skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
March 8, 2021

GHSL-2020-166: Use-after-free (UaF) in Chrome PaymentCredential - CVE-2020-16018

Man Yue Mo

Coordinated Disclosure Timeline

Summary

UaF in PaymentCredential::DidDownloadFavicon

Product

Chrome

Tested Version

Tested on master branch commit 775b30d and also 86.0.4240.75 on Ubuntu 18.04.2 LTS.

Details

In the PaymentCredential::DidDownloadFavicon function, the this pointer is passed into AddSecurePaymentConfirmationInstrument [1]. This is then passed to a callback as a raw pointer (consumer). As PaymentCredential is re-created every time PaymentRequestWebContentsManager::CreatePaymentCredential is called [3], a compromised renderer can create multiple PaymentCredential bindings to destroy PaymentCredential on the browser side. If the destruction of PaymentCredential happens while it is waiting inside the callback in [2], a use after free will happen when the callback is executed.

  1. https://source.chromium.org/chromium/chromium/src/+/a5ae714863136d65c56547f8f733bc1a7a1ea089:components/payments/content/payment_credential.cc;l=105
  2. https://source.chromium.org/chromium/chromium/src/+/a5ae714863136d65c56547f8f733bc1a7a1ea089:components/payments/content/payment_manifest_web_data_service.cc;l=124;drc=5cf19d56421cf1c08f91d1bcdf919268275fd8d6
  3. https://source.chromium.org/chromium/chromium/src/+/a5ae714863136d65c56547f8f733bc1a7a1ea089:components/payments/content/payment_credential.cc;l=105

CVE

= CVE-2020-16018

Impact

Use-after-free in browser that requires a compromised renderer, which could result in a sandbox escape.

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-166 in any communication regarding this issue.