Talos Vulnerability Report

TALOS-2020-1038

NVIDIA D3D10 Driver nvwgf2umx_cfg.dll nvwg DCL_CONSTANT_BUFFER code execution vulnerability

September 30, 2020
CVE Number

CVE‑2020‑5981

Summary

An exploitable code execution vulnerability exists in the nvwg DCL_CONSTANT_BUFFER functionality of NVIDIA D3D10 Driver Version 442.50 - 26.21.14.4250. A specially crafted shader can cause remote code execution. An attacker can use this vulnerability to perform a guest-to-host escape (through Hyper-V RemoteFX).

Tested Versions

NVIDIA D3D10 Driver Version 442.50 - 26.21.14.4250

Product URLs

https://nvidia.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

NVIDIA Graphics drivers are the software for NVIDIA GPUs installed in a PC. They mediate communication between the operating system and the GPU device, and in most cases are required for the hardware to function properly.

This vulnerability can be triggered by supplying a malformed pixel shader, which leads to memory corruption in the NVIDIA driver (the driver is mapped into the application that uses it, such as Hyper-V (rdvgm.exe)).

Example of a pixel shader triggering the bug:

ps_4_1
dcl_global_flags refactoringAllowed
dcl_constant_buffer cb-609943552[511].xyzw, immediateIndexed
dcl_input_ps_siv linear noperspective v0.xy, position
dcl_output o0.xyzw
...

The DCL_CONSTANT_BUFFER instruction declares a shader constant buffer, cbN[size], where N is an integer that denotes the constant-buffer register number and size is an integer that denotes the number of elements in the buffer. By modifying the N integer in the DCL_CONSTANT_BUFFER cbN declaration so that it exceeds the default maximum constant-buffer count, it is possible to trigger memory corruption in the NVIDIA graphics driver.

An attacker can control the memory write address by modifying the instruction's shader bytecode.

0:123> r
rax=0000000000000000 rbx=00000292aec7aad0 rcx=00000000dba50001
rdx=00000000dba50000 rsi=00000000dba50000 rdi=00000292a29b6940
rip=00007ffbb642c6f2 rsp=000000e4744fea20 rbp=000000e4744fea99
 r8=00000000dba50000  r9=00000000dba50000 r10=00000fff76c7eb7a
r11=0400001000000000 r12=00000292a29b6901 r13=00000000dba50000
r14=00000000dba50000 r15=00000292abd62fc0
iopl=0         nv up ei ng nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nvwgf2umx_cfg!OpenAdapter12+0x1f92a2:
00007ffb`b642c6f2 4289b4b340030000 mov     dword ptr [rbx+r14*4+340h],esi ds:00000296`1d5bae10=????????
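The following Python is an added example, not code from Talos or NVIDIA. It does two things a defender reviewing this report would want to reproduce: it lints SM4 shader disassembly for dcl_constant_buffer declarations whose register number N or element count falls outside the D3D10 limits (the constants D3D10_COMMONSHADER_CONSTANT_BUFFER_API_SLOT_COUNT = 14 and D3D10_REQ_CONSTANT_BUFFER_ELEMENT_COUNT = 4096 are the real values from d3d10.h; that the driver's missing check is a range check against the API slot count is an assumption of this example), and it recomputes the effective address of the faulting instruction, mov dword ptr [rbx+r14*4+340h], esi, from the register dump above. The arithmetic shows that r14 (0xdba50000) is the 32-bit two's-complement encoding of the -609943552 in the sample shader, and that rbx + r14*4 + 0x340 is exactly the write address in the exception record (0x2961d5bae10). The linter is general: it flags any out-of-range cb declaration, not only the one on this page.

```python
import re

# D3D10 limits from d3d10.h (real values). That the missing driver check is a
# range check of N against the API slot count is an assumption of this example.
D3D10_COMMONSHADER_CONSTANT_BUFFER_API_SLOT_COUNT = 14
D3D10_REQ_CONSTANT_BUFFER_ELEMENT_COUNT = 4096

# Constructed sample: the pixel shader quoted in the advisory.
SAMPLE_SHADER = """\
ps_4_1
dcl_global_flags refactoringAllowed
dcl_constant_buffer cb-609943552[511].xyzw, immediateIndexed
dcl_input_ps_siv linear noperspective v0.xy, position
dcl_output o0.xyzw
"""

# Matches "dcl_constant_buffer cbN[size].mask, accessPattern" in SM4 disassembly.
DCL_CB_RE = re.compile(
    r"^\s*dcl_constant_buffer\s+cb(-?\d+)\[(\d+)\]\.([xyzw]+)\s*,\s*(\w+)\s*$"
)


def parse_dcl_constant_buffer(line):
    """Return the fields of a dcl_constant_buffer line, or None for any other line."""
    m = DCL_CB_RE.match(line)
    if m is None:
        return None
    return {
        "register": int(m.group(1)),  # N in cbN: the constant-buffer register number
        "size": int(m.group(2)),      # number of elements declared for the buffer
        "mask": m.group(3),
        "access": m.group(4),
    }


def to_uint32(value):
    """Two's-complement 32-bit view of an integer, as a 32-bit operand encodes it."""
    return value & 0xFFFFFFFF


def validate_cb_declaration(decl):
    """Range checks a shader front end should apply before the declaration reaches the driver."""
    issues = []
    reg, size = decl["register"], decl["size"]
    if not 0 <= reg < D3D10_COMMONSHADER_CONSTANT_BUFFER_API_SLOT_COUNT:
        issues.append(
            "register cb%d outside 0..%d (encodes as 0x%08x)"
            % (reg, D3D10_COMMONSHADER_CONSTANT_BUFFER_API_SLOT_COUNT - 1, to_uint32(reg))
        )
    if not 1 <= size <= D3D10_REQ_CONSTANT_BUFFER_ELEMENT_COUNT:
        issues.append(
            "size %d outside 1..%d" % (size, D3D10_REQ_CONSTANT_BUFFER_ELEMENT_COUNT)
        )
    return issues


def lint_shader(text):
    """Return (line number, issue) pairs for every out-of-range cb declaration in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        decl = parse_dcl_constant_buffer(line)
        if decl is None:
            continue
        for issue in validate_cb_declaration(decl):
            findings.append((lineno, issue))
    return findings


def faulting_write_address(rbx, r14, disp=0x340, scale=4):
    """Effective address of the crashing instruction, mov dword ptr [rbx+r14*4+340h], esi.

    r14 holds the unchecked register number as a zero-extended 32-bit value, so the
    index is scaled and added to the table base in rbx without any range check.
    """
    return (rbx + r14 * scale + disp) & 0xFFFFFFFFFFFFFFFF


if __name__ == "__main__":
    for lineno, issue in lint_shader(SAMPLE_SHADER):
        print("line %d: %s" % (lineno, issue))
    # rbx and r14 as shown in the advisory's "r" output.
    addr = faulting_write_address(0x00000292AEC7AAD0, 0x00000000DBA50000)
    print("write lands at 0x%016x" % addr)
```

Running the module prints one finding for line 3 of the sample shader and the address 0x000002961d5bae10, the same value WinDbg reports as Parameter[1] of the access violation; a shader that declares cb0 through cb13 with sizes of 1 to 4096 elements produces no findings.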

stack trace:

0:123> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffb`b63f5c18 : 00000000`00000000 ffffffff`ffffffff 000000e4`744feb50 00000000`dba50000 : nvwgf2umx_cfg!OpenAdapter12+0x1f92a2
01 00007ffb`b63f3378 : 00000292`a29b6940 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x1c27c8
02 00007ffb`b63f2405 : 00000000`00000059 000000e4`744ff071 00000000`00000059 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x1bff28
03 00007ffb`b624a02e : 00000292`abcc6b70 00007ffb`c5a5fc11 00000000`00000000 00000292`a2617780 : nvwgf2umx_cfg!OpenAdapter12+0x1befb5
04 00007ffb`b624b826 : 00000000`00000000 00000000`00000000 000000e4`744ff2c0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16bde
05 00007ffb`b64e978d : 00000292`a274b1a0 00000292`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x183d6
06 00007ffb`b655a84d : 00000292`9bbf27b0 00000000`fffffff1 00000000`fffffff1 00000000`fffffff1 : nvwgf2umx_cfg!OpenAdapter12+0x2b633d
07 00007ffb`b73ec500 : 00000000`00000000 00000000`00000000 00000292`ab9006d0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x3273fd
08 00007ffb`c3c17bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x7cb5d0
09 00007ffb`c5a8ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0a 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Crash Information

0:123> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Write

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 60523

	Key  : Timeline.Process.Start.DeltaSec
	Value: 8430


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
	Name: <blank>
	Time: 2020-03-17T14:51:29.966Z
	Diff: 33 mSec

Timeline: Dump.Current
	Name: <blank>
	Time: 2020-03-17T14:51:30.0Z
	Diff: 0 mSec

Timeline: Process.Start
	Name: <blank>
	Time: 2020-03-17T12:31:00.0Z
	Diff: 8430000 mSec

Timeline: OS.Boot
	Name: <blank>
	Time: 2020-03-16T22:02:47.0Z
	Diff: 60523000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
nvwgf2umx_cfg!OpenAdapter12+1f92a2
00007ffb`b642c6f2 4289b4b340030000 mov     dword ptr [rbx+r14*4+340h],esi

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffbb642c6f2 (nvwgf2umx_cfg!OpenAdapter12+0x00000000001f92a2)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000002961d5bae10
Attempt to write to address 000002961d5bae10

FAULTING_THREAD:  00003d04

PROCESS_NAME:  rdvgm.exe

FOLLOWUP_IP: 
nvwgf2umx_cfg!OpenAdapter12+1f92a2
00007ffb`b642c6f2 4289b4b340030000 mov     dword ptr [rbx+r14*4+340h],esi

WRITE_ADDRESS:  000002961d5bae10 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  000002961d5bae10

WATSON_BKT_PROCSTAMP:  c2ed11f1

WATSON_BKT_PROCVER:  10.0.18362.693

PROCESS_VER_PRODUCT:  Microsoft® Windows® Operating System

WATSON_BKT_MODULE:  nvwgf2umx_cfg.dll

WATSON_BKT_MODSTAMP:  5e543369

WATSON_BKT_MODOFFSET:  38c6f2

WATSON_BKT_MODVER:  26.21.14.4250

MODULE_VER_PRODUCT:  NVIDIA D3D10 drivers

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

MODLIST_WITH_TSCHKSUM_HASH:  7b8f4223b131bc362bb4a845b5a9cb46eb56e1c8

MODLIST_SHA1_HASH:  0f361cbbe04384b6e38c75ba58473fb3acfe310b

NTGLOBALFLAG:  400

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  CLAB

ANALYSIS_SESSION_TIME:  03-17-2020 15:51:29.0966

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  PLK

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

PROBLEM_CLASSES: 

	ID:     [0n313]
	Type:   [@ACCESS_VIOLATION]
	Class:  Addendum
	Scope:  BUCKET_ID
	Name:   Omit
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0x3d04]
	Frame:  [0] : nvwgf2umx_cfg!OpenAdapter12

	ID:     [0n286]
	Type:   [INVALID_POINTER_WRITE]
	Class:  Primary
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0x3d04]
	Frame:  [0] : nvwgf2umx_cfg!OpenAdapter12

	ID:     [0n117]
	Type:   [EXPLOITABLE]
	Class:  Addendum
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [0x35dc]
	TID:    [0x3d04]
	Frame:  [0] : nvwgf2umx_cfg!OpenAdapter12

LAST_CONTROL_TRANSFER:  from 00007ffbb63f5c18 to 00007ffbb642c6f2

STACK_TEXT:  
000000e4`744fea20 00007ffb`b63f5c18 : 00000000`00000000 ffffffff`ffffffff 000000e4`744feb50 00000000`dba50000 : nvwgf2umx_cfg!OpenAdapter12+0x1f92a2
000000e4`744feaf0 00007ffb`b63f3378 : 00000292`a29b6940 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x1c27c8
000000e4`744feb30 00007ffb`b63f2405 : 00000000`00000059 000000e4`744ff071 00000000`00000059 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x1bff28
000000e4`744fefc0 00007ffb`b624a02e : 00000292`abcc6b70 00007ffb`c5a5fc11 00000000`00000000 00000292`a2617780 : nvwgf2umx_cfg!OpenAdapter12+0x1befb5
000000e4`744ff0c0 00007ffb`b624b826 : 00000000`00000000 00000000`00000000 000000e4`744ff2c0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x16bde
000000e4`744ff1c0 00007ffb`b64e978d : 00000292`a274b1a0 00000292`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x183d6
000000e4`744ffc50 00007ffb`b655a84d : 00000292`9bbf27b0 00000000`fffffff1 00000000`fffffff1 00000000`fffffff1 : nvwgf2umx_cfg!OpenAdapter12+0x2b633d
000000e4`744ffd40 00007ffb`b73ec500 : 00000000`00000000 00000000`00000000 00000292`ab9006d0 00000000`00000000 : nvwgf2umx_cfg!OpenAdapter12+0x3273fd
000000e4`744ffd90 00007ffb`c3c17bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx_cfg!NVAPI_Thunk+0x7cb5d0
000000e4`744ffdc0 00007ffb`c5a8ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000e4`744ffdf0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


THREAD_SHA1_HASH_MOD_FUNC:  20d9fabfbb60c195813c37b82f9cd32370c54005

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  93ffd0abf2179e49213ec0eef2ec221f3ffebede

THREAD_SHA1_HASH_MOD:  685fcebdc54c161cffb3ee49c08a2ea54c68ef8d

FAULT_INSTR_CODE:  b3b48942

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nvwgf2umx_cfg!OpenAdapter12+1f92a2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nvwgf2umx_cfg

IMAGE_NAME:  nvwgf2umx_cfg.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5e543369

STACK_COMMAND:  ~123s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_nvwgf2umx_cfg.dll!OpenAdapter12

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_nvwgf2umx_cfg!OpenAdapter12+1f92a2

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  nvwgf2umx_cfg.dll

BUCKET_ID_IMAGE_STR:  nvwgf2umx_cfg.dll

FAILURE_MODULE_NAME:  nvwgf2umx_cfg

BUCKET_ID_MODULE_STR:  nvwgf2umx_cfg

FAILURE_FUNCTION_NAME:  OpenAdapter12

BUCKET_ID_FUNCTION_STR:  OpenAdapter12

BUCKET_ID_OFFSET:  1f92a2

BUCKET_ID_MODPRIVATE: 1

BUCKET_ID_MODTIMEDATESTAMP:  5e543369

BUCKET_ID_MODCHECKSUM:  272ca91

BUCKET_ID_MODVER_STR:  26.21.14.4250

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  nvwgf2umx_cfg.dll!OpenAdapter12

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/rdvgm.exe/10.0.18362.693/c2ed11f1/nvwgf2umx_cfg.dll/26.21.14.4250/5e543369/c0000005/0038c6f2.htm?Retriage=1

TARGET_TIME:  2020-03-17T14:51:34.000Z

OSBUILD:  18363

OSSERVICEPACK:  329

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  12db

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_exploitable_c0000005_nvwgf2umx_cfg.dll!openadapter12

FAILURE_ID_HASH:  {32968bfd-cb9d-86c1-30b8-ad1954eb9190}

Followup:     MachineOwner
---------

Timeline

2020-03-25 - Vendor Disclosure
2020-04-06 - Vendor requested disclosure extension; Talos granted extension
2020-08-25 - Discussion w/vendor regarding CVE assignment
2020-09-30 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.