skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
April 16, 2020

GHSL-2020-035: Use after free in Chrome WebAudio

Man Yue Mo

Summary

UaP in IIRFilterHandler::Process

Product

Chrome

CVE

CVE-2020-6427

Tested Version

Chrome version: master branch build 8f57323, release build. Operating System: Ubuntu 18.04

Details

In the IIRFilterHandler::Process method, if an infinite output is encountered, the method IIRFilterHandler::NotifyBadState method will be posted to the main thread[1]:

    if (HasNonFiniteOutput()) {
      did_warn_bad_filter_state_ = true;

      PostCrossThreadTask(*task_runner_, FROM_HERE,
                          CrossThreadBindOnce(&IIRFilterHandler::NotifyBadState,
                                              WrapRefCounted(this)));
    }

The method IIRFilterHandler::NotifyBadState first checks for Context and then call Context()->GetExecutionContext()[2].

void IIRFilterHandler::NotifyBadState() const {
  DCHECK(IsMainThread());
  if (!Context() || !Context()->GetExecutionContext())
    return;

However, as Context is an UntracedMember[3], it is possible to remove it while the IIRFilterHandler::NotifyBadState method is waiting in the main queue. This then causes UaP and subsequently UaF in NotifyBadState.

The BiquadFilterHandler also has an identical routine, so it probably is also vulnerable to this issue [4].

  1. https://source.chromium.org/chromium/chromium/src/+/b4c8e1370db91786c807e01ca6d56a88b4054070:third_party/blink/renderer/modules/webaudio/iir_filter_node.cc;l=108;bpv=1;bpt=1?originalUrl=https:%2F%2Fcs.chromium.org%2F

  2. https://source.chromium.org/chromium/chromium/src/+/b4c8e1370db91786c807e01ca6d56a88b4054070:third_party/blink/renderer/modules/webaudio/iir_filter_node.cc;l=117;bpv=1;bpt=1?originalUrl=https:%2F%2Fcs.chromium.org%2F

  3. https://source.chromium.org/chromium/chromium/src/+/b4c8e1370db91786c807e01ca6d56a88b4054070:third_party/blink/renderer/modules/webaudio/audio_node.h;drc=5cc67ce9c0e922a742dc0064ad38c4f8f9668aa9;bpv=1;bpt=1;l=291?originalUrl=https:%2F%2Fcs.chromium.org%2F

  4. https://source.chromium.org/chromium/chromium/src/+/b4c8e1370db91786c807e01ca6d56a88b4054070:third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc;l=88;bpv=1;bpt=1?originalUrl=https:%2F%2Fcs.chromium.org%2F

Impact

Use-after-free in renderer.

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-035 in any communication regarding this issue.