CVE-2020-12933
A denial-of-service vulnerability exists in the D3DKMTEscape handler functionality of AMD ATIKMDAG.SYS 26.20.15029.27017. A specially crafted D3DKMTEscape request can cause an out-of-bounds read in the Windows OS kernel memory area. This vulnerability can be triggered from a guest account.
Tested Versions: AMD ATIKMDAG.SYS 26.20.15029.27017
CVSSv3 Score: 7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-125 - Out-of-bounds Read
Product: AMD ATIKMDAG.SYS graphics driver
This vulnerability can be triggered by executing the D3DKMTEscape function with malformed data, which leads to an out-of-bounds read in the AMD ATIKMDAG.SYS driver. An attacker can influence the read address of the movzx operation by modifying the payload passed to the D3DKMTEscape function, producing an out-of-bounds read that causes a denial of service.
Disassembly of the affected code:
atikmdag+0x39456:
fffff800`12d49456 410fb60c02 movzx ecx,byte ptr [r10+rax] ds:002b:000000cc`cccccc38=??
(as can be seen, the attacker controls the read address)
.text:0000000000049451 loc_49451: ; CODE XREF: sub_493C0+AB↑j
.text:0000000000049451 test r8, r8
.text:0000000000049454 jz short loc_4946D
.text:0000000000049456 movzx ecx, byte ptr [r10+rax] ; bug, attacker can control the read address
.text:000000000004945B test cl, cl
.text:000000000004945D jz short loc_4946D
.text:000000000004945F mov [rax], cl
.text:0000000000049461 dec r8
.text:0000000000049464 inc rax
.text:0000000000049467 sub rdx, 1
.text:000000000004946B jnz short loc_49451
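To make the pattern in the disassembly concrete, here is an added C model (not the driver's code; the packet layout, field names and functions are hypothetical) of an escape-handler string copy whose source offset comes straight from the request, shown beside a bounds-checked version that rejects offsets outside the packet and names without an in-bounds terminator:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an escape request (hypothetical layout, not the real
 * D3DKMTEscape private-data format): a header carrying a byte offset that is
 * supposed to point at a NUL-terminated name stored later in the same packet. */
#define PKT_SIZE 32
typedef struct {
    uint32_t name_offset;                 /* untrusted; plays the role of the r10 delta */
    uint8_t  payload[PKT_SIZE - sizeof(uint32_t)];
} escape_packet_t;

/* Mirrors the disassembled loop: movzx from [r10+rax], stop on NUL or when the
 * remaining count hits zero, store to [rax]. The source pointer is derived from
 * the untrusted offset and is never compared against the packet bounds. */
static void copy_name_unchecked(char *dst, size_t dst_len,
                                const escape_packet_t *pkt) {
    const uint8_t *src = (const uint8_t *)pkt + pkt->name_offset;
    size_t i;
    for (i = 0; i + 1 < dst_len && src[i] != 0; i++)   /* OOB read on a bogus offset */
        dst[i] = (char)src[i];
    dst[i] = '\0';
}

/* Hardened version: the offset must fall inside the packet, the scan for the
 * terminator is bounded by the bytes actually present, and an unterminated or
 * oversized name is rejected instead of being copied. */
static bool copy_name_checked(char *dst, size_t dst_len,
                              const escape_packet_t *pkt, size_t pkt_len) {
    const uint8_t *base = (const uint8_t *)pkt;
    uint32_t off = pkt->name_offset;
    if (pkt_len < sizeof(uint32_t) || off < sizeof(uint32_t) || off >= pkt_len)
        return false;                     /* offset points outside the packet */
    size_t avail = pkt_len - off, n = 0;
    while (n < avail && base[off + n] != 0) n++;
    if (n == avail || n >= dst_len)
        return false;                     /* no NUL inside the packet, or name too long */
    memcpy(dst, base + off, n);
    dst[n] = '\0';
    return true;
}
```

The unchecked copy is only safe when the offset happens to land on a terminated string inside the packet; the checked copy turns every other case into a clean failure instead of a kernel read at an attacker-chosen address.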
Stack trace:
kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
# RetAddr : Args to Child : Call Site
00 fffff800`12d46c44 : ffff8003`bc7cec20 fffff881`a14ed068 00000000`00000103 00000000`00000000 : atikmdag+0x39456
01 fffff800`12d48039 : ffffb088`a30487a0 fffff881`a14ecee0 fffff881`a14ecf08 fffff881`a14ed068 : atikmdag+0x36c44
02 fffff800`12d3dc8b : 00000000`00000000 00000000`00000000 fffff881`a14ed0b9 fffff801`805b0245 : atikmdag+0x38039
03 fffff800`12d372e5 : 00000000`c000000d ffffb088`9ac02000 fffff881`a14ed90c ffffb088`9ac02000 : atikmdag+0x2dc8b
04 fffff800`0b02585a : 00000000`00000001 fffff881`a14ed329 ffffb088`9ab83d40 ffffb088`9e5805c0 : atikmdag+0x272e5
05 fffff800`0b026ef1 : 00000000`00000001 ffffb088`9e5805c0 ffffb088`9eb3d000 00000000`00000000 : atikmpag+0x2585a
06 fffff800`0b025ca1 : ffffb088`9e5805c0 fffff881`a14ed400 00000000`00000000 00000000`c0000001 : atikmpag+0x26ef1
07 fffff800`0b06e465 : fffff881`a14ed90c fffff881`a14ed430 fffff881`a14ed640 ffffb088`9ba7a790 : atikmpag+0x25ca1
08 fffff800`0a382b36 : ffff8003`cabcdb00 ffffb088`9ec7c080 ffffb088`00000000 00000000`00000000 : atikmpag+0x6e465
09 fffff800`0a384c2a : ffffb088`9eb3d000 fffff881`00000000 ffffb088`9eb3d000 fffff881`a14edb80 : dxgkrnl!DXGADAPTER::DdiEscape+0x1a6
0a fffff801`805e1c18 : ffffb088`00000000 ffffb088`9ec7c080 00000000`00000000 fffff881`a14edb80 : dxgkrnl!DxgkEscape+0x7da
0b 00007ffe`83fd4b24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
0c 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`83fd4b24
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80012d49456, Address of the instruction which caused the bugcheck
Arg3: fffff881a14ec3c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CLAB
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 29
Key : Analysis.Memory.CommitPeak.Mb
Value: 71
Key : Analysis.System
Value: CreateObject
ADDITIONAL_XML: 1
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff80012d49456
BUGCHECK_P3: fffff881a14ec3c0
BUGCHECK_P4: 0
CONTEXT: fffff881a14ec3c0 -- (.cxr 0xfffff881a14ec3c0)
rax=ffff8003bc7cec21 rbx=ffff8003bc7cec20 rcx=ffffffffffffffff
rdx=00000000000000ff rsi=ffffb0889ac02000 rdi=0000000000000000
rip=fffff80012d49456 rsp=fffff881a14ecdb8 rbp=fffff881a14ece59
r8=000000007ffffffe r9=0000000000000000 r10=000080c9104fe017
r11=0000000000000100 r12=0000000000000000 r13=fffff881a14ed990
r14=fffff881a14ed9f4 r15=fffff881a14ed068
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050202
atikmdag+0x39456:
fffff800`12d49456 410fb60c02 movzx ecx,byte ptr [r10+rax] ds:002b:000000cc`cccccc38=??
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: DeviceIoTrigger.exe
STACK_TEXT:
fffff881`a14ecdb8 fffff800`12d46c44 : ffff8003`bc7cec20 fffff881`a14ed068 00000000`00000103 00000000`00000000 : atikmdag+0x39456
fffff881`a14ecdc0 fffff800`12d48039 : ffffb088`a30487a0 fffff881`a14ecee0 fffff881`a14ecf08 fffff881`a14ed068 : atikmdag+0x36c44
fffff881`a14ecec0 fffff800`12d3dc8b : 00000000`00000000 00000000`00000000 fffff881`a14ed0b9 fffff801`805b0245 : atikmdag+0x38039
fffff881`a14ed020 fffff800`12d372e5 : 00000000`c000000d ffffb088`9ac02000 fffff881`a14ed90c ffffb088`9ac02000 : atikmdag+0x2dc8b
fffff881`a14ed120 fffff800`0b02585a : 00000000`00000001 fffff881`a14ed329 ffffb088`9ab83d40 ffffb088`9e5805c0 : atikmdag+0x272e5
fffff881`a14ed220 fffff800`0b026ef1 : 00000000`00000001 ffffb088`9e5805c0 ffffb088`9eb3d000 00000000`00000000 : atikmpag+0x2585a
fffff881`a14ed280 fffff800`0b025ca1 : ffffb088`9e5805c0 fffff881`a14ed400 00000000`00000000 00000000`c0000001 : atikmpag+0x26ef1
fffff881`a14ed390 fffff800`0b06e465 : fffff881`a14ed90c fffff881`a14ed430 fffff881`a14ed640 ffffb088`9ba7a790 : atikmpag+0x25ca1
fffff881`a14ed3c0 fffff800`0a382b36 : ffff8003`cabcdb00 ffffb088`9ec7c080 ffffb088`00000000 00000000`00000000 : atikmpag+0x6e465
fffff881`a14ed470 fffff800`0a384c2a : ffffb088`9eb3d000 fffff881`00000000 ffffb088`9eb3d000 fffff881`a14edb80 : dxgkrnl!DXGADAPTER::DdiEscape+0x1a6
fffff881`a14ed520 fffff801`805e1c18 : ffffb088`00000000 ffffb088`9ec7c080 00000000`00000000 fffff881`a14edb80 : dxgkrnl!DxgkEscape+0x7da
fffff881`a14edb00 00007ffe`83fd4b24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000ca`32eff778 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`83fd4b24
SYMBOL_NAME: atikmdag+39456
MODULE_NAME: atikmdag
IMAGE_NAME: atikmdag.sys
STACK_COMMAND: .cxr 0xfffff881a14ec3c0 ; kb
BUCKET_ID_FUNC_OFFSET: 39456
FAILURE_BUCKET_ID: 0x3B_c0000005_VRF_atikmdag!unknown_function
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {8664d107-4f84-ae56-efe5-fb613169ae88}
Followup: MachineOwner
---------
2020-06-29 - Vendor Disclosure
2020-09-29 - Vendor assigned CVE-2020-12933
2020-09-30 - Disclosure deadline extended
2020-10-13 - Public Release
Discovered by Piotr Bania of Cisco Talos.