# Pwn2Own Whitepaper: SpanMeNot

Submitted by Seunghyun Lee (@0x10n) of KAIST Hacking Lab


## Target

Google Chrome Renderer Only RCE

> Note that all Chromium-based browsers are vulnerable, but only one Double Tap Addon is allowed for a single participant in Pwn2Own.


## Hashes

```text
$ sha256sum exp.html poc.html poc_no_transfer.html
64c1e9938cedc5d81401251f0cabfe52c3a965256ed19e9d9564687fe9523171  exp.html
7625cb021fc1cbe511cde17207370d3286aaf9eddb7a5a83ce40caaedcfda390  poc.html
de5cc6dc7d5a3490d12e7101d84a0cfdc12bbf3b4407ee00c97c9454ae0e86c5  poc_no_transfer.html
```


## Repro (Minimal PoC)

1. Run a webserver to serve the given `poc.html` file (e.g. `python3 -m http.server -b 127.0.0.1 8000`)
2. Start Chrome or Edge
3. Assert that hardware accelerated compositing is enabled.
   1. Visit `chrome://gpu`
   2. Check that `Compositing: Hardware accelerated`
   3. If not, kill all `chrome.exe` or `msedge.exe` process and retry from step 2 with `--ignore-gpu-blocklist` flag added (if this still fails, hardware is likely ancient or is lacking proper graphics driver support)
4. Browse to `http://127.0.0.1:8000/poc.html`

Result should be an immediate crash with `STATUS_ACCESS_VIOLATION`.


## Repro (RCE)

1. Run a webserver to serve the given `exp.html` file (e.g. `python3 -m http.server -b 127.0.0.1 8000`)
2. Start Chrome or Edge with `--no-sandbox` flag
3. Assert that hardware accelerated compositing is enabled.
   1. Visit `chrome://gpu`
   2. Check that `Compositing: Hardware accelerated`
   3. If not, kill all `chrome.exe` or `msedge.exe` process and retry from step 2 with `--ignore-gpu-blocklist` flag added (if this still fails, hardware is likely ancient or is lacking proper graphics driver support)
4. Browse to `http://127.0.0.1:8000/exp.html`

Result should be a command prompt opening with arbitrary commands executed (`echo`ing of some ASCII art).

> Note that with all default options (Windows 11 VM in VMware Workstation), "Accelerate 3D graphics" option will be enabled by default. This uses VMware SVGA 3D display adapter, which by default supports hardware accelerated compositing for Google Chrome. Microsoft Edge for some unknown reason still blocklists this, so `--ignore-gpu-blocklist` is required.
>
> Without "Accelerate 3D graphics", both Chrome and Edge requires `--ignore-gpu-blocklist`.


## Bug / Root Cause Analysis

The `copyTo()` method of the `VideoFrame` object supports asynchronous copying of the contents of the VideoFrame to a user-supplied `ArrayBuffer`, `DataView` or `TypedArray`. This is implemented in `VideoFrame::copyTo()`:

```cpp
ScriptPromise VideoFrame::copyTo(ScriptState* script_state,
                                 const AllowSharedBufferSource* destination,
                                 VideoFrameCopyToOptions* options,
                                 ExceptionState& exception_state) {
  // ...
  // Validate destination buffer.
  auto buffer = AsSpan<uint8_t>(destination);
  if (!buffer.data()) {
    exception_state.ThrowTypeError("destination is detached.");
    return ScriptPromise();
  }
  if (buffer.size() < dest_layout.Size()) {
    exception_state.ThrowTypeError("destination is not large enough.");
    return ScriptPromise();
  }

  if (RuntimeEnabledFeatures::WebCodecsCopyToRGBEnabled() &&
      dest_layout.Format() != local_frame->format() &&
      media::IsRGB(dest_layout.Format())) {
    ConvertAndCopyToRGB(local_frame, src_rect, dest_layout, buffer);
  } else if (local_frame->IsMappable()) {
    CopyMappablePlanes(*local_frame, src_rect, dest_layout, buffer);
  } else if (local_frame->HasGpuMemoryBuffer()) {
    auto mapped_frame = media::ConvertToMemoryMappedFrame(local_frame);
    if (!mapped_frame) {
      exception_state.ThrowDOMException(DOMExceptionCode::kInvalidStateError,
                                        "Failed to read VideoFrame data.");
      return ScriptPromise();
    }
    CopyMappablePlanes(*mapped_frame, src_rect, dest_layout, buffer);
  } else {
    DCHECK(local_frame->HasTextures());

    if (auto* resolver = CopyToAsync(script_state, local_frame, src_rect,       // [!] target code
                                     destination, dest_layout)) {
      return resolver->Promise();
    }

    if (!CopyTexturablePlanes(*local_frame, src_rect, dest_layout, buffer)) {
      exception_state.ThrowDOMException(DOMExceptionCode::kInvalidStateError,
                                        "Failed to read VideoFrame data.");
      return ScriptPromise();
    }
  }

  auto result = ConvertLayout(dest_layout);
  return ScriptPromise::Cast(
      script_state,
      ToV8Traits<IDLSequence<PlaneLayout>>::ToV8(script_state, result));
}
```

After passing a lot of if statements, we reach `CopyToAsync()`:

```cpp
ScriptPromiseResolver* VideoFrame::CopyToAsync(
    ScriptState* script_state,
    scoped_refptr<media::VideoFrame> frame,
    gfx::Rect src_rect,
    const AllowSharedBufferSource* destination,
    const VideoFrameLayout& dest_layout) {
  auto* background_readback =
      BackgroundReadback::From(*ExecutionContext::From(script_state));
  if (!background_readback)
    return nullptr;

  ArrayBufferContents contents = PinArrayBufferContent(destination);        // [!] (improper) ownership acquisition
  if (!contents.DataLength())
    return nullptr;

  auto* resolver = MakeGarbageCollected<ScriptPromiseResolver>(script_state);
  auto readback_done_handler = [](ArrayBufferContents contents,
                                  ScriptPromiseResolver* resolver,
                                  VideoFrameLayout dest_layout, bool success) {
    auto* script_state = resolver->GetScriptState();
    if (success && script_state->ContextIsValid()) {
      resolver->Resolve(ConvertLayout(dest_layout));
    } else {
      resolver->Reject();
    }
  };
  auto done_cb = WTF::BindOnce(readback_done_handler, std::move(contents),
                               WrapPersistent(resolver), dest_layout);

  auto buffer = AsSpan<uint8_t>(destination);                               // [!] acquires a base::span of the buffer
  background_readback->ReadbackTextureBackedFrameToBuffer(                  // [!] dispatched into another thread
      std::move(frame), src_rect, dest_layout, buffer, std::move(done_cb));
  return resolver;
}
```

The copy is dispatched to another thread, with the promise resolved asynchronously. To keep the buffer alive, the underlying `ArrayBufferContents` is pinned via `PinArrayBufferContent()` and is bound to the resolver callback function `done_cb`:

```cpp
ArrayBufferContents PinArrayBufferContent(
    const AllowSharedBufferSource* buffer_union) {
  ArrayBufferContents result;
  switch (buffer_union->GetContentType()) {
    case AllowSharedBufferSource::ContentType::kArrayBufferAllowShared: {
      // ...
    }
    case AllowSharedBufferSource::ContentType::kArrayBufferViewAllowShared: {
      auto* view = buffer_union->GetAsArrayBufferViewAllowShared().Get();
      if (view && !view->IsDetached()) {
        if (view->IsShared()) {
          view->BufferShared()->Content()->ShareWith(result);
        } else {
          view->buffer()->ShareNonSharedForInternalUse(result);             // [!] non-shared, non-detached DataView
        }
      }
      return result;
    }
  }
}

bool DOMArrayBuffer::ShareNonSharedForInternalUse(ArrayBufferContents& result) {
  if (!Content()->BackingStore()) {
    result.Detach();
    return false;
  }
  Content()->ShareNonSharedForInternalUse(result);
  return true;
}

void ArrayBufferContents::ShareNonSharedForInternalUse(
    ArrayBufferContents& other) {
  DCHECK(!IsShared());
  DCHECK(!other.Data());
  DCHECK(Data());
  other.backing_store_ = backing_store_;                                    // [!] std::shared_ptr ref to backing store
}
```

However, this only pins the reference to `v8::BackingStore`. The backing store structure is kept alive, but this is insufficient to keep the underlying buffer alive. Thus the extracted `base::span` may be stale at the moment copy operation is carried out.

The actual copy to buffer is done in the following function:

```cpp
void GLHelper::CopyTextureToImpl::ReadbackDone(Request* finished_request) {
  TRACE_EVENT0("gpu.capture",
               "GLHelper::CopyTextureToImpl::CheckReadbackFramebufferComplete");
  finished_request->done = true;

  FinishRequestHelper finish_request_helper;

  // We process transfer requests in the order they were received, regardless
  // of the order we get the callbacks in.
  while (!request_queue_.empty()) {
    Request* request = request_queue_.front();
    if (!request->done) {
      break;
    }

    bool result = false;
    if (request->buffer != 0) {
      gl_->BindBuffer(GL_PIXEL_PACK_TRANSFER_BUFFER_CHROMIUM, request->buffer);
      unsigned char* src = static_cast<unsigned char*>(gl_->MapBufferCHROMIUM(
          GL_PIXEL_PACK_TRANSFER_BUFFER_CHROMIUM, GL_READ_ONLY));
      if (src) {
        result = true;
        int dst_stride = base::saturated_cast<int>(request->row_stride_bytes);
        int src_stride = base::saturated_cast<int>(request->bytes_per_pixel *
                                                   request->size.width());
        size_t bytes_to_copy =
            std::min(request->row_stride_bytes, request->bytes_per_row);
        unsigned char* dst = request->pixels;
        if (request->flip_y && request->size.height() > 1) {
          dst += dst_stride * (request->size.height() - 1);
          dst_stride = -dst_stride;
        }
        for (int y = 0; y < request->size.height(); y++) {
          memcpy(dst, src, bytes_to_copy);                      // [!] copying to buffer
          dst += dst_stride;
          src += src_stride;
        }
        gl_->UnmapBufferCHROMIUM(GL_PIXEL_PACK_TRANSFER_BUFFER_CHROMIUM);
      }
      gl_->BindBuffer(GL_PIXEL_PACK_TRANSFER_BUFFER_CHROMIUM, 0);
    }
    FinishRequest(request, result, &finish_request_helper);
  }
}
```

To sum up, the main JS thread may race against the background readback thread to reallocate the underlying buffer via `ArrayBuffer.prototype.transfer()` before the actual copy is made, resulting in a use-after-free write on the underlying buffer pointed by the `ArrayBuffer`, `DataView` or `TypedArray` passed to `VideoFrame.copyTo()`.

> Note that UAF is not the only problem with modifications on the underlying buffer from another thread. The main JS thread may attempt to sort a TypedArray on this buffer at the same time, where optimizations on non-shared buffers will [result in `std::sort()` to be used](https://source.chromium.org/chromium/chromium/src/+/main:v8/src/runtime/runtime-typedarray.cc;l=100). This function is well known to be unsafe on data races similar to the [qsort() issue reported by Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog).
>
> However, also note that for the PoC given, debugging shows that the above code (`ReadbackDone()`) is in fact called in the main JS thread. It may be the case that the background readback thread dispatches the actual copy operation back to the original context (main JS thread). This is not a blocker in exploiting the data race - see the Affected Version section for more information.

Back to the starting point, to trigger the bug we must pass quite a lot of if statements to reach `copyToAsync()` inside `copyTo()`. Analysis shows that `media::VideoFrame::StorageType::STORAGE_OPAQUE` is the only valid VideoFrame storage type that can reach the asynchronous copy. Although there are a lot of platform-specific codes that can create such VideoFrame, `VideoFrame::WrapNativeTextures` seems the most promising:

```cpp
scoped_refptr<VideoFrame> VideoFrame::WrapNativeTextures(
    VideoPixelFormat format,
    const gpu::MailboxHolder (&mailbox_holders)[kMaxPlanes],
    ReleaseMailboxCB mailbox_holder_release_cb,
    const gfx::Size& coded_size,
    const gfx::Rect& visible_rect,
    const gfx::Size& natural_size,
    base::TimeDelta timestamp) {
  // ...
  const StorageType storage = STORAGE_OPAQUE;                                       // [!] desired StorageType
  // ...
  scoped_refptr<VideoFrame> frame =
      new VideoFrame(*layout, storage, visible_rect, natural_size, timestamp);      // [!] VideoFrame with desired StorageType
  // ...
  return frame;
}
```

From a lot of call sites, `VideoFrame::Create()` seems the most promising:

```cpp
VideoFrame* VideoFrame::Create(ScriptState* script_state,
                               const V8CanvasImageSource* source,
                               const VideoFrameInit* init,
                               ExceptionState& exception_state) {
  // ...
  // Special case <video> and VideoFrame to directly use the underlying frame.
  if (source->IsVideoFrame() || source->IsHTMLVideoElement()) {                     // [!] should not be true
    // ...
    return MakeGarbageCollected<VideoFrame>(
        std::move(source_frame), ExecutionContext::From(script_state),
        /* monitoring_source_id */ std::string(), std::move(sk_image));
  }
  // ...
  if (image->IsTextureBacked() && SharedGpuContext::IsGpuCompositingEnabled()) {    // [!] should be true
    // ...
    frame = media::VideoFrame::WrapNativeTextures(                                  // [!] target callsite
        format, mailbox_holders, std::move(release_cb), coded_size,
        parsed_init.visible_rect, parsed_init.display_size, timestamp);
    // ...
  } else {
    // ...
  }
  // ...
}
```

`image->IsTextureBacked()` is only true for `blink::AcceleratedStaticBitmapImage`:

```cpp
class PLATFORM_EXPORT AcceleratedStaticBitmapImage final
    : public StaticBitmapImage {
  // ...
  bool IsTextureBacked() const override { return true; }
  // ...
};
```

`IsGpuCompositingEnabled()` is self-explanatory - we need hardware accelerated (i.e. GPU) compositing.

Thus, the bug is triggerable with:
1. Hardware accelerated compositing is enabled
2. Underlying image data of the VideoFrame is a canvas (but not `bitmaprenderer` context)

> Note that this is not the only condition to reach the bug. For example, VideoFrames from video elements with hardware accelerated decoding are also `STORAGE_OPAQUE` and can trigger the bug.


## Exploit

> Most of the exploit steps below are almost eqivalent to that of the other bug since we construct the same exploit primitives. The remaining are just exploit techniques in the modern Chrome heap sandbox environment (especially with regards to PartitionAlloc).

### From a Race UAF Write to Persistent (Almost) Arbitrary Address Write

Although this bug is technically a UAF trigged by a race condition, empirically the race UAF write primitive shows 100% stability regardless of how long the main JS thread runs - an infinite loop after ArrayBuffer `transfer()` does not even crash. It is speculated that the copy operation is dispatched back to the main JS thread via IPC, which runs like a microtask (i.e. only at an await point).

The primitive we currently have is a use-after-free write on any chosen ArrayBuffer, with arbitrary offset and with almost arbitrary length within the buffer by the use of DataView. Unfortunately this is caged in the 1TB heap sandbox, and furthermore is [allocated in the ArrayBuffer partition](https://chromium.googlesource.com/chromium/src/+/master/third_party/blink/renderer/platform/wtf/allocator/Allocator.md) of PartitionAlloc.

There have been exploits on ArrayBuffer UAF: CVE-2019-5786, CVE-2019-13270 a.k.a. Operation WizardOpium, and many more. All of these exploit techniques, especially freelist corruption to PartitionAlloc metadata, are no longer valid due to sanity checks:

```cpp
  PA_ALWAYS_INLINE static bool IsSane(const EncodedNextFreelistEntry* here,
                                      const EncodedNextFreelistEntry* next,
                                      bool for_thread_cache) {
    // Don't allow the freelist to be blindly followed to any location.
    // Checks two constraints:
    // - here and next must belong to the same superpage, unless this is in the
    //   thread cache (they even always belong to the same slot span).
    // - next cannot point inside the metadata area.
    //
    // Also, the lightweight UaF detection (pointer shadow) is checked.

    uintptr_t here_address = SlotStartPtr2Addr(here);
    uintptr_t next_address = SlotStartPtr2Addr(next);

#if PA_CONFIG(HAS_FREELIST_SHADOW_ENTRY)
    bool shadow_ptr_ok = here->encoded_next_.Inverted() == here->shadow_;
#else
    bool shadow_ptr_ok = true;
#endif

    bool same_superpage = (here_address & kSuperPageBaseMask) ==
                          (next_address & kSuperPageBaseMask);          // [!] checks superpage equality
#if BUILDFLAG(USE_FREESLOT_BITMAP)
    bool marked_as_free_in_bitmap =
        for_thread_cache ? true : !FreeSlotBitmapSlotIsUsed(next_address);
#else
    bool marked_as_free_in_bitmap = true;
#endif

    // This is necessary but not sufficient when quarantine is enabled, see
    // SuperPagePayloadBegin() in partition_page.h. However we don't want to
    // fetch anything from the root in this function.
    bool not_in_metadata =
        (next_address & kSuperPageOffsetMask) >= PartitionPageSize();   // [!] checks metadata inclusivity

    if (for_thread_cache) {
      return shadow_ptr_ok & not_in_metadata;
    } else {
      return shadow_ptr_ok & same_superpage & marked_as_free_in_bitmap &
             not_in_metadata;
    }
  }
```

However, as we have a use-after-free write on any ArrayBuffers, we can simply directly target the metadata region by using ArrayBuffers of size exceeding 0xf0000. This gets mapped directly ("Direct Map") on the PartitionAlloc region which could be unmapped and reclaimed as part of super pages, including metadata.

Also, freelist head on the metadata region is not validated if its next pointer is NULL:

```cpp
template <bool crash_on_corruption>
PA_ALWAYS_INLINE EncodedNextFreelistEntry*
EncodedNextFreelistEntry::GetNextInternal(size_t slot_size,
                                          bool for_thread_cache) const {
  // GetNext() can be called on discarded memory, in which case |encoded_next_|
  // is 0, and none of the checks apply. Don't prefetch nullptr either.
  if (IsEncodedNextPtrZero()) {             // [!] no checks if freelist head is the last entry, i.e. next == NULL
    return nullptr;
  }

  auto* ret = encoded_next_.Decode();
  // We rely on constant propagation to remove the branches coming from
  // |for_thread_cache|, since the argument is always a compile-time constant.
  if (PA_UNLIKELY(!IsSane(this, ret, for_thread_cache))) {
    if constexpr (crash_on_corruption) {
      // Put the corrupted data on the stack, it may give us more information
      // about what kind of corruption that was.
      PA_DEBUG_DATA_ON_STACK("first",
                             static_cast<size_t>(encoded_next_.encoded_));
#if PA_CONFIG(HAS_FREELIST_SHADOW_ENTRY)
      PA_DEBUG_DATA_ON_STACK("second", static_cast<size_t>(shadow_));
#endif
      FreelistCorruptionDetected(slot_size);
    } else {
      return nullptr;
    }
  }
  // ...
}

PA_ALWAYS_INLINE EncodedNextFreelistEntry* EncodedNextFreelistEntry::GetNext(
    size_t slot_size) const {
  return GetNextInternal<true>(slot_size, false);
}

PA_ALWAYS_INLINE PartitionFreelistEntry* SlotSpanMetadata::PopForAlloc(
    size_t size) {
  // Not using bucket->slot_size directly as the compiler doesn't know that
  // |bucket->slot_size| is the same as |size|.
  PA_DCHECK(size == bucket->slot_size);
  PartitionFreelistEntry* result = freelist_head;
  // Not setting freelist_is_sorted_ to false since this doesn't destroy
  // ordering.
  freelist_head = freelist_head->GetNext(size);
  num_allocated_slots++;
  return result;
}
```

Thus, we can partially overwrite the freelist head inside metadata so that the next free chunk points to itself, somewhere within the metadata region where:
1. NULL is already written on it
2. The last 8 bytes of the allocated chunk would overlap with the span metadata's freelist head (`freelist_head`)

Then, the next ArrayBuffer partition allocation with the corresponding size will return the forged chunk pointing inside the metadata region. Using this we can now persistently overwrite `freelist_head` (without triggering the bug again) to arbitrary address already containing NULL, which would be returned on the next ArrayBuffer partition allocation with the corresponding size.

> In the exploit, we partially overwrite the lower 3 bytes of `freelist_head` located at offset `0x401060` so that it now points to offset `0x401030` which is within the metadata region. This span consists of 0x40-sized chunks, thus reclaiming it results in range `[0x401030, 0x401070)` to be returned. The last 0x10 bytes overlaps with the span metadata of the original `freelist_head` that we've initially overwritten as well as `next_slot_span` (irrelevant for our exploit), granting full control over freelist.

Using this primitive we can claim the metadata corresponding to yet unused slot spans, then create an ArrayBuffer with different size to populate the metadata. This allows leaking binary base (of `chrome.dll` or `msedge.dll`) from bucket address and heap address from freelist head. Note that we could have directly overwritten `freelist_head` to point to yet unused slot span metadata to start with as it also grants full control over metadata, but this is just a matter of preference.

> We have now built an equivalent primitive to that of the other bug (fully controlled UAF on PartitionAlloc metadata) - the remaining exploits are the same boilerplates.

### Uncaging the V8 Heap Sandbox

This is now one step short of arbitrary allocation primitive on any address that already contains NULL. On the actual allocation routine, the returned address is checked so that it is within the V8 heap sandbox:

```cpp
// Allocate a backing store using the array buffer allocator from the embedder.
std::unique_ptr<BackingStore> BackingStore::Allocate(
    Isolate* isolate, size_t byte_length, SharedFlag shared,
    InitializedFlag initialized) {
  void* buffer_start = nullptr;
  auto allocator = isolate->array_buffer_allocator();
  CHECK_NOT_NULL(allocator);
  if (byte_length != 0) {
    // ...
    auto allocate_buffer = [allocator, initialized](size_t byte_length) {
      if (initialized == InitializedFlag::kUninitialized) {
        return allocator->AllocateUninitialized(byte_length);
      }
      return allocator->Allocate(byte_length);
    };

    buffer_start = isolate->heap()->AllocateExternalBackingStore(
        allocate_buffer, byte_length);
    // ...
#ifdef V8_ENABLE_SANDBOX
    // Check to catch use of a non-sandbox-compatible ArrayBufferAllocator.
    CHECK_WITH_MSG(GetProcessWideSandbox()->Contains(buffer_start),
                   "When the V8 Sandbox is enabled, ArrayBuffer backing stores "
                   "must be allocated inside the sandbox address space. Please "
                   "use an appropriate ArrayBuffer::Allocator to allocate "
                   "these buffers, or disable the sandbox.");
#endif
  }

  // ...
}

class V8_EXPORT_PRIVATE Sandbox {
  // ...
  /**
   * Returns true if the given address lies within the sandbox address space.
   */
  bool Contains(Address addr) const {
    return base::IsInHalfOpenRange(addr, base_, base_ + size_);
  }

  /**
   * Returns true if the given pointer points into the sandbox address space.
   */
  bool Contains(void* ptr) const {
    return Contains(reinterpret_cast<Address>(ptr));
  }
  // ...
};
```

This check can be avoided by using reallocation instead:

```cpp
bool BackingStore::Reallocate(Isolate* isolate, size_t new_byte_length) {
  CHECK(CanReallocate());
  auto allocator = get_v8_api_array_buffer_allocator();
  CHECK_EQ(isolate->array_buffer_allocator(), allocator);
  CHECK_EQ(byte_length_, byte_capacity_);
  void* new_start =
      allocator->Reallocate(buffer_start_, byte_length_, new_byte_length);  // [!] no check on this pointer
  if (!new_start) return false;
  buffer_start_ = new_start;
  byte_capacity_ = new_byte_length;
  byte_length_ = new_byte_length;
  max_byte_length_ = new_byte_length;
  return true;
}

void* v8::ArrayBuffer::Allocator::Reallocate(void* data, size_t old_length,
                                             size_t new_length) {
  if (old_length == new_length) return data;
  uint8_t* new_data =
      reinterpret_cast<uint8_t*>(AllocateUninitialized(new_length));        // [!] no check on this pointer
  if (new_data == nullptr) return nullptr;
  size_t bytes_to_copy = std::min(old_length, new_length);
  memcpy(new_data, data, bytes_to_copy);                                    // [!] arbitrary write
  if (new_length > bytes_to_copy) {
    memset(new_data + bytes_to_copy, 0, new_length - bytes_to_copy);
  }
  Free(data, old_length);
  return new_data;
}
```

We now have arbitrary write. However, the primitive still crashes the renderer before returning to our JS due to another check while setting the backing store address:

```cpp
void JSArrayBuffer::set_backing_store(Isolate* isolate, void* value) {
  Address addr = reinterpret_cast<Address>(value);
  WriteSandboxedPointerField(kBackingStoreOffset, isolate, addr);
}

void HeapObject::WriteSandboxedPointerField(size_t offset, Isolate* isolate,
                                            Address value) {
  i::WriteSandboxedPointerField(field_address(offset),
                                PtrComprCageBase(isolate), value);
}

V8_INLINE void WriteSandboxedPointerField(Address field_address,
                                          PtrComprCageBase cage_base,
                                          Address pointer) {
#ifdef V8_ENABLE_SANDBOX
  // The pointer must point into the sandbox.
  CHECK(GetProcessWideSandbox()->Contains(pointer));                        // [!] check crashes

  Address offset = pointer - cage_base.address();
  SandboxedPointer_t sandboxed_pointer = offset << kSandboxedPointerShift;
  base::WriteUnalignedValue<SandboxedPointer_t>(field_address,
                                                sandboxed_pointer);
#else
  WriteMaybeUnalignedValue<Address>(field_address, pointer);
#endif
}
```

Recall again that this check is triggered AFTER the reallocation which have already `memcpy()`-ed attacker-controlled contents on to attacker-controlled address outside of the heap sandbox. We can simple overwrite the sandbox bounds as the full 64bit address space, completely bypassing any following sandbox address checks:

```cpp
class V8_EXPORT_PRIVATE Sandbox {
  // ...
  Address base_ = kNullAddress;     // [!] bounds later initialized on sandbox init, to be overwritten
  Address end_ = kNullAddress;
  size_t size_ = 0;
  // ...
};
```

Now we can continue our exploit with the sandbox region forged as the full 64bit address space, effectively uncaging the sandbox to allow our primitive to allocate arbitrary addresses with NULL already written on it.

Note that the sandbox is the whole 1TB cage which contains other partitions - pivoting to such partitions without overwriting the sandbox bounds would also be a valid exploit technique, although recent sandbox hardening changes from M123 and above are somewhat mitigating such primitives.

### Gaining Arbitrary Code Execution

We have the following primitives:
- Leak:
  - Binary base address (`chrome.dll` / `msedge.dll`)
  - ArrayBuffer partition address
- Primitives:
  - AAW on any address which already has NULL (i.e. 8 bytes of zeros) written on it

Obtaining PC control can be done in many ways, but as we're already overwriting the `Sandbox` object to change the cage bounds we might as well just overwrite something that's located in front of it.

What's in front of `Sandbox`? It's `CodePointerTable`:

```cpp
class V8_EXPORT_PRIVATE CodePointerTable
    : public ExternalEntityTable<CodePointerTableEntry,
                                 kCodePointerTableReservationSize> {
  // ...
};

template <typename Entry, size_t size>
class V8_EXPORT_PRIVATE ExternalEntityTable {
  // ...
  // The pointer to the base of the virtual address space backing this table.
  // All entry accesses happen through this pointer.
  // It is equivalent to |vas_->base()| and is effectively const after
  // initialization since the backing memory is never reallocated.
  Entry* base_ = nullptr;

  // The virtual address space backing this table.
  // This is used to manage the underlying OS pages, in particular to allocate
  // and free the segments that make up the table.
  VirtualAddressSpace* vas_ = nullptr;
};
```

So if we overwrite `base_` of the `CodePointerTable` to attacker-controlled region together with the `Sandbox` region, we can point the whole code table into attacker-controlled region. Triggering a call through a code pointer within `CodePointerTable` will now grant PC control - `JSEntry()` is one of the many examples of such, easily triggered by asynchronously resolving from `setTimeout()` or even with a simple `console.log({})`. Note that the address must be XORed with appropriate tags for versions affected with CodeEntrypointTag (commit [aae8ec28](https://chromium.googlesource.com/v8/v8/+/aae8ec28b2e2ba8be993cb372cc7c0907f602b1e)).

```cpp
V8_WARN_UNUSED_RESULT MaybeHandle<Object> Invoke(Isolate* isolate,
                                                 const InvokeParams& params) {
  // ...
  // Placeholder for return value.
  Tagged<Object> value;
  Handle<Code> code =
      JSEntry(isolate, params.execution_target, params.is_construct);
  {
    // ...
    if (params.execution_target == Execution::Target::kCallable) {
      // ...
      using JSEntryFunction = GeneratedCode<Address(
          Address root_register_value, Address new_target, Address target,
          Address receiver, intptr_t argc, Address** argv)>;
      // clang-format on
      JSEntryFunction stub_entry =
          JSEntryFunction::FromAddress(isolate, code->instruction_start());     // [!] using pointer from our forged table

      Address orig_func = (*params.new_target).ptr();
      Address func = (*params.target).ptr();
      Address recv = (*params.receiver).ptr();
      Address** argv = reinterpret_cast<Address**>(params.argv);
      RCS_SCOPE(isolate, RuntimeCallCounterId::kJS_Execution);
      value = Tagged<Object>(
          stub_entry.Call(isolate->isolate_data()->isolate_root(), orig_func,
                          func, recv, JSParameterCount(params.argc), argv));
    } else {
      // ...
      using JSEntryFunction = GeneratedCode<Address(
          Address root_register_value, MicrotaskQueue* microtask_queue)>;
      // clang-format on
      JSEntryFunction stub_entry =
          JSEntryFunction::FromAddress(isolate, code->instruction_start());     // [!] using pointer from our forged table

      RCS_SCOPE(isolate, RuntimeCallCounterId::kJS_Execution);
      value = Tagged<Object>(stub_entry.Call(
          isolate->isolate_data()->isolate_root(), params.microtask_queue));
    }
  }
  // ...
}

DEF_GETTER(Code, instruction_start, Address) {
#ifdef V8_ENABLE_SANDBOX
  return ReadCodeEntrypointViaCodePointerField(kSelfIndirectPointerOffset,
                                               entrypoint_tag());
#else
  return ReadField<Address>(kInstructionStartOffset);
#endif
}

constexpr int kCodeEntrypointTagShift = 48;
enum CodeEntrypointTag : uint64_t {
  // TODO(saelo): eventually, we'll probably want to remove the default tag.
  kDefaultCodeEntrypointTag = 0,
  // TODO(saelo): give these unique tags.
  kJSEntrypointTag = kDefaultCodeEntrypointTag,
  kWasmEntrypointTag = kDefaultCodeEntrypointTag,
  kBytecodeHandlerEntrypointTag = uint64_t{1} << kCodeEntrypointTagShift,
  kICHandlerEntrypointTag = uint64_t{2} << kCodeEntrypointTagShift,
  kRegExpEntrypointTag = uint64_t{3} << kCodeEntrypointTagShift,
  // TODO(saelo): create more of these tags.

  // Tag to use for code that will never be called indirectly via the CPT.
  kInvalidEntrypointTag = uint64_t{0xff} << kCodeEntrypointTagShift,            // [!] tag for JSEntry
  // Tag used internally by the code pointer table to mark free entries.
  kFreeCodePointerTableEntryTag = uint64_t{0xffff} << kCodeEntrypointTagShift,  // [!] tag for JSEntry (before commit 0c86ce84)
};
```

> Note that overwriting something in front of `Sandbox` is required for Chrome to exploit the vulnerability deterministically ("deterministically" meaning 100% exploit chance in a single run without crashing), as there are no leading NULL directly in front of the `Sandbox` object in memory. Alternatively one could bruteforce sandbox region until there are consecutive 8 zero bytes, but crashing in Windows sometimes take a long time to recover :(
>
> In Edge, there already is a NULL in front of `Sandbox`, but to make the exploit equivalent with Chrome the same technique is applied.

Although we have PC control, there are no controlled registers pointing to attacker-controlled ArrayBuffer partition address. We can use an intermediate gadget that loads a value from .data section and then calls/jumps from a pointer again on .data section. Chaining this with a stack pivot gadget we can trigger our ropchain.

The intermediate gadget that I've used looks like `mov rax, [rip+0x..]; mov rcx, [rax+(0x18 or 0x20)]; mov edx, ebx; mov r8, rdi; mov r9, rsi; call qword ptr [rip+0x..];`, and the pivot gadget called is `push rax ; pop rsp ; ret`. Both the `rip`-relative address points to .data, has NULL within several bytes in front of it, and can be overwritten without adverse side effects. Both the gadgets exist on all Windows x64 Chrome and Edge release builds that I have tested on.

This completes the arbitrary code execution - ROP to call `VirtualProtect()` and return to shellcode.


## Affected Version

From M110 up to latest. The vulnerable pattern is introduced in M110 commit [8b5ccd22](https://chromium.googlesource.com/chromium/src.git/+/8b5ccd22cc5d626dd7b58971a5e64e761e057c4f).

Triggering the bug via `ArrayBuffer.prototype.transfer` and its variants is blocked behind `--harmony-rab-gsab-transfer` flag from M105 which is later enabled by default in M114 (commit [6387763c](https://chromium.googlesource.com/v8/v8.git/+/6387763c67f958f1b67b6da2e84c147dab0f4a78)).

This bug is still likely to be exploitable without `ArrayBuffer.prototype.transfer` by exploiting data races on non-shared ArrayBuffers, for example with the following execution order:
1. Create ArrayBuffer `ab` on main JS thread
2. Create a worker thread
3. Dispatch `VideoFrame.copyTo(ab)` operation
4. Zero-copy transfer `ab` to the worker thread via `postMessage()`
   - Now the worker thread is able to operate on the ArrayBuffer concurrently with the main JS thread
5. Race the two operations:
   - Worker thread: Either one of the following:
     1. Optimized `TypedArray.prototype.sort()` using `std::sort()`, similar to https://chromium-review.googlesource.com/c/v8/v8/+/1581641
     2. WASM compiling non-shared ArrayBuffer, similar to https://issues.chromium.org/issues/40088842
   - Main JS thread: Copy operation in `ReadbackDone()`

I've confirmed that the data race does trigger by hitting a check (`int 3; ud2;`) with `TypedArray.prototype.sort()` - this is included in the attachments as `poc_no_transfer.html` and the stack trace is also included at the end of this document.


## Fix

1. Stop acquiring raw pointers and `base::span` of `ArrayBuffer`-like objects across awaitble points or threaded operations
   - Either steal the underlying backing store as if we detach the buffer (this violates spec), or mark the buffer as shared (only internally)
     - Marking it as shared should not actually make it a SharedArrayBuffer, but instead should result in all non-shared ArrayBuffer optimizations to be avoided while being internally shared
   - Validate and mark all unsafe buffer usages as per https://issues.chromium.org/issues/40284755, notably initial spanification points that are worthy of marking `UNSAFE_BUFFERS()`
2. **Assert that there are no other potential data races on non-shared ArrayBuffers exposed to JS** (most likely in WebAudio, WebCodecs, etc.)
   - As a starting point, `AsSpan()` and `DOMArrayBuffer::ShareNonSharedForInternalUse()` sounds really bad (except for some legitimate use cases)
3. (Mitigation) Temporarily mitigate data races on non-shared ArrayBuffers for WASM compilation by copying the underlying buffer regardless of shared state
4. (Mitigation) Mitigate UAF on PartitionAlloc by implementing read-only metadata, i.e. [ShadowMetadata](https://bugs.chromium.org/p/chromium/issues/detail?id=1362969)
   - As shown in the exploit section, metadata corruption is still an extremely strong technique that trivially bypasses all heap sandbox mitigations
   - For a stopgap patch, verify that freelist head points inside of the corresponding super span's non-metadata region. This is likely to incur overheads, but likely less than that of ShadowMetadata
     - Bypasses expected with this approach, for example by exploiting forged `bucket` or `next_slot_span` pointer
5. (Mitigation) Make `Sandbox`, `CodePointerTable` and a bunch of security-critical data structures read-only after init
   - This may incur heavy overhead for frequently changing data structures
   - Alternatively, for all pointers that are eventually CHECK()ed to be within the sandbox, hoist the CHECK() into (re)allocation code


## Call Stack (Minimal PoC)

Tested on Chrome version 123.0.6312.10 release build, symbolized via Visual Studio debugger.

```text
; crash within chrome.dll!memcpy()
MoveSmall5::
00007FFF47AF1C67  mov         byte ptr [rax],cl  
        mov      ecx, DWORD PTR [rdx]                            ; handle 5 bytes (4+1)
00007FFF47AF1C69  ret  
        movzx    r8d, BYTE PTR (4)[rdx]
        mov      [rax], ecx
00007FFF47AF1C6A  mov         ecx,dword ptr [rdx]  
        mov      (4)[rax], r8b
00007FFF47AF1C6C  mov         dword ptr [rax],ecx                ; RIP
        ret

RAX = 000002C000217337 RBX = 0000751800BDB570 RCX = 00000000DEADBEEF RDX = 0000028C8A290000 RSI = 0000751800B758A0 RDI = 0000000000000004 R8  = 0000000000000004 R9  = 00007FFF47AF1C6A R10 = 00007FFF41230000 R11 = 000000964BDFDA90 R12 = 000002C000217337 R13 = 0000000000000004 R14 = 0000028C8A290000 R15 = 0000000000000004 RIP = 00007FFF47AF1C6C RSP = 000000964BDFDAF8 RBP = 0000000000000000 EFL = 00010206 

0x000002C000217337 = 00000000
```

```text
chrome.dll!memcpy() Line 208
	at D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm(208)
chrome.dll!gpu::GLHelper::CopyTextureToImpl::ReadbackDone(gpu::GLHelper::CopyTextureToImpl::Request * finished_request) Line 457
	at C:\b\s\w\ir\cache\builder\src\gpu\command_buffer\client\gl_helper.cc(457)
[Inline Frame] chrome.dll!base::OnceCallback<void ()>::Run() Line 156
	at C:\b\s\w\ir\cache\builder\src\base\functional\callback.h(156)
chrome.dll!gpu::ImplementationBase::RunIfContextNotLost(base::OnceCallback<void ()> callback) Line 400
	at C:\b\s\w\ir\cache\builder\src\gpu\command_buffer\client\implementation_base.cc(400)
[Inline Frame] chrome.dll!base::internal::DecayedFunctorTraits<void (content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>),base::WeakPtr<content::WebBluetoothServiceImpl> &&,base::OnceCallback<void (blink::mojom::WebBluetoothResult)> &&>::Invoke(void(content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>) method, const base::WeakPtr<content::WebBluetoothServiceImpl> & receiver_ptr, base::OnceCallback<void (blink::mojom::WebBluetoothResult)> && args) Line 752
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(752)
[Inline Frame] chrome.dll!base::internal::InvokeHelper<1,base::internal::FunctorTraits<void (content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>),base::WeakPtr<content::WebBluetoothServiceImpl> &&,base::OnceCallback<void (blink::mojom::WebBluetoothResult)> &&>,void,0,1>::MakeItSo(void(content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>) && functor, std::__Cr::tuple<base::WeakPtr<content::WebBluetoothServiceImpl>,base::OnceCallback<void (blink::mojom::WebBluetoothResult)>> && bound) Line 946
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(946)
[Inline Frame] chrome.dll!base::internal::Invoker<base::internal::FunctorTraits<void (content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>),base::WeakPtr<content::WebBluetoothServiceImpl> &&,base::OnceCallback<void (blink::mojom::WebBluetoothResult)> &&>,base::internal::BindState<1,1,0,void (content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>),base::WeakPtr<content::WebBluetoothServiceImpl>,base::OnceCallback<void (blink::mojom::WebBluetoothResult)>>,void ()>::RunImpl(void(content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>) && functor, std::__Cr::tuple<base::WeakPtr<content::WebBluetoothServiceImpl>,base::OnceCallback<void (blink::mojom::WebBluetoothResult)>> && bound, std::__Cr::integer_sequence<unsigned long long,0,1>) Line 1059
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(1059)
chrome.dll!base::internal::Invoker<base::internal::FunctorTraits<void (content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>),base::WeakPtr<content::WebBluetoothServiceImpl> &&,base::OnceCallback<void (blink::mojom::WebBluetoothResult)> &&>,base::internal::BindState<1,1,0,void (content::WebBluetoothServiceImpl::*)(base::OnceCallback<void (blink::mojom::WebBluetoothResult)>),base::WeakPtr<content::WebBluetoothServiceImpl>,base::OnceCallback<void (blink::mojom::WebBluetoothResult)>>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 975
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(975)
[Inline Frame] chrome.dll!base::OnceCallback<void ()>::Run() Line 156
	at C:\b\s\w\ir\cache\builder\src\base\functional\callback.h(156)
chrome.dll!gpu::CommandBufferProxyImpl::OnSignalAck(unsigned int id, const gpu::CommandBuffer::State & state) Line 213
	at C:\b\s\w\ir\cache\builder\src\gpu\ipc\client\command_buffer_proxy_impl.cc(213)
chrome.dll!gpu::mojom::CommandBufferClientStubDispatch::Accept(gpu::mojom::CommandBufferClient * impl, mojo::Message * message) Line 7707
	at C:\b\s\w\ir\cache\builder\src\out\Release_x64\gen\gpu\ipc\common\gpu_channel.mojom.cc(7707)
[Inline Frame] chrome.dll!mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message * message) Line 1021
	at C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc(1021)
chrome.dll!mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message * message) Line 368
	at C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc(368)
[Inline Frame] chrome.dll!mojo::MessageDispatcher::Accept(mojo::Message * message) Line 43
	at C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc(43)
chrome.dll!mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message * message) Line 706
	at C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc(706)
chrome.dll!IPC::ChannelAssociatedGroupController::AcceptOnEndpointThread(mojo::Message message, IPC::`anonymous namespace'::ScopedUrgentMessageNotification scoped_urgent_message_notification) Line 1182
	at C:\b\s\w\ir\cache\builder\src\ipc\ipc_mojo_bootstrap.cc(1182)
[Inline Frame] chrome.dll!base::internal::DecayedFunctorTraits<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>::Invoke(void(IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::`anonymous namespace'::ScopedUrgentMessageNotification) method, scoped_refptr<IPC::ChannelAssociatedGroupController> && receiver_ptr, mojo::Message && args, IPC::`anonymous namespace'::ScopedUrgentMessageNotification && args) Line 752
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(752)
[Inline Frame] chrome.dll!base::internal::InvokeHelper<0,base::internal::FunctorTraits<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>,void,0,1,2>::MakeItSo(void(IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::`anonymous namespace'::ScopedUrgentMessageNotification) && functor, std::__Cr::tuple<scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification> && bound) Line 922
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(922)
[Inline Frame] chrome.dll!base::internal::Invoker<base::internal::FunctorTraits<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>,base::internal::BindState<1,1,0,void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification>,void ()>::RunImpl(void(IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::`anonymous namespace'::ScopedUrgentMessageNotification) && functor, std::__Cr::tuple<scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification> && bound, std::__Cr::integer_sequence<unsigned long long,0,1,2>) Line 1059
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(1059)
chrome.dll!base::internal::Invoker<base::internal::FunctorTraits<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>,base::internal::BindState<1,1,0,void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 972
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(972)
[Inline Frame] chrome.dll!base::OnceCallback<void ()>::Run() Line 156
	at C:\b\s\w\ir\cache\builder\src\base\functional\callback.h(156)
[Inline Frame] chrome.dll!base::TaskAnnotator::RunTaskImpl(base::PendingTask & pending_task) Line 202
	at C:\b\s\w\ir\cache\builder\src\base\task\common\task_annotator.cc(202)
[Inline Frame] chrome.dll!base::TaskAnnotator::RunTask(perfetto::StaticString event_name, base::PendingTask & pending_task, base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl::<lambda_4> && args) Line 89
	at C:\b\s\w\ir\cache\builder\src\base\task\common\task_annotator.h(89)
[Inline Frame] chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow * continuation_lazy_now) Line 473
	at C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc(473)
chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() Line 338
	at C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc(338)
chrome.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate) Line 42
	at C:\b\s\w\ir\cache\builder\src\base\message_loop\message_pump_default.cc(42)
chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool application_tasks_allowed, base::TimeDelta timeout) Line 644
	at C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc(644)
chrome.dll!base::RunLoop::Run(const base::Location & location) Line 136
	at C:\b\s\w\ir\cache\builder\src\base\run_loop.cc(136)
chrome.dll!content::RendererMain(content::MainFunctionParams parameters) Line 375
	at C:\b\s\w\ir\cache\builder\src\content\renderer\renderer_main.cc(375)
chrome.dll!content::RunOtherNamedProcessTypeMain(const std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>> & process_type, content::MainFunctionParams main_function_params, content::ContentMainDelegate * delegate) Line 771
	at C:\b\s\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc(771)
chrome.dll!content::ContentMainRunnerImpl::Run() Line 1148
	at C:\b\s\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc(1148)
[Inline Frame] chrome.dll!content::RunContentProcess(content::ContentMainParams params, content::ContentMainRunner * content_main_runner) Line 335
	at C:\b\s\w\ir\cache\builder\src\content\app\content_main.cc(335)
chrome.dll!content::ContentMain(content::ContentMainParams params) Line 348
	at C:\b\s\w\ir\cache\builder\src\content\app\content_main.cc(348)
chrome.dll!ChromeMain(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sandbox_info, __int64 exe_entry_point_ticks) Line 194
	at C:\b\s\w\ir\cache\builder\src\chrome\app\chrome_main.cc(194)
[External Code]
```


## Call Stack (Minimal PoC, no transfer variant)

Tested on Chrome version 123.0.6312.10 release build, symbolized via Visual Studio debugger.

```text
00007FFCB503A340  int         3                ; RIP
00007FFCB503A341  ud2  

RAX = 000002780000C081 RBX = 0000000000000000 RCX = 00007FFCBA85872D RDX = 00007FFCBA85EB3D RSI = 000002780000C080 RDI = 000002780000C09F R8  = 0000000000000001 R9  = 0000000000000022 R10 = 0000000000000000 R11 = FFFFFFFFFFFFFFFF R12 = 000002780000C08C R13 = 000000000000000F R14 = 000000000000000C R15 = 000002780000C08F RIP = 00007FFCB503A340 RSP = 000000A9EE7FD988 RBP = 0000000000000000 EFL = 00000255 
```

```text
chrome.dll!content::ContentMainDelegate::TerminateForFatalInitializationError() Line 40
	at C:\b\s\w\ir\cache\builder\src\content\public\app\content_main_delegate.cc(40)
chrome.dll!std::__Cr::__insertion_sort_unguarded<std::__Cr::_ClassicAlgPolicy,std::__Cr::ranges::less,unsigned char *>(unsigned char * const __first, unsigned char * __last, std::__Cr::ranges::less __comp) Line 331
	at C:\b\s\w\ir\cache\builder\src\third_party\libc++\src\include\__algorithm\sort.h(331)
chrome.dll!std::__Cr::__introsort<std::__Cr::_ClassicAlgPolicy,std::__Cr::ranges::less,unsigned char *,0>(unsigned char * __first, unsigned char * __last, std::__Cr::ranges::less __depth, __int64 __leftmost, bool) Line 868
	at C:\b\s\w\ir\cache\builder\src\third_party\libc++\src\include\__algorithm\sort.h(868)
chrome.dll!std::__Cr::__introsort<std::__Cr::_ClassicAlgPolicy,std::__Cr::ranges::less,unsigned char *,0>(unsigned char * __first, unsigned char * __last, std::__Cr::ranges::less __depth, __int64 __leftmost, bool) Line 868
	at C:\b\s\w\ir\cache\builder\src\third_party\libc++\src\include\__algorithm\sort.h(868)
[Inline Frame] chrome.dll!v8::internal::__RT_impl_Runtime_TypedArraySortFast(v8::internal::Arguments<0> args, v8::internal::Isolate * isolate) Line 173
	at C:\b\s\w\ir\cache\builder\src\v8\src\runtime\runtime-typedarray.cc(173)
chrome.dll!v8::internal::Runtime_TypedArraySortFast(int args_length, unsigned __int64 * args_object, v8::internal::Isolate * isolate) Line 100
	at C:\b\s\w\ir\cache\builder\src\v8\src\runtime\runtime-typedarray.cc(100)
[External Code]
chrome.dll!v8::internal::`anonymous namespace'::Invoke(v8::internal::Isolate * isolate, const v8::internal::`anonymous namespace'::InvokeParams & params) Line 417
	at C:\b\s\w\ir\cache\builder\src\v8\src\execution\execution.cc(417)
[Inline Frame] chrome.dll!v8::internal::Execution::Call(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::Object> callable, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * argv) Line 504
	at C:\b\s\w\ir\cache\builder\src\v8\src\execution\execution.cc(504)
chrome.dll!v8::Function::Call(v8::Local<v8::Context> context, v8::Local<v8::Value> recv, int argc, v8::Local<v8::Value> * argv) Line 5516
	at C:\b\s\w\ir\cache\builder\src\v8\src\api\api.cc(5516)
chrome.dll!blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function> function, blink::ExecutionContext * context, v8::Local<v8::Value> receiver, int argc, v8::Local<v8::Value> * argv, v8::Isolate * isolate) Line 847
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\bindings\core\v8\v8_script_runner.cc(847)
[Inline Frame] chrome.dll!blink::bindings::CallbackInvokeHelper<blink::CallbackFunctionBase,0,0>::CallInternal(int argc, v8::Local<v8::Value> * argv) Line 152
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\bindings\core\v8\callback_invoke_helper.cc(152)
chrome.dll!blink::bindings::CallbackInvokeHelper<blink::CallbackFunctionBase,0,0>::Call(int argc, v8::Local<v8::Value> * argv) Line 173
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\bindings\core\v8\callback_invoke_helper.cc(173)
chrome.dll!blink::V8EventHandlerNonNull::InvokeWithoutRunnabilityCheck(blink::bindings::V8ValueOrScriptWrappableAdapter arg0_receiver, const blink::HeapVector<blink::ScriptValue,0> & arg1_args) Line 164
	at C:\b\s\w\ir\cache\builder\src\out\Release_x64\gen\third_party\blink\renderer\bindings\core\v8\v8_event_handler_non_null.cc(164)
chrome.dll!blink::JSEventHandler::InvokeInternal(blink::EventTarget & event_target, blink::Event & event, v8::Local<v8::Value> js_event) Line 133
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\bindings\core\v8\js_event_handler.cc(133)
[Inline Frame] chrome.dll!blink::JSBasedEventListener::Invoke(blink::ExecutionContext * execution_context_of_event_target, blink::Event * event) Line 158
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\bindings\core\v8\js_based_event_listener.cc(158)
[Inline Frame] chrome.dll!blink::EventTarget::FireEventListeners(blink::Event & event, blink::EventTargetData * d, blink::HeapVector<cppgc::internal::BasicMember<blink::RegisteredEventListener,cppgc::internal::StrongMemberTag,cppgc::internal::DijkstraWriteBarrierPolicy,cppgc::internal::DisabledCheckingPolicy,cppgc::internal::CompressedPointer>,1> entry) Line 1092
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\core\dom\events\event_target.cc(1092)
chrome.dll!blink::EventTarget::FireEventListeners(blink::Event & event) Line 1011
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\core\dom\events\event_target.cc(1011)
[Inline Frame] chrome.dll!blink::EventTarget::DispatchEventInternal(blink::Event & event) Line 906
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\core\dom\events\event_target.cc(906)
chrome.dll!blink::EventTarget::DispatchEvent(blink::Event & event) Line 899
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\core\dom\events\event_target.cc(899)
chrome.dll!blink::WorkerGlobalScope::ReceiveMessage(blink::BlinkTransferableMessage message) Line 577
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\core\workers\worker_global_scope.cc(577)
chrome.dll!blink::DedicatedWorkerObjectProxy::ProcessMessageFromWorkerObject(blink::BlinkTransferableMessage message, blink::WorkerThread * worker_thread) Line 75
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\core\workers\dedicated_worker_object_proxy.cc(75)
[Inline Frame] chrome.dll!base::internal::DecayedFunctorTraits<void (blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *),blink::DedicatedWorkerObjectProxy *,blink::BlinkTransferableMessage &&,blink::WorkerThread *>::Invoke(void(blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *) method, blink::DedicatedWorkerObjectProxy * && receiver_ptr, blink::BlinkTransferableMessage && args, blink::WorkerThread * && args) Line 752
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(752)
[Inline Frame] chrome.dll!base::internal::InvokeHelper<0,base::internal::FunctorTraits<void (blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *),blink::DedicatedWorkerObjectProxy *,blink::BlinkTransferableMessage &&,blink::WorkerThread *>,void,0,1,2>::MakeItSo(void(blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *) && functor, std::__Cr::tuple<WTF::CrossThreadUnretainedWrapper<blink::DedicatedWorkerObjectProxy>,blink::BlinkTransferableMessage,WTF::CrossThreadUnretainedWrapper<blink::WorkerThread>> && bound) Line 922
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(922)
[Inline Frame] chrome.dll!base::internal::Invoker<base::internal::FunctorTraits<void (blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *),blink::DedicatedWorkerObjectProxy *,blink::BlinkTransferableMessage &&,blink::WorkerThread *>,base::internal::BindState<1,1,0,void (blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *),WTF::CrossThreadUnretainedWrapper<blink::DedicatedWorkerObjectProxy>,blink::BlinkTransferableMessage,WTF::CrossThreadUnretainedWrapper<blink::WorkerThread>>,void ()>::RunImpl(void(blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *) && functor, std::__Cr::tuple<WTF::CrossThreadUnretainedWrapper<blink::DedicatedWorkerObjectProxy>,blink::BlinkTransferableMessage,WTF::CrossThreadUnretainedWrapper<blink::WorkerThread>> && bound, std::__Cr::integer_sequence<unsigned long long,0,1,2>) Line 1059
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(1059)
chrome.dll!base::internal::Invoker<base::internal::FunctorTraits<void (blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *),blink::DedicatedWorkerObjectProxy *,blink::BlinkTransferableMessage &&,blink::WorkerThread *>,base::internal::BindState<1,1,0,void (blink::DedicatedWorkerObjectProxy::*)(blink::BlinkTransferableMessage, blink::WorkerThread *),WTF::CrossThreadUnretainedWrapper<blink::DedicatedWorkerObjectProxy>,blink::BlinkTransferableMessage,WTF::CrossThreadUnretainedWrapper<blink::WorkerThread>>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 972
	at C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h(972)
[Inline Frame] chrome.dll!base::OnceCallback<void ()>::Run() Line 156
	at C:\b\s\w\ir\cache\builder\src\base\functional\callback.h(156)
[Inline Frame] chrome.dll!base::TaskAnnotator::RunTaskImpl(base::PendingTask & pending_task) Line 202
	at C:\b\s\w\ir\cache\builder\src\base\task\common\task_annotator.cc(202)
[Inline Frame] chrome.dll!base::TaskAnnotator::RunTask(perfetto::StaticString event_name, base::PendingTask & pending_task, base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl::<lambda_4> && args) Line 89
	at C:\b\s\w\ir\cache\builder\src\base\task\common\task_annotator.h(89)
[Inline Frame] chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow * continuation_lazy_now) Line 473
	at C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc(473)
chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() Line 338
	at C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc(338)
chrome.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate) Line 42
	at C:\b\s\w\ir\cache\builder\src\base\message_loop\message_pump_default.cc(42)
chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool application_tasks_allowed, base::TimeDelta timeout) Line 644
	at C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc(644)
chrome.dll!base::RunLoop::Run(const base::Location & location) Line 136
	at C:\b\s\w\ir\cache\builder\src\base\run_loop.cc(136)
chrome.dll!blink::scheduler::NonMainThreadImpl::SimpleThreadImpl::Run() Line 183
	at C:\b\s\w\ir\cache\builder\src\third_party\blink\renderer\platform\scheduler\worker\non_main_thread_impl.cc(183)
chrome.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 133
	at C:\b\s\w\ir\cache\builder\src\base\threading\platform_thread_win.cc(133)
[External Code]
```