skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
March 8, 2021

GHSL-2020-167: Use-after-free (UaF) in Chrome AudioHandler - CVE-2020-15972, CVE-2021-21114

Man Yue Mo

Coordinated Disclosure Timeline

Summary

UaF in AudioHandler::ProcessIfNecessary

Product

Chrome

Tested Version

Details

The tear down mutex removed in this commit [1] does not only protect against UaF issues with the BaseAudioContext (which is what the self-referencing patch fixed), but also race conditions where AudioHandlers may still be processing while the ClearHandlersToBeDeleted method is removing the rendering_orphan_handlers_. As various processing methods of the AudioHandler (e.g. Process, ProcessIfNeccessary) are not protected by any lock, it can race with ClearHandlersToBeDeleted (protected by GraphLock) and the AudioHandler can be deleted while ClearHandlersToBeDeleted clears it away. This causes UaF.

  1. https://source.chromium.org/chromium/chromium/src/+/e4c27b508976fb751ccd4d34e52b70b668618271?originalUrl=https%2F:%2F%2F%2Fcs.chromium.org%2F

CVE

Impact

Use-after-free in the sandboxed renderer process that can be triggered by visiting a malicious website.

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-167 in any communication regarding this issue.