Coordinated Disclosure Timeline
- 07/09/2020 Reported as Chromium Issue 1125635
- 07/09/2020 Was told that it was a duplicate of issue 1115901.
- 11/09/2020 Developers deduplicated due to differences with 1115901.
- 29/09/2020 Was told it was a duplicate after all.
- 14/10/2020 Issue fixed in release 86.0.4240.75 as CVE-2020-15972, credited to an anonymous researcher.
- 03/11/2020 The fix caused a deadlock in some circumstances and the patch was reverted, as the developers could no longer reproduce the issue.
- 16/11/2020 Confirmed that the issue still reproduced after the patch was reverted and informed Chromium security via the original ticket.
- 17/11/2020 Helped the developers reproduce the issue; a new ticket was opened as 1150065.
- Issue fixed again in release of 87.0.4280.141 as CVE-2021-21114.
UaF in AudioHandler::ProcessIfNecessary
- Chrome version: master branch build 9dfba38, stable build 85.0.4183.83
- Operating System: Ubuntu 18.04
The tear-down mutex removed in this commit did not only protect against UaF issues with the BaseAudioContext (which is what the self-referencing patch fixed); it also prevented a race in which AudioHandlers may still be processing while the ClearHandlersToBeDeleted method is removing the rendering_orphan_handlers_. The processing methods of the AudioHandler (ProcessIfNecessary among them) are not protected by any lock, so they can race with ClearHandlersToBeDeleted (which runs under the GraphLock): an AudioHandler can be deleted by ClearHandlersToBeDeleted while it is still being processed on the rendering thread, which is a use-after-free.
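To make the interleaving concrete, the following is an added example and not Chromium code nor part of the original advisory. It is a small C++ model of the race: a "render thread" runs ProcessIfNecessary on an orphaned handler while the "main thread" calls ClearHandlersToBeDeleted under GraphLock. The names AudioHandler, ProcessIfNecessary, ClearHandlersToBeDeleted, rendering_orphan_handlers_ and GraphLock mirror the advisory; RaceMonitor, BaseAudioContextModel, RenderOnce, WaitForProcessingStart, ResumeProcessing and SimulateTeardownRace are constructed harness pieces. The locked variant only demonstrates that mutual exclusion between processing and teardown closes the window; it is not a claim about how Chromium's actual fix is implemented. The model deliberately never dereferences the freed handler; it counts the freed-while-processing condition instead.

```cpp
// Added example (not Chromium code): deterministic model of the teardown race.
#include <atomic>
#include <condition_variable>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Bookkeeping kept outside the handler so the render thread never touches the
// handler after it may have been freed.
struct RaceMonitor {
  std::atomic<bool> in_process{false};        // render thread is inside ProcessIfNecessary
  std::atomic<int> freed_while_processing{0}; // the use-after-free condition we want to catch
};

struct AudioHandler {
  explicit AudioHandler(RaceMonitor* m) : monitor(m) {}
  ~AudioHandler() {
    // Destroyed while the render thread still considers it live: in Blink this
    // is the UaF; the model only counts it.
    if (monitor->in_process) monitor->freed_while_processing++;
  }
  void ProcessIfNecessary() { ++render_calls; }
  RaceMonitor* monitor;
  int render_calls = 0;
};

class BaseAudioContextModel {
 public:
  explicit BaseAudioContextModel(RaceMonitor* m) : monitor_(m) {
    rendering_orphan_handlers_.push_back(std::make_unique<AudioHandler>(m));
  }

  // "Audio rendering thread". hold_graph_lock=false is the vulnerable shape
  // (processing without any lock); true models processing that is mutually
  // exclusive with teardown, as the removed tear-down mutex provided.
  void RenderOnce(bool hold_graph_lock) {
    std::unique_lock<std::mutex> graph_guard(graph_lock_, std::defer_lock);
    if (hold_graph_lock) graph_guard.lock();

    monitor_->in_process = true;
    rendering_orphan_handlers_.front()->ProcessIfNecessary();
    // Pause mid-processing so the harness can run teardown concurrently.
    { std::lock_guard<std::mutex> lk(cv_mutex_); started_ = true; }
    cv_.notify_all();
    { std::unique_lock<std::mutex> lk(cv_mutex_); cv_.wait(lk, [&] { return resume_; }); }
    // Real code would keep using the handler here; the model does not, because
    // in the vulnerable configuration it may already have been freed.
    monitor_->in_process = false;
  }

  // "Main thread", under GraphLock. The real method blocks on the lock; the
  // model uses try_lock so the schedule stays explicit and reports whether
  // the orphans were actually cleared.
  bool ClearHandlersToBeDeleted() {
    if (!graph_lock_.try_lock()) return false;
    std::lock_guard<std::mutex> guard(graph_lock_, std::adopt_lock);
    rendering_orphan_handlers_.clear();  // deletes the AudioHandler
    return true;
  }

  void WaitForProcessingStart() {
    std::unique_lock<std::mutex> lk(cv_mutex_);
    cv_.wait(lk, [&] { return started_; });
  }
  void ResumeProcessing() {
    { std::lock_guard<std::mutex> lk(cv_mutex_); resume_ = true; }
    cv_.notify_all();
  }

 private:
  RaceMonitor* monitor_;
  std::mutex graph_lock_;  // GraphLock
  std::vector<std::unique_ptr<AudioHandler>> rendering_orphan_handlers_;
  std::mutex cv_mutex_;
  std::condition_variable cv_;
  bool started_ = false;
  bool resume_ = false;
};

// Drives one render against one teardown and returns how many handlers were
// freed while the render thread was still inside ProcessIfNecessary.
int SimulateTeardownRace(bool process_under_graph_lock) {
  RaceMonitor monitor;
  BaseAudioContextModel context(&monitor);
  std::thread render([&] { context.RenderOnce(process_under_graph_lock); });
  context.WaitForProcessingStart();
  bool cleared = context.ClearHandlersToBeDeleted();  // teardown on the main thread
  context.ResumeProcessing();
  render.join();
  if (!cleared) context.ClearHandlersToBeDeleted();   // lock is free now: safe to clear
  return monitor.freed_while_processing;
}

int main() {
  std::printf("unlocked processing: %d handler(s) freed mid-render\n", SimulateTeardownRace(false));
  std::printf("locked processing:   %d handler(s) freed mid-render\n", SimulateTeardownRace(true));
  return 0;
}
```

Without the lock the handler is destroyed while the render thread is still inside ProcessIfNecessary (the freed-while-processing count is 1); with processing and teardown serialised on GraphLock the clear is deferred until the render finishes and the count stays 0. The try_lock in the model also shows the flip side the timeline records: if ClearHandlersToBeDeleted instead blocked on the lock while the render thread waited on something the main thread owns, the two would deadlock.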
- CVE-2020-15972 (credited to anonymous researcher)
- CVE-2021-21114 (regression credited to us)
Use-after-free in the sandboxed renderer process that can be triggered by visiting a malicious website.
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
You can contact the GHSL team at firstname.lastname@example.org; please include GHSL-2020-167 in any communication regarding this issue.