New issue
Advanced search Search tips
Starred by 1 user

Issue metadata

Status: Fixed
Closed: Oct 2016

Sign in to add a comment

Issue 936: NVIDIA: No bounds checking in escape 0x7000170

Reported by, Sep 12 2016

Issue description

The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size
input escape data, and relies on a user provided size as the upper bound for writing output.

Crashing context with PoC (Win 10 x64 with 372.54):

A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.

rax=fffff801f417e600 rbx=0000000000000000 rcx=0000000000000002
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801f4152b75 rsp=ffffd000287b4468 rbp=ffffd000287b53e8
 r8=fffff801f4169e24  r9=ffffd000287b5620 r10=ffffd000287b5620
r11=0000000000000450 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac pe nc
fffff801`f4152b75 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffd000287b4228 -- (.exr 0xffffd000287b4228)
ExceptionAddress: fffff801f4152b75 (dxgkrnl!_report_gsfailure+0x0000000000000005)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000002

To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
as for it to work as the escape data must contain the right values (e.g. a
field that appears to be gpu bus device function). My PoC should hopefully set
all the right values for the machine it's running on.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
2.9 KB Download

Comment 1 by, Sep 12 2016

Labels: -Product-NVIDIA Product-Windows-Driver

Comment 2 by, Oct 28 2016

Labels: CVE-2016-8811

Comment 3 by, Oct 28 2016

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Fixed. Bulletin:

Sign in to add a comment