Closed
Bug 1404571
Opened 7 years ago
Closed 6 years ago
Script can load heaps of memory
Categories
(Core :: DOM: Core & HTML, defect, P3)
RESOLVED
WORKSFORME
People
(Reporter: kylekuhn99, Unassigned)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170816210634

Steps to reproduce:
I visited a less-than-reliable web-page, and got a fake virus popup.

Actual results:
The malicious web page had a script on it that loaded heaps of memory. The script had managed to steal 8.8 gigabytes of memory before I closed it with Task Manager.

Expected results:
I would expect a page to have a reasonable limit to the amount of memory it can use before it is stopped from allocating more space.
Comment 1•7 years ago
I wrote a webpage that can successfully reproduce the bug. Such allocation also seems to be permitted on Firefox Stable.

<!DOCTYPE html>
<html>
<script>var foo = []; while(1) { foo.push("random ****"); }</script>
<body><p>Hello World!</p></body>
</html>
Comment 2•7 years ago
This should be on file somewhere--there are many ways a malicious page can DOS the browser by exhausting limits.
Blocks: eviltraps
Group: firefox-core-security
Comment 3•7 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Firefox: 58.0a1, Build ID: 20171003220138

I have managed to reproduce the heaps of memory using the script from comment 1 using latest Firefox (56.0) release and latest Nightly (58.0a1) build.
Status: UNCONFIRMED → NEW
status-firefox56: --- → affected
status-firefox57: --- → affected
status-firefox58: --- → affected
Component: Untriaged → DOM
Ever confirmed: true
Product: Firefox → Core
Updated•7 years ago
Priority: -- → P3
Comment 4•6 years ago
This works for me.
1) the slow script infobar pops up and lets you stop the offending script
2) eventually we killed the page script ourselves, "uncaught exception: out of memory"

Yes, it used gobs of memory while it was running, but given the script we handled the DoS about as well as expected.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Updated•5 years ago
Component: DOM → DOM: Core & HTML