Talos Vulnerability Report

TALOS-2024-1956

NVIDIA GPU Compiler Driver Shader Functionality out-of-bounds read vulnerability

July 23, 2024
CVE Number

CVE-2024-0107

SUMMARY

An out-of-bounds read vulnerability exists in the Shader Functionality functionality of NVIDIA GPU Compiler Driver 551.61, 31.0.15.5161. A specially crafted executable / shader file can lead to an out-of-bounds read. An attacker can provide a specially crafted shader file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

NVIDIA GPU Compiler Driver 551.61, 31.0.15.5161

PRODUCT URLS

GPU Compiler Driver - https://nvidia.com

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-125 - Out-of-bounds Read

DETAILS

This vulnerability could potentially be triggered from guest machines running in virtualization environments (i.e. VMware, QEMU, VirtualBox, etc.) in order to perform a guest-to-host escape, as was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to executing the vulnerable code on the Hyper-V host (inside of the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use this software.

This vulnerability can be triggered by supplying a malformed shader. This leads to an out-of-bounds memory read in the NVIDIA driver.

To trigger the bug we have modified and corrupted the shader bytecode corresponding to the “SINCOS” instruction (component-wise sin(theta) and cos(theta) for theta in radians; syntax: sincos[_sat] destSIN[.mask], destCOS[.mask], [-]src0[_abs][.swizzle]).

This leads to an out-of-bounds memory read:

	00007FF93F6C3560 | 48:8B81 00020000         | mov rax,qword ptr ds:[rcx+200]          |
	00007FF93F6C3567 | 48:63D2                  | movsxd rdx,edx                          |
	00007FF93F6C356A | 8B0490                   | mov eax,dword ptr ds:[rax+rdx*4]        | * (RAX pts to valid memory region, RDX is taken from the heap memory)
	00007FF93F6C356D | C3                       | ret                                     |

The function causing the arbitrary read was called from here:

	00007FF93F92315A | 48:8B4D 50               | mov rcx,qword ptr ss:[rbp+50]           |
	00007FF93F92315E | 41:8B50 6C               | mov edx,dword ptr ds:[r8+6C]            | * edx = taken from heap memory (outside the valid region)
	00007FF93F923162 | 48:8B09                  | mov rcx,qword ptr ds:[rcx]              |
	00007FF93F923165 | 81E2 FFFFFF00            | and edx,FFFFFF                          |
	00007FF93F92316B | 83F8 08                  | cmp eax,8                               |
	00007FF93F92316E | 75 07                    | jne nvgpucomp64.7FF93F923177            |
	00007FF93F923170 | E8 AB05DAFF              | call nvgpucomp64.7FF93F6C3720           |
	00007FF93F923175 | EB 07                    | jmp nvgpucomp64.7FF93F92317E            |
	00007FF93F923177 | E8 E403DAFF              | call nvgpucomp64.7FF93F6C3560           | * caller

The source memory address is computed indirectly from the shader bytecode: RDX is taken from heap memory outside the valid bounds, which is caused by the modified shader bytecode. An attacker can modify the shader bytecode in order to force nvgpucomp64.dll to read an arbitrary memory region.
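The unchecked-index pattern described above, modelled in C as an added example (this is not NVIDIA's code; the struct layout, the table size and every function name are assumptions): the operand word is masked to 24 bits exactly as the `and edx,FFFFFF` in the disassembly does, and the hardened lookup rejects any index outside the table before it is dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the path in the disassembly above: a 32-bit operand
 * word is read from the decoded shader at a fixed offset, masked to 24 bits
 * (and edx, 0xFFFFFF) and used to index a table of 4-byte entries
 * (mov eax, [rax+rdx*4]). Names, offsets and table size are assumptions. */
#define OPERAND_OFFSET 0x6C   /* mirrors [r8+6C]; constructed layout */
#define TABLE_ENTRIES  8      /* constructed table size */
static const uint32_t g_table[TABLE_ENTRIES] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
};

/* Index extraction as the driver does it; the value is attacker controlled
 * because it comes straight from the shader bytecode. UINT32_MAX = too short. */
uint32_t operand_index(const uint8_t *decoded, size_t len) {
    uint32_t word;
    if (len < OPERAND_OFFSET + sizeof word) return UINT32_MAX;
    memcpy(&word, decoded + OPERAND_OFFSET, sizeof word); /* little-endian host */
    return word & 0x00FFFFFFu;
}

/* Shape of the vulnerable path (CWE-125): no range check, so any index from
 * TABLE_ENTRIES up to 0xFFFFFF reads up to 64 MiB past the table. Kept only
 * for contrast; nothing below calls it with an untrusted index. */
uint32_t lookup_unchecked(uint32_t idx) { return g_table[idx]; }

/* Hardened path: validate against the table length before dereferencing.
 * Returns 0 and stores the entry, or -1 meaning the shader must be rejected. */
int lookup_checked(uint32_t idx, uint32_t *out) {
    if (idx >= TABLE_ENTRIES) return -1;
    *out = g_table[idx];
    return 0;
}

/* Builds a constructed decoded-shader buffer whose operand word is `raw` and
 * returns the checked lookup's verdict (0 ok, -1 rejected). */
int process_operand(uint32_t raw, uint32_t *out) {
    uint8_t decoded[OPERAND_OFFSET + 4] = {0};
    memcpy(decoded + OPERAND_OFFSET, &raw, sizeof raw);
    return lookup_checked(operand_index(decoded, sizeof decoded), out);
}

int main(void) {
    uint32_t v = 0;
    int ok = process_operand(3u, &v), bad = process_operand(0xFFFFFFFFu, &v);
    printf("valid operand -> %d (entry 0x%x); malformed operand -> %d\n", ok, v, bad);
    return 0;
}
```

The masked operand 0x00FFFFFF is 16777215, so even the smallest out-of-range values are far beyond any plausible table; the check on the table length is the only thing separating the two paths.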

Crash Information

	0:013> !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	KEY_VALUES_STRING: 1

		Key  : AV.Fault
		Value: Read

		Key  : Analysis.CPU.mSec
		Value: 921

		Key  : Analysis.Elapsed.mSec
		Value: 1330

		Key  : Analysis.IO.Other.Mb
		Value: 1

		Key  : Analysis.IO.Read.Mb
		Value: 0

		Key  : Analysis.IO.Write.Mb
		Value: 3

		Key  : Analysis.Init.CPU.mSec
		Value: 405

		Key  : Analysis.Init.Elapsed.mSec
		Value: 16674

		Key  : Analysis.Memory.CommitPeak.Mb
		Value: 75

		Key  : Failure.Bucket
		Value: INVALID_POINTER_READ_c0000005_nvgpucomp64.dll!Unknown

		Key  : Failure.Hash
		Value: {4d039e7f-a53a-c8fd-f064-3b97e816c031}

		Key  : Timeline.OS.Boot.DeltaSec
		Value: 4240213

		Key  : Timeline.Process.Start.DeltaSec
		Value: 16

		Key  : WER.OS.Branch
		Value: vb_release

		Key  : WER.OS.Version
		Value: 10.0.19041.1


	NTGLOBALFLAG:  70

	APPLICATION_VERIFIER_FLAGS:  0

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 00007ff93f6c356a (nvgpucomp64!destroyFinalizer+0x0000000000ab389a)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 0000000000000000
	   Parameter[1]: 0000017b3e9f7c14
	Attempt to read from address 0000017b3e9f7c14

	FAULTING_THREAD:  0000506c

	PROCESS_NAME:  POC_EXEC11.exe

	READ_ADDRESS:  0000017b3e9f7c14 

	ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

	EXCEPTION_CODE_STR:  c0000005

	EXCEPTION_PARAMETER1:  0000000000000000

	EXCEPTION_PARAMETER2:  0000017b3e9f7c14

	STACK_TEXT:  
	00000008`9e74e418 00007ff9`3f92317c     : 00000000`00000000 0000017b`3be1b3c8 0000017b`3be8ff18 0000017b`3be1bc78 : nvgpucomp64!destroyFinalizer+0xab389a
	00000008`9e74e420 00007ff9`3f91896d     : 00000008`9e74e898 00000008`9e74e898 0000017b`3be7cb50 00000008`9e74e750 : nvgpucomp64!destroyFinalizer+0xd134ac
	00000008`9e74e570 00007ff9`3f91b055     : 0000017b`3be1b3c8 00000000`0000000a 00000008`9e74e6c0 00000000`00000007 : nvgpucomp64!destroyFinalizer+0xd08c9d
	00000008`9e74e5c0 00007ff9`3f92170a     : 0000017b`3be1b3c8 0000017b`3be1b3c8 0000017b`3be3a068 0000017b`3be1ba00 : nvgpucomp64!destroyFinalizer+0xd0b385
	00000008`9e74e870 00007ff9`3f739be0     : 00000000`000003e7 00000000`000003e7 00007ff9`3ffd71e0 00000000`00000017 : nvgpucomp64!destroyFinalizer+0xd11a3a
	00000008`9e74ec10 00007ff9`3f739cc7     : 00007ff9`4032d520 00000008`9e74eda0 00000008`9e74ee10 00007ff9`3ffd7e00 : nvgpucomp64!destroyFinalizer+0xb29f10
	00000008`9e74eca0 00007ff9`3f59c859     : 0000017b`3be0fb80 0000017b`3be1fc70 0000017b`3be1b3c8 00000000`0000ff98 : nvgpucomp64!destroyFinalizer+0xb29ff7
	00000008`9e74edd0 00007ff9`3f59c925     : 0000017b`0008001f 0000017b`3be1b3c8 0000017b`3be1b3c8 00000008`9e74f060 : nvgpucomp64!destroyFinalizer+0x98cb89
	00000008`9e74eeb0 00007ff9`3f028a20     : 00000008`9e74f058 00000008`9e74f058 0000017b`34f08500 0000017b`34f08500 : nvgpucomp64!destroyFinalizer+0x98cc55
	00000008`9e74eee0 00007ff9`3f029465     : 0000017b`3be0fe00 00000008`9e74f040 0000017b`3be0fc80 00000000`00000000 : nvgpucomp64!destroyFinalizer+0x418d50
	00000008`9e74ef40 00007ff9`3f015838     : 4cf5ad43`2745937f 00000008`9e74f3c0 0000017b`34f083d0 00000000`00000000 : nvgpucomp64!destroyFinalizer+0x419795
	00000008`9e74f260 00007ff9`3f0159d0     : 00000000`00000000 00000000`00000000 00000000`00000000 0000017b`34efbc10 : nvgpucomp64!destroyFinalizer+0x405b68
	00000008`9e74f2a0 00007ff9`28969311     : 884c0fa0`5ed4aea0 0000017b`34f07b48 00000000`00000000 00007ff9`297a1e02 : nvgpucomp64!destroyFinalizer+0x405d00
	00000008`9e74f2d0 00007ff9`29174b70     : 00000000`00000000 884c0fa0`5ed4aea0 00000000`00000000 f2dba825`ac2d180b : nvwgf2umx+0x89311
	00000008`9e74f340 00007ff9`28ce6045     : 00000000`00000000 00000000`00000000 00000008`9e74f410 00000008`9e74f479 : nvwgf2umx!OpenAdapter12+0x149f70
	00000008`9e74f3c0 00007ff9`28bf9717     : 0000017b`32d36080 0000017b`34f077c0 0000017b`34f077c0 00007ff9`28bf73ed : nvwgf2umx!NVAPI_Thunk+0x1393f5
	00000008`9e74f4c0 00007ff9`28b9d209     : 0000017b`32d36080 00000000`00000000 0000017b`34f077c0 00000000`00000000 : nvwgf2umx!NVAPI_Thunk+0x4cac7
	00000008`9e74f560 00007ff9`2899b460     : 0000017b`34e5a950 00000000`00000000 00000008`9e74f690 00000000`00000000 : nvwgf2umx!NVENCODEAPI_Thunk+0x13cbd9
	00000008`9e74f590 00007ff9`291d2e93     : 00000000`00000000 0000017b`34e4a240 0000017b`34f7d040 00000000`00000000 : nvwgf2umx!NVAPI_DirectMethods+0x29bc0
	00000008`9e74f870 00007ff9`291d2bb8     : 00000000`00000000 0000017b`34f7d040 00000000`00000000 0000017b`34faab10 : nvwgf2umx!NVDEV_Thunk+0x3afd3
	00000008`9e74f980 00007ff9`29200983     : 00000000`00000000 00000000`00000000 0000017b`34e4c8e0 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x3acf8
	00000008`9e74fa30 00007ff9`2920087f     : 00000000`00000000 0000017b`34e33750 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x68ac3
	00000008`9e74fa80 00007ff9`297a8d8e     : 0000017b`34e33750 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x689bf
	00000008`9e74fab0 00007ff9`ad7d7344     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x610ece
	00000008`9e74fae0 00007ff9`af7a26b1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
	00000008`9e74fb10 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

	SYMBOL_NAME:  nvgpucomp64+ab389a

	MODULE_NAME: nvgpucomp64

	IMAGE_NAME:  nvgpucomp64.dll

	STACK_COMMAND:  ~13s ; .cxr ; kb

	FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_nvgpucomp64.dll!Unknown

	BUCKET_ID_MODPRIVATE: 1

	OS_VERSION:  10.0.19041.1

	BUILDLAB_STR:  vb_release

	OSPLATFORM_TYPE:  x64

	OSNAME:  Windows 10

	IMAGE_VERSION:  31.0.15.5161

	FAILURE_ID_HASH:  {4d039e7f-a53a-c8fd-f064-3b97e816c031}

	Followup:     MachineOwner
	---------

VENDOR RESPONSE

The vendor released a security advisory: https://nvidia.custhelp.com/app/answers/detail/a_id/5557

TIMELINE

2024-03-15 - Vendor Disclosure
2024-07-09 - Vendor Patch Release
2024-07-23 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.