Stack Overflow in LLVMPipe reachable from Chromium

We discussed this vulnerability during Episode 76 on 11 May 2021

Cool bug, but hard to actually exploit despite getting PC control. The vuln uses GLSL, a C-like shader language that gets translated into C before being executed. The translation process also does things like zero-initing new arrays. The problem is that it doesn't validate that there is enough stack space for the new arrays being allocated, so it is possible to declare an array that overflows the available stack space and ends up in another thread's stack.

This is somewhat mitigated by the zero-init process, which attempts to write 0s to the whole allocated array and so crashes when it hits the guard page between the stacks.

The zero-init only happens at the point where the array is actually declared in the code; however, the stack frame is set up at the start of the function call. This means a variable declared after the large array can be stored past the end of that large buffer even though the large buffer itself is never initialized, allowing a targeted overwrite into the neighbouring stack that doesn't touch the guard page.