001fb`38fc7960 : atidxx64!XdxQueryTlsLookupTable+0x4adab
00000018`4fafc2c0 00007ffb`695abd1e : 000001fb`3907d5f0 00000000`00000000 00000000`00000000 00000018`4fafc870 : atidxx64!XdxQueryTlsLookupTable+0x5d91e
00000018`4fafc2f0 00007ffb`695abb12 : 000001fb`38f31b40 000001fb`3907d2c0 00000018`4fafc870 00000000`00000000 : atidxx64!XdxQueryTlsLookupTable+0x45f2e
00000018`4fafc3d0 00007ffb`69ee1e71 : 00000000`00000000 00000018`4fafc870 000001fb`38f31b40 00000018`4fafc500 : atidxx64!XdxQueryTlsLookupTable+0x45d22
00000018`4fafc400 00007ffb`695ec1ea : 00000000`00000000 00000000`00000000 00000018`4fafc870 00000000`00000020 : atidxx64!AmdDxGsaFreeCompiledShader+0x910971
00000018`4fafc440 00007ffb`695ec033 : 000001fb`3906e590 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x1acea
00000018`4fafc480 00007ffb`6956d3de : 00000000`00000001 00000000`00000000 000001fb`32c20000 000001fb`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x1ab33
00000018`4fafc510 00007ffb`69d8dde5 : 00007ffb`69560000 000001fb`38ee0208 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x75ee
00000018`4fafc550 00007ffb`69d897f3 : 00000000`00000000 00000018`4fafc780 000001fb`3906c540 000001fb`346d6b48 : atidxx64!AmdDxGsaFreeCompiledShader+0x7bc8e5
00000018`4fafc680 00007ffb`69df4a59 : 00000000`00000000 00000018`4fafc870 000001fb`3906bec0 000001fb`32cdf3b0 : atidxx64!AmdDxGsaFreeCompiledShader+0x7b82f3
00000018`4fafc820 00007ffb`69581220 : 000001fb`32cdf4c8 000001fb`34c0f1f0 000001fb`32caf3d8 000001fb`32cb32a0 : atidxx64!AmdDxGsaFreeCompiledShader+0x823559
00000018`4fafc850 00007ffb`75588edc : 00000000`00000000 00000018`4fafca60 000001fb`32cdf4b8 000001fb`32cde498 : atidxx64!XdxQueryTlsLookupTable+0x1b430
00000018`4fafc960 00007ffb`7559295f : 00000018`00000001 000001fb`34c0b608 000001fb`32cdf4b8 000001fb`34c016f0 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
00000018`4fafcbc0 00007ffb`7559289a : 00000018`4fafe3f0 00007ffb`1edb7a18 000001fb`32cdf100 00007ffb`1ed2cf20 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
00000018`4fafcc50 00007ffb`7557ee58 : 000001fb`32cdf3a8 00000018`4fafe3f0 00000018`4fafe370 00007ffb`1edb7a18 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
00000018`4fafccb0 00007ffb`7558b17d : 00000000`00000036 000001fb`32cdf148 000001fb`32c20000 00000000`40000062 : d3d11!CDevice::CreateLayeredChild+0xc88
00000018`4fafd0f0 00007ffb`1ed43ade : 000001fb`32cdf148 00000000`00000000 000001fb`34c17410 00000000`00000009 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
00000018`4fafd260 00007ffb`1ed30d83 : 000001fb`32cdf1f8 00000000`00000000 00000000`00000000 000001fb`32cdf100 : D3D11_3SDKLayers!NDebug::CDeviceChild<ID3D11PixelShader>::FinalConstruct+0x82
00000018`4fafe2f0 00007ffb`1eceda23 : 000001fb`32cdf130 000001fb`32cdf128 000001fb`32cdf128 000001fb`32cdf100 : D3D11_3SDKLayers!CLayeredObject<NDebug::CPixelShader>::CreateInstance+0x167
00000018`4fafe3b0 00007ffb`7558b950 : 000001fb`32cdf100 00000000`00000030 00000018`4fafe4e0 000001fb`32c20000 : D3D11_3SDKLayers!NDebug::CDevice::CreateLayeredChild+0x773
00000018`4fafe4a0 00007ffb`755714f4 : 000001fb`32cad790 00000018`00000009 000001fb`32cde750 000001fb`32cae628 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
00000018`4fafe690 00007ffb`75571463 : 000001fb`32cde750 00000000`0000c000 00000000`00000000 00000000`00000001 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
00000018`4fafe6f0 00007ffb`755711e8 : 000001fb`32cae628 000001fb`32cde750 00000000`00000488 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
00000018`4fafe8a0 00007ffb`1ed19f85 : 000001fb`32cad7e8 000001fb`00000001 000001fb`32cad7e8 000001fb`32cad7f0 : d3d11!CDevice::CreatePixelShader+0x28
00000018`4fafe8f0 00007ff6`7fbd872d : 00000000`00000000 00000000`00000000 00000018`4fafe9c8 000001fb`32cde764 : D3D11_3SDKLayers!NDebug::CDevice::CreatePixelShader+0x115
00000018`4fafe960 00007ff6`7fbd8c3c : 000001fb`32cad7f0 000001fb`32cde750 00000000`00000488 cdcdcdcd`00000000 : POC_EXEC11+0x1872d
00000018`4fafebb0 00007ff6`7fbd61b8 : 000001fb`32cad7f0 000001fb`32c5d280 000001fb`00000000 00007ff6`42de0387 : POC_EXEC11+0x18c3c
00000018`4fafebf0 00007ff6`7fbeaa50 : 000001fb`32cad7f0 000001fb`32c60030 00000000`00000000 00000000`00000000 : POC_EXEC11+0x161b8
00000018`4faff090 00007ff6`7fbe6e22 : 000001fb`32c869b0 000001fb`32c86901 00000000`00000000 00000000`00000000 : POC_EXEC11+0x2aa50
00000018`4faff330 00007ff6`7fbe319c : 000001fb`32c869b0 00310043`00000201 00780065`002e0031 fefefefe`00000065 : POC_EXEC11+0x26e22
00000018`4faff720 00007ff6`7fbd47dd : 00007ff6`00009200 00007ff6`7fbc0001 00000000`00000320 00000000`00000258 : POC_EXEC11+0x2319c
00000018`4faff920 00007ff6`7fc8354d : 00007ff6`7fbc0000 00000000`00000000 000001fb`32c23300 00007ff6`0000000a : POC_EXEC11+0x147dd
00000018`4faff9d0 00007ff6`7fc833fe : 00007ff6`7fd64000 00007ff6`7fd644d0 00000000`00000000 00000000`00000000 : POC_EXEC11+0xc354d
00000018`4faffa10 00007ff6`7fc832be : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0xc33fe
00000018`4faffa80 00007ff6`7fc835d9 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0xc32be
00000018`4faffab0 00007ffb`79ba7bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0xc35d9
00000018`4faffae0 00007ffb`7b3aced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000018`4faffb10 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
STACK_COMMAND: ~0s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC: db455b736689de60c4c23a4c2697e9c4f0fae1b7
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 7034d2f81960171b25c391118b283930a8ba1b74
THREAD_SHA1_HASH_MOD: 3c299b252206567cd7b1b690e455f5a3ebdf6b61
FAULT_INSTR_CODE: a8859c09
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: atidxx64!XdxQueryTlsLookupTable+522f1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: atidxx64
IMAGE_NAME: atidxx64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5e59a28f
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_atidxx64.dll!XdxQueryTlsLookupTable
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_atidxx64!XdxQueryTlsLookupTable+522f1
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: atidxx64.dll
BUCKET_ID_IMAGE_STR: atidxx64.dll
FAILURE_MODULE_NAME: atidxx64
BUCKET_ID_MODULE_STR: atidxx64
FAILURE_FUNCTION_NAME: XdxQueryTlsLookupTable
BUCKET_ID_FUNCTION_STR: XdxQueryTlsLookupTable
BUCKET_ID_OFFSET: 522f1
BUCKET_ID_MODTIMEDATESTAMP: 5e59a28f
BUCKET_ID_MODCHECKSUM: 19151d4
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: atidxx64.dll!XdxQueryTlsLookupTable
TARGET_TIME: 2020-03-21T18:14:26.000Z
OSBUILD: 18363
OSSERVICEPACK: 329
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 10068
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_exploitable_c0000005_atidxx64.dll!xdxquerytlslookuptable
FAILURE_ID_HASH: {e90f63d0-92d3-f76d-e643-415c3b3a001b}
Followup: MachineOwner
---------
2020-03-31 - Vendor Disclosure
2020-07-14 - Public Release
Discovered by Piotr Bania of Cisco Talos.