1404571 - Script can load heaps of memory

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect, P3)

Description

[kylekuhn99]

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170816210634

Steps to reproduce:

I visited a less-than-reliable web-page, and got a fake virus popup.


Actual results:

The malicious web page had a script on it that loaded heaps of memory. The script had managed to steal 8.8 gigabytes of memory before I closed it with Task Manager.


Expected results:

I would expect a page to have a reasonable limit to the amount of memory it can use before it is stopped from allocating more space.

Comment 1

[kylekuhn99]

I wrote a webpage that can successfully reproduce the bug. Such allocation also seems to be permitted on Firefox Stable.



<!DOCTYPE html>
<html>
<script>var foo = []; while(1) { foo.push("random ****"); }</script>
<body><p>Hello World!</p></body>
</html>

Comment 2

[Daniel Veditz [:dveditz]]

This should be on file somewhere--there are many ways a malicious page can DOS the browser by exhausting limits.

Comment 3

[Cosmin Muntean [:cmuntean], Ecosystem QA]

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Firefox: 58.0a1, Build ID: 20171003220138

I have managed to reproduce the heaps of memory using the script from comment 1 using latest Firefox (56.0) release and latest Nightly (58.0a1) build.

Comment 4

[Daniel Veditz [:dveditz]]

This works for me.
 1) the slow script infobar pops up and lets you stop the offending script
 2) eventually we killed the page script ourselves, "uncaught exception: out of memory"

Yes, it used gobs of memory while it was running, but given the script we handled the DoS about as well as expected.