Closed Bug 1460286 Opened 6 years ago Closed 4 years ago

large ServiceWorkerRegistrar contents can trigger too-large message crash on startup


(Core :: DOM: Service Workers, defect, P2)

61 Branch



Tracking Status
firefox-esr52 --- disabled
firefox-esr60 --- disabled
firefox60 --- wontfix
firefox61 --- affected
firefox62 --- affected


(Reporter: qab, Assigned: perry)


(Depends on 1 open bug, Blocks 2 open bugs)


(Keywords: csectype-dos, sec-moderate)


(2 files)

Attached file PoC.html
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce:

Using the PoC tool attached, I registered ~300 service workers each pointing to a single JS file (worker source) but with max_length scope initiated. 

1. Host qsw.js attached in comment 1 in the same origin as PoC html file.

2. Open PoC, wait for the tab title to be 400+

3. Close firefox (try exiting normally or force it to shut using task manager.

4. Attempt to open Firefox, crash occurs.

Actual results:

The script kept registering service workers and I noticed a lot of memory is being used by firefox. So I closed it, after opening firefox again I get a crash error after a few seconds.

I then thought maybe firefox is opening the same PoC file that has the script (from cache), so I attempted to open firefox in a private window. Same crash appears:

I also tried to open firefox in safe mode, still crashes. 

The only thing that worked was creating a new profile and using it.

Works on release build as well:

Expected results:

Limit the number of service workers that can be registered. Limit max size of scope string to URL max size instead.
Attached file qsw.js
This is the worker example that should be hosted with the original PoC.

Also would like to clarify, the last crash I said it was from a new profile. I ran the PoC steps again on the new profile and it crashed. You can always create a new profile and firefox will work, just not the profile where we spammed service worker registration.
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Service Workers
Product: Firefox → Core
Group: core-security → dom-core-security
Flags: needinfo?(bkelly)
Note sure this needs to be a secure bug.  Its hitting a MOZ_CRASH:

MOZ_CRASH(IPC message size is too large)

We don't chunk the service worker list on startup.  If you are using very large scope strings obviously we hit this internal message size limit.

This is a DoS/compat/stability issue, but not a security problem.

Somewhat related to:
Flags: needinfo?(bkelly)
Note, this problem will go away once our e10s refactor is complete.  We won't need to send the registration list across IPC at all.
Summary: Persistent Firefox crash on start up using Service Workers → large ServiceWorkerRegistrar contents can trigger too-large message crash on startup
Would this bug not fall into the "Persistent DoS attacks that prevent the user from starting Firefox or another application in the future" description from ?
Flags: needinfo?(bkelly)
Ah, you are correct.
Group: core-security
Flags: needinfo?(bkelly)
Keywords: sec-moderate
Group: core-security → dom-core-security
Priority: -- → P2
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Assignee: nobody → perry

I tried for a while, but I can't reproduce this. As stated in comment 2 and comment 3, we aren't sending large amounts of registration data over IPC anymore, which appears to be what was causing the crash (the crash reports themselves have expired).

Hi Abdulrahman, can you confirm that this has gone away?
Thank you!

Flags: needinfo?(qab)

ni? myself to verify one last time or close.

Flags: needinfo?(perry)

Unable to reproduce and likely no longer an issue as noted by comment 3, so closing this.

Closed: 4 years ago
Flags: needinfo?(perry)
Resolution: --- → WORKSFORME
Flags: needinfo?(qab)
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.