Talos Vulnerability Report

TALOS-2023-1848

AMD Radeon DirectX 11 Driver atidxx64.dll Shader Functionality arbitrary write vulnerability

April 10, 2024
CVE Number

CVE-2024-21972

SUMMARY

An arbitrary write vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 31.0.21018.6011. A specially crafted shader, delivered by an executable or a shader file, can cause an out-of-bounds write. An attacker can supply such a shader to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

AMD Radeon DirectX 11 Driver atidxx64.dll 31.0.21018.6011

PRODUCT URLS

Radeon DirectX 11 Driver atidxx64.dll - https://amd.com

CVSSv3 SCORE

5.3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-787 - Out-of-bounds Write

DETAILS

AMD graphics drivers are the software that lets the operating system communicate with an AMD GPU installed in a PC. In most cases the hardware cannot function properly without them.

This vulnerability could be triggered from guest machines running in virtualization environments (e.g. VMware, QEMU, VirtualBox) in order to perform a guest-to-host escape (demonstrated in TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). We have already demonstrated in previously reported bugs that such vulnerabilities can be triggered from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). While RemoteFX was recently deprecated by Microsoft, some older machines may still use it.

This vulnerability can be triggered by supplying a malformed shader. This leads to a memory corruption problem in the AMD driver.

Example of a shader instruction triggering the bug: dcl_unordered_access_view_typed u476643329

The declared UAV register index (476643329) is far outside the UAV slot range D3D11 permits (at most D3D11_1_UAV_SLOT_COUNT = 64), yet the driver uses it without validation.

Vulnerable code from atidxx64.dll:

The array index is taken directly from the shader bytecode supplied by the attacker (each declaration record is 32 bytes, and the index sits at offset 8 within it):

	00007FF9CCD8D830 | 8BC2                     | mov eax,edx                                                                            |
	00007FF9CCD8D832 | 48:C1E0 05               | shl rax,5                                                                              |
	00007FF9CCD8D836 | 8B4408 08                | mov eax,dword ptr ds:[rax+rcx+8]                                                       | read the index from the shader's bytecode
	00007FF9CCD8D83A | C3                       | ret                                                                                    |

It is later used, without any range check, as the index of a dword store, so the attacker controls the write address (index times 4, plus 0x50CC, relative to the object base held in RDI).

	00007FF9CCD905BC | 89B487 CC500000          | mov dword ptr ds:[rdi+rax*4+50CC],esi                                                  | (rax controlled by attacker), memory corruption
	00007FF9CCD905C3 | 48:8D8F C84D0000         | lea rcx,qword ptr ds:[rdi+4DC8]                                                        |
	00007FF9CCD905CA | E8 01D2FFFF              | call atidxx64.7FF9CCD8D7D0                                                             |

At the faulting instruction RAX holds the attacker-supplied index (0xaaaa0001); combined with the object base in RDI it yields the faulting address 0x19133cc8f80:

	atidxx64!XdxQueryTlsLookupTable+0x4f02c:
	00007ff9`ccd905bc 89b487cc500000  mov     dword ptr [rdi+rax*4+50CCh],esi ds:00000191`33cc8f80=????????
	0:000> r
	rax=00000000aaaa0001 rbx=0000000000000070 rcx=00000062afdbdcc0
	rdx=0000000000000000 rsi=0000000000000001 rdi=0000018e89243eb0
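To make the arithmetic above concrete, the following is an added example, not AMD's code and not part of the original advisory. It models the index fetch and the unchecked store from the disassembly, recomputes the faulting address from the registers in the dump, and places the bound check a fixed driver needs beside the vulnerable pattern. The struct layout, the 64-entry table size and the sample declaration bytes are assumptions for illustration; the real DXBC encoding is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants recovered from the disassembly in the advisory. */
#define DECL_ENTRY_SIZE   32      /* shl rax,5: one 32-byte record per declaration   */
#define DECL_INDEX_OFFSET 8       /* mov eax,[rax+rcx+8]: register index at +8        */
#define UAV_TABLE_OFFSET  0x50CC  /* mov [rdi+rax*4+50CC],esi: dword table at +0x50CC */
/* Assumption: the real table size is not given in the advisory; 64 matches the
 * largest UAV slot count D3D11 exposes (D3D11_1_UAV_SLOT_COUNT). */
#define UAV_TABLE_ENTRIES 64

/* Hypothetical model of the per-shader object the driver writes into. */
struct shader_obj {
    uint8_t  head[UAV_TABLE_OFFSET];        /* whatever precedes the table */
    uint32_t uav_table[UAV_TABLE_ENTRIES];  /* target of the faulting store */
};

/* Mirrors the index fetch: eax = *(uint32_t *)(rcx + edx*32 + 8). The value
 * comes straight from the declaration parsed out of attacker-supplied bytecode. */
static uint32_t read_decl_index(const uint8_t *decls, uint32_t slot)
{
    uint32_t idx;
    memcpy(&idx, decls + (size_t)slot * DECL_ENTRY_SIZE + DECL_INDEX_OFFSET, sizeof idx);
    return idx;
}

/* Constructed sample: two declaration records, the second carrying the index
 * 0xaaaa0001 seen in RAX in the crash dump (not a real DXBC encoding). */
static uint32_t sample_decl_index(uint32_t slot)
{
    uint8_t decls[2 * DECL_ENTRY_SIZE];
    uint32_t benign = 0, hostile = 0xaaaa0001u;
    memset(decls, 0, sizeof decls);
    memcpy(decls + 0 * DECL_ENTRY_SIZE + DECL_INDEX_OFFSET, &benign, sizeof benign);
    memcpy(decls + 1 * DECL_ENTRY_SIZE + DECL_INDEX_OFFSET, &hostile, sizeof hostile);
    return read_decl_index(decls, slot);
}

/* Effective address of the faulting store for a given RDI and RAX. */
static uint64_t write_target(uint64_t rdi, uint64_t rax)
{
    return rdi + rax * 4 + UAV_TABLE_OFFSET;
}

/* Byte offset from the object base that index idx reaches, and whether the
 * 4-byte store still lands inside the modelled object. */
static uint64_t store_offset(uint32_t idx)
{
    return (uint64_t)idx * 4 + UAV_TABLE_OFFSET;
}
static bool store_in_bounds(uint32_t idx)
{
    return store_offset(idx) + sizeof(uint32_t) <= sizeof(struct shader_obj);
}

/* Vulnerable pattern: the bytecode index is used without any range check.
 * Never call this with an untrusted idx; with 0xaaaa0001 the store lands
 * roughly 10.7 GiB past the object, exactly as the crash dump shows. */
static void bind_uav_vulnerable(struct shader_obj *obj, uint32_t idx, uint32_t val)
{
    obj->uav_table[idx] = val;
}

/* Hardened form: validate the declared register against the table size
 * before touching memory, and fail shader creation otherwise. */
static bool bind_uav_checked(struct shader_obj *obj, uint32_t idx, uint32_t val)
{
    if (idx >= UAV_TABLE_ENTRIES)
        return false;               /* rejects u476643329, 0xaaaa0001, ... */
    obj->uav_table[idx] = val;
    return true;
}

/* Runs the checked path on a fresh object and reports whether the value landed. */
static bool checked_bind_demo(uint32_t idx)
{
    static struct shader_obj obj;
    memset(&obj, 0, sizeof obj);
    if (!bind_uav_checked(&obj, idx, 0xdeadbeefu))
        return false;
    return obj.uav_table[idx] == 0xdeadbeefu;
}

int main(void)
{
    uint32_t idx = sample_decl_index(1);
    printf("index from bytecode : 0x%08x\n", idx);
    printf("faulting address    : 0x%llx\n",
           (unsigned long long)write_target(0x18e89243eb0ULL, idx));
    printf("store offset        : 0x%llx (in bounds: %s)\n",
           (unsigned long long)store_offset(idx), store_in_bounds(idx) ? "yes" : "no");
    printf("checked bind u3     : %s\n", checked_bind_demo(3) ? "accepted" : "rejected");
    printf("checked bind hostile: %s\n", checked_bind_demo(idx) ? "accepted" : "rejected");
    (void)bind_uav_vulnerable; /* shown for contrast only; never executed here */
    return 0;
}
```

The write_target() check is the one worth keeping in a triage notebook: feeding it RDI and RAX from the register dump reproduces Parameter[1] of the exception record (0x19133cc8f80), which confirms that the faulting store is the indexed write and not an unrelated corruption surfacing later.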

Crash Information

	0:000> !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	KEY_VALUES_STRING: 1

		Key  : AV.Fault
		Value: Write

		Key  : Analysis.CPU.mSec
		Value: 890

		Key  : Analysis.Elapsed.mSec
		Value: 1260

		Key  : Analysis.IO.Other.Mb
		Value: 0

		Key  : Analysis.IO.Read.Mb
		Value: 0

		Key  : Analysis.IO.Write.Mb
		Value: 0

		Key  : Analysis.Init.CPU.mSec
		Value: 311

		Key  : Analysis.Init.Elapsed.mSec
		Value: 38130

		Key  : Analysis.Memory.CommitPeak.Mb
		Value: 76

		Key  : Failure.Bucket
		Value: INVALID_POINTER_WRITE_c0000005_atidxx64.dll!Unknown

		Key  : Failure.Hash
		Value: {025ee883-d51b-86d2-0f7e-9a6cfb6137bb}

		Key  : Timeline.OS.Boot.DeltaSec
		Value: 70367

		Key  : Timeline.Process.Start.DeltaSec
		Value: 37

		Key  : WER.OS.Branch
		Value: vb_release

		Key  : WER.OS.Version
		Value: 10.0.19041.1


	NTGLOBALFLAG:  70

	APPLICATION_VERIFIER_FLAGS:  0

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 00007ff9ccd905bc (atidxx64!XdxQueryTlsLookupTable+0x000000000004f02c)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 0000000000000001
	   Parameter[1]: 0000019133cc8f80
	Attempt to write to address 0000019133cc8f80

	FAULTING_THREAD:  000037ac

	PROCESS_NAME:  POC_EXEC11.exe

	WRITE_ADDRESS:  0000019133cc8f80 

	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_CODE_STR:  c0000005

	EXCEPTION_PARAMETER1:  0000000000000001

	EXCEPTION_PARAMETER2:  0000019133cc8f80

	STACK_TEXT:  
	00000062`afdbdb80 00007ff9`ccd8ec77     : 00000000`00000000 00000000`00000000 0000018e`89243eb0 00000000`0000009c : atidxx64!XdxQueryTlsLookupTable+0x4f02c
	00000062`afdbe4b0 00007ff9`ccda024e     : 0000018e`00000000 0000018e`88fbba30 00000000`00000001 00000000`00000000 : atidxx64!XdxQueryTlsLookupTable+0x4d6e7
	00000062`afdbe570 00007ff9`ccd89e82     : 0000018e`8927bb70 0000018e`8927b9c0 0000018e`84810000 00000062`afdbe659 : atidxx64!XdxQueryTlsLookupTable+0x5ecbe
	00000062`afdbe5a0 00007ff9`ccd89bd2     : 0000018e`89243eb0 0000018e`8927b9c0 00000062`afdbe840 00000000`80004005 : atidxx64!XdxQueryTlsLookupTable+0x488f2
	00000062`afdbe6c0 00007ff9`ccdc9552     : 00000000`00000000 00000000`00000000 0000018e`8927b9c0 00000000`00000001 : atidxx64!XdxQueryTlsLookupTable+0x48642
	00000062`afdbe6f0 00007ff9`ccdc929d     : 0000018e`8913e760 00000000`00000000 0000018e`8913e798 0000018e`89273730 : atidxx64!AmdDxGsaFreeCompiledShader+0x1aa02
	00000062`afdbe730 00007ff9`ccd4a73b     : 00000062`00000001 00000000`00000000 00000000`00000000 0000018e`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x1a74d
	00000062`afdbe7b0 00007ff9`cd68f247     : 00000000`00000000 0000018e`83008a80 0000018e`82ff9740 00000062`afdbea60 : atidxx64!XdxQueryTlsLookupTable+0x91ab
	00000062`afdbe7f0 00007ff9`ccd5f38d     : 0000018e`88fba7c8 0000018e`82ff9740 0000018e`88fb6640 00007ff9`d6f656ca : atidxx64!AmdDxGsaFreeCompiledShader+0x8e06f7
	00000062`afdbe820 00007ff9`d6f5e3d1     : 00000062`afdbecb0 0000018e`88fba7c8 00000000`00000000 00000000`45434649 : atidxx64!XdxQueryTlsLookupTable+0x1ddfd
	00000062`afdbe950 00007ff9`d6f5ddeb     : 0000018e`88fbba30 00000000`00000000 0000018e`88fba7b8 0000018e`88fba6b8 : d3d11!CComputeShader::CLS::FinalConstruct+0x125
	00000062`afdbead0 00007ff9`d6f5dd27     : 00000062`afdbf190 00007ff9`d713a360 0000018e`88fba6a0 00000000`000001e0 : d3d11!CLayeredObjectWithCLS<CComputeShader>::FinalConstruct+0xa3
	00000062`afdbeb60 00007ff9`d6f7dbc9     : 0000018e`88fba6c8 00000062`afdbf190 00000062`afdbf1c0 00007ff9`d713a360 : d3d11!CLayeredObjectWithCLS<CComputeShader>::CreateInstance+0x137
	00000062`afdbebc0 00007ff9`d6f8382d     : 00000000`00000000 00000000`00000030 00000000`00000000 00000000`00000000 : d3d11!CDevice::CreateLayeredChild+0x10e9
	00000062`afdbf000 00007ff9`d6f83fdc     : 0000018e`88fba6a0 00007ff7`a1869850 00007ff9`d7138538 00000000`00000030 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
	00000062`afdbf150 00007ff9`d6f5e046     : 0000018e`88fb4450 00000000`00000018 00000000`00000001 00000000`00000000 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1bc
	00000062`afdbf340 00007ff7`a17e271f     : 00000000`80070057 0000018e`88fbb740 0000018e`88fb4c98 00000000`00000001 : d3d11!CDevice::CreateComputeShader+0x1a6
	00000062`afdbf490 00007ff7`a17e42a7     : 0000018e`82f73ac0 00000000`00008b54 0000018e`88fb4c98 0000018e`84dc8c01 : POC_EXEC11+0x271f
	00000062`afdbf500 00007ff7`a17ec880     : 00000000`00000000 0000018e`82fc5ec4 0000018e`82fa1620 0000018e`00008b54 : POC_EXEC11+0x42a7
	00000062`afdbf930 00007ff7`a17ea8cc     : 00000000`00000000 00000000`00000000 00000000`00000001 00007ff9`00000000 : POC_EXEC11+0xc880
	00000062`afdbfa30 00007ff7`a17ea26c     : 00000000`00000000 004e0045`0056005f 00000000`00000000 0059004c`004e004f : POC_EXEC11+0xa8cc
	00000062`afdbfc50 00007ff7`a17e324a     : 0000018e`82fa1620 00000000`00000000 0000018e`82fa1620 0000018e`82f77da0 : POC_EXEC11+0xa26c
	00000062`afdbfe40 00007ff7`a180f5aa     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x324a
	00000062`afdbfe90 00007ff9`dcb07344     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : POC_EXEC11+0x2f5aa
	00000062`afdbfed0 00007ff9`dd0826b1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
	00000062`afdbff00 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


	STACK_COMMAND:  ~0s ; .cxr ; kb

	SYMBOL_NAME:  atidxx64+4f02c

	MODULE_NAME: atidxx64

	IMAGE_NAME:  atidxx64.dll

	FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_atidxx64.dll!Unknown

	OS_VERSION:  10.0.19041.1

	BUILDLAB_STR:  vb_release

	OSPLATFORM_TYPE:  x64

	OSNAME:  Windows 10

	IMAGE_VERSION:  31.0.21018.6011

	FAILURE_ID_HASH:  {025ee883-d51b-86d2-0f7e-9a6cfb6137bb}

	Followup:     MachineOwner
	---------

VENDOR RESPONSE

The vendor has released an advisory at: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6012.html

TIMELINE

2023-11-29 - Vendor Disclosure
2024-04-09 - Vendor Patch Release
2024-04-10 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.