skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
September 29, 2021

GHSL-2021-124: Use After Free (UAF) in Chrome - CVE-2021-30528

Man Yue Mo

Coordinated Disclosure Timeline

Summary

UAF in InternalAuthenticatorAndroid::InvokeIsUserVerifyingPlatformAuthenticatorAvailableResponse

Product

Chrome

CVE

CVE-2021-30528

Tested Version

Tested on Pixel 3a firmware version RQ2A.210405.005, Android 11

Chromium stable build 90.0.4430.91

Details

When fetching credit card details for autofill, IsUserVerifyingPlatformAuthenticatorAvailable will be called [1]. On Android, this will call the corresponding method of the Java class InternalAuthenticator [2]. This method then stores mNativeInternalAuthenticatorAndroid in a callback [3] as a Java lambda. Although mNativeInternalAuthenticatorAndroid owns a reference to this InternalAuthenticator [4] and will normally destroy this InternalAuthenticator when it is destroyed, by storing mNativeInternalAuthenticatorAndroid in a Java lambda, the lambda callback will also hold a shared reference to the InternalAuthenticator. This means even if the mNativeInternalAuthenticator is destroyed, the Java lambda can still be keeping InternalAuthenticator alive, while mNativeInternalAuthenticator will now point to a free’d object. When the callback is finally invoked, a UAF will happen [5]. As the lifetime of mNativeInternalAuthenticator is bound to the RenderFrameHost that transitively owns it, it can be freed by destroying an iframe that holds it from the renderer before the Java callback is invoked.

  1. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:components/autofill/core/browser/payments/credit_card_fido_authenticator.cc;l=148;bpv=0;bpt=1
  2. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:chrome/browser/autofill/android/internal_authenticator_android.cc;l=94;drc=c3fe176a27dcad95b576fa233c63d7238b138af4;bpv=1;bpt=1
  3. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:chrome/android/java/src/org/chromium/chrome/browser/autofill/InternalAuthenticator.java;l=98;bpv=1;bpt=1
  4. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:chrome/browser/autofill/android/internal_authenticator_android.cc;l=34;drc=c3fe176a27dcad95b576fa233c63d7238b138af4;bpv=1;bpt=1
  5. https://source.chromium.org/chromium/chromium/src/+/f95d0eb0ad8e7671f2a8171ff96cad06973423cb:chrome/browser/autofill/android/internal_authenticator_android.cc;l=152;drc=c3fe176a27dcad95b576fa233c63d7238b138af4;bpv=1;bpt=1
  6. https://blog.chromium.org/2019/07/easier-payments-with-chrome.html?m=1

CVE

Impact

Can be exploited to gain sandox escape from a compromised renderer on Android.

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2021-124 in any communication regarding this issue.