Closed Bug 2019098 Opened 2 months ago Closed 2 months ago

CSS light-dark() unbounded recursion causes content process stack overflow

Categories

(Core :: CSS Transitions and Animations, defect)

defect

Tracking


RESOLVED DUPLICATE of bug 1973126

People

(Reporter: nohsecbug, Unassigned)

Details

(Keywords: ai-involved, reporter-external, Whiteboard: [client-bounty-form])

Attachments

(1 file)

Attached file poc.html

Description

Deeply nested light-dark() CSS expressions crash the content process via stack overflow. No user interaction required — visiting a page with the malicious CSS is sufficient.

Steps to reproduce:

  1. Save attached poc.html to disk
  2. Open in Firefox: firefox --no-remote poc.html
  3. Tab crashes: "Gah. Your tab just crashed."

ASan output (mozilla-central, macOS 26.3, aarch64):

==66977==ERROR: AddressSanitizer: stack-overflow on address 0x00016b45b860
    #0 cssparser::parser::Delimiters::from_byte
    #1 cssparser::parser::Parser::parse_nested_block
    #2 style::values::generics::color::GenericLightDark::parse_with
    #3 style::values::specified::color::Color::parse_internal
    #4 cssparser::parser::Parser::parse_nested_block
    #5 style::values::generics::color::GenericLightDark::parse_with
    #6 style::values::specified::color::Color::parse_internal
    ... (cycle repeats 100+ times)
SUMMARY: AddressSanitizer: stack-overflow

Root cause: Color::parse_internal() in servo/components/style/values/specified/color.rs (line ~501) dispatches to GenericLightDark::parse_with() in servo/components/style/values/generics/color.rs (lines 287-293), which calls back into Color::parse_internal() via closure for each color argument. No depth limit exists. Input like light-dark(light-dark(..., blue), blue) recurses until stack exhaustion.

Same root cause as color-mix() recursion — both recurse through Color::parse_internal(). A single depth counter fix addresses both.

Suggested fix: Add a depth counter to Color::parse_internal() with a limit of 32.

Severity: sec-high — reliable zero-click content process crash. All Firefox versions with light-dark() support (120+), all platforms.

URL

(n/a — local HTML file)
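As an added illustration (not Servo's code and not part of the report), here is a minimal Rust parser that mirrors the mutual recursion the report describes (parse_color calls a light-dark() parser, which calls back into parse_color for each argument) and adds the depth counter the report proposes, so deep nesting returns an error instead of exhausting the stack. Only the light-dark() grammar and the limit of 32 come from the report; the type and function names are hypothetical, and the grammar is reduced to keywords and light-dark() calls.

```rust
const MAX_NESTING_DEPTH: usize = 32; // nesting limit proposed in the report

#[derive(Debug, PartialEq)]
pub enum Color { Keyword(String), LightDark(Box<Color>, Box<Color>) }

#[derive(Debug, PartialEq)]
pub enum ParseError { TooDeep, Unexpected(String) }

struct Parser<'a> { src: &'a str, pos: usize }

impl<'a> Parser<'a> {
    fn rest(&self) -> &'a str { let src = self.src; &src[self.pos..] }
    fn skip_ws(&mut self) { while self.rest().starts_with(' ') { self.pos += 1; } }
    fn unexpected(&self) -> ParseError { ParseError::Unexpected(self.rest().chars().take(8).collect()) }
    fn eat(&mut self, tok: &str) -> Result<(), ParseError> {
        self.skip_ws();
        if !self.rest().starts_with(tok) { return Err(self.unexpected()); }
        self.pos += tok.len();
        Ok(())
    }
    fn ident(&mut self) -> &'a str {
        self.skip_ws();
        let (src, start) = (self.src, self.pos);
        while self.rest().starts_with(|c: char| c.is_ascii_alphanumeric() || c == '-') { self.pos += 1; }
        &src[start..self.pos]
    }
    // Hypothetical stand-in for Color::parse_internal(): `depth` counts enclosing color functions.
    fn parse_color(&mut self, depth: usize) -> Result<Color, ParseError> {
        if depth > MAX_NESTING_DEPTH { return Err(ParseError::TooDeep); }
        let name = self.ident();
        if name.is_empty() { return Err(self.unexpected()); }
        if name != "light-dark" { return Ok(Color::Keyword(name.to_string())); }
        // Stand-in for GenericLightDark::parse_with(): each argument calls back into
        // parse_color, the cycle visible in the ASan trace; passing depth + 1 bounds it.
        self.eat("(")?;
        let light = self.parse_color(depth + 1)?;
        self.eat(",")?;
        let dark = self.parse_color(depth + 1)?;
        self.eat(")")?;
        Ok(Color::LightDark(Box::new(light), Box::new(dark)))
    }
}

pub fn parse_color(src: &str) -> Result<Color, ParseError> { Parser { src, pos: 0 }.parse_color(0) }

/// Constructed input: light-dark(light-dark(... blue, blue), blue) with `levels` nested calls.
pub fn nested_light_dark(levels: usize) -> String {
    (0..levels).fold("blue".to_string(), |s, _| format!("light-dark({}, blue)", s))
}
```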

Flags: sec-bounty?
Group: firefox-core-security
Component: Security → CSS Transitions and Animations
Keywords: ai-involved
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Duplicate of bug: css-nesting-limit
Resolution: --- → DUPLICATE

> Severity: sec-high — reliable zero-click content process crash.

Who told you that? A content process crash with no memory corruption is a minor annoyance -- the malicious page crashed itself and now you don't have to deal with it.

> All Firefox versions with light-dark() support (120+), all platforms.

I don't crash with the testcase on macos, so it's clearly not all platforms.

Flags: sec-bounty? → sec-bounty-
