Talos Vulnerability Report

TALOS-2020-1102

AMD ATIKMDAG.SYS D3DKMTEscape handler Denial of Service Vulnerability

October 13, 2020
CVE Number

CVE-2020-12933

SUMMARY

A denial of service vulnerability exists in the D3DKMTEscape handler functionality of AMD ATIKMDAG.SYS 26.20.15029.27017. A specially crafted D3DKMTEscape request can cause an out-of-bounds read in the Windows OS kernel memory area. This vulnerability can be triggered from a guest account.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

AMD ATIKMDAG.SYS 26.20.15029.27017

PRODUCT URLS

ATIKMDAG.SYS - https://amd.com

CVSSv3 SCORE

7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

DETAILS

AMD ATIKMDAG.SYS graphics driver

This vulnerability can be triggered by executing the D3DKMTEscape function with malformed data, which leads to an out-of-bounds read in the AMD ATIKMDAG.SYS driver.
An attacker can influence the read address of the movzx instruction by modifying the payload passed to D3DKMTEscape, leading to an out-of-bounds read that causes a denial of service.

Disassembly of the affected code:

atikmdag+0x39456:
fffff800`12d49456 410fb60c02      movzx   ecx,byte ptr [r10+rax] ds:002b:000000cc`cccccc38=??
(as you can see, the attacker can control the read address)


.text:0000000000049451 loc_49451:                              ; CODE XREF: sub_493C0+AB↓j
.text:0000000000049451                 test    r8, r8
.text:0000000000049454                 jz      short loc_4946D
.text:0000000000049456                 movzx   ecx, byte ptr [r10+rax] ; bug, attacker can control the read address
.text:000000000004945B                 test    cl, cl
.text:000000000004945D                 jz      short loc_4946D
.text:000000000004945F                 mov     [rax], cl
.text:0000000000049461                 dec     r8
.text:0000000000049464                 inc     rax
.text:0000000000049467                 sub     rdx, 1
.text:000000000004946B                 jnz     short loc_49451

Stack trace:

: kd> kb
  *** Stack trace for last set context - .thread/.cxr resets it
 # RetAddr           : Args to Child                                                           : Call Site
00 fffff800`12d46c44 : ffff8003`bc7cec20 fffff881`a14ed068 00000000`00000103 00000000`00000000 : atikmdag+0x39456
01 fffff800`12d48039 : ffffb088`a30487a0 fffff881`a14ecee0 fffff881`a14ecf08 fffff881`a14ed068 : atikmdag+0x36c44
02 fffff800`12d3dc8b : 00000000`00000000 00000000`00000000 fffff881`a14ed0b9 fffff801`805b0245 : atikmdag+0x38039
03 fffff800`12d372e5 : 00000000`c000000d ffffb088`9ac02000 fffff881`a14ed90c ffffb088`9ac02000 : atikmdag+0x2dc8b
04 fffff800`0b02585a : 00000000`00000001 fffff881`a14ed329 ffffb088`9ab83d40 ffffb088`9e5805c0 : atikmdag+0x272e5
05 fffff800`0b026ef1 : 00000000`00000001 ffffb088`9e5805c0 ffffb088`9eb3d000 00000000`00000000 : atikmpag+0x2585a
06 fffff800`0b025ca1 : ffffb088`9e5805c0 fffff881`a14ed400 00000000`00000000 00000000`c0000001 : atikmpag+0x26ef1
07 fffff800`0b06e465 : fffff881`a14ed90c fffff881`a14ed430 fffff881`a14ed640 ffffb088`9ba7a790 : atikmpag+0x25ca1
08 fffff800`0a382b36 : ffff8003`cabcdb00 ffffb088`9ec7c080 ffffb088`00000000 00000000`00000000 : atikmpag+0x6e465
09 fffff800`0a384c2a : ffffb088`9eb3d000 fffff881`00000000 ffffb088`9eb3d000 fffff881`a14edb80 : dxgkrnl!DXGADAPTER::DdiEscape+0x1a6
0a fffff801`805e1c18 : ffffb088`00000000 ffffb088`9ec7c080 00000000`00000000 fffff881`a14edb80 : dxgkrnl!DxgkEscape+0x7da
0b 00007ffe`83fd4b24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
0c 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`83fd4b24

Crash Information

: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80012d49456, Address of the instruction which caused the bugcheck
Arg3: fffff881a14ec3c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

	Key  : Analysis.CPU.Sec
	Value: 3

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on CLAB

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 29

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 71

	Key  : Analysis.System
	Value: CreateObject


ADDITIONAL_XML: 1

BUGCHECK_CODE:  3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff80012d49456

BUGCHECK_P3: fffff881a14ec3c0

BUGCHECK_P4: 0

CONTEXT:  fffff881a14ec3c0 -- (.cxr 0xfffff881a14ec3c0)
rax=ffff8003bc7cec21 rbx=ffff8003bc7cec20 rcx=ffffffffffffffff
rdx=00000000000000ff rsi=ffffb0889ac02000 rdi=0000000000000000
rip=fffff80012d49456 rsp=fffff881a14ecdb8 rbp=fffff881a14ece59
 r8=000000007ffffffe  r9=0000000000000000 r10=000080c9104fe017
r11=0000000000000100 r12=0000000000000000 r13=fffff881a14ed990
r14=fffff881a14ed9f4 r15=fffff881a14ed068
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
atikmdag+0x39456:
fffff800`12d49456 410fb60c02      movzx   ecx,byte ptr [r10+rax] ds:002b:000000cc`cccccc38=??
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  DeviceIoTrigger.exe

STACK_TEXT:  
fffff881`a14ecdb8 fffff800`12d46c44 : ffff8003`bc7cec20 fffff881`a14ed068 00000000`00000103 00000000`00000000 : atikmdag+0x39456
fffff881`a14ecdc0 fffff800`12d48039 : ffffb088`a30487a0 fffff881`a14ecee0 fffff881`a14ecf08 fffff881`a14ed068 : atikmdag+0x36c44
fffff881`a14ecec0 fffff800`12d3dc8b : 00000000`00000000 00000000`00000000 fffff881`a14ed0b9 fffff801`805b0245 : atikmdag+0x38039
fffff881`a14ed020 fffff800`12d372e5 : 00000000`c000000d ffffb088`9ac02000 fffff881`a14ed90c ffffb088`9ac02000 : atikmdag+0x2dc8b
fffff881`a14ed120 fffff800`0b02585a : 00000000`00000001 fffff881`a14ed329 ffffb088`9ab83d40 ffffb088`9e5805c0 : atikmdag+0x272e5
fffff881`a14ed220 fffff800`0b026ef1 : 00000000`00000001 ffffb088`9e5805c0 ffffb088`9eb3d000 00000000`00000000 : atikmpag+0x2585a
fffff881`a14ed280 fffff800`0b025ca1 : ffffb088`9e5805c0 fffff881`a14ed400 00000000`00000000 00000000`c0000001 : atikmpag+0x26ef1
fffff881`a14ed390 fffff800`0b06e465 : fffff881`a14ed90c fffff881`a14ed430 fffff881`a14ed640 ffffb088`9ba7a790 : atikmpag+0x25ca1
fffff881`a14ed3c0 fffff800`0a382b36 : ffff8003`cabcdb00 ffffb088`9ec7c080 ffffb088`00000000 00000000`00000000 : atikmpag+0x6e465
fffff881`a14ed470 fffff800`0a384c2a : ffffb088`9eb3d000 fffff881`00000000 ffffb088`9eb3d000 fffff881`a14edb80 : dxgkrnl!DXGADAPTER::DdiEscape+0x1a6
fffff881`a14ed520 fffff801`805e1c18 : ffffb088`00000000 ffffb088`9ec7c080 00000000`00000000 fffff881`a14edb80 : dxgkrnl!DxgkEscape+0x7da
fffff881`a14edb00 00007ffe`83fd4b24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000ca`32eff778 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`83fd4b24


SYMBOL_NAME:  atikmdag+39456

MODULE_NAME: atikmdag

IMAGE_NAME:  atikmdag.sys

STACK_COMMAND:  .cxr 0xfffff881a14ec3c0 ; kb

BUCKET_ID_FUNC_OFFSET:  39456

FAILURE_BUCKET_ID:  0x3B_c0000005_VRF_atikmdag!unknown_function

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {8664d107-4f84-ae56-efe5-fb613169ae88}

Followup:     MachineOwner
---------
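As an added triage example (not part of the Talos report), the following Python recomputes the address read by the faulting movzx from the CONTEXT register values printed above, cross-checks it against the data address WinDbg resolved on the instruction line, and classifies which x64 address range the read landed in. The register and instruction lines are copied from this report's crash output, and the user/kernel boundaries are the standard canonical x64 Windows ranges.

```python
import re

# Register excerpt and faulting instruction copied from the CONTEXT block of the
# !analyze -v output above (embedded here so the script runs offline).
CONTEXT_DUMP = """\
rax=ffff8003bc7cec21 rbx=ffff8003bc7cec20 rcx=ffffffffffffffff
rdx=00000000000000ff rsi=ffffb0889ac02000 rdi=0000000000000000
rip=fffff80012d49456 rsp=fffff881a14ecdb8 rbp=fffff881a14ece59
 r8=000000007ffffffe  r9=0000000000000000 r10=000080c9104fe017
r11=0000000000000100 r12=0000000000000000 r13=fffff881a14ed990
"""
FAULT_LINE = ("fffff800`12d49456 410fb60c02      movzx   ecx,byte ptr [r10+rax] "
              "ds:002b:000000cc`cccccc38=??")

MASK64 = (1 << 64) - 1
USER_MAX = 0x00007FFFFFFFFFFF    # top of canonical user space on x64 Windows
KERNEL_MIN = 0xFFFF800000000000  # bottom of canonical kernel space

def parse_registers(dump):
    """Map register name -> value from every 'name=<16 hex digits>' token."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(r[a-z0-9]+)=([0-9a-f]{16})\b", dump)}

def parse_fault(line):
    """Return (base, index, reported_address) from a '[base+index] ... ds:sel:hi`lo' line."""
    op = re.search(r"\[(r[a-z0-9]+)\+(r[a-z0-9]+)\]", line)
    ea = re.search(r"ds:[0-9a-f]{4}:([0-9a-f]{8})`([0-9a-f]{8})", line)
    return op.group(1), op.group(2), int(ea.group(1) + ea.group(2), 16)

def classify(addr):
    """Coarse x64 address-range classification used for crash triage."""
    if addr <= USER_MAX:
        return "user-mode"
    if addr >= KERNEL_MIN:
        return "kernel-mode"
    return "non-canonical"

def triage(dump=CONTEXT_DUMP, line=FAULT_LINE):
    """Recompute the source address of the movzx read and cross-check it with WinDbg."""
    regs = parse_registers(dump)
    base, index, reported = parse_fault(line)
    computed = (regs[base] + regs[index]) & MASK64   # 64-bit wraparound, as the CPU does
    return {
        "computed": computed,                        # expected 0x000000cccccccc38
        "matches_debugger": computed == reported,
        "source_region": classify(computed),         # where the out-of-bounds read landed
        "dest_region": classify(regs["rax"]),        # rax is also the 'mov [rax], cl' target
        "bytes_left": regs["rdx"],                   # loop counter, decremented per byte
    }
```

The result shows the copy loop writing into a kernel pool buffer (rax) while sourcing bytes from a user-mode address that the register state derived from the escape payload, which is the read the bugcheck reports.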
TIMELINE

2020-06-29 - Vendor Disclosure
2020-09-29 - Vendor assigned CVE-2020-12933
2020-09-30 - Disclosure deadline extended
2020-10-13 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.