Coordinated Disclosure Timeline

Summary

UaF in PaymentAppServiceBridge

Product

Chrome

Tested Version

Pixel 3a XL emulator on Android 10 with master branch commit dc7770f

Details

The PaymentAppServiceBridge stores a raw pointer to the RenderFrameHostImpl that was used to create the corresponding PaymentRequest in JavaScript [1].

This pointer is then used in a number of places; for example, it is used to create an InternalAuthenticator [2], and render_frame_host_ is passed to the InternalAuthenticator as a raw pointer as well. When the InternalAuthenticator is destroyed, it makes a virtual function call on this raw render_frame_host_ [3].

The lifespan of the InternalAuthenticator that holds this raw RenderFrameHost is tied to a callback [4], which eventually ends up in a callback queue in the Java code [5]. By creating a large number of PaymentRequest objects in an iframe in JavaScript and then destroying the frame while these callbacks are still waiting in the queue, it is possible to cause a UaF.

  1. https://source.chromium.org/chromium/chromium/src/+/69e8eedea08044b770bc6661ff805b804eda6465:chrome/browser/payments/android/payment_app_service_bridge.cc;l=201;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2?originalUrl=%2F
  2. https://source.chromium.org/chromium/chromium/src/+/69e8eedea08044b770bc6661ff805b804eda6465:chrome/browser/payments/android/payment_app_service_bridge.cc;l=252;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2;bpv=1;bpt=1?originalUrl=%2F
  3. https://source.chromium.org/chromium/chromium/src/+/69e8eedea08044b770bc6661ff805b804eda6465:chrome/browser/autofill/android/internal_authenticator_android.cc;l=42;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2;bpv=1;bpt=1?originalUrl=%2F
  4. https://source.chromium.org/chromium/chromium/src/+/69e8eedea08044b770bc6661ff805b804eda6465:components/payments/content/secure_payment_confirmation_app_factory.cc;l=135;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2;bpv=1;bpt=1?originalUrl=%2F
  5. https://source.chromium.org/chromium/chromium/src/+/master:chrome/android/java/src/org/chromium/chrome/browser/webauth/AuthenticatorImpl.java;l=186;drc=bb9e95d636a6fffa1f5300fb4fbbf3fba2ce3df2;bpv=1;bpt=1?originalUrl=%2F
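The lifetime hazard described above, reduced to its essentials, as an added example that is not Chromium code and not part of the original advisory: a deferred task holds a reference to a frame object, and the frame can be destroyed while the task is still queued. The FrameHost, task and queue types below are hypothetical stand-ins; std::weak_ptr plays the role of a weak handle (Chromium's own code uses base::WeakPtr or an observer for this purpose). The unsafe shape is shown only as a struct definition, since dereferencing a dangling pointer is undefined behaviour; the hardened drain loop re-validates liveness before every use and counts the tasks it had to skip.

```cpp
#include <cstdio>
#include <memory>
#include <queue>

// Hypothetical stand-in for a browser-side frame host object (not Chromium's RenderFrameHostImpl).
// It has a virtual method so the hazard mirrors the advisory: a virtual call through a freed
// object reads its vtable pointer from freed memory.
class FrameHost {
 public:
  explicit FrameHost(int id) : id_(id) {}
  virtual ~FrameHost() = default;
  virtual int id() const { return id_; }

 private:
  int id_;
};

// Unsafe shape: the queued task keeps a raw pointer whose owner may be gone by the time
// the task runs. Nothing in the task can tell whether the pointer is still valid.
struct RawPointerTask {
  FrameHost* frame;  // dangling once the frame is destroyed
};

// Hardened shape: the queued task keeps a weak handle and must re-validate it at run time.
struct WeakPointerTask {
  std::weak_ptr<FrameHost> frame;
};

struct RunStats {
  int completed = 0;  // tasks that found the frame alive
  int skipped = 0;    // tasks whose frame was destroyed while they waited
};

// Drains the queue. Each task upgrades its weak handle before touching the frame; the
// resulting shared_ptr keeps the object alive for the duration of the call.
RunStats DrainWeakQueue(std::queue<WeakPointerTask>& q) {
  RunStats stats;
  while (!q.empty()) {
    WeakPointerTask task = std::move(q.front());
    q.pop();
    if (std::shared_ptr<FrameHost> frame = task.frame.lock()) {
      (void)frame->id();  // safe: strong reference held for this call
      ++stats.completed;
    } else {
      ++stats.skipped;  // owner already destroyed; do not dereference
    }
  }
  return stats;
}

// Simulates the reported sequence: many tasks queued against one frame, then the frame is
// torn down before the queue is drained. With destroy_frame_before_drain == false the
// frame outlives the queue and every task completes.
RunStats SimulateFrameTeardown(int queued_tasks, bool destroy_frame_before_drain) {
  std::shared_ptr<FrameHost> frame = std::make_shared<FrameHost>(1);
  std::queue<WeakPointerTask> q;
  for (int i = 0; i < queued_tasks; ++i) {
    q.push(WeakPointerTask{frame});  // weak_ptr constructed from the shared_ptr
  }
  if (destroy_frame_before_drain) {
    frame.reset();  // last strong reference dropped; every queued weak_ptr is now expired
  }
  return DrainWeakQueue(q);
}

int main() {
  RunStats s = SimulateFrameTeardown(1000, true);
  std::printf("completed=%d skipped=%d\n", s.completed, s.skipped);
  return 0;
}
```

The defensive point is the shape of DrainWeakQueue: the check and the use are inseparable, because the upgraded handle is what keeps the object alive for the call. A separate "is the frame alive" flag consulted before a raw dereference would not give the same guarantee if the frame could be destroyed between the check and the use.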

CVE

Impact

Use-after-free in the browser, requiring a compromised renderer, which could result in a sandbox escape. The bug as originally discovered only affected the beta version of Chrome, although further investigation found other crashes affecting stable, which are most likely null pointer dereferences.

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-165 in any communication regarding this issue.