Coordinated Disclosure Timeline
- 07/09/2020 Reported as Chromium Issue 1125635
- 07/09/2020 Was told that it was a duplicate of issue 1115901.
- 11/09/2020 Developers deduplicated due to differences with 1115901.
- 29/09/2020 Was told it was a duplicate after all.
- 14/10/2020 Issue fixed in release 86.0.4240.75 as CVE-2020-15972 by an anonymous researcher.
- 03/11/2020 Fix of the issue caused a deadlock in some circumstances and the patch was reverted, as the developers could no longer reproduce the issue.
- 16/11/2020 Tested that the issue still reproduced after the patch was reverted and informed Chromium security via the original ticket.
- 17/11/2020 Helped developers to reproduce the issue and a new ticket opened as 1150065.
- Issue fixed again in release of 87.0.4280.141 as CVE-2021-21114.
Summary
UaF in AudioHandler::ProcessIfNecessary
Product
Chrome
Tested Version
- Chrome version: master branch build 9dfba38, stable build 85.0.4183.83
- Operating System: Ubuntu 18.04
Details
The tear-down mutex removed in this commit [1] not only protected against UaF issues with the BaseAudioContext (which is what the self-referencing patch fixed), but also against race conditions where AudioHandlers may still be processing while the ClearHandlersToBeDeleted method is removing the rendering_orphan_handlers_. As the various processing methods of the AudioHandler (e.g. Process, ProcessIfNecessary) are not protected by any lock, they can race with ClearHandlersToBeDeleted (protected by GraphLock), and the AudioHandler can be deleted by ClearHandlersToBeDeleted while it is still being processed on the rendering thread. This causes a use-after-free.
- https://source.chromium.org/chromium/chromium/src/+/e4c27b508976fb751ccd4d34e52b70b668618271?originalUrl=https%2F:%2F%2F%2Fcs.chromium.org%2F
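The interleaving described above, reduced to a small model. This is an added illustration and not Chromium code: the names AudioHandler, ClearHandlersToBeDeleted, rendering_orphan_handlers and GraphLock mirror Blink's, but the classes are toy stand-ins, the lock is a plain flag so the two orderings can be driven deterministically from one thread, and a registry of live handlers is used to detect the freed-handler access instead of dereferencing dangling memory. The first function reproduces the unprotected ordering (render side processes with no lock, main side deletes under GraphLock); the second shows the effect of serializing both sides under the same lock, which is the protection the advisory says the removed tear-down mutex provided.

```cpp
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Constructed model of the race in the advisory; not Blink's implementation.
// Registry of live handler objects so a use-after-free is reported as a
// boolean instead of being undefined behaviour.
static std::set<const void*> g_live_handlers;

struct AudioHandler {
  int processed_quanta = 0;
  AudioHandler() { g_live_handlers.insert(this); }
  ~AudioHandler() { g_live_handlers.erase(this); }
};

// Stand-in for GraphLock: a flag, so contention can be simulated in-thread.
struct GraphLock {
  bool held = false;
  bool TryLock() { if (held) return false; held = true; return true; }
  void Unlock() { held = false; }
};

struct DeferredTaskHandler {
  GraphLock graph_lock;
  std::vector<std::unique_ptr<AudioHandler>> rendering_orphan_handlers;

  // Main-thread side: deletes orphaned handlers under GraphLock.
  // Returns false if the lock was contended and nothing was deleted.
  bool ClearHandlersToBeDeleted() {
    if (!graph_lock.TryLock()) return false;
    rendering_orphan_handlers.clear();  // runs ~AudioHandler
    graph_lock.Unlock();
    return true;
  }
};

// Render-thread side. Returns false, rather than touching freed memory,
// when the handler has already been destroyed.
static bool ProcessIfNecessary(AudioHandler* handler) {
  if (!g_live_handlers.count(handler)) return false;  // the use-after-free
  handler->processed_quanta++;
  return true;
}

// Ordering 1 (unprotected): render side takes a raw pointer, main side
// clears, render side processes. Returns true when the freed handler is hit.
bool RaceWithoutTearDownLock() {
  DeferredTaskHandler dth;
  dth.rendering_orphan_handlers.push_back(std::make_unique<AudioHandler>());
  AudioHandler* raw = dth.rendering_orphan_handlers.back().get();
  bool cleared = dth.ClearHandlersToBeDeleted();  // main thread wins the race
  bool ok = ProcessIfNecessary(raw);              // handler already deleted
  return cleared && !ok;
}

// Ordering 2 (protected): render side holds the lock for the whole render
// quantum, so the clear is deferred until processing has finished.
bool RaceWithTearDownLock() {
  DeferredTaskHandler dth;
  dth.rendering_orphan_handlers.push_back(std::make_unique<AudioHandler>());
  if (!dth.graph_lock.TryLock()) return false;
  AudioHandler* raw = dth.rendering_orphan_handlers.back().get();
  bool cleared = dth.ClearHandlersToBeDeleted();  // contended: deferred
  bool ok = ProcessIfNecessary(raw);              // handler still alive
  dth.graph_lock.Unlock();
  bool cleared_later = dth.ClearHandlersToBeDeleted();  // safe now
  return !cleared && ok && cleared_later &&
         dth.rendering_orphan_handlers.empty();
}

int main() {
  std::printf("unprotected ordering hits a freed handler: %s\n",
              RaceWithoutTearDownLock() ? "yes" : "no");
  std::printf("lock-protected ordering stays safe: %s\n",
              RaceWithTearDownLock() ? "yes" : "no");
  return 0;
}
```

The point of the model is the ownership gap: rendering_orphan_handlers holds the only owning reference, the render side works through a raw pointer, and nothing ties the raw pointer's lifetime to the lock that guards deletion. Either both sides must hold the same lock for the duration of the access, as in the second ordering, or the render side must take a reference that keeps the handler alive until processing returns.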
CVE
- CVE-2020-15972 (credited to anonymous researcher)
- CVE-2021-21114 (regression credited to us)
Impact
Use-after-free in the sandboxed renderer process that can be triggered by visiting a malicious website.
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-167 in any communication regarding this issue.