Bug 382681 - Unsafe DOM mutation events in scrollable frame
Status: RESOLVED FIXED
Whiteboard: [sg:dos] keep private until 355548 is...
Keywords: fixed1.8.1.5, testcase, verified1.8.0.13
Product: Core
Classification: Components
Component: DOM: Events
Version: Trunk
Platform: x86 All
Importance: -- critical
Target Milestone: ---
Assigned To: Olli Pettay [:smaug] (review queue closed until backlog cleared)
: Andrew Overholt [:overholt]
Blocks: 382568 382700 382754
Reported: 2007-05-31 14:11 PDT by Vlad Sukhoy
Modified: 2012-12-03 22:02 PST (History)
CC: 11 users
dveditz: blocking1.8.1.5+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.13+
dveditz: wanted1.8.0.x+
dveditz: in-testsuite?
Attachments
test case for mutation events in scrollable frame (1.83 KB, application/xhtml+xml)
2007-05-31 14:11 PDT, Vlad Sukhoy
a (better) testcase for mutation events in scrollable frame (1.93 KB, application/xhtml+xml)
2007-06-07 14:09 PDT, Vlad Sukhoy
proposed patch (5.44 KB, patch)
2007-06-11 00:53 PDT, Olli Pettay [:smaug] (review queue closed until backlog cleared)
jonas: review+
jonas: superreview+
dveditz: approval1.8.1.5+
dveditz: approval1.8.0.13+

Description Vlad Sukhoy 2007-05-31 14:11:23 PDT
Created attachment 266803
test case for mutation events in scrollable frame

Using DOM mutation events it is possible to trash the UI so that the browser is unresponsive. See related bug 382568 and bug 355548 for more related test cases.
Comment 1 Martijn Wargers [:mwargers] 2007-05-31 14:40:29 PDT
I get 100% cpu on trunk also. You mean that shouldn't happen?
Comment 2 Vlad Sukhoy 2007-05-31 14:42:21 PDT
If the UI is still responsive, then it is not so bad. On branches the UI stops working, and that is equivalent to "denial of service".
Comment 3 Vlad Sukhoy 2007-05-31 14:44:21 PDT
Oh, indeed, the UI gets unresponsive on trunk too.
Comment 4 Olli Pettay [:smaug] 2007-05-31 14:47:17 PDT
On linux (trunk/1.8) I get endless loop of JS's "too much recursion"s
(which as such isn't Security-Sensitive, IMO). 
bug 382568 and bug 355548 are crashers.
Comment 5 Vlad Sukhoy 2007-05-31 14:50:31 PDT
IMO, it is security sensitive because it suggests a pattern to exploit things in a way similar to those.
Should we file a metabug or whatever to keep these guys together?
Comment 6 Vlad Sukhoy 2007-06-07 14:09:55 PDT
Created attachment 267625
a (better) testcase for mutation events in scrollable frame

Ok, this testcase does crash 1.8 and 1.8.0 on MacOS for me; it was just a matter of skipping a couple of legitimate mutation events and doing nasty stuff on the vulnerable one.
Comment 7 Vlad Sukhoy 2007-06-07 14:12:52 PDT
Crashes on Linux too. Severity elevated, title adjusted...
Comment 8 Olli Pettay [:smaug] 2007-06-11 00:53:52 PDT
Created attachment 267939
proposed patch

Just don't propagate any mutation events from native anonymous content.
IsAnonymousForEvents() is needed because XUL has its own implementation
for IsNativeAnonymous().
This fixes also Bug 382568.
Comment 9 Olli Pettay [:smaug] 2007-06-11 01:09:51 PDT
Attachment 267939 also fixes bug 382700.
Note, I didn't change nsGenericDOMDataNode::HandleDOMEvent to
check nativeness, because it doesn't implement SetNativeAnonymous
properly and native anon text nodes are AFAIK always inside native
anonymous elements.
(This all of course works properly on trunk.)
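The rule described in comments 8 and 9 (do not propagate mutation events whose target is native anonymous content, and treat nodes inside such content as anonymous too) can be modelled outside the browser. The block below is an added illustration for this thread, not Gecko code and not the attached patch: it is a toy DOM with a `nativeAnonymous` flag, a bubbling dispatcher, and a stand-in for the IsAnonymousForEvents() helper the patch introduces; the node names, the scrollbar/thumb tree and the `simulate()` scenario are all constructed for the example.

```javascript
// Added illustration for bug 382681, not code from Gecko or from the patch:
// a toy model of DOM mutation-event propagation with and without the rule
// "do not propagate mutation events that originate in native anonymous
// content". isAnonymousForEvents() is a stand-in for the Gecko helper named
// in comment 8, not its real implementation.

class ToyNode {
  constructor(name, nativeAnonymous = false) {
    this.name = name;
    // Native anonymous content: nodes layout creates for itself (for example
    // the parts of a scrollbar) that page script is never meant to reach.
    this.nativeAnonymous = nativeAnonymous;
    this.parent = null;
    this.children = [];
    this.listeners = new Map(); // event type -> array of handlers
  }
  appendChild(child) {
    child.parent = this;
    this.children.push(child);
    return child;
  }
  addEventListener(type, handler) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push(handler);
  }
}

// Stand-in for IsAnonymousForEvents(): true if the node or any ancestor is
// native anonymous, so that a thumb or text node inside an anonymous
// scrollbar is covered even if the node itself is not flagged (cf. comment 9).
function isAnonymousForEvents(node) {
  for (let n = node; n !== null; n = n.parent) {
    if (n.nativeAnonymous) return true;
  }
  return false;
}

// Dispatch a mutation event from `target` up through its ancestors (mutation
// events bubble). `suppressAnonymous` switches the patched behaviour on.
// Returns the names of the nodes whose handlers ran, in order.
function dispatchMutationEvent(target, type, suppressAnonymous) {
  const reached = [];
  if (suppressAnonymous && isAnonymousForEvents(target)) return reached;
  for (let n = target; n !== null; n = n.parent) {
    for (const handler of n.listeners.get(type) || []) {
      reached.push(n.name);
      handler({ type, target });
    }
  }
  return reached;
}

// Constructed tree: #document > div.scrollable > { page content, anonymous scrollbar }
function buildTree() {
  const doc = new ToyNode("#document");
  const div = doc.appendChild(new ToyNode("div.scrollable"));
  const scrollbar = div.appendChild(new ToyNode("scrollbar", true));
  return { doc, div, scrollbar };
}

// Scenario: page script registers a DOMNodeInserted listener on the document.
// First the page inserts a <p> (a legitimate mutation that must be reported);
// then layout inserts a scrollbar thumb, which is native anonymous. Before the
// fix the page listener also fires for the thumb; after the fix it does not.
function simulate(suppressAnonymous) {
  const { doc, div, scrollbar } = buildTree();
  const seen = [];
  doc.addEventListener("DOMNodeInserted", (e) => seen.push(e.target.name));

  const p = div.appendChild(new ToyNode("p"));
  dispatchMutationEvent(p, "DOMNodeInserted", suppressAnonymous);

  // Flag left false on purpose: the thumb is covered by its anonymous parent.
  const thumb = scrollbar.appendChild(new ToyNode("thumb", false));
  dispatchMutationEvent(thumb, "DOMNodeInserted", suppressAnonymous);

  return seen;
}

console.log("unpatched:", simulate(false), "patched:", simulate(true));
```

The point of the model is the placement of the check: it sits in the dispatcher, before any listener runs, so page script never gets a handler invocation whose target is inside layout-owned content, which is what the attached testcase relies on.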
Comment 10 Daniel Veditz [:dveditz] 2007-06-22 10:58:26 PDT
Comment on attachment 267939
proposed patch

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Comment 11 Olli Pettay [:smaug] 2007-06-25 00:42:07 PDT
Checked in to branches
Comment 12 juan becerra [:juanb] 2007-08-23 10:15:13 PDT
Verified on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.13pre) Gecko/20070810 Firefox/1.5.0.13pre

Fx15012 crashed but Fx15013pre did not.