Components: Blink, Blink>WebGPU, Dawn, Dawn>Tint
Description
VULNERABILITY DETAILS
Chromium translates wgsl shaders via tint to an OS-specific shader format. On Windows, the OS-specific file format is hlsl, processed in dxcompiler.dll. When compiling chrome-generated hlsl files, this triggers a UAF inside the hlsl compiler.
VERSION
Chrome Version: Pre-compiled ASAN Chromium 127.0.6497.0 (Developer Build) (64-bit)
Operating System: Win11 Build 22631.3447
REPRODUCTION CASE
Attached is a .html file containing a WebGPU shader. Opening the html file (on Windows with the D3D12 backend) crashes the GPU process.
Reproducing the issue stand-alone on Linux is also possible:
./tint standalone.wgsl -o standalone.hlsl
I also attached standalone.hlsl, but you should get the very same file when compiling standalone.wgsl yourself.
./dxc-3.7 -T cs_6_2 -HV 2018 standalone.hlsl
This should trigger an ASAN violation.
Attached: