browser hang and memory exhaustion using iframe.src and javascript: protocol

Status: NEW
Assignee: Unassigned
Product: Core
Component: DOM: Core & HTML
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 2 months ago

People

(Reporter: bcoles, Unassigned)

Tracking

(Blocks: 1 bug)

Version: Trunk
Platform: x86
OS: Windows XP

Details

(Whiteboard: [sg:dos], URL)

Attachments

(1 attachment, 1 obsolete attachment)

262 bytes, text/html
(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

This may be a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=101276 from 2001, which doesn't appear to be resolved?

Remote browser crash if a user browses a webpage with the following HTML code:
<iframe src="javascript: while (true) { window.location=''; }">

JavaScript must be enabled.

Tested on:

Windows XP SP2:
Firefox/3.5.5
Firefox/3.0.15

Windows Vista SP0:
Firefox/3.0.10

Reproducible: Always

Steps to Reproduce:
1. create new *.html file
2. upload it to a web host (optional)
3. enable javascript
4. run file

Actual Results:  
Browser hangs. Killing the process is the only option.

Expected Results:  
"this script will run forever, do you wish to terminate? y/n" warning.

Happens even when "warn me when web sites try to redirect or load the page" under tools->options->advanced->general->accessibility is selected.

I spent a few minutes debugging but couldn't get control of eip. I'm lazy.
(Reporter)

Comment 1

8 years ago
Created attachment 413778 [details]
proof of concept
Not sure why bug 101276 never had its fix checked in, but this isn't behaving like that one. This one is chewing up a lot more memory and CPU. I _do_ get the "A script on this page may be busy, or it may have stopped responding" prompt, but it does NOT let me kill the script! Memory use goes back down to reasonable levels every time that prompt comes up. It seems to be creating recursive iframes, but only one or two per busy prompt. If they were being created due to the while loop I'd have expected a lot more.

I don't see a crash. Maybe with less memory you'd trip over one of our many out-of-memory crashes.
Blocks: 432687
Summary: Remote browser crash if a user browses a webpage (if java script is enabled). → browser hang if iframe src sets window.location to '' in a loop.
Whiteboard: [sg:dos]
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 3

8 years ago
proof of concept #1 : Firefox 3.0.x : http://pixelsinspace.net/f.html

[code]
<iframe src="javascript: while (true) { window.location=''; }">
[/code]

My apologies, this causes Firefox 3.0.x to hang without prompting.

As you say, Firefox 3.5.5 reports an unresponsive script but won't allow you to continue. You also can't change tabs when the "unresponsive script" prompt is shown (also a bug?).


proof of concept #2 : Firefox 3.5.5 & Internet Explorer 8.0.6: http://pixelsinspace.net/ff.html

I've adjusted the HTML (poc url above, code below) which now causes Firefox 3.5.5 and Internet Explorer 8.0.6 to hang (IE dev team have been notified). It also causes memory exhaustion.

[code]
<iframe src="javascript:while(true) { document.write('<iframe src=\'javascript:\';></iframe>'); }"></iframe>
[/code]

With WinXP SP2 @ 2.2GHz and 3GB of RAM this provides the "unresponsive script" prompt after ~10 seconds and ~800MB of memory usage. Upon clicking "stop script" the memory usage idles until the browser stop event is invoked (closed tab, or closed browser, or clicked "stop", or pressed ESC, etc.).

The browser hangs and the memory usage then increases rapidly until it peaks at ~2GB. Killing the process is required.


proof of concept #3 : Firefox 3.5.5 : http://pixelsinspace.net/fff.html

For reliable denial of service repeat the previous line 100 times as it will hang the browser and exhaust memory WITHOUT prompting with "unresponsive script. continue y/n?"
Summary: browser hang if iframe src sets window.location to '' in a loop. → browser hang and memory exhaustion using iframe.src and javascript: protocol
Version: unspecified → 3.5 Branch
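A defensive check, added here as an example and not code from this report or from Mozilla: a sanitizer for untrusted HTML that neutralizes `<iframe>` elements whose `src` resolves to the `javascript:` scheme used by the proofs of concept above, normalizing case, leading whitespace, embedded tab/newline characters and numeric character references the way a browser's attribute and URL parsing would. The sample markup, the `example.test` host and all function names are constructed for this example.

```javascript
// Added example (not from the bug report or Mozilla): reject <iframe> elements
// whose src resolves to the javascript: scheme before untrusted HTML is served.
// Decode numeric character references (&#106; / &#x6A;) so an encoded scheme is
// seen the way a browser sees it after attribute-value parsing.
function decodeNumericEntities(value) {
  return value.replace(/&#(x[0-9a-f]+|\d+);?/gi, (match, code) => {
    const cp = code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// The URL parser strips leading C0 controls/space and every tab, LF and CR,
// and matches the scheme case-insensitively, so "  Java\tScript:" is still
// javascript:. Normalize the same way before comparing.
function hasJavascriptScheme(rawSrc) {
  const url = decodeNumericEntities(rawSrc)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\n\r]/g, '');
  return /^javascript:/i.test(url);
}

// Scan every <iframe ...> start tag (quoted attribute values may contain '>')
// and drop the src attribute when it carries a javascript: URL. Returns the
// sanitized markup and the number of iframes neutralized.
function neutralizeScriptIframes(html) {
  let removed = 0;
  const tagRe = /<iframe\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi;
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const out = html.replace(tagRe, (tag) => {
    const m = tag.match(srcRe);
    if (!m) return tag;
    const src = m[1] ?? m[2] ?? m[3] ?? '';
    if (!hasJavascriptScheme(src)) return tag;
    removed += 1;
    return tag.replace(m[0], ' data-blocked-src="javascript"');
  });
  return { html: out, removed };
}

// Constructed sample: a benign embed, the report's second proof of concept,
// and an obfuscated variant; example.test is a placeholder host.
const SAMPLE_HTML = [
  '<p>intro</p>',
  '<iframe src="https://example.test/embed.html"></iframe>',
  '<iframe src="javascript:while(true) { document.write(\'<iframe src=\\\'javascript:\\\';></iframe>\'); }"></iframe>',
  '<iframe SRC=\'  JaVa\tScript:void(0)\'></iframe>',
].join('\n');
console.log(neutralizeScriptIframes(SAMPLE_HTML));
```

The check belongs wherever user-supplied markup is accepted or rendered; a `sandbox` attribute on the remaining iframes, or a `frame-src` Content-Security-Policy directive, covers the same vector at the browser side.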
(Reporter)

Comment 4

8 years ago
Created attachment 414035 [details]
proof of concept
Attachment #413778 - Attachment is obsolete: true
Group: core-security
Version: 3.5 Branch → Trunk
Component: Security → DOM: Core & HTML
Product: Firefox → Core
QA Contact: firefox → general

Comment 5

a year ago
FYI, this is a major issue with e10s on at the very least all desktop platforms. Every 15 seconds this chews up 1GB of RAM, and closing the tab doesn't stop it. If somebody lands on a page with this and e10s they'll be crashing every time.