Closed Bug 1264117 Opened 9 years ago Closed 4 years ago

Long IFrame "src" attributes cause crash

Categories

(Core :: Networking: HTTP, defect, P2)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
87 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox86 --- wontfix
firefox87 --- fixed

People

(Reporter: bugzilla, Assigned: valentin)

Details

(4 keywords, Whiteboard: [necko-triaged])

Attachments

(3 files)

PoC.html
229 bytes, text/html
Details
subset of the hang backtrace
8.28 KB, text/plain
Details
Bug 1264117 - Limit length of hostnames to 253 characters r=nhnt11
48 bytes, text/x-phabricator-request
Details | Review
Attached file PoC.html
When creating an iframe with a long "src" attribute, a browser-wide crash can be invoked. A PoC is attached. It's pretty straightforward. This causes the browser to freeze, then crash in my testing. This was discovered whilst resolving an issue with the Electronic Frontier Foundation. If I'm not mistaken, Mozilla does not regard DoS bugs as security issues, so I've set this as public.
Can you provide a crashreport ID from about:crashes ?
Component: General → Untriaged
Flags: needinfo?(dylanishappy1)
(In reply to :Gijs Kruitbosch from comment #1) > Can you provide a crashreport ID from about:crashes ? Apologies, it would appear that this does not actually crash the browser, but freezes it, rendering it unusable.
Flags: needinfo?(dylanishappy1)
WFM in Fx45.0.1 & 48.0a1 (2016-04-09) on Win10.
Severity: normal → critical
Keywords: csectype-dos, testcase
Version: 4.0 Branch → unspecified
I'm able to reproduce the hard hang. (FF45 WIn 7)
Component: Untriaged → DOM: Core & HTML
Keywords: crash, hang
Product: Firefox → Core

This still happens. The entire browser freezes, even with Fission. Do we have limits on IPC?

Component: DOM: Core & HTML → DOM: Navigation
Flags: needinfo?(nika)

(In reply to Anne (:annevk) from comment #5)

This still happens. The entire browser freezes, even with Fission. Do we have limits on IPC?

We do have size limits on IPC, but this URL isn't long enough to exceed them. I'm guessing the slowness here is caused by the large number of . characters which leads to a large number of subdomains being handled by our network layer. I ran the test under gdb, and randomly paused execution after a few seconds, and it appears we're spending a ton of time in TRRService::IsExcludedFromTRR_unlocked here: https://searchfox.org/mozilla-central/rev/0379f315c75a2875d716b4f5e1a18bf27188f1e6/netwerk/dns/TRRService.cpp#793-828. It appears as though this code does 3 hashtable lookups for each . character in the string, which understandably can become quite slow, especially as we're hashing subsets of the same very long string over and over again.

Given that the hang appears to be happening in necko code, I'll redirect this to the networking component.

Component: DOM: Navigation → Networking: HTTP
Flags: needinfo?(nika)

Nika, amazing, thank you! Hopefully Valentin can take it from there.

Flags: needinfo?(valentin.gosu)

I think it's time to start enforcing the 253 character limit on hostnames. Not totally sure why we don't do that already.

Assignee: nobody → valentin.gosu
Severity: critical → S2
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(valentin.gosu)
Priority: -- → P2
Whiteboard: [necko-triaged]

(In reply to Valentin Gosu [:valentin] (he/him) from comment #9)

I think it's time to start enforcing the 253 character limit on hostnames. Not totally sure why we don't do that already.

With this, the method in question will do a maximum of 254*3 hashtable lookups by my quick calculation. I think that effectively prevents a DoS.

I believe a name with consecutive dots (i.e. 0-length labels) is illegal. It looks like it would be pretty trivial to also add a check after we get the next dot's position to check if the char after that is also a dot, and if so, return false early. WDYT?

(In reply to Nihanth Subramanya [:nhnt11] from comment #11)

I believe a name with consecutive dots (i.e. 0-length labels) is illegal. It looks like it would be pretty trivial to also add a check after we get the next dot's position to check if the char after that is also a dot, and if so, return false early. WDYT?

Hmm, but I suppose it's weird to have the TRR service worry about valid/invalid domains, and the way the net_IsValidHostName is implemented right now this doesn't look trivial to add it there.

Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/fd00d1b7fd67 Limit length of hostnames to 253 characters r=nhnt11,necko-reviewers,dragana
Flags: needinfo?(valentin.gosu)
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/0b48f6f8e965 Limit length of hostnames to 253 characters r=nhnt11,necko-reviewers,dragana
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/7fc4b1a0a5d0 Limit length of hostnames to 253 characters r=nhnt11,necko-reviewers,dragana
Flags: needinfo?(valentin.gosu)

https://hg.mozilla.org/mozilla-central/rev/7fc4b1a0a5d0

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox87: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
status-firefox86: --- → wontfix
status-firefox-esr78: --- → wontfix
Flags: in-testsuite+

Can you confirm if this is fixed for you Anne?

Flags: needinfo?(annevk)

I can. The testcase from comment 0 no longer hangs. \o/

Status: RESOLVED → VERIFIED
Flags: needinfo?(annevk)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: