Questionable AMD PCI Driver May Improve Game Stability But Could Be A Security Headache
We have seen major OEMs tinker with drivers and system settings for workarounds and various fixes in games and other apps before. And now that AMD is firmly back in the mainstream desktop processor race, the company is occasionally under the microscope with power users and developers that stumble onto similar patch type efforts. In that regard, it appears Ryzen systems may pose a potential cause for concern. A researcher has found a seemingly disguised AMD driver toggling certain system behaviors when it detects a list of games, which could open the door to security vulnerabilities and other issues.
This past Saturday, security researcher and Windows Internals expert Alex Ionescu was working with an AMD Ryzen system that had a Ryzen 7 1700 under the hood. As any good researcher would do, he proceeded to dig into what was on the system and made an interesting discovery with a mysterious "AMDPciDev.sys" file. AMDPciDev.sys was WHQL certified as a PnP PCI driver, installed on the system for a "PCIe Dummy Function" device. Seeing this dummy device association, Ionescu decided to reverse engineer the driver and saw some odd behaviors like a hashing algorithm and oddities with process creation, termination, and monitoring.
The initial findings from this reverse engineering, of which he reported on Twitter, explained that the "AMD PCI Driver" registers a process creation notify routine that, in short, "checks all process names against a list of 19 hashed names." If a match is found against that list, which turns out to be a list of game executables, the driver sets a bit to disable certain hardware optimizations. Disabling these optimizations, like the instruction cache, which could cause instability under load, could improve game stability. As Ionescu then explained to us, "it doesn't disable them merely for the running game -- it disables them for the entire machine."
This could be quite problematic, as he further stated that the 19 hashes that are used to check against running processes use a "very weak 32-bit hash -- like a CRC or XOR." The weak hash could lead to program hash collisions, where the system thinks a game is running, even though it could actually be a critical process or other software that was not intended to get this special treatment, per se.
Another problem is that this driver has security settings that allows anyone with low level read/write access to a system to use its interface. Ionescu reports that the driver "exposes, to user-mode applications, a completely unprivileged interface for adding additional processes to monitor." However, the code to handle these requests is unsafe and insecure, and could be used to crash the system, leaving the potential for unwanted information disclosure. If someone wanted to be malicious, Ionescu also wrote a PowerShell one-liner that demonstrates how it can crash a Ryzen system, as shown in the above tweet.
Thankfully, these issues only affect stepping B1 of Zen 1 (Ryzen 1xxx) and Zen 2 XT series (Ryzen 3xxx) processors. Regardless of what this affects, as Ionescu tweeted, "the driver is vulnerable, its use is obfuscated, these checks are poorly thought out, the list of processes is arbitrary, everything is being done behind user's backs, and it affects the system globally based on a single process name."
As such, it's rather concerning that this questionable driver is apparently deployed for production-level AMD systems of this vintage. Hopefully we will find out what is really going on with this methodology being employed, as we have reached out to AMD for comment. Until we get a response, let us know what you make of this situation in the comments below.