overlong data in localstore.rdf causes DoS on startup (persistent)

VERIFIED FIXED

Status


defect
VERIFIED FIXED
14 years ago
12 years ago

People

(Reporter: moz_bug_r_a4, Assigned: dveditz)

Tracking

({fixed1.8.1, verified1.7.13, verified1.8.0.2})

Trunk
x86
Windows XP
Bug Flags:
blocking1.7.13 +
blocking-aviary1.0.8 +
blocking1.8.0.1 -
blocking1.8.0.2 +
in-testsuite ?


Details

(Whiteboard: [sg:dos][rft-dl])

Attachments

(2 attachments)

Reporter

Description

14 years ago
This is similar to Bug 319004.

Steps to Reproduce:
1. Load testcase, and click "Click me!" button.
2. Restart the browser.

The browser will become unresponsive for a few minutes on every startup.

I'm not sure if this needs to be marked as security-sensitive bug, or not.
Reporter

Comment 1

14 years ago
Posted file testcase
Assignee

Updated

14 years ago
Depends on: CVE-2008-5505
Assignee

Comment 2

14 years ago
Seems to spend its time in little2_scanAtts (xmltok_impl.c), at least that's where it always seems to be when I break in the debugger. No profiler ATM so can't get much more specific. Looks like it reparses the whole millions-of-chars line after every 4K chunk is appended and found to still be incomplete.

The safe, quick fix is probably to put a limit on the size of persisted attributes (bug 295994 was going to put some limits by virtue of switching back-ends).

We probably have to do something about the XML parser as well, it'd be very easy for someone to serve up an XML doc with really long attribute values of repeated characters. If served compressed these would download quickly and hang the user for an arbitrary amount of time.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8.0.1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Summary: overlong data in localstore.rdf causes DoS on startup → overlong data in localstore.rdf causes DoS on startup (persistent)
Whiteboard: [sg:dos]
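To make the n^2 behaviour described in comment 2 concrete, here is an added model (not Mozilla or expat code) of an incremental tokenizer receiving an attribute value in 4K chunks. The naive scanner restarts from the beginning of the value after every chunk, so total work grows quadratically with the value length; a scanner that remembers where it stopped does linear work. The chunk size, the helper names and the sample document are assumptions chosen for the illustration.

```cpp
// Added example, not from the bug's patch: models the rescanning behaviour
// described in comment 2. An attribute value arrives in kChunk-byte pieces and
// after each piece the tokenizer looks for the closing quote.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>

constexpr std::size_t kChunk = 4096;  // assumed: bytes appended per network read

struct ScanStats {
    std::size_t charsScanned = 0;  // total characters examined across all passes
    std::size_t passes = 0;        // number of times the scanner was re-entered
};

// Constructed input: n repeated characters followed by the closing quote.
std::string makeAttributeValue(std::size_t n) {
    std::string doc(n, 'A');
    doc.push_back('"');
    return doc;
}

// Naive incremental scan: every time more data is available, restart from the
// beginning of the attribute value. Work is O(n^2 / kChunk).
ScanStats scanNaive(const std::string& doc) {
    ScanStats s;
    std::size_t avail = 0;
    while (true) {
        avail = std::min(avail + kChunk, doc.size());
        ++s.passes;
        bool found = false;
        for (std::size_t i = 0; i < avail; ++i) {
            ++s.charsScanned;
            if (doc[i] == '"') { found = true; break; }
        }
        if (found || avail == doc.size()) break;
    }
    return s;
}

// Resumable scan: keep the position reached last time and continue from it.
// Work is O(n).
ScanStats scanResumable(const std::string& doc) {
    ScanStats s;
    std::size_t avail = 0, pos = 0;
    while (true) {
        avail = std::min(avail + kChunk, doc.size());
        ++s.passes;
        bool found = false;
        for (; pos < avail; ++pos) {
            ++s.charsScanned;
            if (doc[pos] == '"') { found = true; break; }
        }
        if (found || avail == doc.size()) break;
    }
    return s;
}

int main() {
    // A one-megabyte attribute value, in the spirit of the "millions-of-chars line".
    const std::string doc = makeAttributeValue(1u << 20);
    const ScanStats naive = scanNaive(doc);
    const ScanStats resumable = scanResumable(doc);
    std::cout << "naive:     " << naive.passes << " passes, "
              << naive.charsScanned << " chars scanned\n";
    std::cout << "resumable: " << resumable.passes << " passes, "
              << resumable.charsScanned << " chars scanned\n";
    return 0;
}
```

With eight full chunks plus the quote (32769 bytes) the naive scanner examines 180225 characters against 32769 for the resumable one; at a megabyte the gap is more than a hundredfold, which is why a compressed document with long repeated attribute values can hang the parser for an arbitrary time while downloading quickly.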
Assignee

Updated

14 years ago
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1-
Flags: blocking1.8.0.1+
Assignee

Comment 4

14 years ago
This solves the persistent part of the DoS by clamping attribute values at 4k (picked over 2k because it matches the length that will be imposed when the storage back-end is reimplemented in bug 295994). Does not touch the n^2 issue in the xml tokenizer.
Attachment #210884 - Flags: superreview?(benjamin)
Attachment #210884 - Flags: review?(mrbkap)
Attachment #210884 - Flags: branch-1.8.1?(benjamin)
Attachment #210884 - Flags: approval1.8.0.2?
Attachment #210884 - Flags: approval1.7.13?
Attachment #210884 - Flags: approval-aviary1.0.8?
File a followup bug on the XML parser issue and cc peterv on it?
Comment on attachment 210884 [details] [diff] [review]
clamp attribute length to 4k

I think that this patch might clamp in the middle of a non-BMP character, but other than that, it looks fine (and I'm not sure that this is even a problem).
Attachment #210884 - Flags: review?(mrbkap) → review+
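The clamp in comment 4 and the reviewer's concern about cutting inside a non-BMP character are illustrated by the following added example (not attachment 210884 itself). It truncates a UTF-16 attribute value to 4096 code units, the limit chosen in comment 4, and backs off by one unit when the cut would fall between a high and a low surrogate. The function and helper names, and the constructed sample value, are assumptions for the illustration.

```cpp
// Added example, not Mozilla's patch: clamp a persisted attribute value to a
// maximum number of UTF-16 code units without splitting a surrogate pair.
#include <cstddef>
#include <string>

constexpr std::size_t kMaxPersistedLength = 4096;  // limit picked in comment 4

inline bool isHighSurrogate(char16_t c) { return c >= 0xD800 && c <= 0xDBFF; }
inline bool isLowSurrogate(char16_t c)  { return c >= 0xDC00 && c <= 0xDFFF; }

// Plain truncation: may leave a lone high surrogate at the end of the value.
std::u16string clampNaive(const std::u16string& value,
                          std::size_t maxUnits = kMaxPersistedLength) {
    return value.size() <= maxUnits ? value : value.substr(0, maxUnits);
}

// Surrogate-aware truncation: if unit [maxUnits-1] is a high surrogate and
// unit [maxUnits] is its low half, cut before the pair instead of inside it.
std::u16string clampAttributeValue(const std::u16string& value,
                                   std::size_t maxUnits = kMaxPersistedLength) {
    if (value.size() <= maxUnits) return value;
    std::size_t cut = maxUnits;
    if (cut > 0 && isHighSurrogate(value[cut - 1]) && isLowSurrogate(value[cut])) {
        --cut;
    }
    return value.substr(0, cut);
}

// Validation helper: true if every surrogate in s belongs to a well-formed pair.
bool hasNoLoneSurrogates(const std::u16string& s) {
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (isHighSurrogate(s[i])) {
            if (i + 1 >= s.size() || !isLowSurrogate(s[i + 1])) return false;
            ++i;  // skip the low half
        } else if (isLowSurrogate(s[i])) {
            return false;
        }
    }
    return true;
}

// Constructed sample: 4095 BMP characters followed by U+1F600, encoded as the
// surrogate pair D83D DE00, so a cut at exactly 4096 units lands inside the pair.
std::u16string makeSample() {
    std::u16string v(kMaxPersistedLength - 1, u'a');
    v.push_back(char16_t(0xD83D));
    v.push_back(char16_t(0xDE00));
    return v;
}
```

On the constructed sample the naive clamp keeps 4096 units and ends in a lone 0xD83D, while clampAttributeValue keeps 4095 units and remains well-formed UTF-16. Either way the persistent part of the DoS is fixed, since the stored value can no longer grow without bound.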

Updated

14 years ago
Attachment #210884 - Flags: superreview?(benjamin)
Attachment #210884 - Flags: superreview+
Attachment #210884 - Flags: branch-1.8.1?(benjamin)
Attachment #210884 - Flags: branch-1.8.1+

Comment 7

14 years ago
Comment on attachment 210884 [details] [diff] [review]
clamp attribute length to 4k

a=timr for drivers
Attachment #210884 - Flags: approval1.7.13?
Attachment #210884 - Flags: approval1.7.13+
Attachment #210884 - Flags: approval-aviary1.0.8?
Attachment #210884 - Flags: approval-aviary1.0.8+
Assignee

Comment 8

14 years ago
Fixed on trunk and 1.7, aviary101, and 1.8 branches.

Filed bug 326206 on the parser issue.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Assignee

Updated

14 years ago
Keywords: fixed1.8, fixed1.8.1
Assignee

Updated

14 years ago
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Status: RESOLVED → VERIFIED
verified with:
Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214
Firefox/1.0.8
Assignee

Comment 10

14 years ago
Comment on attachment 210884 [details] [diff] [review]
clamp attribute length to 4k

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #210884 - Flags: approval1.8.0.2? → approval1.8.0.2+

Updated

13 years ago
Flags: testcase+
Assignee

Updated

13 years ago
Keywords: fixed1.8.0.2
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates) since in-testsuite+ indicates a test case exists in the js test library.
Whiteboard: [sg:dos] → [sg:dos][rft-dl]

Comment 12

13 years ago
v 1.8.0.2/winxp/20060308
Assignee

Updated

13 years ago
Group: security

Updated

12 years ago
Flags: in-testsuite+ → in-testsuite?