Open Bug 1838888 Opened 2 years ago Updated 1 year ago

crash at [@ atidxx64.dll | CContext::TID3D11DeviceContext_ClearRenderTargetView_<T> ]

Categories

(Core :: Graphics, defect)

People

(Reporter: alisyarief.404, Unassigned)

Details

(6 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

Attached image firefox.png

Crash report:
https://crash-stats.mozilla.org/report/index/0888fe14-6a0f-4407-9721-7031b0230616#tab-bugzilla

In ASan, error:
JavaScript error: resource://devtools/server/actors/resources/parent-process-document-event.js, line 90: TypeError: can't access property "innerWindowId", webProgress.browsingContext.currentWindowGlobal is null

Flags: sec-bounty?

The crash report is a null deref crash inside the graphics drivers, in the GPU process.

Do you have a test case that can be used to reproduce the issue?

Group: firefox-core-security → gfx-core-security
Component: Security → Graphics
Flags: needinfo?(alisyarief.404)
Product: Firefox → Core
Attached file memtest.html
Flags: needinfo?(alisyarief.404)

Yes, I'm testing with a script.
The script is in the attachment.

Thanks

Status: UNCONFIRMED → NEW
Crash Signature: [@ atidxx64.dll | CContext::TID3D11DeviceContext_ClearRenderTargetView_<T> ]
Ever confirmed: true
Summary: CContext::TID3D11DeviceContext_ClearRenderTargetView_<T> ] → crash at [@ atidxx64.dll | CContext::TID3D11DeviceContext_ClearRenderTargetView_<T> ]

Filing as security sensitive exploitable since the address indicates UAF:

Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x0000000000000060

Thanks

Could you attach the output of about:support for your machine?

Blocks: gfx-triage
Flags: needinfo?(alisyarief.404)
Severity: -- → S2
Attached file Application Basics
Flags: needinfo?(alisyarief.404)

I've attached the about:support output as a file in the attachment.

Thanks

Thanks. I see that the driver is from 2022:

Driver Version: 31.0.12042.4
Driver Date: 10-19-2022

Would it be possible to try updating the driver and see if the bug is still reproducible?

Flags: needinfo?(alisyarief.404)

I tested with the updated driver.
The bug is not reproducible.
But not all users update the driver on their PC/laptop.

Thanks

Flags: needinfo?(alisyarief.404)

I checked on a second laptop: the driver is from 2022, but there is no driver update notification on the laptop.
On default BYOD laptops, many AMD or NVIDIA drivers from 2021 or 2022 are still active.

Attached video poc_nightly.mp4

I'm testing in:

Nightly version: 116.0a1 (2023-06-18) (64-bit)
Error: Crash Tab

PoC in attachment

Any update on this report?
Is this finding valid?

The memtest.html is just exhausting memory, and something has to give on the system. It sounds like the new driver is different (maybe possibly better-behaved in this case), but that overall this is just something crashing in response to OOM, which is just a known DoS vector.

Keywords: sec-low, wsec-dos
No longer blocks: gfx-triage
Severity: S2 → S3
Group: gfx-core-security
Flags: sec-bounty? → sec-bounty-