Update CVE-2021-21206.md
Fix small nits
blendin authored and maddiestone committed Sep 14, 2023
1 parent d7b4526 commit 423f19b
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions 0day-RCAs/2021/CVE-2021-21206.md
Expand Up @@ -53,16 +53,18 @@

## The Vulnerability

**Bug class:** use-after-free and unexpected JavaScript callback triggered by a `thennable` object

**Vulnerability details:**

Prerequisites:
* Each DOM node owns a `LayoutObject`. `LayoutObjects` form a tree structure that is a close mapping of the DOM tree.
* `LayoutObjects` store information needed for painting and are created by [LayoutTreeBuilderForElement::CreateLayoutTree](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/dom/layout_tree_builder.cc;l=85;drc=5342041f85833c038dcbc5632d62fc10f7592323).
* The code within `renderer/core/paint` converts the `LayoutObject` tree into a rendering format for the compositor. The process is broken up into two parts: [PrePaint](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/frame/local_frame_view.cc;l=2743;drc=5342041f85833c038dcbc5632d62fc10f7592323) and [Paint](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/frame/local_frame_view.cc;l=2596;drc=5342041f85833c038dcbc5632d62fc10f7592323).
* PrePaint walks the `LayoutObject` tree and builds the `PaintPropertyTree`. The `PaintPropertyTree` is a specialized tree used for painting. Each `LayoutObject` has one or more `FragmentData` which holds information about a portion of the `LayoutObject` and every `FragmentData` has an `ObjectPaintProperties` if any paint property nodes are induced on it (e.g. if the fragment has a transform then its [ObjectPaintProperties::Transform()](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/paint/object_paint_properties.h;l=91;drc=5342041f85833c038dcbc5632d62fc10f7592323) points to the `TransformPaintPropertyNode` representing that transform). These property nodes are stored to the `PaintPropertyTree` [during PrePaint](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/paint/paint_property_tree_builder.cc;l=974;drc=5342041f85833c038dcbc5632d62fc10f7592323). Notably, the `PainPropertyTrees` hold [raw pointers](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/graphics/paint/property_tree_state.h;l=96;drc=5342041f85833c038dcbc5632d62fc10f7592323) to the `ObjectPaintProperties` nodes.
* Tanegentially, `DocumentAnimations::UpdateAnimations` can trigger a synchronous JavaScript callback if there is a queued microtask and the animation has a [pending_pause_](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/animation/animation.cc;l=1244;drc=5342041f85833c038dcbc5632d62fc10f7592323) ([NotifyRead](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/animation/pending_animations.cc;l=94;drc=5342041f85833c038dcbc5632d62fc10f7592323) -> [CommitPendingPause](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/animation/animation.cc;l=635;drc=5342041f85833c038dcbc5632d62fc10f7592323) -> [ResolvePromiseMaybeAsync](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/animation/animation.cc;l=2307;drc=5342041f85833c038dcbc5632d62fc10f7592323) -> PromiseResolve). PromiseResolve has a documented way to trigger synchronous callbacks that has caused many issues.
* Tangentially, `DocumentAnimations::UpdateAnimations` can trigger a synchronous JavaScript callback if there is a queued microtask and the animation has a [pending_pause_](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/animation/animation.cc;l=1244;drc=5342041f85833c038dcbc5632d62fc10f7592323) ([NotifyRead](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/animation/pending_animations.cc;l=94;drc=5342041f85833c038dcbc5632d62fc10f7592323) -> [CommitPendingPause](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/animation/animation.cc;l=635;drc=5342041f85833c038dcbc5632d62fc10f7592323) -> [ResolvePromiseMaybeAsync](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/animation/animation.cc;l=2307;drc=5342041f85833c038dcbc5632d62fc10f7592323) -> PromiseResolve). PromiseResolve has a documented way to trigger synchronous callbacks that has caused many issues.

```
```c++
void LocalFrameView::RunPaintLifecyclePhase(PaintBenchmarkMode benchmark_mode) {
ForAllNonThrottledLocalFrameViews(
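Review bot: the same nits pass should also catch the two remaining spelling slips visible in this hunk's context: `PainPropertyTrees` in the PrePaint bullet (the class is named `PaintPropertyTree` two sentences earlier, so `PaintPropertyTrees` is meant) and `thennable` in the **Bug class:** line, where the conventional spelling for a Promise-like object is `thenable`. The fence tag change from bare ``` to ```c++ is correct, since `c++` is an accepted alias for the highlighter, and the `Tanegentially` to `Tangentially` fix is fine as is.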
Expand Down Expand Up @@ -93,8 +95,6 @@ The bug lies within Paint. `UpdateAnimations` [1] can trigger a callback, and wi
Note: Synchronous JavaScript execution is not expected within PrePaint nor Paint. There are likely many ways to trigger memory corruption bug beyond this specific use-after-free.
**Bug class:** use-after-free and unexpected JavaScript callback triggered by a `thennable` object

**Patch analysis:**
The patch wraps `UpdateAnimations` with a `ScriptForbiddenScope` assert-scope which will cause the JavaScript callback to be executed asynchronously.
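Review bot: dropping the duplicated **Bug class:** line here is right (the canonical one already sits under "## The Vulnerability" at the top of the section), but the surviving "Note:" context line in this hunk still reads awkwardly: "within PrePaint nor Paint" should be "within PrePaint or Paint", and "trigger memory corruption bug" is missing its article ("trigger a memory corruption bug"). A blank line between **Patch analysis:** and its paragraph would also match the spacing used after **Vulnerability details:** above.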
