Talos Vulnerability Report

TALOS-2021-1438

NVIDIA nvwgf2umx_cfg.dll shader DCL_RESOURCE_STRUCTURED memory corruption vulnerability

May 17, 2022
CVE Number

CVE-2022-28182

Summary

A memory corruption vulnerability exists in the shader DCL_RESOURCE_STRUCTURED functionality of NVIDIA D3D10 Driver, version 496.76, 30.0.14.9676. A specially crafted executable/shader file can lead to an out-of-bounds write. This vulnerability could potentially be triggered from guest machines running in virtualization environments (e.g., VMware, QEMU, VirtualBox) in order to perform a guest-to-host escape, as was demonstrated previously (TALOS-2018-0533, TALOS-2018-0568, etc.). In theory, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).

Tested Versions

NVIDIA D3D10 Driver 496.76, 30.0.14.9676

Product URLs

D3D10 Driver - https://nvidia.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

The NVIDIA graphics driver is the software for NVIDIA GPUs installed in a PC. It mediates communication between the operating system and the GPU device, and in most cases the hardware cannot function properly without it.

We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). Although Microsoft recently deprecated RemoteFX, some older machines may still use it (for example, those running an older version of Windows Server).

This vulnerability can be triggered by supplying a malformed compute shader, which leads to a memory corruption problem in the NVIDIA driver.

Example of compute shader triggering the bug:

cs_5_0
dcl_global_flags refactoringAllowed
dcl_constant_buffer cb0[2].xyzw, immediateIndexed
dcl_resource_structured resource[-858993460]
...

By modifying the dcl_resource_structured opcode operands, an attacker is able to trigger a memory corruption vulnerability in the NVIDIA graphics driver. The attacker can partially control the destination address by modifying the shader’s bytecode.

00007FFAF45B1DA9 | 49:6BFF 34               | imul rdi,r15,34                                  |
00007FFAF45B1DAD | 0F1000                   | movups xmm0,xmmword ptr ds:[rax]                 |
00007FFAF45B1DB0 | 8B8424 A8000000          | mov eax,dword ptr ss:[rsp+A8]                    |
00007FFAF45B1DB7 | 44:8BBC24 A0000000       | mov r15d,dword ptr ss:[rsp+A0]                   |
00007FFAF45B1DBF | 0F114439 04              | movups xmmword ptr ds:[rcx+rdi+4],xmm0           |

The R15 register above is loaded from data in the shader file. It is later used to calculate the destination address of the movups instruction.
The attacker can control the memory write address.

nvwgf2umx+0x71dbf:
00007ffa`f45b1dbf 0f11443904      movups  xmmword ptr [rcx+rdi+4],xmm0 ds:00000209`6f87b0f4=????????????????????????????????

Stack trace:

0:012> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffa`f4a6c47e : 00000000`cccccccc 00000000`00000001 00000213`d60cbc90 00007ffb`00000000 : nvwgf2umx+0x71dbf
01 00007ffa`f4872fff : 00007ffa`f48b8a48 0000005b`8473f280 00000213`d60cbc90 00000000`d3fb0000 : nvwgf2umx!NVDEV_Thunk+0x24883e
02 00007ffa`f4871cf3 : 00000000`d3fb00a2 0000005b`8473f280 00000000`d3fb00a2 00000213`d60eede0 : nvwgf2umx!NVDEV_Thunk+0x4f3bf
03 00007ffa`f45fb0b0 : 00000000`00000005 00000000`00000000 00000213`d5ee2290 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x4e0b3
04 00007ffa`f45fc686 : 00000213`d60eede0 00000213`d60ad2d0 00000213`d60ad2e0 00000000`00000000 : nvwgf2umx+0xbb0b0
05 00007ffa`f49908e5 : 00000000`00000000 00000213`d60aaf20 00000000`00000000 00000000`00000000 : nvwgf2umx+0xbc686
06 00007ffa`f4990698 : 00000000`00000000 00000213`d6040c80 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16cca5
07 00007ffa`f4aaf87c : 00000213`d5fb8bc0 00000000`00000000 00000213`d5fb8bc0 00000000`fffffff1 : nvwgf2umx!NVDEV_Thunk+0x16ca58
08 00007ffa`f5828d58 : 00000000`00000000 00000000`00000000 00000213`d609f680 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x28bc3c
09 00007ffb`531d7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5b2f48
0a 00007ffb`53e82651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0b 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Crash Information

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for POC_EXEC11.exe

KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Write

	Key  : Analysis.CPU.Sec
	Value: 1

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on IAMLEGION

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 42

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 79

	Key  : Analysis.System
	Value: CreateObject

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 364352

	Key  : Timeline.Process.Start.DeltaSec
	Value: 61


NTGLOBALFLAG:  470

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffaf45b1dbf (nvwgf2umx+0x0000000000071dbf)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000002096f87b0f4
Attempt to write to address 000002096f87b0f4

FAULTING_THREAD:  000036a8

PROCESS_NAME:  POC_EXEC11.exe

WRITE_ADDRESS:  000002096f87b0f4 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  000002096f87b0f4

STACK_TEXT:  
0000005b`8473ec60 00007ffa`f4a6c47e : 00000000`cccccccc 00000000`00000001 00000213`d60cbc90 00007ffb`00000000 : nvwgf2umx+0x71dbf
0000005b`8473ece0 00007ffa`f4872fff : 00007ffa`f48b8a48 0000005b`8473f280 00000213`d60cbc90 00000000`d3fb0000 : nvwgf2umx!NVDEV_Thunk+0x24883e
0000005b`8473ed50 00007ffa`f4871cf3 : 00000000`d3fb00a2 0000005b`8473f280 00000000`d3fb00a2 00000213`d60eede0 : nvwgf2umx!NVDEV_Thunk+0x4f3bf
0000005b`8473f200 00007ffa`f45fb0b0 : 00000000`00000005 00000000`00000000 00000213`d5ee2290 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x4e0b3
0000005b`8473f2c0 00007ffa`f45fc686 : 00000213`d60eede0 00000213`d60ad2d0 00000213`d60ad2e0 00000000`00000000 : nvwgf2umx+0xbb0b0
0000005b`8473f3c0 00007ffa`f49908e5 : 00000000`00000000 00000213`d60aaf20 00000000`00000000 00000000`00000000 : nvwgf2umx+0xbc686
0000005b`8473f830 00007ffa`f4990698 : 00000000`00000000 00000213`d6040c80 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16cca5
0000005b`8473f940 00007ffa`f4aaf87c : 00000213`d5fb8bc0 00000000`00000000 00000213`d5fb8bc0 00000000`fffffff1 : nvwgf2umx!NVDEV_Thunk+0x16ca58
0000005b`8473f9f0 00007ffa`f5828d58 : 00000000`00000000 00000000`00000000 00000213`d609f680 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x28bc3c
0000005b`8473fa40 00007ffb`531d7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5b2f48
0000005b`8473fa70 00007ffb`53e82651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000005b`8473faa0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  nvwgf2umx+71dbf

MODULE_NAME: nvwgf2umx

IMAGE_NAME:  nvwgf2umx.dll

STACK_COMMAND:  ~12s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_nvwgf2umx.dll!Unknown

BUCKET_ID_MODPRIVATE: 1

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {4468a1dc-4a01-79b1-d906-401b585901d4}

Followup:     MachineOwner
---------

Timeline

2022-01-13 - Vendor Disclosure
2022-05-16 - Public Release
2022-05-16 - Vendor Patch Release

Credit

Discovered by Piotr Bania of Cisco Talos.