Coordinated Disclosure Timeline

Summary

UaF in ServiceWorkerPaymentApp

Product

Chrome

CVE

CVE-2020-15967

Tested Version

Tested on a Pixel 3a emulator running Android 10 with Chromium 85.0.4183.102

Details

The PaymentAppServiceBridge stores a raw PaymentRequestSpec pointer in its spec_ field [1]. That spec_ is owned by PaymentRequestImpl [2] and is destroyed in PaymentRequestImpl's closeUIAndDestroyNativeObjects method [3], which runs, among other cases, on a Mojo connection error. A compromised renderer can therefore control the lifetime of spec_: resetting the payment request Mojo client tears down the spec while it is still in use, giving a use-after-free. For example, in CreatePaymentApps, spec_ is passed to ServiceWorkerPaymentApp [4], which is owned by ServiceWorkerPaymentAppFactory and whose lifetime is not bound to that of PaymentRequest. Any use of the raw spec_ in ServiceWorkerPaymentApp after the renderer has destroyed PaymentRequest is then a use-after-free; the attached example triggers the use in CreateCanMakePaymentEventData [5].

  1. https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:chrome/browser/payments/android/payment_app_service_bridge.h;l=110;bpv=1;bpt=1?originalUrl=%2F
  2. https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java;l=180;bpv=1;bpt=1?q=PaymentRequestImpl&ss=chromium%2Fchromium%2Fsrc&originalUrl=%2F
  3. https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java;l=1844;bpv=1;bpt=1?originalUrl=%2F
  4. https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:components/payments/content/service_worker_payment_app_factory.cc;l=77;drc=c741e070dbfcc33b2369e7a5131be87c7b21bb99;bpv=1;bpt=1?originalUrl=%2F
  5. https://source.chromium.org/chromium/chromium/src/+/aa38d046e8e6fee8ac7c350534cb9257c4145c50:components/payments/content/service_worker_payment_app.cc;l=144;drc=c741e070dbfcc33b2369e7a5131be87c7b21bb99;bpv=1;bpt=1?originalUrl=%2F
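The ownership relationship above, reduced to a stand-alone C++ model, as an added illustration that is not Chromium code: a request object owns the spec and drops it on a connection error, while a factory-owned app holds a non-owning pointer that outlives the request. The class and method names mirror the advisory for readability only; std::shared_ptr/std::weak_ptr stand in for whatever weak-reference mechanism a real fix would use, and the destroyed_flag plumbing exists purely so the scenario can observe the destructor without dereferencing freed memory. The "hardened" app is one way to make the consumer check liveness before use; it is not a claim about how Chromium fixed the bug.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, simplified model (added example, not Chromium code).
struct PaymentRequestSpec {
  std::string total;
  std::vector<std::string> methods;
  bool* destroyed_flag = nullptr;  // lets the scenario observe teardown safely
  ~PaymentRequestSpec() { if (destroyed_flag) *destroyed_flag = true; }
};

// Stands in for PaymentRequestImpl: owns the spec and tears it down on a
// Mojo connection error, which the renderer can trigger whenever it likes.
class PaymentRequest {
 public:
  explicit PaymentRequest(bool* destroyed_flag)
      : spec_(std::make_shared<PaymentRequestSpec>()) {
    spec_->total = "USD 10.00";                       // constructed sample data
    spec_->methods = {"http://localhost:8000/pay"};   // constructed sample data
    spec_->destroyed_flag = destroyed_flag;
  }
  PaymentRequestSpec* raw_spec() const { return spec_.get(); }
  std::weak_ptr<PaymentRequestSpec> weak_spec() const { return spec_; }
  void OnConnectionError() { spec_.reset(); }  // closeUIAndDestroyNativeObjects
 private:
  std::shared_ptr<PaymentRequestSpec> spec_;
};

// Vulnerable shape: the factory-owned app keeps a raw pointer and has no way
// to learn that PaymentRequest has already destroyed the spec.
class UnsafeServiceWorkerPaymentApp {
 public:
  explicit UnsafeServiceWorkerPaymentApp(PaymentRequestSpec* spec) : spec_(spec) {}
  // Reads through spec_ unconditionally; after disconnect this is the UaF.
  // (Never invoked in that state below, so the example itself has no UB.)
  std::string CreateCanMakePaymentEventData() const {
    return spec_->total + " via " + std::to_string(spec_->methods.size()) + " method(s)";
  }
  bool HoldsSpec() const { return spec_ != nullptr; }
 private:
  PaymentRequestSpec* spec_;  // non-owning, never invalidated
};

// Hardened shape: the app holds a weak reference and refuses to proceed once
// the owner has torn the spec down.
class SafeServiceWorkerPaymentApp {
 public:
  explicit SafeServiceWorkerPaymentApp(std::weak_ptr<PaymentRequestSpec> spec)
      : spec_(std::move(spec)) {}
  bool CreateCanMakePaymentEventData(std::string* out) const {
    std::shared_ptr<PaymentRequestSpec> spec = spec_.lock();
    if (!spec) return false;  // request already gone: abort instead of dereferencing
    *out = spec->total + " via " + std::to_string(spec->methods.size()) + " method(s)";
    return true;
  }
 private:
  std::weak_ptr<PaymentRequestSpec> spec_;
};

// The advisory's sequence with the vulnerable app: the app is created with the
// spec, the renderer resets the Mojo client, and the app is left pointing at a
// destroyed object. Returns true when that dangling state is reached.
bool UnsafeScenarioLeavesDanglingSpec() {
  bool destroyed = false;
  std::unique_ptr<UnsafeServiceWorkerPaymentApp> app;  // factory-owned, outlives the request
  {
    PaymentRequest request(&destroyed);
    app = std::make_unique<UnsafeServiceWorkerPaymentApp>(request.raw_spec());
    request.OnConnectionError();  // renderer-triggered teardown
  }
  return destroyed && app->HoldsSpec();
}

// Same sequence with the weak-reference app. Returns the event data, or an
// empty string when the app correctly declines because the request is gone.
std::string HardenedScenario(bool disconnect_before_use) {
  bool destroyed = false;
  PaymentRequest request(&destroyed);
  SafeServiceWorkerPaymentApp app(request.weak_spec());
  if (disconnect_before_use) request.OnConnectionError();
  std::string data;
  return app.CreateCanMakePaymentEventData(&data) ? data : std::string();
}

int main() {
  std::printf("unsafe app dangling after disconnect: %s\n",
              UnsafeScenarioLeavesDanglingSpec() ? "yes" : "no");
  std::printf("hardened app, no disconnect: \"%s\"\n", HardenedScenario(false).c_str());
  std::printf("hardened app, after disconnect: \"%s\"\n", HardenedScenario(true).c_str());
  return 0;
}
```

The point the model makes is that ownership and lifetime are decided by whichever party can trigger the teardown path; when that party is the renderer, any raw pointer into the torn-down object that survives in a longer-lived browser-side object is renderer-controlled memory, and the consumer must either hold a weak reference and check it, or be destroyed together with the owner.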

Reproduction case

Serve the files payment_app.html, payment-manifest.json, manifest.json and sw_payments.js on localhost:8000 (they can probably be served on another host and port, but http://localhost:8000 is hardcoded in the files and needs changing if so) and open payment_app.html with the patched version of Chrome. If successful, it should crash the Chrome browser process and produce a stack trace in logcat like the attached one.

Impact

Use-after-free in the browser process. Can be reached directly from a malicious website, without a user gesture.

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-164 in any communication regarding this issue.