Closed Bug 1773732 Opened 2 years ago Closed 2 years ago

Infinite loop within js::SetPrototype

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
103 Branch
Tracking Flags:
Tracking Status
firefox103 --- fixed

People

(Reporter: adonkidz7, Assigned: jandem)

References

(
URL
)

Details

(Keywords: csectype-dos, reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

UXSS via Prototype.html
2.63 KB, text/html
Details
firefox.jpg
450.51 KB, image/jpeg
Details
firefox 1.jpg
345.01 KB, image/jpeg
Details
Bug 1773732 - Set proto outparam in RemoteObjectProxyBase::getPrototypeIfOrdinary. r?peterv!
48 bytes, text/x-phabricator-request
Details | Review
  1. open the browser (chrome, firefox, ms edge)
  2. go to https://www.w3schools.com/html/tryit.asp?filename=tryhtml_basic
  3. create the code in w3schools, jsfiddle, or codepen io
  4. run the code in w3schools, jsfiddle, and codepen io in chrome, firefox, and ms edge
  5. after you run the code, firefox is having problems like DOS attack
Flags: sec-bounty?
Group: firefox-core-security → core-security
Component: Security → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

It looks like the attachment is copied from a Project Zero report against WebKit, except that the "Tested on Safari" part was changed to "Tested on Firefox 101.0.1 (64-bit)."

The link in comment 1 is a video showing the test case being used in a number of browsers, including Chrome, Edge and Firefox. The Firefox part starts around 58 seconds into the video.

when the code is run in firefox, the firefox browser can't run properly like in ms edge and chrome

Attached image firefox.jpg
Attached image firefox 1.jpg

both browsers run the same code on the same web, it can be seen that chrome browser contains more tabs than firefox.

I explored the existing code myself, and that's what happens in the firefox browser when the code is run

Hello, no update on this?

So far I was not able to prove or disprove any UXSS as this might be the case in other browsers.
The first alert message prints the location of the attacking page, and not the location of the attacked page.

Then the alert message creates a stacked event loops, in which the second onload is being executed.
Within the second onload call, the construct builtin is called, which spin iteratively in js::SetPrototype.

The browser appear stuck in this single function call. The tab can be closed, only the child process is unresponsive.

https://share.firefox.dev/3aRjtB5

Jan, are you the right person to investigate this issue?

Severity: -- → S2
Flags: needinfo?(jdemooij)
Priority: -- → P2
Summary: UXSS via PrototypeMap::createEmptyStructure → Infinite loop including js::SetPrototype
Summary: Infinite loop including js::SetPrototype → Infinite loop within js::SetPrototype

I mean, of the three browsers I used in the video.
Only firefox crashes and can't run properly.
That's why I made this report.

The problem is that RemoteObjectProxyBase::getPrototypeIfOrdinary returns isOrdinary = true but doesn't set the proto outparam to null, so we don't change it and always iloop. This should be the only call site and this isn't security sensitive.

Assignee: nobody → jdemooij
Group: javascript-core-security
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(jdemooij)

So this is just a firefox feature?
Which eats up to 100% cpu performance

This prevents us from ilooping in SetPrototype.

Component: JavaScript Engine → DOM: Core & HTML

Denial of Service bugs (simply crashing Firefox) are excluded from our Bug Bounty program

Flags: sec-bounty? → sec-bounty-
Keywords: csectype-dos

Hi, Thanks for updating

Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3f8e81810ce2 Set proto outparam in RemoteObjectProxyBase::getPrototypeIfOrdinary. r=peterv

https://hg.mozilla.org/mozilla-central/rev/3f8e81810ce2

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox103: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch

Hi, Are you sure it's fixed?

Unless you're building Firefox directly from source, the fix isn't available in a shipping build yet. The fix should be in Nightly builds due to start about an hour from now.

Once fixed, can I upload publicly?

(In reply to Syahri Ramadan from comment #24)

Once fixed, can I upload publicly?

This bug is already public, so feel free to discuss it however you want.

Ok, I'll upload it on YouTube later. Thank you

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: