Talos Vulnerability Report

TALOS-2020-1119

AMD ATIKMDAG.SYS D3DKMTCreateAllocation handler denial-of-service vulnerability

October 7, 2020
CVE Number

CVE-2020-12911

SUMMARY

A denial-of-service vulnerability exists in the D3DKMTCreateAllocation handler functionality of AMD ATIKMDAG.SYS 26.20.15029.27017. A specially crafted D3DKMTCreateAllocation API request can cause an out-of-bounds read and denial of service (BSOD). This vulnerability can be triggered from a guest account.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

AMD ATIKMDAG.SYS 26.20.15029.27017

PRODUCT URLS

ATIKMDAG.SYS - https://amd.com

CVSSv3 SCORE

7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

DETAILS

AMD ATIKMDAG.SYS graphics driver

This vulnerability can be triggered by calling the D3DKMTCreateAllocation function with malformed data, which leads to an out-of-bounds read in the AMD ATIKMDAG.SYS driver.
An attacker can influence the read address used by the movzx operation by modifying the payload passed to the D3DKMTCreateAllocation function, potentially leading to an out-of-bounds read and denial of service.

Disassembly:

.text:000000000017B22C                 mov     eax, [rcx+0B0h]
.text:000000000017B232                 test    eax, eax
.text:000000000017B234                 jz      short loc_17B248
.text:000000000017B236                 cmp     dword ptr [rax+rcx], 114h ; bug
.text:000000000017B23D                 jnz     loc_17B83C
.text:000000000017B243                 mov     r12d, [rax+rcx+20h]

The EAX register is initialized with the dword value read from address [RCX+0xB0]. This value is taken straight from the D3DKMTCreateAllocation payload, and an attacker may change it freely.
This can lead to an out-of-bounds read (instruction at 0x17B236) and a BSOD if the resulting address (RAX added to RCX) points to a non-present memory region.
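The unchecked-offset pattern described above, as an added C example that is not part of the Talos report or AMD's driver code. The buffer layout (offset field at +0xB0, tag 0x114, value at +0x20 past the sub-header), the function names parse_unchecked/parse_checked and the request length are assumptions reconstructed from the disassembly. The unchecked parser mirrors the faulting instruction sequence; the hardened parser proves every derived address lies inside the request buffer before reading it, so a wild offset is rejected instead of faulting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed from the disassembly in this report (not AMD's real
 * structure definition): a 32-bit offset at +0xB0 of the request buffer
 * selects a sub-header inside the same buffer; that sub-header must start
 * with the tag 0x114 and the driver then reads a dword at +0x20 from it. */
#define OFFSET_FIELD  0xB0u
#define EXPECTED_TAG  0x114u
#define VALUE_FIELD   0x20u
#define SUB_HDR_SIZE  (VALUE_FIELD + 4u)   /* bytes touched past the offset */

enum parse_status { PARSE_OK = 0, PARSE_NO_SUBHDR, PARSE_BAD_TAG, PARSE_OUT_OF_BOUNDS };

static uint32_t rd32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);   /* memcpy avoids unaligned-access UB */
    return v;
}

static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }

/* Mirrors the faulting code path: the offset is dereferenced as-is. */
enum parse_status parse_unchecked(const uint8_t *buf, uint32_t *out)
{
    uint32_t off = rd32(buf + OFFSET_FIELD);          /* mov eax, [rcx+0B0h] */
    if (off == 0)
        return PARSE_NO_SUBHDR;                        /* jz short loc_17B248 */
    if (rd32(buf + off) != EXPECTED_TAG)               /* cmp dword ptr [rax+rcx], 114h */
        return PARSE_BAD_TAG;
    *out = rd32(buf + off + VALUE_FIELD);              /* mov r12d, [rax+rcx+20h] */
    return PARSE_OK;
}

/* Hardened form: every derived address must lie inside [buf, buf + len)
 * before it is read. 64-bit arithmetic keeps a large 32-bit offset from
 * wrapping the comparison. */
enum parse_status parse_checked(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (len < OFFSET_FIELD + 4u)
        return PARSE_OUT_OF_BOUNDS;
    uint32_t off = rd32(buf + OFFSET_FIELD);
    if (off == 0)
        return PARSE_NO_SUBHDR;
    if ((uint64_t)off + SUB_HDR_SIZE > (uint64_t)len || (off & 3u) != 0)
        return PARSE_OUT_OF_BOUNDS;                    /* reject instead of faulting */
    if (rd32(buf + off) != EXPECTED_TAG)
        return PARSE_BAD_TAG;
    *out = rd32(buf + off + VALUE_FIELD);
    return PARSE_OK;
}

/* Constructed sample requests (not captured from a real driver call). */
#define REQ_LEN 0x100u

static void build_request(uint8_t *buf, uint32_t off, uint32_t tag, uint32_t value)
{
    memset(buf, 0, REQ_LEN);
    wr32(buf + OFFSET_FIELD, off);
    if ((uint64_t)off + SUB_HDR_SIZE <= REQ_LEN) {   /* place the sub-header only if it fits */
        wr32(buf + off, tag);
        wr32(buf + off + VALUE_FIELD, value);
    }
}

/* Well-formed request: both parsers agree and return the embedded value. */
int demo_valid_request(void)
{
    uint8_t buf[REQ_LEN];
    uint32_t a = 0, b = 0;
    build_request(buf, 0xC0u, EXPECTED_TAG, 0x41424344u);
    return parse_unchecked(buf, &a) == PARSE_OK &&
           parse_checked(buf, REQ_LEN, &b) == PARSE_OK &&
           a == 0x41424344u && b == 0x41424344u;
}

/* Offset 0xCCCCCCCC, the RAX value in the report's trap frame: the unchecked
 * parser would read far outside the buffer, so it is not called here; the
 * checked parser returns an error without touching memory. */
enum parse_status demo_wild_offset(void)
{
    uint8_t buf[REQ_LEN];
    uint32_t v = 0;
    build_request(buf, 0xCCCCCCCCu, EXPECTED_TAG, 0);
    return parse_checked(buf, REQ_LEN, &v);
}

/* In-bounds offset, but the sub-header does not carry the expected tag. */
enum parse_status demo_bad_tag(void)
{
    uint8_t buf[REQ_LEN];
    uint32_t v = 0;
    build_request(buf, 0xC0u, 0u, 0);
    return parse_checked(buf, REQ_LEN, &v);
}

int main(void)
{
    printf("valid request parsed: %d\n", demo_valid_request());
    printf("wild offset status:   %d (expect %d)\n", demo_wild_offset(), PARSE_OUT_OF_BOUNDS);
    printf("bad tag status:       %d (expect %d)\n", demo_bad_tag(), PARSE_BAD_TAG);
    return 0;
}
```

The check is the one a driver reviewer would look for at the `cmp dword ptr [rax+rcx], 114h` site: the offset comes from user mode, so the driver must compare offset plus the size of everything it will read against the length of the buffer it actually owns, using arithmetic wide enough that the comparison cannot wrap. Driver Verifier, which flagged this crash as AV_VRF_R_INVALID, is the practical way to surface such reads during testing.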

: kd> .trap 0xffff84886e196e60
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000cccccccc rbx=0000000000000000 rcx=ffffd88f1cf885a0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80c23dfb236 rsp=ffff84886e196ff0 rbp=ffffd88f24b87000
 r8=00000000ffffffff  r9=7fffd88f14991d18 r10=0000fffff80529ca
r11=ffffb57c5fa00000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
atikmdag+0x16b236:
fffff80c`23dfb236 813c0814010000  cmp     dword ptr [rax+rcx],114h ds:ffffd88f`e9c5526c=????????

Stack trace:

2: kd> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 fffff801`673fbf22 : 00000000`00000050 ffffa60a`05a17b30 00000000`00000000 fffff68c`80a26e60 : nt!KeBugCheckEx
01 fffff801`6726773f : 00000000`00000038 00000000`00000000 00000000`00000000 ffffa60a`05a17b30 : nt!MiSystemFault+0x1c5ae2
02 fffff801`673df41e : fffff801`672aff20 fffff801`67b892d5 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x34f
03 fffff801`a5ccb236 : 00000000`00000000 ffff958e`cd0f3600 00000000`00000038 fffff801`00000000 : nt!KiPageFault+0x35e
04 fffff801`a5c1964e : fffff68c`80a270f0 fffff68c`00000000 00000000`00000000 ffff958e`00000000 : atikmdag+0x16b236
05 fffff801`a5b8893d : 00000000`00000000 fffff801`a5efba28 ffff958e`c2d77000 00000000`00000000 : atikmdag+0xb964e
06 fffff801`9f412a6e : ffff958e`c2d77030 fffff68c`80a27450 ffff958e`cdbe2c00 ffff958e`c5799930 : atikmdag+0x2893d
07 fffff801`9c74abb7 : ffff958e`cdbe2c00 fffff68c`80a27450 fffff68c`80a27300 ffffa60a`01899c00 : atikmpag+0x12a6e
08 fffff801`9c64100f : ffffa60a`0e71edf0 ffffa609`ff8d3dd0 00000000`00000000 00000000`00000000 : dxgkrnl!ADAPTER_RENDER::DdiOpenAllocation+0x167
09 fffff801`9c6503b4 : ffffa60a`0e8b05e0 fffff68c`80a278c0 ffffa60a`0e71eb20 ffffa609`ff8d3dd0 : dxgkrnl!DXGDEVICE::OpenAllocations+0x1bf
0a fffff801`9c6521e2 : ffffffff`ffffffff fffff68c`80a27b40 00000000`00000000 ffffa60a`0e8b05e0 : dxgkrnl!DXGDEVICE::CreateAllocation+0x1044
0b fffff801`9c687ded : 00000000`00000000 00000000`00000000 ffff958e`cf022080 00000000`00000000 : dxgkrnl!DxgkCreateAllocationInternal+0x592
0c fffff801`673e2c18 : ffff958e`cf022080 ffff958e`cf022080 00000000`00000000 00000000`00000000 : dxgkrnl!DxgkCreateAllocation+0xd
0d 00007ffe`023746c4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
0e 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`023746c4

Crash Information

6: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffd88fe9c5526c, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80c23dfb236, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


KEY_VALUES_STRING: 1

	Key  : Analysis.CPU.Sec
	Value: 3

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on CLAB

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 29

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 70

	Key  : Analysis.System
	Value: CreateObject


ADDITIONAL_XML: 1

BUGCHECK_CODE:  50

BUGCHECK_P1: ffffd88fe9c5526c

BUGCHECK_P2: 0

BUGCHECK_P3: fffff80c23dfb236

BUGCHECK_P4: 2

READ_ADDRESS:  ffffd88fe9c5526c Paged pool

MM_INTERNAL_CODE:  2

IMAGE_NAME:  atikmdag.sys

MODULE_NAME: atikmdag

FAULTING_MODULE: fffff80c23c90000 atikmdag

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  DeviceIoTrigger.exe

TRAP_FRAME:  ffff84886e196e60 -- (.trap 0xffff84886e196e60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000cccccccc rbx=0000000000000000 rcx=ffffd88f1cf885a0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80c23dfb236 rsp=ffff84886e196ff0 rbp=ffffd88f24b87000
 r8=00000000ffffffff  r9=7fffd88f14991d18 r10=0000fffff80529ca
r11=ffffb57c5fa00000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
atikmdag+0x16b236:
fffff80c`23dfb236 813c0814010000  cmp     dword ptr [rax+rcx],114h ds:ffffd88f`e9c5526c=????????
Resetting default scope

STACK_TEXT:  
ffff8488`6e196bb8 fffff805`29df0f22 : 00000000`00000050 ffffd88f`e9c5526c 00000000`00000000 ffff8488`6e196e60 : nt!KeBugCheckEx
ffff8488`6e196bc0 fffff805`29c5c73f : 00000000`00000038 00000000`00000000 00000000`00000000 ffffd88f`e9c5526c : nt!MiSystemFault+0x1c5ae2
ffff8488`6e196cc0 fffff805`29dd441e : fffff805`29ca4f20 fffff805`2a57e2d5 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x34f
ffff8488`6e196e60 fffff80c`23dfb236 : 00000000`00000000 ffff9c89`ca58d040 00000000`00000038 fffff805`00000000 : nt!KiPageFault+0x35e
ffff8488`6e196ff0 fffff80c`23d4964e : ffff8488`6e1970f0 ffff8488`00000000 00000000`00000000 ffff9c89`00000000 : atikmdag+0x16b236
ffff8488`6e1970a0 fffff80c`23cb893d : 00000000`00000000 fffff80c`2402ba28 ffff9c89`c04b4000 00000000`00000000 : atikmdag+0xb964e
ffff8488`6e1970d0 fffff80c`1d612a6e : ffff9c89`c04b4030 ffff8488`6e197450 ffff9c89`c779ec00 ffff9c89`c31bddc0 : atikmdag+0x2893d
ffff8488`6e197120 fffff80c`1a8eabb7 : ffff9c89`c779ec80 ffff8488`6e197450 ffff8488`6e197300 ffffd88f`14991c00 : atikmpag+0x12a6e
ffff8488`6e197340 fffff80c`1a7e100f : ffffd88f`1f2c3870 ffffd88f`1c9e8680 00000000`00000000 00000000`00000000 : dxgkrnl!ADAPTER_RENDER::DdiOpenAllocation+0x167
ffff8488`6e197410 fffff80c`1a7f03b4 : ffffd88f`24fc2010 ffff8488`6e1978c0 ffffd88f`1f2c35a0 ffffd88f`1c9e8680 : dxgkrnl!DXGDEVICE::OpenAllocations+0x1bf
ffff8488`6e1974d0 fffff80c`1a7f21e2 : ffffffff`ffffffff ffff8488`6e197b40 00000000`00000000 ffffd88f`24fc2010 : dxgkrnl!DXGDEVICE::CreateAllocation+0x1044
ffff8488`6e1977e0 fffff80c`1a827ded : 00000000`00000000 00000000`00000000 ffff9c89`ca542080 00000000`00000000 : dxgkrnl!DxgkCreateAllocationInternal+0x592
ffff8488`6e197a80 fffff805`29dd7c18 : ffff9c89`ca542080 ffff9c89`ca542080 00000000`00000000 00000000`00000000 : dxgkrnl!DxgkCreateAllocation+0xd
ffff8488`6e197ac0 00007ffd`6c7f46c4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000a6`73fef898 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffd`6c7f46c4


SYMBOL_NAME:  atikmdag+16b236

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  16b236

FAILURE_BUCKET_ID:  AV_VRF_R_INVALID_atikmdag!unknown_function

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {ade8e590-3238-14fc-782c-3fa79b332a3e}

Followup:     MachineOwner
---------
TIMELINE

2020-07-07 - Vendor Disclosure
2020-09-29 - Vendor assigned CVE-2020-12911 for planned fix early Q1 2021
2020-10-07 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.