Closed Bug 1169918 Opened 9 years ago Closed 9 years ago

If I visit somewhere with a window.open busy-loop, Firefox freezes

Categories

Product / Component: Firefox :: Untriaged, defect
Version: 38 Branch
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 685828

People

(Reporter: u540336, Unassigned)

Details

(Keywords: crash, csectype-oom, hang)

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36

Steps to reproduce:

Visited this page -https://m1zg4rd.net/files/exp/crash_on_firefox.html


Actual results:

Firefox froze and I had to kill the process


Expected results:

I should have been able to visit and load the page normally

The page has a busy loop of window.open calls up to 1 billion. They all get blocked (in the default configuration, anyway).

I'm a little surprised that it freezes rather than showing the slow script dialog. I'm not sure why it does that and what its memory use is doing - on an instance of 38.0.1, I'm seeing memory use go up to 2.5 GB, then back down to about 600, then back up, all the while using 100% CPU. Similar things happen on Nightly.

Full page contents:


<script>
    // Calls window.open() on every iteration; each call is blocked by the
    // popup blocker in the default configuration, but the loop keeps
    // spinning for roughly a billion iterations.
    function crash(){
        for (let i = 1; i < 999999999; i++) {
            window.open('https://google.pl/','_blank');
        }
    }

    crash();
</script>
Status: UNCONFIRMED → NEW
Ever confirmed: true
Well thanks for the info, so can you guys fix it?
(In reply to Mark from comment #2)
> Well thanks for the info, so can you guys fix it?

We'll be trying, but doing so will require figuring out what's happening, which is why I left a comment with some first attempts at doing so. Other people will probably leave similar comments until we come up with a way of addressing the problem. You'll get more email about that and can always check the state of the issue on this page.
Alright, thanks. I hope this gets patched in the next build.
I think the slow script detection doesn't trigger because each window.open() yields while Firefox does the opening (or not, in this case) and resets the slow timer. Pretty sure we've got this trick on file already.
Group: core-security
Keywords: crash, csectype-oom, hang
Whiteboard: DUPME
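The mechanism suspected in comment #5 (and the blocked-but-still-spinning loop described in comment #1), as an added example that is not part of this bug report or of Firefox's own code: a toy model of a slow-script watchdog, written in JavaScript for Node. It compares a timer that restarts on every yield to the browser with a cumulative per-task CPU budget. The class names, the simulate/popupLoop/plainBusyLoop functions and every timing value are constructed for the illustration and do not describe how Gecko actually implements its watchdog.

```javascript
// Added example, not code from the bug report or from Firefox: a toy model
// of a slow-script watchdog that illustrates the hypothesis in comment #5.
// A loop that yields to the browser on every window.open() never trips a
// timer that restarts on each yield, while a cumulative per-task CPU budget
// still catches it. All timings are constructed for the illustration.

const LIMIT_MS = 100; // constructed budget, not the value of Firefox's dom.max_script_run_time pref

// Policy A (suspected in comment #5): the timer restarts whenever the script
// yields to the browser, so only one uninterrupted slice > LIMIT_MS is flagged.
class ResetOnYieldWatchdog {
  constructor(limitMs) {
    this.limitMs = limitMs;
    this.currentSlice = 0; // CPU ms spent since the last yield
  }
  charge(ms) {
    this.currentSlice += ms;
    return this.currentSlice > this.limitMs;
  }
  onYield() {
    this.currentSlice = 0; // the reset that a popup busy-loop keeps triggering
  }
}

// Policy B (the mitigation): CPU time is charged to the task that started the
// script (the page's initial <script> run), and yielding refunds nothing.
class CumulativeWatchdog {
  constructor(limitMs) {
    this.limitMs = limitMs;
    this.totalMs = 0;
  }
  charge(ms) {
    this.totalMs += ms;
    return this.totalMs > this.limitMs;
  }
  onYield() {
    // Nothing to reset: the budget belongs to the whole task.
  }
}

// Run a script made of `slices` chunks of `sliceMs` CPU each, yielding to the
// browser between chunks (as each blocked window.open() call does).
// Returns the 1-based slice at which the watchdog fired, or 0 if it never did.
function simulate(watchdog, sliceMs, slices) {
  for (let slice = 1; slice <= slices; slice++) {
    if (watchdog.charge(sliceMs)) return slice;
    watchdog.onYield();
  }
  return 0;
}

// The pattern from the report: 1000 tiny slices, one per window.open() call,
// 1000 ms of CPU in total but never more than 1 ms between yields.
function popupLoop(makeWatchdog) {
  return simulate(makeWatchdog(LIMIT_MS), 1, 1000);
}

// A plain busy loop that never yields, for comparison: one 150 ms slice.
function plainBusyLoop(makeWatchdog) {
  return simulate(makeWatchdog(LIMIT_MS), 150, 1);
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  const policies = {
    'reset-on-yield': (l) => new ResetOnYieldWatchdog(l),
    'cumulative': (l) => new CumulativeWatchdog(l),
  };
  for (const [name, make] of Object.entries(policies)) {
    console.log(`${name}: popup loop fired at slice ${popupLoop(make)}, ` +
                `plain busy loop fired at slice ${plainBusyLoop(make)}`);
  }
}
```

Run with `node watchdog.js`. The reset-on-yield policy reports slice 0 for the popup loop (it never fires, even though the script burns ten times the budget), while the cumulative policy fires at slice 101; both policies catch the plain 150 ms busy loop at slice 1. The defensive point is that a watchdog has to account CPU time to the task as a whole, not to the interval since the last time the script yielded.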
(In reply to Mark from comment #0)
> I should have been able to visit and load the page normally

No, you shouldn't. You just hope that by submitting that page my website will be blocked on Firefox as unsafe domain. This [b]link is private[/b], it is [b]not indexed by Google[/b] or published, it's my private project. They can be unsafe to you, so I suggest you stop browsing my private projects directory on that server (otherwise kittens will die).
(In reply to Mark Five from comment #6)
> (In reply to Mark from comment #0)
> > I should have been able to visit and load the page normally
> 
> No, you shouldn't. You just hope that by submitting that page my website
> will be blocked on Firefox as unsafe domain. This [b]link is private[/b], it
> is [b]not indexed by Google[/b] or published, it's my private project. They
> can be unsafe to you, so I suggest you stop browsing my private projects
> directory on that server (otherwise kittens will die).

Yes, I should and I did with Chrome. I only came here to report and get it patched, which will happen soon, consider it done within the next few releases. Thank you for confirming that it's you who made that ugly piece of ****. Now that it's confirmed, Firefox will either block it or patch your PUNY page, that way we all can breathe a sigh of relief. Nothing is private on the Internet, get off your high horse and start realizing the fact that every exploit you will code for Firefox, I will report it here and get it patched and I will NOT stop until you stop, so you're ON, polish guy. Your private project is going down, mr wannabe hacker. I will make sure you will never BRAG about your exploits anymore.
(In reply to Daniel Veditz [:dveditz] from comment #5)
> I think the slow script detection doesn't trigger because each window.open()
> yields while Firefox does the opening (or not, in this case) and resets the
> slow timer. Pretty sure we've got this trick on file already.

So any updates, guys?
*** This bug has been marked as a duplicate of bug 685828 ***
Group: firefox-core-security
CC list accessible: false
No longer blocks: eviltraps
Group: firefox-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Summary: If I visit a certain page, Firefox would freeze and crash - https://m1zg4rd.net/files/exp/crash_on_firefox.html → If I visit somewhere with a window.open busy-loop, Firefox freezes
Whiteboard: DUPME
(In reply to Mark from comment #7)
> Yes, I should and I did with Chrome. I only came here to report and get it
> patched, which will happen soon, consider it done within the next few
> releases. Thank you for confirming that it's you who made that ugly piece of
> ****. Now that it's confirmed, Firefox will either block it or patch your
> PUNY page, that way we all can breathe a sigh of relief. Nothing is private
> on the Internet, get off your high horse and start realizing the fact that
> every exploit you will code for Firefox, I will report it here and get
> it patched and I will NOT stop until you stop, so you're ON, polish guy.
> Your private project is going down, mr wannabe hacker. I will make sure you
> will never BRAG about your exploits anymore.

I never used this script, you have some kind of directory brute-force to scan pages, and that is as dishonorable for a bug reporter as scanning a server for open ports and connecting to them. No, you are unfair to others, it's only one loop in JavaScript, don't think that can even be called an exploit. Also, I started to contemplate selling some [b]real[/b] exploits to your Russian friends on milw0rm, Russian guy. You should be more polite to other users, especially in the Mozilla community.
Group: firefox-core-security
(In reply to :Gijs Kruitbosch from comment #9)
> 
> *** This bug has been marked as a duplicate of bug 685828 ***

When was it resolved and in which version of Firefox?
(In reply to Mark Five from comment #10)
> (In reply to Mark from comment #7)
> > Yes, I should and I did with Chrome. I only came here to report and get it
> > patched, which will happen soon, consider it done within the next few
> > releases. Thank you for confirming that it's you who made that ugly piece of
> > ****. Now that it's confirmed, Firefox will either block it or patch your
> > PUNY page, that way we all can breathe a sigh of relief. Nothing is private
> > on the Internet, get off your high horse and start realizing the fact that
> > every exploit you will code for Firefox, I will report it here and get
> > it patched and I will NOT stop until you stop, so you're ON, polish guy.
> > Your private project is going down, mr wannabe hacker. I will make sure you
> > will never BRAG about your exploits anymore.
> 
> I never used this script, you have some kind of directory brute-force to
> scan pages, and that is as dishonorable for a bug reporter as scanning a
> server for open ports and connecting to them. No, you are unfair to others,
> it's only one loop in JavaScript, don't think that can even be called an
> exploit. Also, I started to contemplate selling some [b]real[/b] exploits
> to your Russian friends on milw0rm, Russian guy. You should be more polite
> to other users, especially in the Mozilla community.

You can lie all you want, I reported this bug as soon as I visited that page and your website is public, Google lists it, I was looking for a crasher for Firefox and Google linked me, anyways, it appears patched, so you keep crying and whining all you want, it's done. You should be ashamed of the fact that you came across this bug and you didn't even bother to report it like I did. You're the dishonourable guy here, rather you brag about it and show it off to others. This will teach you a good lesson, not to brag about such dangerous exploits and immediately report, so it can be patched. You're not smart to contemplate anything, but rather whine and cry on a bug report two months later. That is pathetic of you.
Mods, please lock this report.
(In reply to Mark from comment #11)
> (In reply to :Gijs Kruitbosch from comment #9)
> > 
> > *** This bug has been marked as a duplicate of bug 685828 ***
> 
> When was it resolved and in which version of Firefox?

It has not been resolved as yet. This report is simply a duplicate of one filed earlier, and it was marked as such. Please don't re-mark this report as security-sensitive.

I'm going to restrict comments on this bug to avoid further namecalling.
Group: firefox-core-security
Restrict Comments: true