Closed Bug 430154 Opened 17 years ago Closed 17 years ago

Loop in Javascript will eat all RAM and CPU under Ubuntu

Categories

(Core :: DOM: Core & HTML, defect)

x86
Linux
defect
Not set
normal

VERIFIED DUPLICATE of bug 430127

People

(Reporter: abillings, Unassigned)

Attachments

(1 file)

This was reported at http://seclists.org/fulldisclosure/2008/Apr/0566.html.

From blog entry:

From: K-Gen <alphakgen_at_gmail.com>
Date: Mon, 21 Apr 2008 21:32:27 +0300

This is a funny find, it is incredibly simple, yet it managed to hang my Linux OS completely. I'd love to see this attempted on newer hardware, since I'm not 100% sure it will hurt higher end systems as badly.

Elaboration:

"I'll be honest, I was very surprised by this find. As a matter of fact, this was the first time I ever managed to crash Linux completely... Through a web browser.

The attack is too simple to brag about, just a simple JS that takes up a lot of memory fast.

    <html>
    <body>
    <form method = "GET" action = "bla">
    <input name = "vuln" value = "012345678901234567890123456789012345678901234567890123456789">
    </form>
    <script>
    for (i=0; i<=5000; i++){
        document.forms[0].vuln.value += document.forms[0].vuln.value;
    }
    </script>
    </body>
    </html>

This algorithm takes M*2^N bytes of memory (where M is the length of the "vuln" field and N is the number of loop iterations). You would expect the browser to alert you that this script is going to take a really long time to execute, but apparently, this doesn't happen.

After one second of this script running, Firefox stopped responding, a few seconds later I couldn't even launch the Force Quit applet, a few seconds after that the system reached a screeching halt.

I have a vague idea of how this is possible, but I guess this is related to the new GTK+ forms in FF 3. I ran this script on Windows in Firefox 2, and nothing too scary happened. It did take up 1GB of memory in 5 seconds, but as it appeared, some limit was reached and the page was loaded with nothing more exciting than blank text field. The same happened with IE 6. Note however, that the Windows machine had twice more RAM and processing power than the Linux machine, so I'm not sure whether this was a very "scientific" test. (I should also try installing FF 3 for Windows and see what happens).

Certainly, I know FF 3 is beta software. However, what really shocked me here is how easy it was to overload the whole system through a web page. This certainly isn't "expected behavior"."

----

I've tested this using the April 20 nightly trunk build of Firefox on both Windows XP and Ubuntu 7.10. On XP, it takes the CPU to 98% and memory usage to 384 MB and then it backs off to very little. After a couple of minutes, it will do it again.

On Ubuntu, it pretty much eats all of your memory and CPU within about a minute or so. I was running in a virtual machine with 512 MB of RAM and the VM quit responding after about a minute. I had to hard boot it to shut it down. The whole system was completely unresponsive, even mouse movement.
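
The M*2^N growth quoted in the report, worked through as an added example (not part of the original report or of Mozilla's code): it computes how few of the loop's iterations are needed to pass a memory budget, and shows a length cap stopping the same loop shape. The function names, the 1 Mi-character cap and the 2-bytes-per-character figure are assumptions made for illustration.

```javascript
// Added example: models `value += value` without allocating the full string.
// lengthAfter, iterationsToExceed, appendCapped, runCappedLoop are hypothetical names.

// Length in characters after n doublings of an m-character value: m * 2^n.
function lengthAfter(m, n) {
  return BigInt(m) * (1n << BigInt(n));
}

// Smallest n at which the field value alone exceeds budgetBytes.
// bytesPerChar = 2 assumes UTF-16 string storage (an assumption about the engine).
function iterationsToExceed(m, budgetBytes, bytesPerChar = 2) {
  if (m <= 0) return Infinity; // an empty value never grows
  let n = 0;
  while (lengthAfter(m, n) * BigInt(bytesPerChar) <= BigInt(budgetBytes)) n++;
  return n;
}

// Defensive counterpart: refuse an append that would pass a length cap,
// the kind of limit a page or an embedder can enforce on a field value.
function appendCapped(current, addition, maxChars) {
  if (current.length + addition.length > maxChars) {
    return { value: current, truncated: true };
  }
  return { value: current + addition, truncated: false };
}

// Run the report's loop shape against the cap instead of against real memory.
function runCappedLoop(initial, iterations, maxChars) {
  let value = initial, completed = 0;
  for (let i = 0; i <= iterations; i++) {
    const r = appendCapped(value, value, maxChars);
    if (r.truncated) break; // stop as soon as the cap would be exceeded
    value = r.value;
    completed++;
  }
  return { completed, finalLength: value.length };
}

const M = 60;                 // length of the "vuln" field value in the report
const MiB = 2 ** 20;
console.log(iterationsToExceed(M, 512 * MiB));    // 512 MB VM, 2 bytes/char
console.log(iterationsToExceed(M, 1024 * MiB, 1)); // 1 GB at 1 byte/char
console.log(runCappedLoop("0123456789".repeat(6), 5000, 1 << 20));
```

The loop bound of 5000 is irrelevant to the outcome: under these assumptions the budget is passed within the first two dozen or so iterations, which is why a limit has to be placed on allocation size rather than on iteration count.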
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML