CVE-2025-12725

HIGH 8.8 / 10.0
Published: November 10, 2025 at 08:15 PM
Modified: November 25, 2025 at 03:05 PM
Source: chrome-cve-admin@google.com

Vulnerability Description

Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics

Base Score: 8.8
Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: chrome-cve-admin@google.com

AI Security Analysis

01 // Technical Summary

Google Chrome on Android, in versions prior to 142.0.7444.137, is vulnerable to an out-of-bounds read in its WebGPU implementation that a remote attacker can turn into an out-of-bounds memory write. The bug is reachable from a crafted HTML page and can potentially lead to arbitrary code execution within the browser and, in the worst case, complete device compromise.

02 // Vulnerability Mechanism

Step 1: Payload Delivery. The attacker crafts a malicious HTML page containing JavaScript that interacts with the WebGPU API. The page is hosted on an attacker-controlled web server or delivered through social engineering (e.g., phishing).

Step 2: WebGPU Initialization. The victim's Chrome browser on Android loads the page, and the page's script initializes a WebGPU context.

Step 3: Crafted WebGPU Commands. The script issues a sequence of carefully crafted WebGPU commands to the browser's WebGPU implementation; these commands are designed to trigger the vulnerability.

Step 4: Out-of-Bounds Read. Because of the improper bounds check, the crafted commands cause the WebGPU implementation to read memory outside the allocated buffer.

Step 5: Memory Corruption (Out-of-Bounds Write). The attacker uses what the out-of-bounds read reveals to shape the memory layout and trigger an out-of-bounds write, for example overwriting critical data structures or function pointers.

Step 6: Code Execution. By overwriting a function pointer or other critical data, the attacker takes control of the program's execution flow and achieves arbitrary code execution within the context of the Chrome browser.

Step 7: Privilege Escalation. The attacker's code, now running inside the browser, can potentially access sensitive data, install malware, or further compromise the device. Chrome's renderer process is sandboxed, so going beyond the browser's own process would additionally require a separate sandbox escape.

03 // Deep Technical Analysis

The vulnerability stems from an improper bounds check within the WebGPU implementation in Google Chrome on Android. Specifically, the code that handles memory access operations in the WebGPU rendering pipeline fails to adequately validate the indices or offsets it is given. The result is an out-of-bounds read which, combined with other memory corruption primitives, can be leveraged into an out-of-bounds write. The root cause is likely a missing or incorrect calculation of buffer boundaries while processing WebGPU commands, which lets an attacker steer an access to an invalid memory address. Possible underlying causes include an integer overflow, incorrect pointer arithmetic, or a flawed implementation of memory allocation and deallocation within the WebGPU rendering engine.

CVE-2025-12725 - HIGH Severity (8.8) | Free CVE Database | 4nuxd