Talos Vulnerability Report

TALOS-2020-1102

AMD ATIKMDAG.SYS D3DKMTEscape handler Denial of Service Vulnerability

October 13, 2020
CVE Number

CVE-2020-12933

Summary

A denial of service vulnerability exists in the D3DKMTEscape handler functionality of AMD ATIKMDAG.SYS 26.20.15029.27017. A specially crafted D3DKMTEscape request can cause an out-of-bounds read in the Windows kernel memory area. This vulnerability can be triggered from a guest account.

Tested Versions

AMD ATIKMDAG.SYS 26.20.15029.27017

Product URLs

https://amd.com

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Details

AMD ATIKMDAG.SYS graphics driver

This vulnerability is triggered by calling D3DKMTEscape with malformed private driver data. The request travels through dxgkrnl!DxgkEscape and DXGADAPTER::DdiEscape into the AMD miniport (atikmpag.sys) and on into atikmdag.sys, where a byte-copy loop reads from an address the attacker influences through the escape payload.
The faulting instruction is the movzx at atikmdag+0x39456. The surrounding loop copies bytes from [r10+rax] to [rax] until it meets a NUL byte or exhausts its counters (r8 and rdx), but never validates the source address. With the register state captured at the crash (rax = ffff8003`bc7cec21, r10 = 000080c9`104fe017), the source operand r10+rax resolves to 000000cc`cccccc38, an address that is not mapped, so the read faults in kernel mode and Windows bugchecks with SYSTEM_SERVICE_EXCEPTION (0x3b). The _VRF_ tag in the failure bucket shows Driver Verifier was enabled during testing; the fault does not depend on it, since an unmapped read from kernel code bugchecks regardless. Because the escape is reachable from an unprivileged process, the outcome is a system-wide denial of service (CVSS A:H with changed scope).

Disassembly of the affected code:

atikmdag+0x39456:
fffff800`12d49456 410fb60c02      movzx   ecx,byte ptr [r10+rax] ds:002b:000000cc`cccccc38=??
(the attacker controls the read address: here r10+rax = 000000cc`cccccc38, which is not mapped)


.text:0000000000049451 loc_49451:                              ; CODE XREF: sub_493C0+AB↓j
.text:0000000000049451                 test    r8, r8
.text:0000000000049454                 jz      short loc_4946D
.text:0000000000049456                 movzx   ecx, byte ptr [r10+rax] ; bug, attacker can control the read address 
.text:000000000004945B                 test    cl, cl
.text:000000000004945D                 jz      short loc_4946D
.text:000000000004945F                 mov     [rax], cl
.text:0000000000049461                 dec     r8
.text:0000000000049464                 inc     rax
.text:0000000000049467                 sub     rdx, 1
.text:000000000004946B                 jnz     short loc_49451
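
The loop above, rendered as C to make the missing check visible. This is an added illustration, not code from AMD or from the Talos report: the payload layout (a string offset followed by data) and the origin of the source pointer are assumptions, since the advisory only establishes that the attacker controls the read address. The unchecked handler mirrors the driver's loop and reads past the caller's buffer; the hardened form beside it validates the offset against the escape payload size before copying, which is the check that would turn this crash into a rejected request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a driver-private escape payload. The real AMD layout is not
 * public and the advisory does not describe it; this struct is an assumption used
 * only to reproduce the shape of the copy loop shown in the disassembly. */
typedef struct {
    uint32_t name_offset;   /* caller-chosen: where a NUL-terminated string starts */
    uint8_t  data[60];      /* remainder of the caller-supplied payload */
} escape_payload_t;

/* Payload plus the memory that follows it, so an over-read can be shown safely. */
typedef union {
    escape_payload_t payload;
    uint8_t bytes[128];
} arena_t;

#define NAME_LIMIT 0xff              /* per-string limit; rdx = 0xff in the crash context */
char demo_out[NAME_LIMIT + 1];       /* destination the demo scenarios copy into */

/* The loop at atikmdag+0x39451 in C: r8 is the remaining output budget, rdx the
 * per-string limit, [r10+rax] the source byte and [rax] the destination. Nothing
 * here, or in the driver's loop, checks that src points at readable memory. */
static size_t copy_bounded(char *dst, const char *src, size_t limit, size_t budget)
{
    size_t n = 0;
    while (budget != 0 && limit != 0) {
        char c = *src++;            /* movzx ecx, byte ptr [r10+rax] */
        if (c == '\0')              /* test cl, cl ; jz */
            break;
        *dst++ = c;                 /* mov [rax], cl */
        budget--;                   /* dec r8 */
        limit--;                    /* sub rdx, 1 */
        n++;                        /* inc rax */
    }
    return n;
}

/* Vulnerable shape: the source comes from an attacker-controlled field and is never
 * compared against the payload size, so a large offset reads beyond the payload. */
static int handle_escape_unchecked(const uint8_t *payload, size_t payload_size, char *out)
{
    (void)payload_size;             /* never consulted: that is the bug */
    const escape_payload_t *p = (const escape_payload_t *)payload;
    size_t n = copy_bounded(out, (const char *)payload + p->name_offset, NAME_LIMIT, SIZE_MAX);
    out[n] = '\0';
    return (int)n;
}

/* Hardened shape: reject offsets outside the caller's buffer and cap the copy at the
 * bytes remaining in the payload so an unterminated string cannot run off the end. */
static int handle_escape_checked(const uint8_t *payload, size_t payload_size, char *out)
{
    if (payload_size < sizeof(escape_payload_t))
        return -1;
    const escape_payload_t *p = (const escape_payload_t *)payload;
    if (p->name_offset >= payload_size)
        return -1;
    size_t avail = payload_size - p->name_offset;
    size_t n = copy_bounded(out, (const char *)payload + p->name_offset,
                            avail < NAME_LIMIT ? avail : NAME_LIMIT, SIZE_MAX);
    out[n] = '\0';
    return (int)n;
}

/* Constructed input: a 64-byte payload holding "adapter", followed by "ADJACENT"
 * standing in for whatever memory lies beyond the caller's buffer. */
static void build_arena(arena_t *a, uint32_t name_offset)
{
    memset(a, 0, sizeof *a);
    a->payload.name_offset = name_offset;
    memcpy(a->payload.data, "adapter", sizeof "adapter");
    memcpy(a->bytes + sizeof(escape_payload_t), "ADJACENT", sizeof "ADJACENT");
}

/* Run one constructed request through the unchecked (0) or checked (1) handler. */
static int run_demo(int checked, uint32_t name_offset, int unterminated)
{
    arena_t a;
    build_arena(&a, name_offset);
    if (unterminated)
        memset(a.payload.data, 'A', sizeof a.payload.data);   /* no NUL anywhere */
    int (*handler)(const uint8_t *, size_t, char *) =
        checked ? handle_escape_checked : handle_escape_unchecked;
    return handler(a.bytes, sizeof(escape_payload_t), demo_out);
}

/* Scenarios; each name states the outcome, demo_out holds the copied bytes. */
int demo_unchecked_reads_past_payload(void) { return run_demo(0, (uint32_t)sizeof(escape_payload_t), 0); }
int demo_checked_rejects_out_of_range(void)  { return run_demo(1, (uint32_t)sizeof(escape_payload_t), 0); }
int demo_checked_accepts_valid_offset(void)  { return run_demo(1, (uint32_t)offsetof(escape_payload_t, data), 0); }
int demo_checked_caps_unterminated_tail(void) { return run_demo(1, (uint32_t)(sizeof(escape_payload_t) - 4), 1); }

int main(void)
{
    printf("unchecked, offset past payload: %d \"%s\"\n", demo_unchecked_reads_past_payload(), demo_out);
    printf("checked, same offset:           %d\n", demo_checked_rejects_out_of_range());
    printf("checked, valid offset:          %d \"%s\"\n", demo_checked_accepts_valid_offset(), demo_out);
    printf("checked, no terminator:         %d \"%s\"\n", demo_checked_caps_unterminated_tail(), demo_out);
    return 0;
}
```

The design point is the bound, not the copy: dxgkrnl hands the miniport a kernel copy of the caller's private driver data together with its size, so any pointer-sized value inside that buffer is whatever the caller chose. Treating it as an offset and checking it against PrivateDriverDataSize, as handle_escape_checked does, is the standard remedy for driver-private escapes; the loop's own counters (r8 and rdx in the disassembly) limit how much is copied but say nothing about where the copy may read from.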

Stack trace:

: kd> kb
  *** Stack trace for last set context - .thread/.cxr resets it
 # RetAddr           : Args to Child                                                           : Call Site
00 fffff800`12d46c44 : ffff8003`bc7cec20 fffff881`a14ed068 00000000`00000103 00000000`00000000 : atikmdag+0x39456
01 fffff800`12d48039 : ffffb088`a30487a0 fffff881`a14ecee0 fffff881`a14ecf08 fffff881`a14ed068 : atikmdag+0x36c44
02 fffff800`12d3dc8b : 00000000`00000000 00000000`00000000 fffff881`a14ed0b9 fffff801`805b0245 : atikmdag+0x38039
03 fffff800`12d372e5 : 00000000`c000000d ffffb088`9ac02000 fffff881`a14ed90c ffffb088`9ac02000 : atikmdag+0x2dc8b
04 fffff800`0b02585a : 00000000`00000001 fffff881`a14ed329 ffffb088`9ab83d40 ffffb088`9e5805c0 : atikmdag+0x272e5
05 fffff800`0b026ef1 : 00000000`00000001 ffffb088`9e5805c0 ffffb088`9eb3d000 00000000`00000000 : atikmpag+0x2585a
06 fffff800`0b025ca1 : ffffb088`9e5805c0 fffff881`a14ed400 00000000`00000000 00000000`c0000001 : atikmpag+0x26ef1
07 fffff800`0b06e465 : fffff881`a14ed90c fffff881`a14ed430 fffff881`a14ed640 ffffb088`9ba7a790 : atikmpag+0x25ca1
08 fffff800`0a382b36 : ffff8003`cabcdb00 ffffb088`9ec7c080 ffffb088`00000000 00000000`00000000 : atikmpag+0x6e465
09 fffff800`0a384c2a : ffffb088`9eb3d000 fffff881`00000000 ffffb088`9eb3d000 fffff881`a14edb80 : dxgkrnl!DXGADAPTER::DdiEscape+0x1a6
0a fffff801`805e1c18 : ffffb088`00000000 ffffb088`9ec7c080 00000000`00000000 fffff881`a14edb80 : dxgkrnl!DxgkEscape+0x7da
0b 00007ffe`83fd4b24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
0c 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`83fd4b24

Crash Information

: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80012d49456, Address of the instruction which caused the bugcheck
Arg3: fffff881a14ec3c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

	Key  : Analysis.CPU.Sec
	Value: 3

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on CLAB

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 29

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 71

	Key  : Analysis.System
	Value: CreateObject


ADDITIONAL_XML: 1

BUGCHECK_CODE:  3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff80012d49456

BUGCHECK_P3: fffff881a14ec3c0

BUGCHECK_P4: 0

CONTEXT:  fffff881a14ec3c0 -- (.cxr 0xfffff881a14ec3c0)
rax=ffff8003bc7cec21 rbx=ffff8003bc7cec20 rcx=ffffffffffffffff
rdx=00000000000000ff rsi=ffffb0889ac02000 rdi=0000000000000000
rip=fffff80012d49456 rsp=fffff881a14ecdb8 rbp=fffff881a14ece59
 r8=000000007ffffffe  r9=0000000000000000 r10=000080c9104fe017
r11=0000000000000100 r12=0000000000000000 r13=fffff881a14ed990
r14=fffff881a14ed9f4 r15=fffff881a14ed068
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
atikmdag+0x39456:
fffff800`12d49456 410fb60c02      movzx   ecx,byte ptr [r10+rax] ds:002b:000000cc`cccccc38=??
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  DeviceIoTrigger.exe

STACK_TEXT:  
fffff881`a14ecdb8 fffff800`12d46c44 : ffff8003`bc7cec20 fffff881`a14ed068 00000000`00000103 00000000`00000000 : atikmdag+0x39456
fffff881`a14ecdc0 fffff800`12d48039 : ffffb088`a30487a0 fffff881`a14ecee0 fffff881`a14ecf08 fffff881`a14ed068 : atikmdag+0x36c44
fffff881`a14ecec0 fffff800`12d3dc8b : 00000000`00000000 00000000`00000000 fffff881`a14ed0b9 fffff801`805b0245 : atikmdag+0x38039
fffff881`a14ed020 fffff800`12d372e5 : 00000000`c000000d ffffb088`9ac02000 fffff881`a14ed90c ffffb088`9ac02000 : atikmdag+0x2dc8b
fffff881`a14ed120 fffff800`0b02585a : 00000000`00000001 fffff881`a14ed329 ffffb088`9ab83d40 ffffb088`9e5805c0 : atikmdag+0x272e5
fffff881`a14ed220 fffff800`0b026ef1 : 00000000`00000001 ffffb088`9e5805c0 ffffb088`9eb3d000 00000000`00000000 : atikmpag+0x2585a
fffff881`a14ed280 fffff800`0b025ca1 : ffffb088`9e5805c0 fffff881`a14ed400 00000000`00000000 00000000`c0000001 : atikmpag+0x26ef1
fffff881`a14ed390 fffff800`0b06e465 : fffff881`a14ed90c fffff881`a14ed430 fffff881`a14ed640 ffffb088`9ba7a790 : atikmpag+0x25ca1
fffff881`a14ed3c0 fffff800`0a382b36 : ffff8003`cabcdb00 ffffb088`9ec7c080 ffffb088`00000000 00000000`00000000 : atikmpag+0x6e465
fffff881`a14ed470 fffff800`0a384c2a : ffffb088`9eb3d000 fffff881`00000000 ffffb088`9eb3d000 fffff881`a14edb80 : dxgkrnl!DXGADAPTER::DdiEscape+0x1a6
fffff881`a14ed520 fffff801`805e1c18 : ffffb088`00000000 ffffb088`9ec7c080 00000000`00000000 fffff881`a14edb80 : dxgkrnl!DxgkEscape+0x7da
fffff881`a14edb00 00007ffe`83fd4b24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000ca`32eff778 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`83fd4b24


SYMBOL_NAME:  atikmdag+39456

MODULE_NAME: atikmdag

IMAGE_NAME:  atikmdag.sys

STACK_COMMAND:  .cxr 0xfffff881a14ec3c0 ; kb

BUCKET_ID_FUNC_OFFSET:  39456

FAILURE_BUCKET_ID:  0x3B_c0000005_VRF_atikmdag!unknown_function

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {8664d107-4f84-ae56-efe5-fb613169ae88}

Followup:     MachineOwner
---------

Timeline

2020-06-29 - Vendor Disclosure
2020-09-29 - Vendor assigned CVE-2020-12933
2020-09-30 - Disclosure deadline extended
2020-10-13 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.