Coordinated Disclosure Timeline

Summary

UAF in InternalAuthenticatorAndroid::InvokeIsUserVerifyingPlatformAuthenticatorAvailableResponse

Product

Chrome

CVE

CVE-2021-30528

Tested Version

Tested on Pixel 3a firmware version RQ2A.210405.005, Android 11

Chromium stable build 90.0.4430.91

Details

When fetching credit card details for autofill, IsUserVerifyingPlatformAuthenticatorAvailable is called [1]. On Android, this calls the corresponding method of the Java class InternalAuthenticator [2]. That method captures mNativeInternalAuthenticatorAndroid, the raw pointer to the native InternalAuthenticatorAndroid object, in a Java lambda that is used as the response callback [3]. The native InternalAuthenticatorAndroid owns a reference to this InternalAuthenticator [4] and normally destroys it when it is itself destroyed. However, because the Java lambda also holds a reference to the InternalAuthenticator, the lambda keeps the Java object alive even after the native object has been destroyed, while the captured mNativeInternalAuthenticatorAndroid now points to freed memory. When the callback is finally invoked, the stale native pointer is dereferenced and a use-after-free occurs [5]. Since the lifetime of InternalAuthenticatorAndroid is bound to the RenderFrameHost that transitively owns it, a compromised renderer can free it by destroying the iframe that holds it before the Java callback is invoked.

  1. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:components/autofill/core/browser/payments/credit_card_fido_authenticator.cc;l=148;bpv=0;bpt=1
  2. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:chrome/browser/autofill/android/internal_authenticator_android.cc;l=94;drc=c3fe176a27dcad95b576fa233c63d7238b138af4;bpv=1;bpt=1
  3. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:chrome/android/java/src/org/chromium/chrome/browser/autofill/InternalAuthenticator.java;l=98;bpv=1;bpt=1
  4. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:chrome/browser/autofill/android/internal_authenticator_android.cc;l=34;drc=c3fe176a27dcad95b576fa233c63d7238b138af4;bpv=1;bpt=1
  5. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:chrome/browser/autofill/android/internal_authenticator_android.cc;l=152;drc=c3fe176a27dcad95b576fa233c63d7238b138af4;bpv=1;bpt=1
  6. https://blog.chromium.org/2019/07/easier-payments-with-chrome.html?m=1
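The lifetime hazard described in Details, reduced to a small C++ model. This is an added example written for this page, not Chromium code: NativeAuthenticator stands in for InternalAuthenticatorAndroid, JavaAuthenticator for the Java InternalAuthenticator, and a vector of std::function for the Java side's deferred response. The names VulnerableCallback, HardenedCallback, VulnerableScenario and HardenedScenario are hypothetical. The vulnerable path only marks the native object as freed instead of deallocating it, so the stale dereference can be observed without undefined behaviour; on a real heap the same access is the UAF. The hardened path is one generic remedy (a weak handle re-validated on delivery) and is not a claim about how Chromium fixed the bug.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Stand-in for InternalAuthenticatorAndroid, the C++ object behind the Java
// long mNativeInternalAuthenticatorAndroid. `freed` is set instead of
// deallocating so the stale access below stays observable (simulated free).
struct NativeAuthenticator {
  bool freed = false;
  int responses = 0;  // bumped by the Invoke...Response path
};

// Stand-in for the Java InternalAuthenticator object.
struct JavaAuthenticator {};

// The Java side's pending work: the asynchronous IsUVPAA response lands here
// some time after the request was made.
using JavaCallback = std::function<bool()>;
using JavaEventLoop = std::vector<JavaCallback>;

// Pattern from the advisory: the lambda captures the raw native handle plus a
// strong reference to the Java object, so the Java object (and the stale
// handle) can outlive the native object that was supposed to own it.
JavaCallback VulnerableCallback(NativeAuthenticator* raw,
                                std::shared_ptr<JavaAuthenticator> self) {
  return [raw, self]() -> bool {
    // Models InvokeIsUserVerifyingPlatformAuthenticatorAvailableResponse(raw, ...)
    bool stale = raw->freed;     // dereference of a possibly dangling pointer
    if (!stale) raw->responses++;
    return stale;                // true == the callback touched a freed object
  };
}

// Hardened variant (hypothetical): capture a weak handle and re-validate it
// at delivery time instead of trusting the raw pointer.
JavaCallback HardenedCallback(std::weak_ptr<NativeAuthenticator> weak,
                              std::shared_ptr<JavaAuthenticator> self) {
  return [weak, self]() -> bool {
    std::shared_ptr<NativeAuthenticator> native = weak.lock();
    if (!native) return false;   // owner already gone: drop the response
    native->responses++;
    return true;                 // true == delivered to a live native object
  };
}

// The sequence from the advisory. Returns true if the deferred callback
// reached a native object that had already been freed.
bool VulnerableScenario() {
  JavaEventLoop loop;
  NativeAuthenticator native;  // lifetime bound to the RenderFrameHost
  auto java = std::make_shared<JavaAuthenticator>();  // owned by `native`
  loop.push_back(VulnerableCallback(&native, java));   // IsUVPAA() queues the lambda
  native.freed = true;  // renderer destroys the iframe: native object freed
  java.reset();         // native's reference to the Java object is dropped...
  // ...but the lambda still holds `self`, so the Java object is alive and
  // the response is still delivered.
  return loop.front()();
}

// Same sequence with the weak handle. `destroy_frame_first` selects whether
// the RenderFrameHost goes away before the response arrives. Returns whether
// the response was delivered.
bool HardenedScenario(bool destroy_frame_first) {
  JavaEventLoop loop;
  auto native = std::make_shared<NativeAuthenticator>();
  auto java = std::make_shared<JavaAuthenticator>();
  loop.push_back(HardenedCallback(std::weak_ptr<NativeAuthenticator>(native), java));
  if (destroy_frame_first) {
    java.reset();
    native.reset();  // really deallocated; weak_ptr::lock() now fails
  }
  return loop.front()();
}

int main() {
  std::printf("vulnerable: callback touched freed native = %d\n", VulnerableScenario());
  std::printf("hardened, frame destroyed first: delivered = %d\n", HardenedScenario(true));
  std::printf("hardened, frame alive: delivered = %d\n", HardenedScenario(false));
  return 0;
}
```

The point the model makes is that keeping the Java object alive does nothing to protect the native pointer it carries: the two lifetimes are decoupled as soon as the native owner can be destroyed from the renderer side, so the handle has to be re-validated at the point of use (or cleared when the owner dies), not merely kept.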

Impact

Can be exploited by a compromised renderer on Android to escape the sandbox.

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2021-124 in any communication regarding this issue.