Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Unsafe DOM mutation events in scrollable frame

RESOLVED FIXED

Status

()

Product:
Core
Component:
DOM: Events
--
critical
RESOLVED FIXED
Reported:
10 years ago
Modified:
5 years ago

People

(Reporter: Vlad Sukhoy, Assigned: smaug)

Tracking

({fixed1.8.1.5, testcase, verified1.8.0.13})

Version:
Trunk
x86
All
Keywords:
fixed1.8.1.5, testcase, verified1.8.0.13
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.8.1.5 +
wanted1.8.1.x +
blocking1.8.0.13 +
wanted1.8.0.x +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos] keep private until 355548 is fixed on branches)

Attachments

(2 attachments, 1 obsolete attachment)

a (better) testcase for mutation events in scrollable frame
1.93 KB, application/xhtml+xml
Details
proposed patch
5.44 KB, patch
sicking
: review+
sicking
: superreview+
dveditz
: approval1.8.1.5+
dveditz
: approval1.8.0.13+
Details | Diff | Splinter Review
(Reporter)

Description

10 years ago 
Created attachment 266803 [details]
test case for mutation events in scrollable frame

Using DOM mutation events it is possible to trash the UI so that the browser is unresponsive. See related bug 382568 and bug 355548 for more related test cases.

Comment 1

10 years ago 
I get 100% cpu on trunk also. You mean that shouldn't happen?
(Reporter)

Comment 2

10 years ago 
if the UI is still responsive, then it is not so bad. On branches the UI stop working, and that is equivalent to "denial of service".
(Reporter)

Comment 3

10 years ago 
Oh, indeed, the UI gets unresponsive on trunk too.
Version: 1.8 Branch → Trunk
(Assignee)

Comment 4

10 years ago 
On linux (trunk/1.8) I get endless loop of JS's "too much recursion"s
(which as such isn't Security-Sensitive, IMO). 
bug 382568 and bug 355548 are crashers.
(Reporter)

Comment 5

10 years ago 
IMO, it is security sensitive because it suggests a pattern to exploit things in a way similar to those.
Should we file a metabug or whatever to keep these guys together?
 (Reporter)

Updated

10 years ago
Blocks: 382754
 (Reporter)

Comment 6

10 years ago 
Created attachment 267625 [details]
a (better) testcase for mutation events in scrollable frame

Ok, this testcase does crash 1.8 and 1.8.0 on MacOS for me it was just a matter of skipping a couple of legitimate mutation events and doing nasty stuff on the vulnerable one.
Attachment #266803 - Attachment is obsolete: true
 (Reporter)

Comment 7

10 years ago 
Crashes on Linux too. Severity elevated, title adjusted...
Severity: normal → critical
Summary: Suspicious DOM mutation events in scrollable frame → Unsafe DOM mutation events in scrollable frame
 (Assignee)

Updated

10 years ago
Assignee: nobody → Olli.Pettay
 (Assignee)

Comment 8

10 years ago 
Created attachment 267939 [details] [diff] [review]
proposed patch

Just don't propagate any mutation events from native anonymous content.
IsAnonymousForEvents() is needed because XUL has its own implementation
for IsNativeAnonymous().
This fixes also Bug 382568.
Attachment #267939 - Flags: superreview?(jonas)
Attachment #267939 - Flags: review?(jonas)
 (Assignee)

Updated

10 years ago
Status: NEW → ASSIGNED
 (Assignee)

Comment 9

10 years ago 
attachment 267939 [details] [diff] [review] fixes also bug 382700.
Note, I didn't change nsGenericDOMDataNode::HandleDOMEvent to
check nativeness, because it doesn't implement SetNativeAnonymous
properly and native anon text nodes are AFAIK always inside native
anonymous elements.
(This all ofc works properly on trunk.)
Blocks: 382568, 382700
 (Assignee)

Updated

10 years ago
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:low dos] (related to worse bugs?) need r/sr=sicking
Attachment #267939 - Flags: superreview?(jonas)
Attachment #267939 - Flags: superreview+
Attachment #267939 - Flags: review?(jonas)
Attachment #267939 - Flags: review+
 (Assignee)

Updated

10 years ago
Attachment #267939 - Flags: approval1.8.1.5?
Attachment #267939 - Flags: approval1.8.0.13?
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Whiteboard: [sg:low dos] (related to worse bugs?) need r/sr=sicking → [sg:low dos] (related to worse bugs?)

Comment 10

10 years ago 
Comment on attachment 267939 [details] [diff] [review]
proposed patch

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #267939 - Flags: approval1.8.1.5?
Attachment #267939 - Flags: approval1.8.1.5+
Attachment #267939 - Flags: approval1.8.0.13?
Attachment #267939 - Flags: approval1.8.0.13+
 (Assignee)

Comment 11

10 years ago 
Checked in to branches
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Keywords: fixed1.8.0.13, fixed1.8.0.5
Resolution: --- → FIXED
 (Assignee)

Updated

10 years ago
Keywords: fixed1.8.0.5 → fixed1.8.1.5

Comment 12

10 years ago 
Verified on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.13pre) Gecko/20070810 Firefox/1.5.0.13pre

Fx15012 crashed but Fx15013pre did not.
Keywords: fixed1.8.0.13 → verified1.8.0.13
Flags: in-testsuite?
Whiteboard: [sg:low dos] (related to worse bugs?) → [sg:low dos] keep private until 355548 is fixed
Whiteboard: [sg:low dos] keep private until 355548 is fixed → [sg:dos] keep private until 355548 is fixed on branches
Group: core-security
You need to log in before you can comment on or make changes to this bug.