Talos Vulnerability Report

TALOS-2022-1514

Microsoft DirectComposition CCompositionSurfaceBitmapMarshaler null pointer dereference vulnerability

August 16, 2022
CVE Number

CVE-2022-40732

SUMMARY

An access violation vulnerability exists in the DirectComposition functionality win32kbase.sys driver version 10.0.22000.593 as part of Windows 11 version 22000.593 and version 10.0.20348.643 as part of Windows Server 2022 version 20348.643. A specially-crafted set of syscalls can lead to a reboot. An unprivileged user can run specially-crafted code to trigger Denial Of Service.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Microsoft Windows Build 22000.593

PRODUCT URLS

win32kbase.sys - https://www.microsoft.com Windows - https://www.microsoft.com/en-us/windows/

CVSSv3 SCORE

5.0 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

DETAILS

Microsoft DirectComposition is a Windows component that enables high-performance bitmap composition with transforms, effects, and animations.

When integer property 0x3 is set on CCompositionSurfaceBitmapMarshaler, dxgkrnl!DxgkSetCompositionSurfaceInkCookie(...) is called with a pointer stored at offset +38h of CCompositionSurfaceBitmapMarshaler object passed as first argument.

.text:00000001C014C82C                 mov     rcx, [rcx+38h]   ; Resource marshaler + 38h
.text:00000001C014C830                 mov     edx, r9d
.text:00000001C014C833                 call    cs:__imp_?DxgkSetCompositionSurfaceInkCookie@@YAJPEAXI@Z ; DxgkSetCompositionSurfaceInkCookie(void *,uint)
.text:00000001C014C83A                 nop     dword ptr [rax+rax+00h]
.text:00000001C014C83F                 mov     edx, eax
.text:00000001C014C841                 jmp     loc_1C00C1BAC

Offset +38h is set by calling DirectComposition::CCompositionSurfaceBitmapMarshaler::SetHandleProperty. The kernel gets a reference to the DxgkCompositionObjectType object of the given handle.

The bug is that when setting the integer property 0x3, it doesn’t check whether offset +38h stores the pointer to a DxgkCompositionObjectType object or not and blindly calls dxgkrnl!DxgkSetCompositionSurfaceInkCookie(...), which will crash the system, dereferencing a null pointer.

kd> k
# Child-SP          RetAddr               Call Site
00 ffffe302`e334dd78 fffff802`46372482     nt!DbgBreakPointWithStatus
01 ffffe302`e334dd80 fffff802`46371cc1     nt!KiBugCheckDebugBreak+0x12
02 ffffe302`e334dde0 fffff802`462255c7     nt!KeBugCheck2+0xa71
03 ffffe302`e334e550 fffff802`462380a9     nt!KeBugCheckEx+0x107
04 ffffe302`e334e590 fffff802`462374bc     nt!KiBugCheckDispatch+0x69
05 ffffe302`e334e6d0 fffff802`4622ec5f     nt!KiSystemServiceHandler+0x7c
06 ffffe302`e334e710 fffff802`461398a7     nt!RtlpExecuteHandlerForException+0xf
07 ffffe302`e334e740 fffff802`4613d7f1     nt!RtlDispatchException+0x2d7
08 ffffe302`e334eea0 fffff802`462381ce     nt!KiDispatchException+0x1b1
09 ffffe302`e334f580 fffff802`462341da     nt!KiExceptionDispatch+0x10e
0a ffffe302`e334f760 fffff80c`8d0a7b29     nt!KiPageFault+0x41a
0b ffffe302`e334f8f0 ffff9054`ab14c8fa     dxgkrnl+0x77b29
0c ffffe302`e334f920 ffff9054`ab0582ba     win32kbase!DirectComposition::CCompositionSurfaceBitmapMarshaler::SetIntegerProperty+0x8ad8a
0d ffffe302`e334f950 ffff9054`ab0580e8     win32kbase!DirectComposition::CApplicationChannel::ProcessCommandBufferIterator+0x126
0e ffffe302`e334fa10 ffff9054`abf7fe6a     win32kbase!NtDCompositionProcessChannelBatchBuffer+0x168
0f ffffe302`e334faa0 fffff802`46237a75     win32k!NtDCompositionProcessChannelBatchBuffer+0x16
10 ffffe302`e334fae0 00007ffb`cc3e39f4     nt!KiSystemServiceCopyEnd+0x25
TIMELINE

2022-04-25 - Vendor Disclosure
2022-08-16 - Public Release

Credit

Discovered by Jaewon Min of Cisco Talos.