April 16, 2020

GHSL-2020-041: Use After Free in Chrome WebAudio

Man Yue Mo

Summary

UaF in DeferredTaskHandler::ProcessAutomaticPullNodes

Product

Chrome

CVE

CVE-2020-6451

Tested Version

Chrome version: master branch build 79956ba, asan build 80.3987.132 Operating System: Ubuntu 18.04

Details

This vulnerability can be triggered on both the master branch and on 80.0.3987.132, however, the removal of the tear_down_mutex_ affects the way it is triggered. The issue itself is not so much to do with the tear_down_mutex_, but rather a race condition between accesses to the rendering_automatic_pull_handlers_ of DeferredTaskHandler.

The root cause of the problem is that, in the DeferredTaskHandler::ProcessAutomaticPullNodes method, rendering_automatic_pull_handlers_ is accessed without an appropriate lock[1]. This method is called in OfflineAudioDestinationHandler::RenderIfNotSuspended and the behaviour differs between the master branch and 80.0.3987.132.

On the master branch, because tear_down_mutex_ is removed, this call is not protected by any lock at all[2] and it is running on the audio thread. As rendering_automatic_pull_handlers_ gets cleared in ClearHandlersToBeDeleted[3], which is running on the main thread, this can cause UaF if ClearHandlersToBeDeleted clears the AudioHandler in rendering_automatic_pull_handlers_ while ProcessAutomaticPullNodes is being accessed.

On 80.0.3987.132, ProcessAutomaticPullNodes is called within the scope of tear_down_mutex_[4]:

  {
    MutexTryLocker try_locker(Context()->GetTearDownMutex());
    if (try_locker.Locked()) {
      ...
    }
    ...
    Context()->GetDeferredTaskHandler().ProcessAutomaticPullNodes(
        number_of_frames);
  }

However, the function is called even if try_locker.Locked failed. This means that if BaseAudioContext::Uninitialize had already obtained the tear_down_mutex_ at this point[5], ProcessAutomaticPullNodes will still be called without any protection from the tear_down_mutex_. This again can lead to a race condition where ClearHandlersToBeDeleted destroys the handler while ProcessAutomaticPullNodes is accessing it and causes UaF.

Impact

Use-after-free in renderer.

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-041 in any communication regarding this issue.