Windows: wdmaud.drv/Microsoft GS Wavetable Synth Memory Corruption/OOB Read

[GoogleCodeExporter]

Windows: wdmaud.drv/Microsoft GS Wavetable Synth Memory Corruption/OOB Read
Platform: Tested on Windows 8.1 Update as Windows 10 Build 10130
Class: Memory Corruption

Summary:
A crafted MIDI file can cause the Microsoft GS Wavetable Synth to crash with at 
least an OOB buffer read and sometimes heap corruption. This is exposed via 
Windows Media Player (ActiveX control or desktop) which might result in RCE. 

Description:

When playing back a crafted MIDI file in a player which uses the Microsoft GS 
Wavetable Synth (which is the default on modern versions of Windows) the sample 
position get calculated incorrectly when performing channel mixing. In the 
easiest to demonstrate case this causes an OOB read to occur within the 
wdmaud.drv DLL loaded into the process. This happens in CDigitalAudio::Mix16X 
for 32 bit or CDigitalAudio::Mix16 for 64 bit but they are essentially the same 
function.

For example this crash shows the OOB read:

0:014> r
rax=0000002c82cf7c50 rbx=000000000000002a rcx=00000000fffffffc
rdx=00000000ffffffe3 rsi=00000000fffd1d5d rdi=00000000fffd5d4b
rip=00007ffb707cb9b7 rsp=0000002c8295f6a0 rbp=00000000fd5d4b4e
 r8=0000000000000012  r9=0000002c82bb55ac r10=0000000000000004
r11=0000000000000011 r12=0000000000000002 r13=0000000000000412
r14=0000000000001176 r15=0000000000002a6a
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
wdmaud!CDigitalAudio::Mix16+0xd7:
00007ffb`707cb9b7 410fbf1449      movsx   edx,word ptr [r9+rcx*2] 
ds:0000002e`82bb55a4=????
0:014> k
Child-SP          RetAddr           Call Site
0000002c`8295f6a0 00007ffb`707c69b4 wdmaud!CDigitalAudio::Mix16+0xd7
0000002c`8295f700 00007ffb`707c704f wdmaud!CDigitalAudio::Mix+0x484
0000002c`8295f850 00007ffb`707beac1 wdmaud!CVoice::Mix+0x45f
0000002c`8295fb80 00007ffb`707bd9e7 wdmaud!CSynth::Mix+0x141
0000002c`8295fbe0 00007ffb`707be09c wdmaud!CUserModeSynth::Render+0xc7
0000002c`8295fc60 00007ffb`707be15c wdmaud!CDSLink::SynthProc+0x99
0000002c`8295fcc0 00007ffb`89270b13 wdmaud!CDSLink::SynthThread+0x1d
0000002c`8295fcf0 00007ffb`89270bcd msvcrt!_callthreadstartex+0x2b
0000002c`8295fd20 00007ffb`898413d2 msvcrt!_threadstartex+0x7c
0000002c`8295fd50 00007ffb`8a285444 KERNEL32!BaseThreadInitThunk+0x22
0000002c`8295fd80 00000000`00000000 ntdll!RtlUserThreadStart+0x34

Heap corruption has been observed on rare occasions but it’s unclear what 
causing the underlying problem and whether it’s controllable, therefore 
provided as is. 

Proof of Concept:

Provided is a PoC MIDI file which should be loaded into Windows Media Player. 

1) Copy the PoC to a location on a local hard disk, ensure there’s a sound 
card otherwise it might not work
2) Open the file in Windows Media Player, x64 version seems to be the most 
reliably for a crash
3) If no crash is observed set the file on repeat, it might take a few tries 
depending on heap layout. 

Expected Result:
The MIDI file should play to completion. 

Observed Result:
Media Player Crashes

Note if this issue is to be fixed please credit James Ingram. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 18 Jun 2015 at 3:40

Attachments:

• poc.mid

[GoogleCodeExporter]

This is also referenced from the Chrome issue 
https://code.google.com/p/chromium/issues/detail?id=499279

Original comment by fors...@google.com on 18 Jun 2015 at 3:41

[GoogleCodeExporter]

Assigned MSRC case 30466

Original comment by fors...@google.com on 18 Jun 2015 at 9:10

• Added labels: Id-30466

[GoogleCodeExporter]

Original comment by fors...@google.com on 18 Jul 2015 at 9:33

[GoogleCodeExporter]

Original comment by fors...@google.com on 3 Sep 2015 at 10:20

• Added labels: MSRC-30466
• Removed labels: Id-30466

[GoogleCodeExporter]

No response has been received from MSRC since providing the initial report and 
PoC and receiving the MSRC case number. The attack vector through Chrome's Web 
Midi APIs has been mitigated against but it isn't clear whether the bug was 
exploitable anyway.

Original comment by fors...@google.com on 16 Sep 2015 at 10:06

[GoogleCodeExporter]

Microsoft have responded indicating they believe this is only a DoS so it might 
be fixed in a future stability release. We agree with that assessment. Removing 
view restriction.

Original comment by fors...@google.com on 17 Sep 2015 at 12:03

• Changed state: Invalid
• Removed labels: Restrict-View-Commit