Coordinated Disclosure Timeline
- 2020-09-11 Reported as Chromium Issue 1127322
- 2020-10-06 Fixed in version 86.0.4240.75
Summary
UaF in ServiceWorkerPaymentApp
Product
Chrome
CVE
CVE-2020-15967
Tested Version
Tested on a Pixel 3a emulator running Android 10 with Chromium 85.0.4183.102
Details
The PaymentAppServiceBridge stores a raw PaymentRequestSpec pointer in the field spec_ [1]. This spec_ is owned by PaymentRequestImpl [2] and is destroyed in the closeUIAndDestroyNativeObjects method of PaymentRequestImpl [3]. That method can run on a mojo connection error, so a compromised renderer controls the lifetime of spec_: by resetting the payment request mojo client it can free spec_ while the browser process is still using it. For example, in CreatePaymentApps, spec_ is passed to ServiceWorkerPaymentApp [4], which is owned by ServiceWorkerPaymentAppFactory and is not bound to the lifetime of PaymentRequest. Any use of the raw spec_ in ServiceWorkerPaymentApp after the renderer has caused PaymentRequest to be destroyed is therefore a use-after-free. The attached example triggers the use that occurs in CreateCanMakePaymentEventData [5].
- https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:chrome/browser/payments/android/payment_app_service_bridge.h;l=110;bpv=1;bpt=1?originalUrl=%2F
- https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java;l=180;bpv=1;bpt=1?q=PaymentRequestImpl&ss=chromium%2Fchromium%2Fsrc&originalUrl=%2F
- https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java;l=1844;bpv=1;bpt=1?originalUrl=%2F
- https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:components/payments/content/service_worker_payment_app_factory.cc;l=77;drc=c741e070dbfcc33b2369e7a5131be87c7b21bb99;bpv=1;bpt=1?originalUrl=%2F
- https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:components/payments/content/service_worker_payment_app.cc;l=144;drc=c741e070dbfcc33b2369e7a5131be87c7b21bb99;bpv=1;bpt=1?originalUrl=%2F
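The lifetime problem described above, reduced to a small self-contained C++ model. This is an added illustration, not Chromium code and not the fix that shipped in 86.0.4240.75: the class names (Spec, TrackedSpec, PaymentRequest, RawPtrServiceWorkerApp, WeakPtrServiceWorkerApp), the sample method name and the live-object registry are all constructed for the example. PaymentRequest plays the role of PaymentRequestImpl, which owns the spec and drops it on a renderer-controlled connection error; RawPtrServiceWorkerApp mirrors the vulnerable pattern (a raw pointer whose owner it does not control), and WeakPtrServiceWorkerApp shows one hardening, a weak reference that is checked before every use. The registry exists only so the demo can report that the raw pointer is dangling without actually dereferencing freed memory, which is what ASan does for a real Chromium build.

```cpp
#include <memory>
#include <set>
#include <string>
#include <utility>

// Constructed stand-in for PaymentRequestSpec (not Chromium's class).
struct Spec {
  std::string method_name = "https://localhost:8000/pay";  // constructed sample data
};

// Registry of live Spec addresses. It lets the demo detect that a raw pointer
// is dangling without dereferencing freed memory (undefined behaviour); in a
// real build ASan plays this role.
static std::set<const Spec*>& LiveSpecs() {
  static std::set<const Spec*> live;
  return live;
}

struct TrackedSpec : Spec {
  TrackedSpec() { LiveSpecs().insert(this); }
  ~TrackedSpec() { LiveSpecs().erase(this); }
};

// Stand-in for PaymentRequestImpl: owns the spec and tears it down when the
// renderer drops its mojo connection (the closeUIAndDestroyNativeObjects path).
class PaymentRequest {
 public:
  PaymentRequest() : spec_(std::make_shared<TrackedSpec>()) {}
  Spec* RawSpec() const { return spec_.get(); }           // what the bridge stored
  std::weak_ptr<Spec> WeakSpec() const { return spec_; }  // hardened alternative
  void OnConnectionError() { spec_.reset(); }             // renderer-controlled teardown
 private:
  std::shared_ptr<Spec> spec_;
};

// Vulnerable pattern: holds a raw Spec* whose owner it does not control.
class RawPtrServiceWorkerApp {
 public:
  explicit RawPtrServiceWorkerApp(Spec* spec) : spec_(spec) {}
  // Returns false when spec_ no longer points at a live Spec, i.e. when the
  // dereference performed here would be a use-after-free.
  bool CanMakePaymentEventData(std::string* out) const {
    if (LiveSpecs().count(spec_) == 0) return false;  // detection only, not a fix
    *out = spec_->method_name;
    return true;
  }
 private:
  Spec* spec_;
};

// Hardened pattern: a weak reference that is checked before every use.
class WeakPtrServiceWorkerApp {
 public:
  explicit WeakPtrServiceWorkerApp(std::weak_ptr<Spec> spec) : spec_(std::move(spec)) {}
  bool CanMakePaymentEventData(std::string* out) const {
    std::shared_ptr<Spec> spec = spec_.lock();
    if (!spec) return false;  // owner already gone: refuse the use, touch no freed memory
    *out = spec->method_name;
    return true;
  }
 private:
  std::weak_ptr<Spec> spec_;
};

// Sequence from the advisory: app created with the spec, renderer resets the
// mojo client, app then uses the spec. Returns true if the raw-pointer app
// would have dereferenced freed memory on the second use.
bool RawPtrAppDanglesAfterConnectionError() {
  PaymentRequest request;
  RawPtrServiceWorkerApp app(request.RawSpec());
  std::string data;
  bool ok_before = app.CanMakePaymentEventData(&data);
  request.OnConnectionError();
  bool ok_after = app.CanMakePaymentEventData(&data);  // caught only by the registry
  return ok_before && !ok_after;
}

// Same sequence with the weak reference: the second use is refused by the
// app itself, and the data from the first use is intact.
bool WeakPtrAppRefusesUseAfterConnectionError() {
  PaymentRequest request;
  WeakPtrServiceWorkerApp app(request.WeakSpec());
  std::string data;
  bool ok_before = app.CanMakePaymentEventData(&data);
  request.OnConnectionError();
  bool ok_after = app.CanMakePaymentEventData(&data);
  return ok_before && !ok_after && data == "https://localhost:8000/pay";
}
```

The point of the two scenario functions is where the "false" comes from: in the raw-pointer version only the external registry (or ASan) notices the dangling pointer, whereas in the weak-reference version the app refuses the use on its own, which is the property a fix for this bug class has to provide.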
Reproduction case
Serve the files payment_app.html, payment-manifest.json, manifest.json and sw_payments.js on localhost:8000 (they can probably be served on another host and port, but http://localhost:8000 is hardcoded in the files and needs changing if served elsewhere) and open payment_app.html with the patched version of Chrome. If successful, it should crash the Chrome browser process and produce a stack trace in logcat like the attached one.
Impact
Use-after-free in the browser process. Can be reached directly from a malicious website, without a user gesture.
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-164 in any communication regarding this issue.