Talos Vulnerability Report

TALOS-2022-1514

Microsoft DirectComposition CCompositionSurfaceBitmapMarshaler null pointer dereference vulnerability

August 16, 2022
CVE Number

CVE-2022-40732

SUMMARY

An access violation vulnerability exists in the DirectComposition functionality of the win32kbase.sys driver, version 10.0.22000.593 as shipped in Windows 11 version 22000.593 and version 10.0.20348.643 as shipped in Windows Server 2022 version 20348.643. A specially-crafted set of syscalls can lead to a reboot. An unprivileged user can run specially-crafted code to trigger a Denial Of Service.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Microsoft Windows Build 22000.593

PRODUCT URLS

win32kbase.sys - https://www.microsoft.com
Windows - https://www.microsoft.com/en-us/windows/

CVSSv3 SCORE

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

DETAILS

Microsoft DirectComposition is a Windows component that enables high-performance bitmap composition with transforms, effects, and animations.

When integer property 0x3 is set on a CCompositionSurfaceBitmapMarshaler, dxgkrnl!DxgkSetCompositionSurfaceInkCookie(...) is called with the pointer stored at offset +38h of the CCompositionSurfaceBitmapMarshaler object as its first argument.

.text:00000001C014C82C                 mov     rcx, [rcx+38h]   ; Resource marshaler + 38h
.text:00000001C014C830                 mov     edx, r9d
.text:00000001C014C833                 call    cs:__imp_?DxgkSetCompositionSurfaceInkCookie@@YAJPEAXI@Z ; DxgkSetCompositionSurfaceInkCookie(void *,uint)
.text:00000001C014C83A                 nop     dword ptr [rax+rax+00h]
.text:00000001C014C83F                 mov     edx, eax
.text:00000001C014C841                 jmp     loc_1C00C1BAC

Offset +38h is populated by DirectComposition::CCompositionSurfaceBitmapMarshaler::SetHandleProperty, in which the kernel obtains a reference to the DxgkCompositionObjectType object behind the given handle.

The bug is that the handler for integer property 0x3 does not check whether offset +38h actually holds a pointer to a DxgkCompositionObjectType object; it calls dxgkrnl!DxgkSetCompositionSurfaceInkCookie(...) regardless, so when the field has not been populated the callee dereferences a null pointer and crashes the system.
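To make the ordering problem concrete, here is an added C model (illustration only, not Microsoft's code and not a trigger for the real bug): the marshaler's pointer at +38h is populated by the handle property, and the integer-property 0x3 handler forwards that pointer to a callee that trusts it; the hardened variant rejects the property while +38h is still empty. All type and function names (BitmapMarshaler, CompositionSurface, set_ink_cookie, set_handle_property, ...) are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define PROP_INK_COOKIE          0x3  /* the integer property named in the advisory */

/* Hypothetical stand-in for the DxgkCompositionObjectType object referenced from +38h. */
typedef struct { uint32_t ink_cookie; } CompositionSurface;

/* Hypothetical layout: the only field this model cares about sits at offset 0x38. */
typedef struct {
    uint8_t             opaque[0x38];
    CompositionSurface *surface;      /* [rcx+38h] in the disassembly above */
} BitmapMarshaler;
_Static_assert(offsetof(BitmapMarshaler, surface) == 0x38, "field must sit at +38h");

/* Stand-in for dxgkrnl!DxgkSetCompositionSurfaceInkCookie: it trusts its first argument. */
static NTSTATUS set_ink_cookie(void *surface, uint32_t cookie) {
    ((CompositionSurface *)surface)->ink_cookie = cookie;  /* NULL here -> page fault */
    return STATUS_SUCCESS;
}

/* Stand-in for SetHandleProperty: only after this call does +38h hold an object. */
static void set_handle_property(BitmapMarshaler *m, CompositionSurface *s) { m->surface = s; }

/* Vulnerable shape: property 0x3 is forwarded without looking at +38h. */
static NTSTATUS set_integer_property_unchecked(BitmapMarshaler *m, uint32_t prop, uint32_t val) {
    if (prop != PROP_INK_COOKIE) return STATUS_INVALID_PARAMETER;
    return set_ink_cookie(m->surface, val);
}

/* Hardened shape: refuse the property until the handle property has been set. */
static NTSTATUS set_integer_property_checked(BitmapMarshaler *m, uint32_t prop, uint32_t val) {
    if (prop != PROP_INK_COOKIE) return STATUS_INVALID_PARAMETER;
    if (m->surface == NULL) return STATUS_INVALID_PARAMETER;  /* the missing check */
    return set_ink_cookie(m->surface, val);
}

/* Walks the advisory's ordering: integer property first, handle property later. */
static int ordering_is_rejected_then_accepted(void) {
    BitmapMarshaler m = {0};
    CompositionSurface s = {0};
    NTSTATUS before = set_integer_property_checked(&m, PROP_INK_COOKIE, 42);
    set_handle_property(&m, &s);
    NTSTATUS after = set_integer_property_checked(&m, PROP_INK_COOKIE, 42);
    return before == STATUS_INVALID_PARAMETER && after == STATUS_SUCCESS && s.ink_cookie == 42;
}
```

With the hardened handler, an early call returns STATUS_INVALID_PARAMETER instead of reaching the callee with a NULL first argument; the unchecked handler only behaves correctly once SetHandleProperty has run.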

kd> k
# Child-SP          RetAddr               Call Site
00 ffffe302`e334dd78 fffff802`46372482     nt!DbgBreakPointWithStatus
01 ffffe302`e334dd80 fffff802`46371cc1     nt!KiBugCheckDebugBreak+0x12
02 ffffe302`e334dde0 fffff802`462255c7     nt!KeBugCheck2+0xa71
03 ffffe302`e334e550 fffff802`462380a9     nt!KeBugCheckEx+0x107
04 ffffe302`e334e590 fffff802`462374bc     nt!KiBugCheckDispatch+0x69
05 ffffe302`e334e6d0 fffff802`4622ec5f     nt!KiSystemServiceHandler+0x7c
06 ffffe302`e334e710 fffff802`461398a7     nt!RtlpExecuteHandlerForException+0xf
07 ffffe302`e334e740 fffff802`4613d7f1     nt!RtlDispatchException+0x2d7
08 ffffe302`e334eea0 fffff802`462381ce     nt!KiDispatchException+0x1b1
09 ffffe302`e334f580 fffff802`462341da     nt!KiExceptionDispatch+0x10e
0a ffffe302`e334f760 fffff80c`8d0a7b29     nt!KiPageFault+0x41a
0b ffffe302`e334f8f0 ffff9054`ab14c8fa     dxgkrnl+0x77b29
0c ffffe302`e334f920 ffff9054`ab0582ba     win32kbase!DirectComposition::CCompositionSurfaceBitmapMarshaler::SetIntegerProperty+0x8ad8a
0d ffffe302`e334f950 ffff9054`ab0580e8     win32kbase!DirectComposition::CApplicationChannel::ProcessCommandBufferIterator+0x126
0e ffffe302`e334fa10 ffff9054`abf7fe6a     win32kbase!NtDCompositionProcessChannelBatchBuffer+0x168
0f ffffe302`e334faa0 fffff802`46237a75     win32k!NtDCompositionProcessChannelBatchBuffer+0x16
10 ffffe302`e334fae0 00007ffb`cc3e39f4     nt!KiSystemServiceCopyEnd+0x25

TIMELINE

2022-04-25 - Vendor Disclosure
2022-08-16 - Public Release

Credit

Discovered by Jaewon Min of Cisco Talos.