Talos Vulnerability Report

TALOS-2020-0979

Intel IGC64.DLL shader functionality ATOMIC_ADD code execution vulnerability

July 14, 2020
CVE Number

Microsoft Hyper-V/RemoteFX: CVE-2020-1036

Summary

An exploitable memory corruption vulnerability exists in IGC64.DLL, the shader compiler component of Intel's graphics driver, version 26.20.100.7584. A specially crafted pixel shader causes an out-of-bounds write during shader compilation, which could lead to arbitrary code execution. An attacker can trigger this vulnerability by providing a specially crafted shader. Because the shader compiler runs in the host-side process that services the guest's graphics requests, this vulnerability could potentially be triggered from a guest machine in a virtualization environment (e.g. VMware, QEMU, VirtualBox, etc.) to perform a guest-to-host escape, as demonstrated before in TALOS-2018-0533, TALOS-2018-0568 and others. Theoretically, this vulnerability could also be triggered from a web browser (via WebGL and WebAssembly), but Talos has not been able to confirm this.

Tested Versions

Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1036)

Product URLs

http://intel.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

This vulnerability can be triggered by supplying a malformed pixel shader, leading to an out-of-bounds write inside the Intel IGC64 shader compiler. The DLL is loaded into whichever process compiles the shader, which is what makes the affected component attackable, e.g. VMware's vmware-vmx.exe on the host.

Example of a pixel shader triggering the bug (a single instruction is sufficient):

LEN:0004 ad 00 00 01 atomic_iadd

atomic_iadd is a Shader Model 5 instruction that atomically adds an integer to a memory location (atomic_iadd dst, dstAddress, src0). The token above encodes opcode 0xad with an instruction length of 1 DWORD, i.e. the opcode token alone, without any of the three operands the instruction requires.
Emitting this single malformed instruction is enough to make the compiler write out of bounds (a zero byte stored through an invalid pointer):

igc64!OpenCompiler12+338c0
00007ffc`7133b050 c681d000000000  mov     byte ptr [rcx+0D0h],0
WRITE_ADDRESS:  00000173c8c800d0 

Stack trace:

0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffc`713344e3 : 00000173`c67ef750 00000173`c67e760c 00000173`c67e7624 00000173`c67e7628 : igc64!OpenCompiler12+0x338c0
01 00007ffc`713341a3 : 00000000`00000000 00000173`c67f0da0 00000173`c67ef750 00000173`c67e760c : igc64!OpenCompiler12+0x2cd53
02 00007ffc`7133406f : 00000173`c67e760c 00000173`c67e760c 00000173`c67e760c 00000173`c67eee50 : igc64!OpenCompiler12+0x2ca13
03 00007ffc`7130c37a : 00000173`c67e98e0 00000173`c67e9a00 00000173`c67e9a00 00000173`c67e9a00 : igc64!OpenCompiler12+0x2c8df
04 00007ffc`7130b6cd : 00000000`00000000 00000173`c67e80c8 00000067`b20fcac0 00007ffc`837dbabb : igc64!OpenCompiler12+0x4bea
05 00007ffc`7130cbf3 : 00000173`c67e8098 00007ffc`75013537 00000173`c67e8150 00000000`00000000 : igc64!OpenCompiler12+0x3f3d
06 00007ffc`748f7946 : 00000173`c67e7fb0 00000000`00000000 00000173`c6720d50 00000000`00000001 : igc64!OpenCompiler12+0x5463
07 00007ffc`750bb966 : 00000173`bfa16080 00000173`c67e7a50 00000173`c67e9720 00000067`b20fc620 : igd10iumd64!OpenAdapter10_2+0x30326
08 00007ffc`7cc28edc : 00000000`00000000 00000173`c67e7a38 00000173`c6716e30 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x7f4346
09 00007ffc`7cc3295f : 00000067`00000001 00000173`c6720d48 00000173`c67e7a38 00000173`c6716e30 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
0a 00007ffc`7cc3289a : 00000067`b20fe3e0 00007ffc`3ff47a18 00000173`c67e7660 00000173`bf990320 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
0b 00007ffc`7cc1ee58 : 00000173`c67e7928 00000067`b20fe3e0 00000067`b20fe360 00007ffc`3ff47a18 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
0c 00007ffc`7cc2b17d : 00000000`00000040 00000173`c67e76a8 00000173`bf989a70 00000067`0c040109 : d3d11!CDevice::CreateLayeredChild+0xc88
0d 00007ffc`3fed3ade : 00000173`c67e76a8 00000000`00000000 00000000`00000000 00000000`00000009 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
0e 00007ffc`3fec0d83 : 00000173`c67e7758 00000000`00000000 00000000`00000000 00000173`c67e7660 : D3D11_3SDKLayers!NDebug::CDeviceChild<ID3D11PixelShader>::FinalConstruct+0x82
0f 00007ffc`3fe7da23 : 00000173`c67e7690 00000173`c67e7688 00000173`c67e7688 00000173`c67e7660 : D3D11_3SDKLayers!CLayeredObject<NDebug::CPixelShader>::CreateInstance+0x167
10 00007ffc`7cc2b950 : 00000173`c67e7660 00000000`00000030 00000067`b20fe4d0 00000173`bf990000 : D3D11_3SDKLayers!NDebug::CDevice::CreateLayeredChild+0x773
11 00007ffc`7cc114f4 : 00000173`c670e350 00000067`00000009 00000173`c67e7570 00000173`c670f1e8 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
12 00007ffc`7cc11463 : 00000173`c67e7570 00000000`0000c100 00000000`00000000 00000000`00000001 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
13 00007ffc`7cc111e8 : 00000173`c670f1e8 00000173`c67e7570 00000000`000000b8 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
14 00007ffc`3fea9f85 : 00000173`c670e3a8 00000173`00000001 00000173`c670e3a8 00000173`c670e3b0 : d3d11!CDevice::CreatePixelShader+0x28
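The following decoder, added here as an example and not part of the Talos advisory or of Intel's compiler, shows why the four bytes above are malformed and what a compiler front end has to check before it touches operands. It reads the opcode token per the Shader Model 4/5 tokenized program format (opcode type in bits 10:0, instruction length in DWORDs in bits 30:24, extended-token flag in bit 31): 0xad 00 00 01 decodes to atomic_iadd with a length of one DWORD, i.e. the opcode token alone, although atomic_iadd takes three operands (dst, dstAddress, src0). That the Intel fault stems from reading a missing operand is an inference from the token, not something the advisory states; the helper names, the well-formed comparison stream and its placeholder operand tokens are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcode number of atomic_iadd in the Shader Model 4/5 tokenized program
   format (D3D11_SB_OPCODE_ATOMIC_IADD), matching the 0xad byte in the advisory. */
#define SB_OPCODE_ATOMIC_IADD 0xadu

/* atomic_iadd dst, dstAddress, src0: three operands per the SM5 assembly reference. */
#define ATOMIC_IADD_MIN_OPERANDS 3u

/* Constructed sample input: the advisory's single instruction, i.e. the
   little-endian DWORD 0x010000ad as it sits in the instruction stream. */
static const uint8_t kMalformedStream[] = { 0xad, 0x00, 0x00, 0x01 };

/* Constructed well-formed counterpart: same opcode, length field 4, followed by
   three placeholder operand tokens (operand contents are not validated here). */
static const uint8_t kWellFormedStream[] = {
    0xad, 0x00, 0x00, 0x04,
    0x00, 0x00, 0x10, 0x00,
    0x00, 0x00, 0x10, 0x00,
    0x00, 0x00, 0x10, 0x00,
};

typedef struct {
    uint32_t opcode;    /* bits 10:0  : opcode type                                  */
    uint32_t controls;  /* bits 23:11 : opcode-specific control bits                 */
    uint32_t length;    /* bits 30:24 : instruction length in DWORDs, incl. this one */
    int      extended;  /* bit 31     : an extended opcode token follows             */
} opcode_token_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

opcode_token_t decode_opcode_token(uint32_t tok)
{
    opcode_token_t t;
    t.opcode   = tok & 0x7ffu;
    t.controls = (tok >> 11) & 0x1fffu;
    t.length   = (tok >> 24) & 0x7fu;
    t.extended = (int)(tok >> 31);
    return t;
}

/* Hypothetical helper: minimum operand count for the opcodes this example
   knows about; 0 for everything else (no check is performed for those). */
unsigned min_operands_for(uint32_t opcode)
{
    return opcode == SB_OPCODE_ATOMIC_IADD ? ATOMIC_IADD_MIN_OPERANDS : 0u;
}

/* Every operand occupies at least one DWORD, so an instruction claiming fewer
   than 1 + N DWORDs cannot carry N operands. This is the bound a compiler must
   enforce before it dereferences operand[i]. */
int instruction_length_ok(const opcode_token_t *t)
{
    return t->length >= 1u + min_operands_for(t->opcode);
}

/* Walks an instruction stream and returns the DWORD index of the first
   instruction that is too short for its opcode, has length 0 (which would make
   a naive walker loop forever), or extends past the buffer. Returns -1 if every
   instruction passes. */
int find_malformed_instruction(const uint8_t *buf, size_t len_bytes)
{
    size_t ndwords = len_bytes / 4;
    size_t i = 0;
    while (i < ndwords) {
        opcode_token_t t = decode_opcode_token(read_le32(buf + 4 * i));
        if (t.length == 0 || i + t.length > ndwords || !instruction_length_ok(&t))
            return (int)i;
        i += t.length;
    }
    return -1;
}

int main(void)
{
    opcode_token_t t = decode_opcode_token(read_le32(kMalformedStream));
    printf("opcode 0x%02x, length %u DWORD(s): %s\n", t.opcode, t.length,
           instruction_length_ok(&t) ? "ok" : "too short for its operands");
    printf("malformed stream: first bad instruction at DWORD %d\n",
           find_malformed_instruction(kMalformedStream, sizeof kMalformedStream));
    printf("well-formed stream: first bad instruction at DWORD %d\n",
           find_malformed_instruction(kWellFormedStream, sizeof kWellFormedStream));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the malformed stream is rejected at DWORD 0, the well-formed one passes. The length lower bound is deliberately conservative: a complete validator also has to decode each operand token's own size (extended operand tokens, immediate values, relative indexing) and cross-check the running offset against the instruction length, otherwise an instruction that claims enough DWORDs but packs oversized operands can still push the reader past the end of the instruction.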

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Write

	Key  : Analysis.CPU.Sec
	Value: 1

	Key  : Analysis.Elapsed.Sec
	Value: 96

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 72

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 126392

	Key  : Timeline.Process.Start.DeltaSec
	Value: 46


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
	Name: <blank>
	Time: 2020-01-12T14:36:38.911Z
	Diff: 88 mSec

Timeline: Dump.Current
	Name: <blank>
	Time: 2020-01-12T14:36:39.0Z
	Diff: 0 mSec

Timeline: Process.Start
	Name: <blank>
	Time: 2020-01-12T14:35:53.0Z
	Diff: 46000 mSec

Timeline: OS.Boot
	Name: <blank>
	Time: 2020-01-11T03:30:07.0Z
	Diff: 126392000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

MODLIST_WITH_TSCHKSUM_HASH:  68520726b589446b188e9a1fa156e8f36ea4808b

MODLIST_SHA1_HASH:  a128a094da68947a63ade4a350e9f21c32a899c7

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

FAULTING_IP: 
igc64!OpenCompiler12+338c0
00007ffc`7133b050 c681d000000000  mov     byte ptr [rcx+0D0h],0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffc7133b050 (igc64!OpenCompiler12+0x00000000000338c0)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000173c8c800d0
Attempt to write to address 00000173c8c800d0

FAULTING_THREAD:  00003b00

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  SimpleBezier11.exe

FOLLOWUP_IP: 
igc64!OpenCompiler12+338c0
00007ffc`7133b050 c681d000000000  mov     byte ptr [rcx+0D0h],0

WRITE_ADDRESS:  00000173c8c800d0 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  00000173c8c800d0

WATSON_BKT_PROCSTAMP:  5e1a4ea8

WATSON_BKT_MODULE:  igc64.dll

WATSON_BKT_MODSTAMP:  5ddcfccd

WATSON_BKT_MODOFFSET:  a7b050

WATSON_BKT_MODVER:  26.20.100.7584

MODULE_VER_PRODUCT:  Intel HD Graphics Drivers for Windows(R)

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_HOST:  IAMLEGION

ANALYSIS_SESSION_TIME:  01-12-2020 15:36:38.0911

ANALYSIS_VERSION: 10.0.18914.1001 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  PLK

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

PROBLEM_CLASSES: 

	ID:     [0n313]
	Type:   [@ACCESS_VIOLATION]
	Class:  Addendum
	Scope:  BUCKET_ID
	Name:   Omit
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0x3b00]
	Frame:  [0] : igc64!OpenCompiler12

	ID:     [0n286]
	Type:   [INVALID_POINTER_WRITE]
	Class:  Primary
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0x3b00]
	Frame:  [0] : igc64!OpenCompiler12

LAST_CONTROL_TRANSFER:  from 00007ffc713344e3 to 00007ffc7133b050

STACK_TEXT:  
00000067`b20f66c0 00007ffc`713344e3 : 00000173`c67ef750 00000173`c67e760c 00000173`c67e7624 00000173`c67e7628 : igc64!OpenCompiler12+0x338c0
00000067`b20fc170 00007ffc`713341a3 : 00000000`00000000 00000173`c67f0da0 00000173`c67ef750 00000173`c67e760c : igc64!OpenCompiler12+0x2cd53
00000067`b20fc1b0 00007ffc`7133406f : 00000173`c67e760c 00000173`c67e760c 00000173`c67e760c 00000173`c67eee50 : igc64!OpenCompiler12+0x2ca13
00000067`b20fc2b0 00007ffc`7130c37a : 00000173`c67e98e0 00000173`c67e9a00 00000173`c67e9a00 00000173`c67e9a00 : igc64!OpenCompiler12+0x2c8df
00000067`b20fc340 00007ffc`7130b6cd : 00000000`00000000 00000173`c67e80c8 00000067`b20fcac0 00007ffc`837dbabb : igc64!OpenCompiler12+0x4bea
00000067`b20fc3c0 00007ffc`7130cbf3 : 00000173`c67e8098 00007ffc`75013537 00000173`c67e8150 00000000`00000000 : igc64!OpenCompiler12+0x3f3d
00000067`b20fc480 00007ffc`748f7946 : 00000173`c67e7fb0 00000000`00000000 00000173`c6720d50 00000000`00000001 : igc64!OpenCompiler12+0x5463
00000067`b20fc4c0 00007ffc`750bb966 : 00000173`bfa16080 00000173`c67e7a50 00000173`c67e9720 00000067`b20fc620 : igd10iumd64!OpenAdapter10_2+0x30326
00000067`b20fc520 00007ffc`7cc28edc : 00000000`00000000 00000173`c67e7a38 00000173`c6716e30 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x7f4346
00000067`b20fc950 00007ffc`7cc3295f : 00000067`00000001 00000173`c6720d48 00000173`c67e7a38 00000173`c6716e30 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
00000067`b20fcbb0 00007ffc`7cc3289a : 00000067`b20fe3e0 00007ffc`3ff47a18 00000173`c67e7660 00000173`bf990320 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
00000067`b20fcc40 00007ffc`7cc1ee58 : 00000173`c67e7928 00000067`b20fe3e0 00000067`b20fe360 00007ffc`3ff47a18 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
00000067`b20fcca0 00007ffc`7cc2b17d : 00000000`00000040 00000173`c67e76a8 00000173`bf989a70 00000067`0c040109 : d3d11!CDevice::CreateLayeredChild+0xc88
00000067`b20fd0e0 00007ffc`3fed3ade : 00000173`c67e76a8 00000000`00000000 00000000`00000000 00000000`00000009 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
00000067`b20fd250 00007ffc`3fec0d83 : 00000173`c67e7758 00000000`00000000 00000000`00000000 00000173`c67e7660 : D3D11_3SDKLayers!NDebug::CDeviceChild<ID3D11PixelShader>::FinalConstruct+0x82
00000067`b20fe2e0 00007ffc`3fe7da23 : 00000173`c67e7690 00000173`c67e7688 00000173`c67e7688 00000173`c67e7660 : D3D11_3SDKLayers!CLayeredObject<NDebug::CPixelShader>::CreateInstance+0x167
00000067`b20fe3a0 00007ffc`7cc2b950 : 00000173`c67e7660 00000000`00000030 00000067`b20fe4d0 00000173`bf990000 : D3D11_3SDKLayers!NDebug::CDevice::CreateLayeredChild+0x773
00000067`b20fe490 00007ffc`7cc114f4 : 00000173`c670e350 00000067`00000009 00000173`c67e7570 00000173`c670f1e8 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
00000067`b20fe680 00007ffc`7cc11463 : 00000173`c67e7570 00000000`0000c100 00000000`00000000 00000000`00000001 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
00000067`b20fe6e0 00007ffc`7cc111e8 : 00000173`c670f1e8 00000173`c67e7570 00000000`000000b8 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
00000067`b20fe890 00007ffc`3fea9f85 : 00000173`c670e3a8 00000173`00000001 00000173`c670e3a8 00000173`c670e3b0 : d3d11!CDevice::CreatePixelShader+0x28
00000067`b20fe8e0 00007ff7`2dad8f49 : 00000000`00000000 00000000`00000000 00000067`b20fe9b8 00000173`c67e7584 : D3D11_3SDKLayers!NDebug::CDevice::CreatePixelShader+0x115
00000067`b20fe950 00007ff7`2dad6bd4 : 00000173`c670e3b0 00000173`bf9a34d0 00000173`00000000 00007ff7`2dd03030 : SimpleBezier11+0x58f49
00000067`b20febb0 00007ff7`2da9f70e : 00000173`c670e3b0 00000173`bf9daeb0 00000000`00000000 00000000`00000000 : SimpleBezier11+0x56bd4
00000067`b20fefb0 00007ff7`2da9bea2 : 00000173`bfa16320 00000173`bfa16301 00000000`00000000 00000000`00000000 : SimpleBezier11+0x1f70e
00000067`b20ff250 00007ff7`2da9821c : 00000173`bfa16320 00470055`00000201 0065006d`005f0032 00720077`005f006d : SimpleBezier11+0x1bea2
00000067`b20ff640 00007ff7`2dad515b : 00007ff7`0000b000 00007ff7`2da80001 ffffffff`00000320 00000000`00000258 : SimpleBezier11+0x1821c
00000067`b20ff840 00007ff7`2db283bd : 00007ff7`2da80000 00000000`00000000 00000173`bf993afc 00007ff7`0000000a : SimpleBezier11+0x5515b
00000067`b20ff8f0 00007ff7`2db2826e : 00007ff7`2db42000 00007ff7`2db423a0 00000000`00000000 00000000`00000000 : SimpleBezier11+0xa83bd
00000067`b20ff930 00007ff7`2db2812e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SimpleBezier11+0xa826e
00000067`b20ff9a0 00007ff7`2db28449 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SimpleBezier11+0xa812e
00000067`b20ff9d0 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SimpleBezier11+0xa8449
00000067`b20ffa00 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000067`b20ffa30 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


STACK_COMMAND:  ~0s ; .cxr ; kb

THREAD_SHA1_HASH_MOD_FUNC:  35432efb24038964cffc57d4452411c4eec32c8c

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  c6f1f2b85e5669d833f4df518bd941305a60161c

THREAD_SHA1_HASH_MOD:  b69d115479d8aa2381c6e13353a51f982422c1d8

FAULT_INSTR_CODE:  d081c6

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  igc64!OpenCompiler12+338c0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: igc64

IMAGE_NAME:  igc64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5ddcfccd

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_igc64.dll!OpenCompiler12

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_igc64!OpenCompiler12+338c0

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  igc64.dll

BUCKET_ID_IMAGE_STR:  igc64.dll

FAILURE_MODULE_NAME:  igc64

BUCKET_ID_MODULE_STR:  igc64

FAILURE_FUNCTION_NAME:  OpenCompiler12

BUCKET_ID_FUNCTION_STR:  OpenCompiler12

BUCKET_ID_OFFSET:  338c0

BUCKET_ID_MODTIMEDATESTAMP:  5ddcfccd

BUCKET_ID_MODCHECKSUM:  2450ddb

BUCKET_ID_MODVER_STR:  26.20.100.7584

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  igc64.dll!OpenCompiler12

TARGET_TIME:  2020-01-12T14:38:15.000Z

OSBUILD:  18362

OSSERVICEPACK:  329

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  17987

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_igc64.dll!opencompiler12

FAILURE_ID_HASH:  {1c89f3a6-178c-7483-67bb-857d785cefd5}

Followup:     MachineOwner
---------

Timeline

2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.