Summary
UaF in DeferredTaskHandler::ProcessAutomaticPullNodes
Product
Chrome
CVE
CVE-2020-6451
Tested Version
Chrome version: master branch build 79956ba, ASan build 80.0.3987.132
Operating System: Ubuntu 18.04
Details
This vulnerability can be triggered both on the master branch and on 80.0.3987.132; however, the removal of tear_down_mutex_ affects the way it is triggered. The issue itself is not so much to do with tear_down_mutex_ but rather a race condition between accesses to the rendering_automatic_pull_handlers_ of DeferredTaskHandler.
The root cause of the problem is that, in the DeferredTaskHandler::ProcessAutomaticPullNodes method, rendering_automatic_pull_handlers_ is accessed without an appropriate lock [1]. This method is called from OfflineAudioDestinationHandler::RenderIfNotSuspended, and the behaviour differs between the master branch and 80.0.3987.132.
On the master branch, because tear_down_mutex_ has been removed, this call is not protected by any lock at all [2], and it runs on the audio thread. Since rendering_automatic_pull_handlers_ is cleared in ClearHandlersToBeDeleted [3], which runs on the main thread, this can cause a UaF if ClearHandlersToBeDeleted clears the AudioHandler in rendering_automatic_pull_handlers_ while ProcessAutomaticPullNodes is still accessing it.
On 80.0.3987.132, ProcessAutomaticPullNodes is called within the scope of tear_down_mutex_ [4]:

  {
    MutexTryLocker try_locker(Context()->GetTearDownMutex());
    if (try_locker.Locked()) {
      ...
    }
    ...
    Context()->GetDeferredTaskHandler().ProcessAutomaticPullNodes(
        number_of_frames);
  }
However, the function is called even if try_locker.Locked() returned false. This means that if BaseAudioContext::Uninitialize has already obtained tear_down_mutex_ at this point [5], ProcessAutomaticPullNodes is still called without any protection from tear_down_mutex_. This again leads to a race condition in which ClearHandlersToBeDeleted destroys the handler while ProcessAutomaticPullNodes is accessing it, causing a UaF.
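The following is an added example, not code from the advisory or from Chromium, that models the two points above in a self-contained way: the try-lock whose result only guards the body of the if while the handler-list walk is reached regardless, and a hardened variant in which the list is only iterated under a lock that the clearing side also takes. The types (Context, AudioHandler, RenderResult), the dedicated pull_handlers_lock and the deterministic probe RenderWhileTearDownMutexHeld are hypothetical stand-ins that borrow the advisory's identifiers; the hardened variant illustrates the root cause stated above (list accessed without an appropriate lock) and is not the upstream fix.

```cpp
#include <cstddef>
#include <future>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Added example, not Chromium code: hypothetical stand-ins that keep the
// advisory's names but none of Blink's real structure.
struct AudioHandler {
  int frames_processed = 0;
  void Process(int frames) { frames_processed += frames; }
};

struct Context {
  std::mutex tear_down_mutex;     // tear_down_mutex_, taken by BaseAudioContext::Uninitialize
  std::mutex pull_handlers_lock;  // assumed: lock dedicated to the handler list (hardened path only)
  std::vector<std::shared_ptr<AudioHandler>> rendering_automatic_pull_handlers;
};

struct RenderResult {
  bool try_lock_succeeded;     // did the MutexTryLocker equivalent obtain tear_down_mutex?
  bool list_touched_unlocked;  // was the list walked with nothing serialising it against clearing?
};

// Same control flow as the 80.0.3987.132 snippet: the try-lock only guards the
// body of the if; the call that walks the handler list is reached either way.
RenderResult RenderIfNotSuspendedVulnerable(Context& ctx, int frames) {
  std::unique_lock<std::mutex> try_locker(ctx.tear_down_mutex, std::try_to_lock);
  const bool locked = try_locker.owns_lock();
  if (locked) {
    // ... rendering work that really is protected by tear_down_mutex ...
  }
  // Bug: runs on the audio thread even when locked == false, i.e. while the
  // main thread is inside Uninitialize() and may be clearing the list.
  for (auto& handler : ctx.rendering_automatic_pull_handlers) handler->Process(frames);
  return {locked, !locked};
}

// Hardened (illustration, not the upstream fix): walk the list only under a
// lock that the clearing side also takes, so the vector cannot be emptied and
// its handlers destroyed mid-iteration, whatever happened to the try-lock.
RenderResult RenderIfNotSuspendedHardened(Context& ctx, int frames) {
  std::unique_lock<std::mutex> try_locker(ctx.tear_down_mutex, std::try_to_lock);
  const bool locked = try_locker.owns_lock();
  if (locked) {
    // ... protected work ...
  }
  {
    std::lock_guard<std::mutex> list_lock(ctx.pull_handlers_lock);
    for (auto& handler : ctx.rendering_automatic_pull_handlers) handler->Process(frames);
  }
  return {locked, false};
}

// Main-thread side of the hardened model: detach the handlers under the list
// lock and release them afterwards. Returns how many handlers were released.
std::size_t ClearHandlersToBeDeleted(Context& ctx) {
  std::vector<std::shared_ptr<AudioHandler>> doomed;
  {
    std::lock_guard<std::mutex> list_lock(ctx.pull_handlers_lock);
    doomed.swap(ctx.rendering_automatic_pull_handlers);
  }
  return doomed.size();  // handlers destroyed here, with no reader inside the loop
}

// Deterministic probe: call `render` on this thread while a helper thread holds
// tear_down_mutex, which is the state Uninitialize() puts the context in.
template <typename RenderFn>
RenderResult RenderWhileTearDownMutexHeld(Context& ctx, RenderFn render) {
  std::promise<void> held, done;
  std::future<void> held_future = held.get_future();
  std::future<void> done_future = done.get_future();
  std::thread main_thread([&] {
    std::lock_guard<std::mutex> lock(ctx.tear_down_mutex);
    held.set_value();
    done_future.wait();  // keep the mutex held until the render call has returned
  });
  held_future.wait();
  RenderResult result = render(ctx, 128);
  done.set_value();
  main_thread.join();
  return result;
}
```

With tear_down_mutex held by the helper thread, the vulnerable variant reports that the try-lock failed and that it still walked the handler list; the hardened variant reports the same failed try-lock but never touches the list outside pull_handlers_lock, and ClearHandlersToBeDeleted cannot run its swap while that walk is in progress.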
Impact
Use-after-free in renderer.
Coordinated Disclosure Timeline
- 12/03/2020 Reported as Chromium Issue 1061018
- 31/03/2020 Fixed in 80.0.3987.162
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-041 in any communication regarding this issue.