Play AppSec WarGames
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
In May 2018, a critical vulnerability was discovered in Chromium Browser’s SwiftShader renderer, allowing attackers to exploit floating-point precision errors for sensitive information disclosure. The vulnerability (Chromium bug: 848238) arose specifically in the blitting process (Renderer/Blitter.cpp), where pixel data from one surface is copied to another using repeated incremental additions of floating-point values.
The vulnerability stemmed from how incremental floating-point additions accumulate small precision errors over iterations. Attackers could leverage carefully selected input dimensions (e.g., source width of 5828 pixels and destination width of 8132 pixels) to amplify these minor errors. Eventually, the errors became significant enough to trigger an out-of-bounds memory read, causing Chromium to access memory regions outside the intended graphics buffer.
Practically, exploiting this flaw could disclose sensitive GPU process memory, including heap addresses, pointers to the Chrome binary, or the SwiftShader library, significantly increasing the risk of further exploitation.
Chromium promptly addressed the issue by implementing a patch that prevents accumulation of floating-point errors during the blitting process, thereby resolving the precision issue and mitigating the memory disclosure vulnerability.
This incident underscores the importance of careful floating-point arithmetic handling and rigorous bounds checking in security-critical applications to prevent subtle yet severe vulnerabilities.
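The following is an added example, not code from the SecDim challenge or from Chromium. It models the blitter's pattern in Python: the source x coordinate for each destination column is produced by repeatedly adding a float32 step (single precision is simulated by rounding through `struct`), and the resulting index is used to read from a row of pixels. The 5828 to 8132 dimensions come from the report above and are used to measure how far the coordinate drifts; the second pair (4097 to 40970, step 0.1) is a constructed case where the drift in this model pushes the index past the end of the surface and an unchecked copy pulls in the bytes that follow it. The hardened variant, which derives each index from the loop counter with integer arithmetic and bounds-checks the copy, is one way to remove the accumulation; it is not a reproduction of Chromium's actual patch.

```python
import struct


def f32(x: float) -> float:
    """Round a Python float (binary64) to the nearest IEEE-754 binary32 value.
    Applying it after every operation models single-precision arithmetic."""
    return struct.unpack("f", struct.pack("f", x))[0]


def accumulated_coords(src_w: int, dst_w: int) -> list[float]:
    """Vulnerable pattern: the source x coordinate for each destination column
    is produced by repeatedly adding a float32 step. Every addition rounds, and
    within one power-of-two range the rounding typically goes the same way each
    time, so the error drifts steadily instead of cancelling out."""
    step = f32(src_w / dst_w)
    x = 0.0
    coords = []
    for _ in range(dst_w):
        coords.append(x)
        x = f32(x + step)  # one rounding error per iteration, never corrected
    return coords


def accumulated_indices(src_w: int, dst_w: int) -> list[int]:
    """Integer source index per destination column, as the buggy loop derives it."""
    return [int(x) for x in accumulated_coords(src_w, dst_w)]


def exact_indices(src_w: int, dst_w: int) -> list[int]:
    """Hardened pattern: derive each index from the loop counter with integer
    arithmetic. Nothing accumulates, and i * src_w // dst_w < src_w holds for
    every i < dst_w, so the index is in bounds by construction."""
    return [i * src_w // dst_w for i in range(dst_w)]


def coordinate_drift(src_w: int, dst_w: int) -> float:
    """Largest gap between the accumulated float32 coordinate and the exact
    value i * src_w / dst_w anywhere in the row."""
    coords = accumulated_coords(src_w, dst_w)
    return max(abs(x - i * src_w / dst_w) for i, x in enumerate(coords))


def in_bounds(indices, src_w: int) -> bool:
    """True when every source index lies inside the surface."""
    return all(0 <= i < src_w for i in indices)


def blit_row_unchecked(src_row: bytes, adjacent: bytes, indices) -> bytes:
    """Models one row of a blit in a language without bounds checks: the source
    surface is followed in memory by `adjacent`, and an index past the surface
    silently copies those bytes into the destination."""
    memory = src_row + adjacent
    return bytes(memory[i] for i in indices)


def blit_row_checked(src_row: bytes, indices) -> bytes:
    """Defensive variant: refuse to copy if any index leaves the surface."""
    if not in_bounds(indices, len(src_row)):
        raise ValueError("source index outside surface")
    return bytes(src_row[i] for i in indices)


def leaked_bytes(src_w: int, dst_w: int) -> bytes:
    """Run the unchecked blit and return the destination bytes that did not
    come from the surface. Surface and adjacent contents are constructed."""
    src_row = b"\x11" * src_w            # constructed surface: every pixel 0x11
    adjacent = bytes(range(0x80, 0x90))  # constructed "memory after the surface"
    dst = blit_row_unchecked(src_row, adjacent, accumulated_indices(src_w, dst_w))
    return bytes(b for b in dst if b != 0x11)


if __name__ == "__main__":
    # Dimensions from the Chromium report: after 8132 additions the float32
    # coordinate is off by a sizeable fraction of a pixel.
    print("drift for 5828 -> 8132:", coordinate_drift(5828, 8132))
    # Constructed pair (step 0.1, not from the report): the drift carries the
    # last indices past the end of a 4097-pixel surface.
    print("max index for 4097 -> 40970:", max(accumulated_indices(4097, 40970)),
          "limit:", 4097 - 1)
    print("bytes copied from outside the surface:", leaked_bytes(4097, 40970))
    print("hardened max index:", max(exact_indices(4097, 40970)))
```

The drift is not noise: because the step is the same float every time and the running coordinate is always a multiple of its own ulp, the rounding error inside each power-of-two range has a fixed sign, so thousands of small errors add up in one direction. That is why a bound derived from the nominal arithmetic (8132 steps of 5828/8132 should end exactly at 5828) cannot be trusted, and why the hardened loop computes each index from the counter rather than carrying state between iterations.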
We made a challenge in Python to replicate this vulnerability: