NVIDIA: Unchecked write to user provided pointer in escape 0x600000D
Reported by firstname.lastname@example.org, Aug 23 2016
The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided pointer as the destination for a memcpy call. This leads to kernel memory corruption. (Win 10 x64 372.54)

Crashing context with PoC:

SYSTEM_SERVICE_EXCEPTION (3b)
CONTEXT: ffffd000c076c8b0 -- (.cxr 0xffffd000c076c8b0)
rax=0000000000000880 rbx=0000000000000000 rcx=000000000000000f
rdx=bebe9ec057cc7d47 rsi=ffffd000c076d870 rdi=ffffe001990da008
rip=fffff8010f1eab00 rsp=ffffd000c076d2d8 rbp=ffffd000c076d360
r8=0000000000003ff1 r9=fffff8010f217d48 r10=fffff78000000008
r11=4141414141414141 r12=0000000000000000 r13=ffffe001990dbe88
r14=ffffe001945f1201 r15=0000000000004000
iopl=0 nv up ei pl nz ac pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010212
nvlddmkm+0x5dab00:
fffff801`0f1eab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
Resetting default scope

To reproduce, compile the PoC as an x64 binary (requires WDK for D3DKMTEscape), and run.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
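The check the report says is missing, as an added illustration in portable C (not NVIDIA's code): a model of ProbeForWrite applied to a pointer embedded in the escape buffer before it is used as the memcpy destination. The request layout, the status codes as plain ints and the static stand-in for a user buffer are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return codes, modelled on the NTSTATUS values a driver would return. */
#define STATUS_SUCCESS           0
#define STATUS_ACCESS_VIOLATION  (-1)
#define STATUS_INVALID_PARAMETER (-2)

/* Highest user-mode address on x64 Windows (MM_USER_PROBE_ADDRESS); anything
 * at or above it is kernel space and must never be a memcpy destination. */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

/* Assumed layout of the escape's private driver data: a sub-command word, a
 * length, and a pointer the caller embeds in the buffer. The real structure
 * is not given in the report. */
typedef struct {
    uint32_t  command;
    uint32_t  length;
    uintptr_t user_dest;
} EscapeRequest;

/* Stand-in for a caller-supplied user buffer (constructed for the demo). */
static unsigned char user_buffer[16];

/* Portable model of ProbeForWrite: the range [addr, addr + len) must lie
 * entirely below the user/kernel boundary and must not wrap around. */
static int probe_for_write(uintptr_t addr, size_t len)
{
    if (len == 0)                        return STATUS_SUCCESS;
    if (addr + len < addr)               return STATUS_ACCESS_VIOLATION;
    if (addr + len > USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hardened handler: validate the caller's length and the embedded pointer
 * before the copy, instead of passing the pointer straight to memcpy. In a
 * real driver the probe and the memcpy must both run inside __try/__except,
 * since user pages can be unmapped between the probe and the write. */
static int escape_handler_checked(const EscapeRequest *req,
                                  const void *result, size_t result_len)
{
    if (req->length < result_len) return STATUS_INVALID_PARAMETER;
    int st = probe_for_write(req->user_dest, result_len);
    if (st != STATUS_SUCCESS) return st;
    memcpy((void *)req->user_dest, result, result_len);
    return STATUS_SUCCESS;
}
```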
Sep 13 2016,
For completeness, it looks like many of the other escape handlers in the same function have similar issues with writing to user provided pointers in an unchecked way. This should have been fairly obvious as the code is very close to each other in the same function.
Sep 29 2016,
Oct 28 2016,
Fixed. Bulletin: http://nvidia.custhelp.com/app/answers/detail/a_id/4247
Nov 4 2016,
Reopening this bug. The original poc no longer reproduces, but unfortunately it looks like it wasn't fixed completely. As mentioned in #1, there are other vulnerable handlers in the same function which still appear to have the same vulnerability.
Dec 13 2016,
Should this be restricted from public view again if very similar vulnerabilities still exist?
Dec 14 2016,
NVIDIA claims that the rest of these issues were fixed (http://nvidia.custhelp.com/app/answers/detail/a_id/4278).
Jan 17 2017,
(Forgot to upload the rest of the PoCs that demonstrated that the issues still existed).