Summary
UaP in IIRFilterHandler::Process
Product
Chrome
CVE
CVE-2020-6427
Tested Version
Chrome version: master branch build 8f57323, release build. Operating System: Ubuntu 18.04
Details
In the IIRFilterHandler::Process method, if a non-finite (infinite or NaN) output is encountered, a call to IIRFilterHandler::NotifyBadState is posted to the main thread [1]:
```cpp
if (HasNonFiniteOutput()) {
  did_warn_bad_filter_state_ = true;
  PostCrossThreadTask(*task_runner_, FROM_HERE,
                      CrossThreadBindOnce(&IIRFilterHandler::NotifyBadState,
                                          WrapRefCounted(this)));
}
```
The method IIRFilterHandler::NotifyBadState first checks Context() and then calls Context()->GetExecutionContext() [2]:
```cpp
void IIRFilterHandler::NotifyBadState() const {
  DCHECK(IsMainThread());
  if (!Context() || !Context()->GetExecutionContext())
    return;
```
However, because the context is held as an UntracedMember [3], it is not kept alive by the handler and can be garbage-collected while the NotifyBadState task is still waiting in the main-thread queue. When the task eventually runs, NotifyBadState dereferences the freed context, which causes a use-after-poison (UaP) and subsequently a use-after-free (UaF).
The BiquadFilterHandler contains an identical routine, so it is probably vulnerable to the same issue [4].
- [1] https://source.chromium.org/chromium/chromium/src/+/b4c8e1370db91786c807e01ca6d56a88b4054070:third_party/blink/renderer/modules/webaudio/iir_filter_node.cc;l=108;bpv=1;bpt=1?originalUrl=https:%2F%2Fcs.chromium.org%2F
- [2] https://source.chromium.org/chromium/chromium/src/+/b4c8e1370db91786c807e01ca6d56a88b4054070:third_party/blink/renderer/modules/webaudio/iir_filter_node.cc;l=117;bpv=1;bpt=1?originalUrl=https:%2F%2Fcs.chromium.org%2F
- [3] https://source.chromium.org/chromium/chromium/src/+/b4c8e1370db91786c807e01ca6d56a88b4054070:third_party/blink/renderer/modules/webaudio/audio_node.h;drc=5cc67ce9c0e922a742dc0064ad38c4f8f9668aa9;bpv=1;bpt=1;l=291?originalUrl=https:%2F%2Fcs.chromium.org%2F
- [4] https://source.chromium.org/chromium/chromium/src/+/b4c8e1370db91786c807e01ca6d56a88b4054070:third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc;l=88;bpv=1;bpt=1?originalUrl=https:%2F%2Fcs.chromium.org%2F
Impact
Use-after-free in renderer.
Coordinated Disclosure Timeline
- 25/02/2020 Reported as Chromium Issue 1055788
- 18/03/2020 Fixed in version 80.0.3987.149
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com. Please include GHSL-2020-035 in any communication regarding this issue.