Bug 1758070 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
#Summary
UAF in WebGPU status manager [exploited in the wild]

#Type
GPU process RCE

#NOTE
We have evidence that the following bug is being exploited in the wild. This problem has been fixed in the latest beta version; the reason for the fix is an accident (https://bugzilla.mozilla.org/show_bug.cgi?id=1746538), but the stable version (97.0.1) has not been synchronized. Therefore, we think it is necessary to report this vulnerability in detail, so that the stable version can be fixed as soon as possible, and at the same time apply for a CVE number to track this vulnerability.

#CREDIT
wang gang & liu jialei & du sihang & huang yi & yang kang of 360 ATA

#MINIPOC
```
mov rax, [rsp+0E38h+var_DF8]
mov qword ptr [rax+198h], 0
mov rax, [rsp+0E38h+var_DF8]
add rax, 198h
xor edx, edx
mov rcx, rax
call [rsp+0E38h+mozilla::webgpu::Instance::Create]              ; <<[1]
mov rax, [rsp+0E38h+var_DF8]
mov rax, [rax+198h]
mov rcx, [rax+20h]
call [rsp+0E38h+mozilla::webgpu::PWebGPUChild::SendShutdown]    ; <<[2]
mov [rsp+0E38h+var_DEC], 0
```

#RCA
1. Get Render side RCE; we already reported it in https://bugzilla.mozilla.org/show_bug.cgi?id=1758062
2. Run shellcode in the compromised Render process: call mozilla::webgpu::Instance::Create, then call mozilla::webgpu::PWebGPUChild::SendShutdown to get a webgpu with wrong status.
3. After a clever heap layout, call mozilla::webgpu::PWebGPUChild::SendShaderModuleDestroy to get RCE.

```cpp
ipc::IPCResult WebGPUParent::RecvShutdown() {
  mTimer.Stop();
  for (const auto& p : mCanvasMap) {
    const wr::ExternalImageId extId = {p.first};
    layers::TextureHost::DestroyRenderTexture(extId);
  }
  mCanvasMap.clear();
  ffi::wgpu_server_poll_all_devices(mContext, true);
  ffi::wgpu_server_delete(const_cast<ffi::WGPUGlobal*>(mContext));  // << mContext is freed here
  return IPC_OK();
}
```
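The report's root cause is an ordering hazard: RecvShutdown frees the native context, but the parent actor stays alive and keeps the stale pointer, so any later message that reaches the context touches freed memory. The following is an added illustration of the defensive pattern for that class of bug, not Firefox's code and not the fix that landed in bug 1746538 (whose details are not on this page). The class names, the FakeGlobal stand-in for ffi::WGPUGlobal, and the IpcResult enum are all invented here; the message order it replays (create, shutdown, destroy) is the one the report describes.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <unordered_map>

// Hypothetical stand-in for the native context (ffi::WGPUGlobal in Gecko).
struct FakeGlobal {
  std::unordered_map<uint64_t, std::string> shaderModules;
};

enum class IpcResult { Ok, Fail };

// Hypothetical stand-in for the parent actor. The hazard it guards against:
// the actor outlives the context it owns, so every handler that reaches the
// context must tolerate "already shut down" instead of dereferencing a
// dangling pointer.
class HardenedParent {
 public:
  HardenedParent() : mContext(new FakeGlobal) {}
  ~HardenedParent() { delete mContext; }  // safe: nullptr after Shutdown

  IpcResult RecvShaderModuleCreate(uint64_t id, const std::string& src) {
    if (!mContext) return IpcResult::Fail;  // message after Shutdown: reject
    mContext->shaderModules[id] = src;
    return IpcResult::Ok;
  }

  IpcResult RecvShaderModuleDestroy(uint64_t id) {
    if (!mContext) return IpcResult::Fail;  // the post-shutdown path from the report
    mContext->shaderModules.erase(id);
    return IpcResult::Ok;
  }

  IpcResult RecvShutdown() {
    if (!mContext) return IpcResult::Fail;  // second Shutdown: reject, no double free
    delete mContext;
    mContext = nullptr;  // never leave a freed pointer reachable from later handlers
    mShutdown = true;
    return IpcResult::Ok;
  }

  bool IsShutdown() const { return mShutdown; }

  size_t LiveModules() const {
    return mContext ? mContext->shaderModules.size() : 0;
  }

 private:
  FakeGlobal* mContext;
  bool mShutdown = false;
};

// Replays the message order from the report against the hardened actor and
// returns true only if every message that arrived after Shutdown was rejected.
bool ReplayReportedSequence() {
  HardenedParent parent;
  if (parent.RecvShaderModuleCreate(1, "fn main() {}") != IpcResult::Ok) return false;
  if (parent.LiveModules() != 1) return false;
  if (parent.RecvShutdown() != IpcResult::Ok) return false;
  const bool rejectedDestroy = parent.RecvShaderModuleDestroy(1) == IpcResult::Fail;
  const bool rejectedShutdown = parent.RecvShutdown() == IpcResult::Fail;
  const bool rejectedCreate = parent.RecvShaderModuleCreate(2, "x") == IpcResult::Fail;
  return parent.IsShutdown() && rejectedDestroy && rejectedShutdown && rejectedCreate;
}

int main() {
  return ReplayReportedSequence() ? 0 : 1;
}
```

The same shape applies whether the context is a raw pointer or a smart pointer: what matters is that the owner records the transition to the shut-down state and that every IPC handler checks it before touching the context, because the child side (here a compromised content process) controls message order and cannot be trusted to send Shutdown last. A double-Shutdown check is part of the same guard, since a second delete of the same context is just another use of freed memory.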