Coordinated Disclosure Timeline
- 07/10/2020 Reported as Chromium Issue 1136078
- 17/11/2020 Issue fixed in the release of version 87.
Summary
UaF in PaymentCredential::DidDownloadFavicon
Product
Chrome
Tested Version
Tested on master branch commit 775b30d and also 86.0.4240.75 on Ubuntu 18.04.2 LTS.
Details
In the PaymentCredential::DidDownloadFavicon function, the this pointer is passed into AddSecurePaymentConfirmationInstrument [1]. This is then passed to a callback as a raw pointer (consumer) [2]. As PaymentCredential is re-created every time PaymentRequestWebContentsManager::CreatePaymentCredential is called [3], a compromised renderer can create multiple PaymentCredential bindings to destroy PaymentCredential on the browser side. If the destruction of PaymentCredential happens while it is waiting inside the callback in [2], a use-after-free will happen when the callback is executed.
- [1] https://source.chromium.org/chromium/chromium/src/+/a5ae714863136d65c56547f8f733bc1a7a1ea089:components/payments/content/payment_credential.cc;l=105
- [2] https://source.chromium.org/chromium/chromium/src/+/a5ae714863136d65c56547f8f733bc1a7a1ea089:components/payments/content/payment_manifest_web_data_service.cc;l=124;drc=5cf19d56421cf1c08f91d1bcdf919268275fd8d6
- [3] https://source.chromium.org/chromium/chromium/src/+/a5ae714863136d65c56547f8f733bc1a7a1ea089:components/payments/content/payment_credential.cc;l=105
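To illustrate the lifetime problem described above, the following C++ sketch is an added example and not Chromium code: it uses std::weak_ptr as a simplified stand-in for a weak-reference pattern, and the names Consumer, Task, MakeRawPointerTask, MakeWeakTask and RunScenario are hypothetical. It places the raw-pointer capture beside a form that re-validates its target when the deferred callback finally runs.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-in for the browser-side object whose lifetime is tied
// to a renderer-controlled binding (model only, not Chromium code).
class Consumer {
 public:
  void OnResult() { ++results_; }
  int results() const { return results_; }
 private:
  int results_ = 0;
};

using Task = std::function<void()>;  // deferred favicon-download completion

// Vulnerable shape: a raw pointer is captured. If the object is destroyed
// while the task is pending, running it touches freed memory. Shown for
// comparison only; it is never executed here.
Task MakeRawPointerTask(Consumer* consumer) {
  return [consumer] { consumer->OnResult(); };
}

// Hardened shape: capture a weak reference and re-validate it when the task
// runs, so a destroyed consumer turns the callback into a no-op.
Task MakeWeakTask(std::weak_ptr<Consumer> weak, bool* delivered) {
  return [weak, delivered] {
    auto strong = weak.lock();
    *delivered = static_cast<bool>(strong);
    if (strong) strong->OnResult();
  };
}

// Runs the deferred callback either after the consumer has been destroyed
// (the race in the advisory) or while it is still alive. Returns whether the
// result was delivered; with the weak capture, destruction means "skipped".
bool RunScenario(bool destroy_before_callback) {
  bool delivered = false;
  std::vector<Task> queue;
  auto consumer = std::make_shared<Consumer>();
  queue.push_back(MakeWeakTask(consumer, &delivered));
  if (destroy_before_callback) consumer.reset();  // binding torn down early
  for (auto& task : queue) task();
  return delivered;
}
```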
CVE
CVE-2020-16018
Impact
Use-after-free in browser that requires a compromised renderer, which could result in a sandbox escape.
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-166 in any communication regarding this issue.