CVE-2020-12933
A denial of service vulnerability exists in the D3DKMTEscape handler functionality of AMD ATIKMDAG.SYS 26.20.15029.27017. A specially crafted D3DKMTEscape request can cause an out-of-bounds read in the Windows kernel memory area. This vulnerability can be triggered from a guest account.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
AMD ATIKMDAG.SYS 26.20.15029.27017
Product URL: ATIKMDAG.SYS - https://amd.com
CVSSv3 score: 7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-125 - Out-of-bounds Read
AMD ATIKMDAG.SYS graphics driver
This vulnerability can be triggered by executing the D3DKMTEscape function with malformed data, which leads to an out-of-bounds read in the AMD ATIKMDAG.SYS driver.
An attacker can influence the read address of the movzx instruction by modifying the payload passed to the D3DKMTEscape function, leading to an out-of-bounds read that causes a denial of service.
Disassembly of the affected code:
atikmdag+0x39456:
fffff800`12d49456 410fb60c02 movzx ecx,byte ptr [r10+rax] ds:002b:000000cc`cccccc38=??
(as you can see, the attacker controls the read address)
.text:0000000000049451 loc_49451: ; CODE XREF: sub_493C0+AB↑j
.text:0000000000049451 test r8, r8
.text:0000000000049454 jz short loc_4946D
.text:0000000000049456 movzx ecx, byte ptr [r10+rax] ; bug, attacker can control the read address
.text:000000000004945B test cl, cl
.text:000000000004945D jz short loc_4946D
.text:000000000004945F mov [rax], cl
.text:0000000000049461 dec r8
.text:0000000000049464 inc rax
.text:0000000000049467 sub rdx, 1
.text:000000000004946B jnz short loc_49451
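The copy loop above, reconstructed in C as an added illustration (not the driver's source and not AMD's fix), next to a hardened form that assumes the source is carried as an offset into the captured escape buffer and range-checks it before the first read; copy_from_request, sample_req and try_copy are hypothetical names:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Illustrative reconstruction of the loop at atikmdag+0x39451 (not driver
 * source): rax = dst, r10 = src - dst (so [r10+rax] is the source byte),
 * r8 = source bytes left, rdx = destination bytes left. Nothing ties src to
 * the request buffer, so a bad src faults on the first read, as in the crash. */
static size_t copy_loop_unchecked(uint8_t *dst, const uint8_t *src,
                                  size_t src_left, size_t dst_left)
{
    size_t n = 0;
    while (src_left != 0 && dst_left != 0) { /* test r8,r8 / sub rdx,1 */
        uint8_t c = src[n];                  /* movzx ecx, byte ptr [r10+rax] */
        if (c == 0)                          /* test cl,cl */
            break;
        dst[n] = c;                          /* mov [rax], cl */
        src_left--, dst_left--, n++;         /* dec r8 / inc rax / sub rdx,1 */
    }
    return n;
}

/* Hardened form (assumed design, not AMD's fix): the source is an offset into
 * the captured request, range-checked overflow-safely before the first read. */
static int copy_from_request(uint8_t *dst, size_t dst_cap,
                             const uint8_t *req, size_t req_len,
                             size_t src_off, size_t src_len, size_t *copied)
{
    if (dst_cap == 0 || src_off > req_len || src_len > req_len - src_off)
        return -1;                           /* source range leaves req */
    *copied = copy_loop_unchecked(dst, req + src_off, src_len, dst_cap - 1);
    dst[*copied] = 0;                        /* always NUL-terminated */
    return 0;
}

/* Constructed sample request: 2-byte header, "ABC", NUL, one trailing byte. */
static const uint8_t sample_req[] = { 0x01, 0x02, 'A', 'B', 'C', 0x00, 'x' };
/* Bytes copied for an accepted (src_off, src_len) pair, or -1 if rejected. */
static long try_copy(size_t src_off, size_t src_len)
{
    uint8_t out[8];
    size_t copied = 0;
    int rc = copy_from_request(out, sizeof out, sample_req, sizeof sample_req,
                               src_off, src_len, &copied);
    return rc == 0 ? (long)copied : -1;
}
int main(void)
{
    printf("%ld %ld %ld\n", try_copy(2, 5), try_copy(6, 4), try_copy(SIZE_MAX, 1));
    return 0;
}
```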
Stack trace:
: kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
# RetAddr : Args to Child : Call Site
00 fffff800`12d46c44 : ffff8003`bc7cec20 fffff881`a14ed068 00000000`00000103 00000000`00000000 : atikmdag+0x39456
01 fffff800`12d48039 : ffffb088`a30487a0 fffff881`a14ecee0 fffff881`a14ecf08 fffff881`a14ed068 : atikmdag+0x36c44
02 fffff800`12d3dc8b : 00000000`00000000 00000000`00000000 fffff881`a14ed0b9 fffff801`805b0245 : atikmdag+0x38039
03 fffff800`12d372e5 : 00000000`c000000d ffffb088`9ac02000 fffff881`a14ed90c ffffb088`9ac02000 : atikmdag+0x2dc8b
04 fffff800`0b02585a : 00000000`00000001 fffff881`a14ed329 ffffb088`9ab83d40 ffffb088`9e5805c0 : atikmdag+0x272e5
05 fffff800`0b026ef1 : 00000000`00000001 ffffb088`9e5805c0 ffffb088`9eb3d000 00000000`00000000 : atikmpag+0x2585a
06 fffff800`0b025ca1 : ffffb088`9e5805c0 fffff881`a14ed400 00000000`00000000 00000000`c0000001 : atikmpag+0x26ef1
07 fffff800`0b06e465 : fffff881`a14ed90c fffff881`a14ed430 fffff881`a14ed640 ffffb088`9ba7a790 : atikmpag+0x25ca1
08 fffff800`0a382b36 : ffff8003`cabcdb00 ffffb088`9ec7c080 ffffb088`00000000 00000000`00000000 : atikmpag+0x6e465
09 fffff800`0a384c2a : ffffb088`9eb3d000 fffff881`00000000 ffffb088`9eb3d000 fffff881`a14edb80 : dxgkrnl!DXGADAPTER::DdiEscape+0x1a6
0a fffff801`805e1c18 : ffffb088`00000000 ffffb088`9ec7c080 00000000`00000000 fffff881`a14edb80 : dxgkrnl!DxgkEscape+0x7da
0b 00007ffe`83fd4b24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
0c 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`83fd4b24
: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80012d49456, Address of the instruction which caused the bugcheck
Arg3: fffff881a14ec3c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CLAB
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 29
Key : Analysis.Memory.CommitPeak.Mb
Value: 71
Key : Analysis.System
Value: CreateObject
ADDITIONAL_XML: 1
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff80012d49456
BUGCHECK_P3: fffff881a14ec3c0
BUGCHECK_P4: 0
CONTEXT: fffff881a14ec3c0 -- (.cxr 0xfffff881a14ec3c0)
rax=ffff8003bc7cec21 rbx=ffff8003bc7cec20 rcx=ffffffffffffffff
rdx=00000000000000ff rsi=ffffb0889ac02000 rdi=0000000000000000
rip=fffff80012d49456 rsp=fffff881a14ecdb8 rbp=fffff881a14ece59
r8=000000007ffffffe r9=0000000000000000 r10=000080c9104fe017
r11=0000000000000100 r12=0000000000000000 r13=fffff881a14ed990
r14=fffff881a14ed9f4 r15=fffff881a14ed068
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050202
atikmdag+0x39456:
fffff800`12d49456 410fb60c02 movzx ecx,byte ptr [r10+rax] ds:002b:000000cc`cccccc38=??
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: DeviceIoTrigger.exe
STACK_TEXT:
fffff881`a14ecdb8 fffff800`12d46c44 : ffff8003`bc7cec20 fffff881`a14ed068 00000000`00000103 00000000`00000000 : atikmdag+0x39456
fffff881`a14ecdc0 fffff800`12d48039 : ffffb088`a30487a0 fffff881`a14ecee0 fffff881`a14ecf08 fffff881`a14ed068 : atikmdag+0x36c44
fffff881`a14ecec0 fffff800`12d3dc8b : 00000000`00000000 00000000`00000000 fffff881`a14ed0b9 fffff801`805b0245 : atikmdag+0x38039
fffff881`a14ed020 fffff800`12d372e5 : 00000000`c000000d ffffb088`9ac02000 fffff881`a14ed90c ffffb088`9ac02000 : atikmdag+0x2dc8b
fffff881`a14ed120 fffff800`0b02585a : 00000000`00000001 fffff881`a14ed329 ffffb088`9ab83d40 ffffb088`9e5805c0 : atikmdag+0x272e5
fffff881`a14ed220 fffff800`0b026ef1 : 00000000`00000001 ffffb088`9e5805c0 ffffb088`9eb3d000 00000000`00000000 : atikmpag+0x2585a
fffff881`a14ed280 fffff800`0b025ca1 : ffffb088`9e5805c0 fffff881`a14ed400 00000000`00000000 00000000`c0000001 : atikmpag+0x26ef1
fffff881`a14ed390 fffff800`0b06e465 : fffff881`a14ed90c fffff881`a14ed430 fffff881`a14ed640 ffffb088`9ba7a790 : atikmpag+0x25ca1
fffff881`a14ed3c0 fffff800`0a382b36 : ffff8003`cabcdb00 ffffb088`9ec7c080 ffffb088`00000000 00000000`00000000 : atikmpag+0x6e465
fffff881`a14ed470 fffff800`0a384c2a : ffffb088`9eb3d000 fffff881`00000000 ffffb088`9eb3d000 fffff881`a14edb80 : dxgkrnl!DXGADAPTER::DdiEscape+0x1a6
fffff881`a14ed520 fffff801`805e1c18 : ffffb088`00000000 ffffb088`9ec7c080 00000000`00000000 fffff881`a14edb80 : dxgkrnl!DxgkEscape+0x7da
fffff881`a14edb00 00007ffe`83fd4b24 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000ca`32eff778 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`83fd4b24
SYMBOL_NAME: atikmdag+39456
MODULE_NAME: atikmdag
IMAGE_NAME: atikmdag.sys
STACK_COMMAND: .cxr 0xfffff881a14ec3c0 ; kb
BUCKET_ID_FUNC_OFFSET: 39456
FAILURE_BUCKET_ID: 0x3B_c0000005_VRF_atikmdag!unknown_function
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {8664d107-4f84-ae56-efe5-fb613169ae88}
Followup: MachineOwner
---------
2020-06-29 - Vendor Disclosure
2020-09-29 - Vendor assigned CVE-2020-12933
2020-09-30 - Disclosure deadline extended
2020-10-13 - Public Release
Discovered by Piotr Bania of Cisco Talos.