CVE-2019-5049
An exploitable memory corruption vulnerability exists in the AMD ATIDXX64.DLL driver, versions 25.20.15031.5004 and 25.20.15031.9002. A specially crafted pixel shader can cause an out-of-bounds memory write. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest, affecting the VMware host.
AMD ATIDXX64.DLL (25.20.15031.5004 / 25.20.15031.9002) running on Radeon RX 550 / 550 Series, VMware Workstation 15 (15.0.4 build-12990004) with Windows 10 x64 as guest VM
http://amd.com http://vmware.com
9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
This vulnerability can be triggered by supplying a malformed pixel shader (from inside the VMware guest OS) to the AMD ATIDXX64.DLL driver. Such an attack can be launched from VMware guest user mode to cause memory corruption in the vmware-vmx.exe process on the host, or theoretically through WebGL (a remote website).
Vulnerable code from sub_32B820 (from the ATIDXX64.DLL library):
.text:000000000032B87B mov eax, ebx ; ebx is taken directly from shader bytecode (negative in this case) and passed as the argument to function sub_32B820
.text:000000000032B87D mov rbx, [rsp+28h+arg_0]
.text:000000000032B882 cdq
.text:000000000032B883 and edx, 1Fh
.text:000000000032B886 add eax, edx
.text:000000000032B888 mov r8, [rdi+rcx*8+358h]
.text:000000000032B890 mov ecx, eax
.text:000000000032B892 and eax, 1Fh
.text:000000000032B895 sar ecx, 5
.text:000000000032B898 sub eax, edx
.text:000000000032B89A lea rdx, [r8+rcx*4] ; rdx = calc destination write address based on supplied data
.text:000000000032B89E mov ecx, eax
.text:000000000032B8A0 mov eax, 1
.text:000000000032B8A5 shl eax, cl
.text:000000000032B8A7 or [rdx+358h], eax ; overwrite
Part of sample / modified shader bytecode:
dcl_constant_buffer cb0[3].xyzw, immediateIndexed
...
mul r50.xyz, cb-30249[0].xxxx, l(2, 1.9, 0.8, 0.8)
...
The function sub_32B820 is called with an argument that is controlled directly by attacker-supplied shader bytecode data (in this case it is taken from the MUL instruction, where the modified operand is a CBX (constant buffer) reference). Because of this, and the lack of proper bounds checking, an attacker can partially control the calculation of the destination address, which leads to controlled memory corruption:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\DriverStore\FileRepository\c0341248.inf_amd64_3000f277af7fbb1b\B341349\atidxx64.dll -
atidxx64!AmdDxGsaFreeCompiledShader+0x2b4ba7:
00007fff`b2bfb8a7 098258030000 or dword ptr [rdx+358h],eax ds:00000227`90b441ac=????????
stack trace:
0:000> kb
# RetAddr : Args to Child : Call Site
00 00007fff`b2ef9cb5 : 00000000`89d70014 00000223`90b980d8 00000223`90b1bd90 00000223`90b980d8 : atidxx64!AmdDxGsaFreeCompiledShader+0x2b4ba7
01 00007fff`b2f08ffd : ffffffff`89d70014 00000000`00000049 00007fff`b28e0000 00000223`90e27600 : atidxx64!AmdDxGsaFreeCompiledShader+0x5b2fb5
02 00007fff`b2f08eab : 00000079`6d3e9290 00000223`90e2e6f0 00000223`90b2f478 00000223`90dfd150 : atidxx64!AmdDxGsaFreeCompiledShader+0x5c22fd
03 00007fff`b2a2b860 : 00000223`90b1bd90 00000223`90dfc9e0 00000223`90e17c48 00000223`90e17cb8 : atidxx64!AmdDxGsaFreeCompiledShader+0x5c21ab
04 00007fff`b2a2a52b : 00000223`90b4b630 00000223`90b97fd8 00000223`90b1bd90 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xe4b60
05 00007fff`b2a1b1e0 : 00000223`90b1bd90 00000223`90b90098 00000000`00000004 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xe382b
06 00007fff`b29fb9fa : 00000223`90b1bd90 00000223`90b44d18 00000079`6d3e9120 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xd44e0
07 00007fff`b2964f94 : 00000000`00000001 00000079`6d3e9120 00000223`90b44d18 00000079`6d3e9120 : atidxx64!AmdDxGsaFreeCompiledShader+0xb4cfa
08 00007fff`b3021488 : 00000000`00000000 00000079`6d3e9010 00000079`6d3e9120 00000223`90a53da0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1e294
09 00007fff`b3006c6b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x6da788
0a 00007fff`b30067a5 : 00000000`00000000 00000223`90b44a20 00000223`90a8d940 00000079`6d3ecd90 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bff6b
0b 00007fff`b3037323 : 00000223`90b44a20 00000000`00000000 00000223`90af3500 00000079`6d3ecd90 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bfaa5
0c 00007fff`b3006677 : 00000000`00000004 00000223`90b44740 00000223`90ae0860 00000223`90a9b720 : atidxx64!AmdDxGsaFreeCompiledShader+0x6f0623
0d 00007fff`b30ccf31 : 00000000`00000000 00000079`6d3ed0a0 00000000`00000000 00007fff`c8349a46 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bf977
0e 00007fff`b296091a : 00000000`00000000 00000000`00000000 00000079`6d3ed0a0 00000223`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x786231
0f 00007fff`b2960763 : 00000223`90ab58d0 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x19c1a
10 00007fff`b28ec01e : 00000223`00000001 00000000`00000000 00000223`8a7c7558 00000223`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x19a63
11 00007fff`b2f902ee : 00007fff`b28e0000 00000079`6d3ed0a0 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6dbe
12 00007fff`b2fedb19 : 00000000`00000000 00000223`8a74c81c 00000079`6d3ed0a0 00000223`90a5cbc0 : atidxx64!AmdDxGsaFreeCompiledShader+0x6495ee
13 00007fff`b28fd5b1 : 00000223`8a7c6948 00000223`907b2498 ffffffff`fffffffe 00000000`00000036 : atidxx64!AmdDxGsaFreeCompiledShader+0x6a6e19
14 00007fff`c833b11d : 00000000`00000000 00000079`6d3ed280 00000223`8a7c6938 00000223`8a7c7460 : atidxx64!XdxQueryTlsLookupTable+0x18351
15 00007fff`c8334eab : 00000223`8a74c81c 00000223`907a4a50 00000223`8a7c6938 00000000`00000000 : d3d11!CPixelShader::CLS::FinalConstruct+0x219
16 00007fff`c8334dc3 : 00000079`6d3eedf0 00007fff`c8513b10 00000223`8a7c6800 00000223`907988e0 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
17 00007fff`c8347665 : 00000223`8a7c6830 00000079`6d3eedf0 00000079`6d3eee20 00007fff`c8513b10 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x14b
18 00007fff`c834cac6 : 00000000`00000038 00000000`00000030 00000000`00000001 00000000`00000030 : d3d11!CDevice::CreateLayeredChild+0x975
19 00007fff`c834d3c0 : 00000223`8a7c6800 00007ff7`591f9760 00007fff`c85130e8 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x266
1a 00007fff`c832ca83 : 00000223`8a799b20 00000223`00000009 00000223`8a79a358 00007fff`c832aa43 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
1b 00007fff`c832a976 : 00000223`8a74c780 004e004f`0000c000 00000079`6d3ef290 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x5f
1c 00007fff`c832a768 : 00000223`8a79a358 00000223`8a74c780 00000000`00000e6c 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x202
*** WARNING: Unable to verify checksum for VENDOR_ONLY.exe
1d 00007ff7`59182f16 : 00000223`907a4b28 00007fff`c9b59895 00000223`8a79a368 00000000`00000000 : d3d11!CDevice::CreatePixelShader+0x28
...
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\CRYPT32.dll -
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
atidxx64!AmdDxGsaFreeCompiledShader+2b4ba7
00007fff`b2bfb8a7 098258030000 or dword ptr [rdx+358h],eax
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007fffb2bfb8a7 (atidxx64!AmdDxGsaFreeCompiledShader+0x00000000002b4ba7)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000022790b441ac
Attempt to write to address 0000022790b441ac
FAULTING_THREAD: 000035e8
PROCESS_NAME: VENDOR_ONLY.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000022790b441ac
FOLLOWUP_IP:
atidxx64!AmdDxGsaFreeCompiledShader+2b4ba7
00007fff`b2bfb8a7 098258030000 or dword ptr [rdx+358h],eax
WRITE_ADDRESS: 0000022790b441ac
WATSON_BKT_PROCSTAMP: 5cb740ee
WATSON_BKT_MODULE: atidxx64.dll
WATSON_BKT_MODSTAMP: 5caf9008
WATSON_BKT_MODOFFSET: 31b8a7
WATSON_BKT_MODVER: 25.20.15031.5004
MODULE_VER_PRODUCT: Advanced Micro Devices, Inc. Radeon DirectX 11 Driver
BUILD_VERSION_STRING: 10.0.17763.437 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: b6b6cabd6abd69c3934ef3019d538fde036b7163
MODLIST_SHA1_HASH: 013dd3db26e9bbd1c3fc1c384970ffefff579eea
NTGLOBALFLAG: 70
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 04-18-2019 10:41:12.0345
ANALYSIS_VERSION: 10.0.16299.15 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
ID: [0n301]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x35e8]
Frame: [0] : atidxx64!AmdDxGsaFreeCompiledShader
ID: [0n274]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x35e8]
Frame: [0] : atidxx64!AmdDxGsaFreeCompiledShader
ID: [0n111]
Type: [EXPLOITABLE]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0xc60]
TID: [0x35e8]
Frame: [0] : atidxx64!AmdDxGsaFreeCompiledShader
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 00007fffb2ef9cb5 to 00007fffb2bfb8a7
STACK_TEXT:
00000079`6d3e8580 00007fff`b2ef9cb5 : 00000000`89d70014 00000223`90b980d8 00000223`90b1bd90 00000223`90b980d8 : atidxx64!AmdDxGsaFreeCompiledShader+0x2b4ba7
00000079`6d3e85b0 00007fff`b2f08ffd : ffffffff`89d70014 00000000`00000049 00007fff`b28e0000 00000223`90e27600 : atidxx64!AmdDxGsaFreeCompiledShader+0x5b2fb5
00000079`6d3e8610 00007fff`b2f08eab : 00000079`6d3e9290 00000223`90e2e6f0 00000223`90b2f478 00000223`90dfd150 : atidxx64!AmdDxGsaFreeCompiledShader+0x5c22fd
00000079`6d3e86a0 00007fff`b2a2b860 : 00000223`90b1bd90 00000223`90dfc9e0 00000223`90e17c48 00000223`90e17cb8 : atidxx64!AmdDxGsaFreeCompiledShader+0x5c21ab
00000079`6d3e86f0 00007fff`b2a2a52b : 00000223`90b4b630 00000223`90b97fd8 00000223`90b1bd90 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xe4b60
00000079`6d3e8760 00007fff`b2a1b1e0 : 00000223`90b1bd90 00000223`90b90098 00000000`00000004 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xe382b
00000079`6d3e88e0 00007fff`b29fb9fa : 00000223`90b1bd90 00000223`90b44d18 00000079`6d3e9120 00000223`90b1bd90 : atidxx64!AmdDxGsaFreeCompiledShader+0xd44e0
00000079`6d3e8960 00007fff`b2964f94 : 00000000`00000001 00000079`6d3e9120 00000223`90b44d18 00000079`6d3e9120 : atidxx64!AmdDxGsaFreeCompiledShader+0xb4cfa
00000079`6d3e8ee0 00007fff`b3021488 : 00000000`00000000 00000079`6d3e9010 00000079`6d3e9120 00000223`90a53da0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1e294
00000079`6d3e8f10 00007fff`b3006c6b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x6da788
00000079`6d3e9080 00007fff`b30067a5 : 00000000`00000000 00000223`90b44a20 00000223`90a8d940 00000079`6d3ecd90 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bff6b
00000079`6d3e90e0 00007fff`b3037323 : 00000223`90b44a20 00000000`00000000 00000223`90af3500 00000079`6d3ecd90 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bfaa5
00000079`6d3ecd40 00007fff`b3006677 : 00000000`00000004 00000223`90b44740 00000223`90ae0860 00000223`90a9b720 : atidxx64!AmdDxGsaFreeCompiledShader+0x6f0623
00000079`6d3ecd70 00007fff`b30ccf31 : 00000000`00000000 00000079`6d3ed0a0 00000000`00000000 00007fff`c8349a46 : atidxx64!AmdDxGsaFreeCompiledShader+0x6bf977
00000079`6d3ecdd0 00007fff`b296091a : 00000000`00000000 00000000`00000000 00000079`6d3ed0a0 00000223`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x786231
00000079`6d3ece10 00007fff`b2960763 : 00000223`90ab58d0 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x19c1a
00000079`6d3ece50 00007fff`b28ec01e : 00000223`00000001 00000000`00000000 00000223`8a7c7558 00000223`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x19a63
00000079`6d3ecee0 00007fff`b2f902ee : 00007fff`b28e0000 00000079`6d3ed0a0 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6dbe
00000079`6d3ecf20 00007fff`b2fedb19 : 00000000`00000000 00000223`8a74c81c 00000079`6d3ed0a0 00000223`90a5cbc0 : atidxx64!AmdDxGsaFreeCompiledShader+0x6495ee
00000079`6d3ed050 00007fff`b28fd5b1 : 00000223`8a7c6948 00000223`907b2498 ffffffff`fffffffe 00000000`00000036 : atidxx64!AmdDxGsaFreeCompiledShader+0x6a6e19
00000079`6d3ed080 00007fff`c833b11d : 00000000`00000000 00000079`6d3ed280 00000223`8a7c6938 00000223`8a7c7460 : atidxx64!XdxQueryTlsLookupTable+0x18351
00000079`6d3ed180 00007fff`c8334eab : 00000223`8a74c81c 00000223`907a4a50 00000223`8a7c6938 00000000`00000000 : d3d11!CPixelShader::CLS::FinalConstruct+0x219
00000079`6d3ed310 00007fff`c8334dc3 : 00000079`6d3eedf0 00007fff`c8513b10 00000223`8a7c6800 00000223`907988e0 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
00000079`6d3ed380 00007fff`c8347665 : 00000223`8a7c6830 00000079`6d3eedf0 00000079`6d3eee20 00007fff`c8513b10 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x14b
00000079`6d3ed3e0 00007fff`c834cac6 : 00000000`00000038 00000000`00000030 00000000`00000001 00000000`00000030 : d3d11!CDevice::CreateLayeredChild+0x975
00000079`6d3eec40 00007fff`c834d3c0 : 00000223`8a7c6800 00007ff7`591f9760 00007fff`c85130e8 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x266
00000079`6d3eedb0 00007fff`c832ca83 : 00000223`8a799b20 00000223`00000009 00000223`8a79a358 00007fff`c832aa43 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
00000079`6d3eef60 00007fff`c832a976 : 00000223`8a74c780 004e004f`0000c000 00000079`6d3ef290 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x5f
00000079`6d3eefb0 00007fff`c832a768 : 00000223`8a79a358 00000223`8a74c780 00000000`00000e6c 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x202
00000079`6d3ef140 00007ff7`59182f16 : 00000223`907a4b28 00007fff`c9b59895 00000223`8a79a368 00000000`00000000 : d3d11!CDevice::CreatePixelShader+0x28
...
STACK_COMMAND: ~0s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC: bcd7be3b43a779129e13366e0dd73159976d4796
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: cdb7bf27011f444ce55188168b40313b0cf6575d
THREAD_SHA1_HASH_MOD: fd41290a284c5251b8b7fe40ca737a509b23c20e
FAULT_INSTR_CODE: 3588209
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: atidxx64!AmdDxGsaFreeCompiledShader+2b4ba7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: atidxx64
IMAGE_NAME: atidxx64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5caf9008
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_atidxx64.dll!AmdDxGsaFreeCompiledShader
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_atidxx64!AmdDxGsaFreeCompiledShader+2b4ba7
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: atidxx64.dll
BUCKET_ID_IMAGE_STR: atidxx64.dll
FAILURE_MODULE_NAME: atidxx64
BUCKET_ID_MODULE_STR: atidxx64
FAILURE_FUNCTION_NAME: AmdDxGsaFreeCompiledShader
BUCKET_ID_FUNCTION_STR: AmdDxGsaFreeCompiledShader
BUCKET_ID_OFFSET: 2b4ba7
BUCKET_ID_MODTIMEDATESTAMP: 5caf9008
BUCKET_ID_MODCHECKSUM: 10b6e76
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: atidxx64.dll!AmdDxGsaFreeCompiledShader
TARGET_TIME: 2019-04-18T08:42:06.000Z
OSBUILD: 17763
OSSERVICEPACK: 437
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.17763.437
ANALYSIS_SESSION_ELAPSED_TIME: d236
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_exploitable_c0000005_atidxx64.dll!amddxgsafreecompiledshader
FAILURE_ID_HASH: {72016af8-990d-a858-b88f-3efa8bc6aa05}
Followup: MachineOwner
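As an added example (not the driver's code and not part of the original advisory), the following C model reproduces the index arithmetic from the sub_32B820 listing above and places beside it the range check that listing lacks; the type and function names and the bitmap size are assumptions, and -30249 is the operand index from the sample shader reused as a constructed input.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added model of the index arithmetic in sub_32B820 (the cdq/and/add/sar/sub
 * sequence is the compiler's expansion of a signed n / 32 and n % 32, both
 * truncating toward zero, so C's '/' and '%' reproduce it exactly).
 * Names and the bitmap size are assumptions for this demo, not driver code. */
typedef struct {
    int32_t word;   /* word offset from the bitmap base: n / 32 (sar ecx,5) */
    int32_t bit;    /* shift count after the CPU masks cl to 5 bits */
} bit_pos;

bit_pos bit_pos_from_operand(int32_t n)
{
    bit_pos p;
    p.word = n / 32;             /* negative n -> negative word offset */
    p.bit = (n % 32) & 0x1F;     /* 'shl eax, cl' only sees the low 5 bits */
    return p;
}

#define BITMAP_WORDS 8           /* constructed size for the demo */

/* Unchecked variant, mirroring 'or [rdx+358h], eax': no range test, so the
 * returned offset is where the OR would land relative to the bitmap base. */
int32_t unchecked_write_offset(int32_t n)
{
    return bit_pos_from_operand(n).word;
}

/* Hardened variant: validate the operand index against the bitmap size
 * before deriving any address, so the write stays inside the array. */
bool set_bit_checked(uint32_t *bitmap, int32_t n)
{
    if (n < 0 || n >= BITMAP_WORDS * 32)
        return false;
    bit_pos p = bit_pos_from_operand(n);
    bitmap[p.word] |= (uint32_t)1 << p.bit;
    return true;
}

/* Demo helper: applies the checked set to a fresh bitmap and returns the
 * resulting word value, or -1 if the operand index was rejected. */
int64_t checked_set_demo(int32_t n)
{
    uint32_t bitmap[BITMAP_WORDS] = {0};
    if (!set_bit_checked(bitmap, n))
        return -1;
    return (int64_t)bitmap[bit_pos_from_operand(n).word];
}
```

For the sample operand index the unchecked arithmetic yields word offset -945, i.e. a write 3780 bytes before the bitmap base, while the checked variant rejects it outright.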
---------
2019-05-08 - Vendor Disclosure
2019-05-16 - Plain text file sent to AMD Security
2019-06-07 - Reissued files to AMD PSIRT vendor
2019-07-18 - Conference call with vendor to discuss report
2019-08-13 - Conference call with vendor to discuss mitigation; Disclosure extended to 2019-09-16
2019-09-16 - Vendor patched; Public Release
Discovered by Piotr Bania of Cisco Talos.