Talos Vulnerability Report

TALOS-2019-0818

AMD ATI Radeon ATIDXX64.DLL shader functionality remote code execution vulnerability

September 16, 2019
CVE Number

CVE-2019-5049

Summary

An exploitable memory corruption vulnerability exists in AMD ATIDXX64.DLL driver, versions 25.20.15031.5004 and 25.20.15031.9002. A specially crafted pixel shader can cause an out-of-bounds memory write. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host.

Tested Versions

AMD ATIDXX64.DLL (25.20.15031.5004 / 25.20.15031.9002) running on Radeon RX 550 / 550 Series VMware Workstation 15 (15.0.4 build-12990004) with Windows 10 x64 as guestVM

Product URLs

http://amd.com http://vmware.com

CVSSv3 Score

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

This vulnerability can be triggered by supplying a malformed pixel shader (inside VMware guest OS) to the AMD ATIDXX64.DLL driver. Such an attack can be triggered from a VMware guest usermode to cause a memory corruption on vmware-vmx.exe process on host, or theoretically through WEBGL (remote website).

Vulnerable code from sub_32B820 (from ATIDXX64.DLL library):

.text:000000000032B87B                 mov     eax, ebx         ; ebx = is taken directly from shader bytecode (negative in this case), passed as argument to function sub_32B820
.text:000000000032B87D                 mov     rbx, [rsp+28h+arg_0]
.text:000000000032B882                 cdq
.text:000000000032B883                 and     edx, 1Fh
.text:000000000032B886                 add     eax, edx
.text:000000000032B888                 mov     r8, [rdi+rcx*8+358h]
.text:000000000032B890                 mov     ecx, eax
.text:000000000032B892                 and     eax, 1Fh
.text:000000000032B895                 sar     ecx, 5
.text:000000000032B898                 sub     eax, edx
.text:000000000032B89A                 lea     rdx, [r8+rcx*4]  ; rdx = calc destination write address based on supplied data
.text:000000000032B89E                 mov     ecx, eax
.text:000000000032B8A0                 mov     eax, 1
.text:000000000032B8A5                 shl     eax, cl
.text:000000000032B8A7                 or      [rdx+358h], eax  ; overwrite

Part of sample / modified shader bytecode:

dcl_constant_buffer cb0[3].xyzw, immediateIndexed
...
mul r50.xyz, cb-30249[0].xxxx, l(2, 1.9, 0.8, 0.8)
...

The function sub_32B820 is called with an argument that is controlled directly by attacker-supplied shader bytecode data (in this case it is taken from the MUL instruction, where the modified operand is a CBX (constant buffer) reference). Due to this, and lack of proper bounds checking, an attacker can partially control the calculation of the destination address, which leads to controlled memory corruption:

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\System32\DriverStore\FileRepository\c0341248.inf_amd64_3000f277af7fbb1b\B341349\atidxx64.dll - 
atidxx64!AmdDxGsaFreeCompiledShader+0x2b4ba7:
00007fff`b2bfb8a7 098258030000    or      dword ptr [rdx+358h],eax ds:00000227`90b441ac=????????

stack trace:

0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007fff`b2ef9cb5 : 00000000`89d70014 00000223`90b980d8 00000223`90b1bd90 00000223`90b980d8 : atidxx64!AmdDxGsaFreeCompiledShader+0x2b4ba7
01 00007fff`b2f08ffd : ffffffff`89d70014 00000000`00000049 00007fff`b28e0000 00000223`90e27600 : atidxx64!AmdDxGsaFreeCompiledShader+0x5b2fb5
02 00007fff`b2f08eab : 00000079`6d3e9290 00000223`90e2e6f0 00000223`90b2f478 00000223`90dfd150 : atidxx64!AmdDxGsaFreeCompiledShader+0x5c22fd
03 00007fff`b2a2b860 : 00000223`90b1bd90 00000223`90dfc9e0 00000223`90e17c48 00000223`90e17cb8 : atidxx64!AmdDxGsaFreeCompiledShader+0x5c21ab
04 00007fff`b2a2a52b : 00000223`90b4b630 00000223`90b97fd8 00000223`90b1bd90 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xe4b60
05 00007fff`b2a1b1e0 : 00000223`90b1bd90 00000223`90b90098 00000000`00000004 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xe382b
06 00007fff`b29fb9fa : 00000223`90b1bd90 00000223`90b44d18 00000079`6d3e9120 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xd44e0
07 00007fff`b2964f94 : 00000000`00000001 00000079`6d3e9120 00000223`90b44d18 00000079`6d3e9120 : atidxx64!AmdDxGsaFreeCompiledShader+0xb4cfa
08 00007fff`b3021488 : 00000000`00000000 00000079`6d3e9010 00000079`6d3e9120 00000223`90a53da0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1e294
09 00007fff`b3006c6b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x6da788
0a 00007fff`b30067a5 : 00000000`00000000 00000223`90b44a20 00000223`90a8d940 00000079`6d3ecd90 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bff6b
0b 00007fff`b3037323 : 00000223`90b44a20 00000000`00000000 00000223`90af3500 00000079`6d3ecd90 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bfaa5
0c 00007fff`b3006677 : 00000000`00000004 00000223`90b44740 00000223`90ae0860 00000223`90a9b720 : atidxx64!AmdDxGsaFreeCompiledShader+0x6f0623
0d 00007fff`b30ccf31 : 00000000`00000000 00000079`6d3ed0a0 00000000`00000000 00007fff`c8349a46 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bf977
0e 00007fff`b296091a : 00000000`00000000 00000000`00000000 00000079`6d3ed0a0 00000223`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x786231
0f 00007fff`b2960763 : 00000223`90ab58d0 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x19c1a
10 00007fff`b28ec01e : 00000223`00000001 00000000`00000000 00000223`8a7c7558 00000223`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x19a63
11 00007fff`b2f902ee : 00007fff`b28e0000 00000079`6d3ed0a0 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6dbe
12 00007fff`b2fedb19 : 00000000`00000000 00000223`8a74c81c 00000079`6d3ed0a0 00000223`90a5cbc0 : atidxx64!AmdDxGsaFreeCompiledShader+0x6495ee
13 00007fff`b28fd5b1 : 00000223`8a7c6948 00000223`907b2498 ffffffff`fffffffe 00000000`00000036 : atidxx64!AmdDxGsaFreeCompiledShader+0x6a6e19
14 00007fff`c833b11d : 00000000`00000000 00000079`6d3ed280 00000223`8a7c6938 00000223`8a7c7460 : atidxx64!XdxQueryTlsLookupTable+0x18351
15 00007fff`c8334eab : 00000223`8a74c81c 00000223`907a4a50 00000223`8a7c6938 00000000`00000000 : d3d11!CPixelShader::CLS::FinalConstruct+0x219
16 00007fff`c8334dc3 : 00000079`6d3eedf0 00007fff`c8513b10 00000223`8a7c6800 00000223`907988e0 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
17 00007fff`c8347665 : 00000223`8a7c6830 00000079`6d3eedf0 00000079`6d3eee20 00007fff`c8513b10 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x14b
18 00007fff`c834cac6 : 00000000`00000038 00000000`00000030 00000000`00000001 00000000`00000030 : d3d11!CDevice::CreateLayeredChild+0x975
19 00007fff`c834d3c0 : 00000223`8a7c6800 00007ff7`591f9760 00007fff`c85130e8 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x266
1a 00007fff`c832ca83 : 00000223`8a799b20 00000223`00000009 00000223`8a79a358 00007fff`c832aa43 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
1b 00007fff`c832a976 : 00000223`8a74c780 004e004f`0000c000 00000079`6d3ef290 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x5f
1c 00007fff`c832a768 : 00000223`8a79a358 00000223`8a74c780 00000000`00000e6c 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x202
*** WARNING: Unable to verify checksum for VENDOR_ONLY.exe
1d 00007ff7`59182f16 : 00000223`907a4b28 00007fff`c9b59895 00000223`8a79a368 00000000`00000000 : d3d11!CDevice::CreatePixelShader+0x28
...

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\System32\CRYPT32.dll - 

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
atidxx64!AmdDxGsaFreeCompiledShader+2b4ba7
00007fff`b2bfb8a7 098258030000    or      dword ptr [rdx+358h],eax

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007fffb2bfb8a7 (atidxx64!AmdDxGsaFreeCompiledShader+0x00000000002b4ba7)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000022790b441ac
Attempt to write to address 0000022790b441ac

FAULTING_THREAD:  000035e8

PROCESS_NAME:  VENDOR_ONLY.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000022790b441ac

FOLLOWUP_IP: 
atidxx64!AmdDxGsaFreeCompiledShader+2b4ba7
00007fff`b2bfb8a7 098258030000    or      dword ptr [rdx+358h],eax

WRITE_ADDRESS:  0000022790b441ac 

WATSON_BKT_PROCSTAMP:  5cb740ee

WATSON_BKT_MODULE:  atidxx64.dll

WATSON_BKT_MODSTAMP:  5caf9008

WATSON_BKT_MODOFFSET:  31b8a7

WATSON_BKT_MODVER:  25.20.15031.5004

MODULE_VER_PRODUCT:  Advanced Micro Devices, Inc. Radeon DirectX 11 Driver

BUILD_VERSION_STRING:  10.0.17763.437 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  b6b6cabd6abd69c3934ef3019d538fde036b7163

MODLIST_SHA1_HASH:  013dd3db26e9bbd1c3fc1c384970ffefff579eea

NTGLOBALFLAG:  70

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  CLAB

ANALYSIS_SESSION_TIME:  04-18-2019 10:41:12.0345

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

    ID:     [0n301]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x35e8]
    Frame:  [0] : atidxx64!AmdDxGsaFreeCompiledShader

    ID:     [0n274]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x35e8]
    Frame:  [0] : atidxx64!AmdDxGsaFreeCompiledShader

    ID:     [0n111]
    Type:   [EXPLOITABLE]
    Class:  Addendum
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0xc60]
    TID:    [0x35e8]
    Frame:  [0] : atidxx64!AmdDxGsaFreeCompiledShader

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 00007fffb2ef9cb5 to 00007fffb2bfb8a7

STACK_TEXT:  
00000079`6d3e8580 00007fff`b2ef9cb5 : 00000000`89d70014 00000223`90b980d8 00000223`90b1bd90 00000223`90b980d8 : atidxx64!AmdDxGsaFreeCompiledShader+0x2b4ba7
00000079`6d3e85b0 00007fff`b2f08ffd : ffffffff`89d70014 00000000`00000049 00007fff`b28e0000 00000223`90e27600 : atidxx64!AmdDxGsaFreeCompiledShader+0x5b2fb5
00000079`6d3e8610 00007fff`b2f08eab : 00000079`6d3e9290 00000223`90e2e6f0 00000223`90b2f478 00000223`90dfd150 : atidxx64!AmdDxGsaFreeCompiledShader+0x5c22fd
00000079`6d3e86a0 00007fff`b2a2b860 : 00000223`90b1bd90 00000223`90dfc9e0 00000223`90e17c48 00000223`90e17cb8 : atidxx64!AmdDxGsaFreeCompiledShader+0x5c21ab
00000079`6d3e86f0 00007fff`b2a2a52b : 00000223`90b4b630 00000223`90b97fd8 00000223`90b1bd90 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xe4b60
00000079`6d3e8760 00007fff`b2a1b1e0 : 00000223`90b1bd90 00000223`90b90098 00000000`00000004 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xe382b
00000079`6d3e88e0 00007fff`b29fb9fa : 00000223`90b1bd90 00000223`90b44d18 00000079`6d3e9120 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xd44e0
00000079`6d3e8960 00007fff`b2964f94 : 00000000`00000001 00000079`6d3e9120 00000223`90b44d18 00000079`6d3e9120 : atidxx64!AmdDxGsaFreeCompiledShader+0xb4cfa
00000079`6d3e8ee0 00007fff`b3021488 : 00000000`00000000 00000079`6d3e9010 00000079`6d3e9120 00000223`90a53da0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1e294
00000079`6d3e8f10 00007fff`b3006c6b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x6da788
00000079`6d3e9080 00007fff`b30067a5 : 00000000`00000000 00000223`90b44a20 00000223`90a8d940 00000079`6d3ecd90 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bff6b
00000079`6d3e90e0 00007fff`b3037323 : 00000223`90b44a20 00000000`00000000 00000223`90af3500 00000079`6d3ecd90 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bfaa5
00000079`6d3ecd40 00007fff`b3006677 : 00000000`00000004 00000223`90b44740 00000223`90ae0860 00000223`90a9b720 : atidxx64!AmdDxGsaFreeCompiledShader+0x6f0623
00000079`6d3ecd70 00007fff`b30ccf31 : 00000000`00000000 00000079`6d3ed0a0 00000000`00000000 00007fff`c8349a46 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bf977
00000079`6d3ecdd0 00007fff`b296091a : 00000000`00000000 00000000`00000000 00000079`6d3ed0a0 00000223`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x786231
00000079`6d3ece10 00007fff`b2960763 : 00000223`90ab58d0 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x19c1a
00000079`6d3ece50 00007fff`b28ec01e : 00000223`00000001 00000000`00000000 00000223`8a7c7558 00000223`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x19a63
00000079`6d3ecee0 00007fff`b2f902ee : 00007fff`b28e0000 00000079`6d3ed0a0 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6dbe
00000079`6d3ecf20 00007fff`b2fedb19 : 00000000`00000000 00000223`8a74c81c 00000079`6d3ed0a0 00000223`90a5cbc0 : atidxx64!AmdDxGsaFreeCompiledShader+0x6495ee
00000079`6d3ed050 00007fff`b28fd5b1 : 00000223`8a7c6948 00000223`907b2498 ffffffff`fffffffe 00000000`00000036 : atidxx64!AmdDxGsaFreeCompiledShader+0x6a6e19
00000079`6d3ed080 00007fff`c833b11d : 00000000`00000000 00000079`6d3ed280 00000223`8a7c6938 00000223`8a7c7460 : atidxx64!XdxQueryTlsLookupTable+0x18351
00000079`6d3ed180 00007fff`c8334eab : 00000223`8a74c81c 00000223`907a4a50 00000223`8a7c6938 00000000`00000000 : d3d11!CPixelShader::CLS::FinalConstruct+0x219
00000079`6d3ed310 00007fff`c8334dc3 : 00000079`6d3eedf0 00007fff`c8513b10 00000223`8a7c6800 00000223`907988e0 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
00000079`6d3ed380 00007fff`c8347665 : 00000223`8a7c6830 00000079`6d3eedf0 00000079`6d3eee20 00007fff`c8513b10 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x14b
00000079`6d3ed3e0 00007fff`c834cac6 : 00000000`00000038 00000000`00000030 00000000`00000001 00000000`00000030 : d3d11!CDevice::CreateLayeredChild+0x975
00000079`6d3eec40 00007fff`c834d3c0 : 00000223`8a7c6800 00007ff7`591f9760 00007fff`c85130e8 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x266
00000079`6d3eedb0 00007fff`c832ca83 : 00000223`8a799b20 00000223`00000009 00000223`8a79a358 00007fff`c832aa43 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
00000079`6d3eef60 00007fff`c832a976 : 00000223`8a74c780 004e004f`0000c000 00000079`6d3ef290 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x5f
00000079`6d3eefb0 00007fff`c832a768 : 00000223`8a79a358 00000223`8a74c780 00000000`00000e6c 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x202
00000079`6d3ef140 00007ff7`59182f16 : 00000223`907a4b28 00007fff`c9b59895 00000223`8a79a368 00000000`00000000 : d3d11!CDevice::CreatePixelShader+0x28
...

    
STACK_COMMAND:  ~0s ; .cxr ; kb

THREAD_SHA1_HASH_MOD_FUNC:  bcd7be3b43a779129e13366e0dd73159976d4796

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  cdb7bf27011f444ce55188168b40313b0cf6575d

THREAD_SHA1_HASH_MOD:  fd41290a284c5251b8b7fe40ca737a509b23c20e

FAULT_INSTR_CODE:  3588209

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  atidxx64!AmdDxGsaFreeCompiledShader+2b4ba7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: atidxx64

IMAGE_NAME:  atidxx64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5caf9008

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_atidxx64.dll!AmdDxGsaFreeCompiledShader

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_atidxx64!AmdDxGsaFreeCompiledShader+2b4ba7

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  atidxx64.dll

BUCKET_ID_IMAGE_STR:  atidxx64.dll

FAILURE_MODULE_NAME:  atidxx64

BUCKET_ID_MODULE_STR:  atidxx64

FAILURE_FUNCTION_NAME:  AmdDxGsaFreeCompiledShader

BUCKET_ID_FUNCTION_STR:  AmdDxGsaFreeCompiledShader

BUCKET_ID_OFFSET:  2b4ba7

BUCKET_ID_MODTIMEDATESTAMP:  5caf9008

BUCKET_ID_MODCHECKSUM:  10b6e76

BUCKET_ID_MODVER_STR:  0.0.0.0

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  atidxx64.dll!AmdDxGsaFreeCompiledShader

TARGET_TIME:  2019-04-18T08:42:06.000Z

OSBUILD:  17763

OSSERVICEPACK:  437

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.17763.437

ANALYSIS_SESSION_ELAPSED_TIME:  d236

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_exploitable_c0000005_atidxx64.dll!amddxgsafreecompiledshader

FAILURE_ID_HASH:  {72016af8-990d-a858-b88f-3efa8bc6aa05}

Followup:     MachineOwner
---------

Timeline

2019-05-08 - Vendor Disclosure
2019-05-16 - Plain text file sent to AMD Security
2019-06-07 - Reissued files to AMD PSIRT vendor
2019-07-18 - Conference call with vendor to discuss report
2019-08-13 - Conference call with vendor to discuss mitigation; Disclosure extended to 2019-09-16
2019-09-16 - Vendor patched; Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.