skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
March 8, 2021

GHSL-2020-165: Use-after-free (UaF) in Chrome PaymentAppServiceBridge - CVE-2020-16045

Man Yue Mo

Coordinated Disclosure Timeline

Summary

UaF in PaymentAppServiceBridge

Product

Chrome

Tested Version

Pixel 3a XL emulator on Android 10 with master branch commit dc7770f

Details

The PaymentAppServiceBridge stores a raw pointer to the RenderFrameHostImpl that is used to create the corresponding PaymentRequest in javascript [1].

This pointer is then used in a number of places, for example, it is used to create an InternalAuthenticator [2], in which the render_frame_host_ is also passed to the InternalAuthenticator as a raw pointer. When InternalAuthenticator is destroyed, it also makes a virtual function call on this raw render_frame_host_ [3].

As the lifespan of the InternalAuthenticator that holds this raw RenderFrameHost is tied to a callback [4], which eventually ended up in a callback queue in the Java code [5], by creating a large amount of paymentRequest in an iframe in javascript and then destroy the frame while these callbacks are still waiting in a queue, it is possible to cause a UaF.

  1. https://source.chromium.org/chromium/chromium/src/+/69e8eedea08044b770bc6661ff805b804eda6465:chrome/browser/payments/android/payment_app_service_bridge.cc;l=201;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2?originalUrl=%2F
  2. https://source.chromium.org/chromium/chromium/src/+/69e8eedea08044b770bc6661ff805b804eda6465:chrome/browser/payments/android/payment_app_service_bridge.cc;l=252;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2;bpv=1;bpt=1?originalUrl=%2F
  3. https://source.chromium.org/chromium/chromium/src/+/69e8eedea08044b770bc6661ff805b804eda6465:chrome/browser/autofill/android/internal_authenticator_android.cc;l=42;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2;bpv=1;bpt=1?originalUrl=%2F
  4. https://source.chromium.org/chromium/chromium/src/+/69e8eedea08044b770bc6661ff805b804eda6465:components/payments/content/secure_payment_confirmation_app_factory.cc;l=135;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2;bpv=1;bpt=1?originalUrl=%2F
  5. https://source.chromium.org/chromium/chromium/src/+/master:chrome/android/java/src/org/chromium/chrome/browser/webauth/AuthenticatorImpl.java;l=186;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2;bpv=1;bpt=1?originalUrl=%2F

CVE

Impact

Use-after-free in browser that requires a compromised renderer, which could result in a sandbox escape. The bug discovered originally only affected beta version of Chrome, although further investigation discovered other crashes that affected stable, which are most likely to be null pointer dereferences.

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-165 in any communication regarding this issue.