CVE-2024-4368 - Understanding and Exploiting a Use-After-Free in Dawn in Google Chrome

CVE-2024-4368 is a newly discovered security vulnerability in Google Chrome's Dawn library prior to version 124..6367.118. Specifically, it is a use-after-free (UAF) bug that allows a remote attacker to potentially execute arbitrary code or cause Chrome to crash by exploiting heap memory corruption via a specially crafted HTML page.

This vulnerability was rated as High severity by the Chromium security team, and it showcases the dangers of memory mismanagement in complex browser components like Dawn, which is involved in WebGPU operations.

What is Dawn?

Dawn is an open-source web graphics API implementation that helps Chrome support WebGPU, a modern graphics API. Bugs in this layer can have severe consequences because WebGPU is accessible from web content and handles low-level GPU resources.

Understanding Use-After-Free

A use-after-free occurs when a program continues to use memory after it has been freed (released). This can result in unpredictable behavior, including crashes, information leaks, or even arbitrary code execution if an attacker can control what occupies the freed memory.

In CVE-2024-4368, improper memory management in Dawn can be triggered from malicious HTML and JavaScript, leading to use-after-free—and, under the right circumstances, heap corruption.

Technical Details

While the full code context is not public, the bug involved incorrect handling of object lifetimes. The attacker can trigger conditions where a WebGPU object is freed, but Chrome (Dawn), after releasing the memory, still tries to access or operate on it.

Here's a simplified example in C++-like pseudocode illustrating a generic use-after-free in a browser GPU library:

// Vulnerable code pattern (pseudocode)

void HandleGPURequest(GPUObject* obj) {
    if (!obj)
        return;
    DeleteGPUObject(obj); // Frees 'obj'
    ... // Other work
    DoSomethingWith(obj); // UAF: Using freed pointer
}

This pattern is dangerous: after DeleteGPUObject(), any use of obj is undefined behavior.

In the real Chrome case, the object is part of the WebGPU pipeline, and the trigger is an attacker-controlled HTML page sending GPU commands in a specific sequence.

Exploitation Details: How Could an Attacker Abuse This?

This bug is remotely triggerable via a crafted web page. An attacker creates a malicious page with JavaScript that:

Forces Chrome to access the already-freed object, causing use-after-free.

3. Attempts to arrange "heap spray" (filling memory with controlled data) to influence what memory replaces the freed object, possibly leading to remote code execution.

A simplified proof-of-concept (conceptual) in JavaScript might look like this (note: the real exploit is more complex and not publicly available):

// NOT an actual Chrome exploit, just a conceptual snippet

async function triggerUAF() {
    if (!navigator.gpu) {
        alert("WebGPU not supported");
        return;
    }
    let adapter = await navigator.gpu.requestAdapter();
    let device = await adapter.requestDevice();

    for (let i = ; i < 10000; ++i) {
        let buffer = device.createBuffer({size: 64, usage: GPUBufferUsage.COPY_SRC});
        buffer.destroy(); // Prematurely free
        // Some browsers might still reference buffer here
    }

    // Heap spray: fill memory
    let junk = [];
    for (let i = ; i < 100000; i++) {
        junk.push(new ArrayBuffer(100)); // Try to occupy freed memory
    }

    // Try to access after free via another GPU operation
    // ... exploit specifics omitted ...
}

NOTE: The real exploit needs precise timing and understanding of Chrome's memory allocator, and may chain multiple JavaScript calls. This is only to illustrate the idea.

Patch and Mitigation

Google patched the vulnerability in Chrome 124..6367.118. If you use an older version, you are at risk!

Use browser security features like Site Isolation and Enhanced Safe Browsing.

- Consider disabling WebGPU or using browser extensions that limit HTML5 features on untrusted sites.

References

- Chromium Stable Channel Update for Desktop (CVE mention)
- CVE-2024-4368 at NIST
- Dawn WebGPU Project
- Introduction to Use-After-Free

Final Thoughts

CVE-2024-4368 shows how complex and powerful web features can introduce serious security risks through subtle bugs. Always keep your browser up-to-date and be cautious about visiting untrusted websites, as attackers are always looking for chances to exploit these kinds of vulnerabilities.

Timeline

Published on: 05/01/2024 13:15:52 UTC
Last modified on: 07/03/2024 02:07:28 UTC