[Webkit-unassigned] [Bug 239154] [CoreIPC][WebGL] Heap Buffer Overflow from CoreIPC WebGL MultiDraw* due to discarded firsts/counts length in favour of attacker controlled drawcount
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Apr 14 03:24:46 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=239154
Kimmo Kinnunen <kkinnunen at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Group|Security-Sensitive |
CC| |dino at apple.com,
| |kbr at google.com
Component|Security |WebGL
Assignee|webkit-security-unassigned@ |webkit-unassigned at lists.web
|lists.webkit.org |kit.org
Product|Security |WebKit
--- Comment #9 from Kimmo Kinnunen <kkinnunen at apple.com> ---
Moving out of security, GPUP variant has not shipped anywhere. This is only a security problem for GPUP in case WP can run arbitrary code to select the arbitrary drawcount.
If WP variant has different threat model: if WP can already run arbitrary code to select arbitrary drawcount, it doesn't need an overflow in WP.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220414/0d0b81f5/attachment.htm>
More information about the webkit-unassigned
mailing list