This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
This function trusts two different guest-supplied offset fields that are used as the source of a memmove (memcpy?). It is reachable by sending an RNDIS Set request with OID 0x00010204 (OID_GEN_RECEIVE_SCALE_PARAMETERS). The significance of these fields can be determined by looking at the source code of the Linux Hyper-V network driver.
Issue #1: indirect_taboffset
http://lxr.free-electrons.com/source/drivers/net/hyperv/rndis_filter.c#L741
.text:000000000006516C mov edx, [rbp+10h] ; rssp->indirect_taboffset
.text:000000000006516F movzx r13d, r15w
.text:0000000000065173 lea r12, [rsi+294h]
.text:000000000006517A mov r8d, r13d
.text:000000000006517D add rdx, rbp ; Src
.text:0000000000065180 mov rcx, r12 ; Dst
.text:0000000000065183 shl r8, 2 ; Size
.text:0000000000065187 call memmove
Specifying an invalid indirect_taboffset will result in vmswitch.sys accessing invalid memory in R0, thus triggering a Host BugCheck from the Guest. This can be demonstrated trivially by recompiling the Linux driver with the following line added:
rssp->indirect_taboffset = 0x80808080; // or anything else outrageous
prior to the rndis_filter_send_request call in rndis_filter_set_rss_param. This method requires root in the Guest.
Issue #2: kashkey_offset (SIC)
http://lxr.free-electrons.com/source/drivers/net/hyperv/rndis_filter.c#L743
(that structure member should really be named hashkey_offset to conform with the rest, but the typo persisted everywhere)
.text:0000000000065265 mov edx, [rbp+18h] ; rssp->kashkey_offset
.text:0000000000065268 movzx r8d, word ptr [rbp+14h] ; Size
.text:000000000006526D lea rbx, [rsi+497h]
.text:0000000000065274 add rdx, rbp ; Src
.text:0000000000065277 mov rcx, rbx ; Dst
.text:000000000006527A call memmove
Specifying an invalid kashkey_offset will have the same result as for indirect_taboffset.
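As an added example for both issues (not part of this report, and not vmswitch's or the Linux driver's code), this is the hardened form of the two copies: each guest-controlled offset and length is validated against the message length and the destination capacity before memmove runs. The rss_param layout and the reading of indirect_tabsize as a count of 4-byte entries (matching the shl 2 in the first listing) are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed approximation of the RSS parameter header: only the four
 * fields discussed above, not vmswitch's or Linux's exact layout. */
struct rss_param {
    uint16_t indirect_tabsize;   /* count of 4-byte entries (assumed) */
    uint32_t indirect_taboffset; /* byte offset from start of this header */
    uint16_t hashkey_size;       /* key length in bytes */
    uint32_t hashkey_offset;     /* byte offset from start of this header */
};

/* True when [off, off+len) lies inside 'total' bytes; the subtraction
 * form avoids the off+len wrap-around that a naive check would allow. */
static int range_in_bounds(uint32_t off, uint64_t len, size_t total) {
    return off <= total && len <= (uint64_t)(total - off);
}

/* Hardened version of the two memmoves. Returns 0 on success or a
 * negative code naming the check that rejected the message. */
int copy_rss_checked(const uint8_t *msg, size_t msg_len,
                     uint8_t *tab, size_t tab_cap, uint8_t *key, size_t key_cap) {
    struct rss_param p;
    if (msg_len < sizeof p) return -1;               /* header itself truncated */
    memcpy(&p, msg, sizeof p);
    uint64_t tab_len = (uint64_t)p.indirect_tabsize * 4;
    if (tab_len > tab_cap || p.hashkey_size > key_cap) return -2;  /* dest overflow */
    if (!range_in_bounds(p.indirect_taboffset, tab_len, msg_len)) return -3;
    if (!range_in_bounds(p.hashkey_offset, p.hashkey_size, msg_len)) return -4;
    memmove(tab, msg + p.indirect_taboffset, (size_t)tab_len);
    memmove(key, msg + p.hashkey_offset, p.hashkey_size);
    return 0;
}

/* Constructed sample message: header, 2-entry table and 4-byte key
 * (28 bytes total) with caller-chosen offsets; returns the verdict. */
int check_case(uint32_t tab_off, uint32_t key_off) {
    struct rss_param p = { .indirect_tabsize = 2, .indirect_taboffset = tab_off,
                           .hashkey_size = 4, .hashkey_offset = key_off };
    uint8_t msg[sizeof(struct rss_param) + 12], tab[8], key[4];
    memset(msg, 0xAB, sizeof msg);   /* filler standing in for table and key bytes */
    memcpy(msg, &p, sizeof p);
    return copy_rss_checked(msg, sizeof msg, tab, sizeof tab, key, sizeof key);
}
```

check_case(0x80808080u, 24) is rejected with -3, whereas the unchecked code in the listings above would dereference header + 0x80808080.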
Please note that these two issues have been silently fixed in Windows Server 2016 TP4 (and maybe prior).