Status: Fixed
Closed: Apr 2016
Hyper-V vmswitch.sys VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks
Project Member Reported by kost...@google.com, Jan 4 2016
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.


This function trusts two different offset fields that are used as sources of memmove (memcpy?). It is reachable by sending a RNDIS Set request with OID 0x00010204 (OID_GEN_RECEIVE_SCALE_PARAMETERS). The significance of these fields can be determined by looking at the source code of the Linux Hyper-V network driver.

Issue #1: indirect_taboffset

http://lxr.free-electrons.com/source/drivers/net/hyperv/rndis_filter.c#L741

.text:000000000006516C mov edx, [rbp+10h] ; rssp->indirect_taboffset
.text:000000000006516F movzx r13d, r15w
.text:0000000000065173 lea r12, [rsi+294h]
.text:000000000006517A mov r8d, r13d
.text:000000000006517D add rdx, rbp ; Src
.text:0000000000065180 mov rcx, r12 ; Dst
.text:0000000000065183 shl r8, 2 ; Size
.text:0000000000065187 call memmove

Specifying an invalid indirect_taboffset will result in vmswitch.sys accessing invalid memory in R0, thus triggering a Host BugCheck from the Guest. This can be demonstrated trivially by recompiling the Linux driver, adding the following line:

rssp->indirect_taboffset = 0x80808080; // or anything else outrageous

prior to the rndis_filter_send_request call in rndis_filter_set_rss_param. This method requires root in the Guest.

Issue #2: kashkey_offset (SIC)

http://lxr.free-electrons.com/source/drivers/net/hyperv/rndis_filter.c#L743
(that structure member should really be named hashkey_offset to conform with the rest, but the typo persisted everywhere)

.text:0000000000065265 mov edx, [rbp+18h] ; rssp->kashkey_offset
.text:0000000000065268 movzx r8d, word ptr [rbp+14h] ; Size
.text:000000000006526D lea rbx, [rsi+497h]
.text:0000000000065274 add rdx, rbp ; Src
.text:0000000000065277 mov rcx, rbx ; Dst
.text:000000000006527A call memmove

Specifying an invalid kashkey_offset will have the same result as for indirect_taboffset.

Please note that those 2 issues have been silently fixed in Windows Server 2016 TP4 (and maybe prior).
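A bounds check of the kind the report says is missing, as an added example in C that is not part of the report or of vmswitch.sys: the struct layout is assumed from the Linux driver's struct ndis_recv_scale_param (which puts indirect_taboffset, hashkey_size and hashkey_offset at 0x10, 0x14 and 0x18, matching the [rbp+...] loads in the disassembly above), and sample_verdict builds a constructed payload so the check can be exercised against an offset such as the 0x80808080 mentioned above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Layout per the Linux driver's struct ndis_recv_scale_param (assumed);
 * offsets 0x10/0x14/0x18 match the [rbp+...] loads in the disassembly. */
struct rss_params {                 /* NDIS_RECEIVE_SCALE_PARAMETERS */
    uint8_t  hdr[4];                /* NDIS_OBJECT_HEADER: type, rev, size */
    uint16_t flags, base_cpu_number;
    uint32_t hashinfo;
    uint16_t indirect_tabsize;      /* bytes, at 0x0c */
    uint32_t indirect_taboffset;    /* at 0x10, relative to struct start */
    uint16_t hashkey_size;          /* bytes, at 0x14 */
    uint32_t hashkey_offset;        /* at 0x18, relative to struct start */
    uint32_t processor_masks_offset, num_processor_masks,
             processor_masks_entry_size;
};
enum rss_verdict { RSS_OK = 0, RSS_TOO_SHORT, RSS_BAD_ITAB, RSS_BAD_KEY };

/* True only if [off, off+len) fits in 'total' bytes; written as
 * subtractions so a huge guest-supplied offset cannot wrap the sum. */
static bool range_in_buffer(uint64_t off, uint64_t len, size_t total)
{
    return off <= total && len <= total - off;
}

/* Check both guest-controlled offsets against the payload length actually
 * received, before either is used as a memmove source. */
enum rss_verdict validate_rss_params(const uint8_t *buf, size_t buf_len)
{
    struct rss_params p;
    if (buf_len < sizeof p) return RSS_TOO_SHORT;
    memcpy(&p, buf, sizeof p);      /* buf may be unaligned */
    if (!range_in_buffer(p.indirect_taboffset, p.indirect_tabsize, buf_len))
        return RSS_BAD_ITAB;        /* rejects e.g. 0x80808080 from the report */
    if (!range_in_buffer(p.hashkey_offset, p.hashkey_size, buf_len))
        return RSS_BAD_KEY;
    return RSS_OK;
}

/* Constructed 256-byte sample payload (not captured traffic): a 128-byte
 * indirection table and a 40-byte key at the caller-chosen offsets. */
enum rss_verdict sample_verdict(uint32_t itab_off, uint32_t key_off)
{
    uint8_t buf[256] = {0};
    struct rss_params p = { .indirect_tabsize = 128, .indirect_taboffset = itab_off,
                            .hashkey_size = 40, .hashkey_offset = key_off };
    memcpy(buf, &p, sizeof p);
    return validate_rss_params(buf, sizeof buf);
}
```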

Project Member Comment 1 by kost...@google.com, Jan 4 2016
Summary: Hyper-V vmswitch.sys VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks (was: VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks)

Project Member Comment 2 by kost...@google.com, Apr 5 2016
Labels: Deadline-Grace

Project Member Comment 3 by kost...@google.com, Apr 19 2016
Labels: -Restrict-View-Commit

Project Member Comment 4 by kost...@google.com, Apr 19 2016
Status: Fixed