There's very little that GPUs can do that CPUs can't do so far as exploitation is concerned. The GPU driver runs in a sandboxed userland process just like the browser engine does, and the GPU respects process isolation just like the CPU does. There is no “bare metal” here!

Now, sure, there must be plenty of memory-safety issues in GPU drivers, but why find an exploit in a driver only some users have installed, when you can find an exploit in the browser everyone has installed? The GPU driver exploit doesn't give you higher privileges.

The main difference is that it's a lot easier to crash GPU drivers (e.g. with a 100% busy loop) or slow down UI rendering. There are shader verifiers to avoid some of this.

The driver runs in ring 0, and talks over the PCI bus to some black box that is running random source code your web browser just compiled...