
Issue metadata

Status: Fixed
Closed: Oct 2016


NVIDIA: Incorrect bounds check in escape 0x70001b2

Reported by, Sep 13 2016

Issue description

The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its
variable size input.

void sub_8C4304(...) {
        // escape_->size is controlled by the user.
        // The clamp below only limits size by the caller's own value; the real
        // length of the input buffer (PrivateDriverDataSize) is never checked.
        if ( escape_->size < size )
          size = escape_->size;
        memcpy(escape_->data, v31, 28i64 * size);

Note that this appears to be a common pattern. Normally, before
escape handlers are executed, |PrivateDriverDataSize| (from DXGKARG_ESCAPE)
is checked to be equal to some value against a hardcoded table. However, some escapes
allow a more relaxed check that |PrivateDriverDataSize| >= minimum. This means that
the handlers themselves must implement an ad hoc bounds check, which either seems to be
missing or implemented incorrectly (relying on a user-specified value) in many cases.

Bug 936 is a similar issue and there are likely more. I've noticed (but not confirmed)
a few more OOB reads that I haven't reported that follow this same pattern.

Crashing context with PoC (Win 10 x64 with 372.54):

Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
rax=ffffd000239d51dc rbx=0000000000000000 rcx=fffffffffffffff4
rdx=fffff000e9e6c754 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80166d6aca0 rsp=ffffd000239d3df8 rbp=ffffd000239d3f00
 r8=0000000000000924  r9=000000000000003b r10=000000000000e9ef
r11=ffffd000239d48ac r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac pe cy
fffff801`66d6aca0 f30f7f40f0      movdqu  xmmword ptr [rax-10h],xmm0 ds:ffffd000`239d51cc=????????????????????????????????
Resetting default scope

To reproduce, compile as an x64 executable and run (requires WDK for D3DKMTEscape).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Comment 1 by, Sep 13 2016

Summary: NVIDIA: Incorrect bounds check in escape 0x70001b2 (was: NVIDIA: No bounds check in escape 0x70001b2)

Comment 2 by, Oct 28 2016

Labels: CVE-2016-8809

Comment 3 by, Oct 28 2016

Labels: -Restrict-View-Commit
Status: Fixed
Fixed. Bulletin:
