Open Bug 1548382 Opened 6 years ago Updated 1 year ago

MOZ_CRASH(IPC message size is too large) causing firefox.exe crash instantly when pasting large amount of input in text field

Categories

(Core :: DOM: Content Processes, defect, P2)

Desktop
All
defect

Tracking

()

People

(Reporter: zakebenjwal, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dos])

Attachments

(2 files, 3 obsolete files)

Vulnerability: buffer overflow

Firefox version: 66.0.3 (64 bit)

Description and Impact: So I was testing my web app for buffer overflow and from that I found this bug. In this vulnerability, if you inject a long letter or word into any website you are using in Firefox, or directly into the Firefox URL field, it causes Firefox to crash instantly. I have tried it with Chromium to verify whether this is a valid issue or not, and after testing the same thing on Chromium and other browsers it is clear that Firefox is vulnerable to this attack. So now, while typing this report, I tried to copy the Firefox version and paste it in here, and it crashed instantly. lol
An attacker can send a forged URL link just to crash Firefox in one second, so this is pretty critical for Firefox users if they use it for office work and for creating projects.

How to reproduce:

1. Copy the long letters from my PoC .txt file.

2. Paste it into any website search bar or any input field, and also into the blank Firefox URL bar.

3. That's it; you don't even have to hit Enter. Firefox will crash instantly or stop responding right away.

PoC: attaching a demo video (including Chromium crash verification) and the .txt buffer overflow file.

I can only upload one file, so I am uploading the demo PoC video here.

Attached file bufferoverflow.zip

This one is the .txt file inside the .zip file.

This is the demo PoC video. I had to compress it, so follow these steps for more details.

If you go to about:crashes in Firefox, can you copy some links to the most recent crashes generated using this PoC that the crash reporter has sent us, and paste them as a comment here? Thanks.

Flags: needinfo?(zakebenjwal)
Flags: needinfo?(zakebenjwal)

You can type this long message into any input field, even the Firefox search bar or the Options search menu, and it will crash instantly.

This is a safe crash ("MOZ_CRASH(IPC message size is too large)"), not a "buffer overflow".

Group: firefox-core-security
Component: Security → IPC
Product: Firefox → Core
Summary: Buffer overflow causing firefox.exe crash instantly → MOZ_CRASH(IPC message size is too large) causing firefox.exe crash instantly when pasting large amount of input in text field

Simplified STR: navigate to data:text/html,<textarea>, run something like perl -e 'print "A"x(128*1048576)' | pbcopy for Mac or … | xclip -i on X11, paste into the text area.

That crashes serializing the reply to PContent::GetClipboard, which is using the nsString variant of IPCDataTransferData but in theory could be changed to use the Shmem variant for long strings (or just refuse to paste them). The message size limit is 256MiB, which is 128M code units of UTF-16.

Additionally, with a 64MiB string, pasting succeeds but selecting the text with Select All crashes trying to send PBrowser::NotifyIMESelection (bp-207b9cf2-2cf3-4797-8920-00fb50190502); that may need to be broken out into a separate bug.

Status: UNCONFIRMED → NEW
Type: task → defect
Component: IPC → DOM: Content Processes
Ever confirmed: true
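To make the numbers in comment #7 concrete, here is a small model of the size check that fires here, added as an example; it is not Firefox code. The 256 MiB message limit and the fact that the clipboard reply carries the text as an nsString (UTF-16, so 128 Mi code units) come from the comment. The header size, the function names and the "shmem"/"refuse" policies are assumptions standing in for the two alternatives the comment mentions. It also generalizes past the all-'A' STR: code points above U+FFFF take two UTF-16 code units, so 64 Mi such characters hit the same limit with half the character count.

```python
"""Model of the IPC message-size check behind MOZ_CRASH("IPC message size is too large").

Added example, not Firefox code. Facts taken from comment #7: the IPC message
size limit is 256 MiB and the PContent::GetClipboard reply carries the text as
an nsString (UTF-16). Assumed for illustration: HEADER_BYTES, all names here,
and the "shmem" / "refuse" policies that model the two fixes the comment suggests.
"""
import re

IPC_MAX_MESSAGE_BYTES = 256 * 1024 * 1024   # limit quoted in comment #7
UTF16_UNIT_BYTES = 2                        # nsString stores UTF-16 code units
HEADER_BYTES = 32                           # assumed fixed per-message overhead

# Code points above U+FFFF are encoded as a surrogate pair: two code units each.
_ASTRAL = re.compile("[\U00010000-\U0010FFFF]")


class IpcMessageTooLarge(Exception):
    """Stands in for the MOZ_CRASH: a deliberate abort, not memory corruption."""


def utf16_code_units(text: str) -> int:
    """UTF-16 length of a Python str, computed without building the 2x-size encoding."""
    return len(text) + sum(1 for _ in _ASTRAL.finditer(text))


def inline_message_bytes(code_units: int) -> int:
    """Size of the reply if the string travels inline as an nsString."""
    return HEADER_BYTES + code_units * UTF16_UNIT_BYTES


def max_inline_code_units() -> int:
    """Largest string that still fits inline: the exact cliff the paste falls off."""
    return (IPC_MAX_MESSAGE_BYTES - HEADER_BYTES) // UTF16_UNIT_BYTES


def plan_clipboard_reply(code_units: int, policy: str = "crash") -> tuple:
    """Decide how the parent answers GetClipboard for a string of `code_units` units.

    policy "crash":  current behaviour; oversize raises IpcMessageTooLarge.
    policy "shmem":  first alternative in comment #7; oversize goes via shared memory.
    policy "refuse": second alternative in comment #7; oversize paste is refused.
    Returns (transport, bytes_sent).
    """
    size = inline_message_bytes(code_units)
    if size <= IPC_MAX_MESSAGE_BYTES:
        return ("inline", size)
    if policy == "shmem":
        return ("shmem", code_units * UTF16_UNIT_BYTES)
    if policy == "refuse":
        return ("refused", 0)
    raise IpcMessageTooLarge(
        f"IPC message size is too large: {size} > {IPC_MAX_MESSAGE_BYTES}")


def plan_for_text(text: str, policy: str = "crash") -> tuple:
    """Same decision, starting from the pasted text itself."""
    return plan_clipboard_reply(utf16_code_units(text), policy)


if __name__ == "__main__":
    mib = 1024 * 1024
    # 64 Mi 'A' (the Select All case in comment #7) still fits inline.
    print("64 Mi 'A':", plan_clipboard_reply(64 * mib))
    # 128 Mi 'A' (the perl STR) is 256 MiB of payload before the header is added.
    for policy in ("shmem", "refuse", "crash"):
        try:
            print(f"128 Mi 'A' [{policy}]:", plan_clipboard_reply(128 * mib, policy))
        except IpcMessageTooLarge as exc:
            print(f"128 Mi 'A' [{policy}]: MOZ_CRASH ->", exc)
    # Half as many non-BMP characters reach the same limit.
    print("code units in 4 x U+1F600:", utf16_code_units("\U0001F600" * 4))
    print("inline cliff (code units):", max_inline_code_units())
```

The "crash" path is the point Gijs and dveditz make later in the thread: the check is an explicit bounds test followed by an intentional abort, so nothing is written past a buffer. The "shmem" and "refuse" paths are the two ways comment #7 suggests turning that abort into a survivable outcome.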

Okay, so what now... am I getting a bounty or not? :-)

Sir, when you put that text in, that's when it crashes. I have tried the same thing with Chromium and Microsoft Edge and they don't crash; when you put that text in an input field you get an error, it doesn't crash, and you can also use other tabs for browsing, which doesn't happen in Firefox's case.
A safe crash doesn't make the browser unusable until restart.

(In reply to Jed Davis [:jld] ⟨⏰|UTC-6⟩ ⟦he/him⟧ from comment #7)

> Simplified STR: navigate to data:text/html,<textarea>, run something like perl -e 'print "A"x(128*1048576)' | pbcopy for Mac or … | xclip -i on X11, paste into the text area.
>
> That crashes serializing the reply to PContent::GetClipboard, which is using the nsString variant of IPCDataTransferData but in theory could be changed to use the Shmem variant for long strings (or just refuse to paste them). The message size limit is 256MiB, which is 128M code units of UTF-16.
>
> Additionally, with a 64MiB string, pasting succeeds but selecting the text with Select All crashes trying to send PBrowser::NotifyIMESelection (bp-207b9cf2-2cf3-4797-8920-00fb50190502); that may need to be broken out into a separate bug.

Any update on this, sir?

Priority: -- → P2

(In reply to :Gijs (he/him) from comment #6)

> This is a safe crash ("MOZ_CRASH(IPC message size is too large)"), not a "buffer overflow".

This issue still exists on the latest Firefox version, 66.0.4.

OS: Unspecified → Windows 10
Hardware: Unspecified → Desktop
OS: Windows 10 → All

(In reply to karann salunke from comment #8)

> Okay, so what now... am I getting a bounty or not? :-)

It does not appear that you've submitted this for bounty consideration. Did you manually enter the whiteboard data yourself, copying other bugs? Yes, those things are added by our submission form, but those are for statistics purposes and aren't actually part of the notification to the bounty committee. Please follow the instructions at https://www.mozilla.org/en-US/security/client-bug-bounty/ (since the bug is already submitted you can't use the form, so you'll have to use the mail option).

Given the current state of the bug this appears to be a "Denial of Service" vulnerability so it's unlikely to be eligible for a bounty. See our FAQ: https://www.mozilla.org/en-US/security/bug-bounty/faq/#eligible-bugs

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [sg:dos]

(In reply to Daniel Veditz [:dveditz] from comment #12)

> (In reply to karann salunke from comment #8)
>
> > Okay, so what now... am I getting a bounty or not? :-)
>
> It does not appear that you've submitted this for bounty consideration. Did you manually enter the whiteboard data yourself, copying other bugs? Yes, those things are added by our submission form, but those are for statistics purposes and aren't actually part of the notification to the bounty committee. Please follow the instructions at https://www.mozilla.org/en-US/security/client-bug-bounty/ (since the bug is already submitted you can't use the form, so you'll have to use the mail option).
>
> Given the current state of the bug this appears to be a "Denial of Service" vulnerability so it's unlikely to be eligible for a bounty. See our FAQ: https://www.mozilla.org/en-US/security/bug-bounty/faq/#eligible-bugs

But this is not a case of a DoS attack, sir... it's a buffer overflow. I have submitted many reports like this on Bugcrowd and got bounties from websites which I tried with similar attacks.

It's not a buffer overrun, it's an assertion failure; we're intentionally and safely terminating the program. Here's the code.

Okay, thank you for your time.

Flags: sec-bounty?

Minusing for bounty as this is not a severe issue and does not qualify.

Flags: sec-bounty? → sec-bounty-

(In reply to karann salunke from comment #19)

> Created attachment 9262055 [details]
> 1 (1).svg
>
> THIS IS STORED XSS TEST

Please do not use bugzilla.m.o for testing, use https://bugzilla.allizom.org instead. You can login with a github login.

Attachment #9262052 - Attachment is obsolete: true
Attachment #9262055 - Attachment is obsolete: true
Attachment #9262054 - Attachment is obsolete: true
Severity: normal → S3
