Closed
Bug 555303
Opened 15 years ago
Closed 12 years ago
Firefox 3.6.x Remote Denial of Service Exploit Vulnerability
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
WONTFIX
| Tracking | Status | |
|---|---|---|
| firefox9 | --- | unaffected |
| firefox10 | --- | unaffected |
| firefox11 | --- | unaffected |
| firefox12 | --- | unaffected |
| blocking2.0 | --- | - |
| status1.9.2 | --- | wontfix |
People
(Reporter: obarrera, Assigned: decoder)
Details
(Keywords: crash, sec-high, testcase, Whiteboard: [sg:high][oom] maybe sg:critical (DEP violation reported but not repro'd))
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 (.NET CLR 3.5.30729)
There are several bugs which are present while fuzzing my POC, so I can not be very specific about the deatils.
Reproducible: Always
Steps to Reproduce:
Run the js code.
|
||
Updated•15 years ago
|
Whiteboard: [sg:dos?]
This seems to just crash with OOM though according to the comments in the JS it triggered a DEP violation.
Keywords: stackwanted
|
||
Comment 3•14 years ago
|
||
Reporter, are you still seeing this issue with Firefox 3.6.13 or later in safe mode? If not, please close. These links can help you in your testing.
http://support.mozilla.com/kb/Safe+Mode
http://support.mozilla.com/kb/Managing+profiles
You can also try to reproduce in Firefox 4 Beta 8 or later, there are many improvements in the new version, http://www.mozilla.com/en-US/firefox/all-beta.html
Whiteboard: [sg:dos?] → [CLOSEME 2011-1-30]
|
|
||
Updated•14 years ago
|
Whiteboard: [CLOSEME 2011-1-30] → [sg:dos?][CLOSEME 2011-1-30]
|
|
||
Comment 4•14 years ago
|
||
This needs to be re-triaged. Running the PoC in comment #1 crashes me within a few seconds or less.
Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20101231 Firefox/4.0b9pre
bp-56e88412-6f85-4914-8125-93c322101231
Group: core-security
Severity: normal → critical
Status: UNCONFIRMED → NEW
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.2:
--- → ?
Component: General → DOM
Ever confirmed: true
Keywords: stackwanted → crash
OS: Windows Vista → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Whiteboard: [sg:dos?][CLOSEME 2011-1-30]
|
|
||
Comment 5•14 years ago
|
||
Hmm, this does seem to be OOM'ing, but breakpad is completely useless. I noticed this on the command line:
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
Also occasionally getting this:
ExceptionHandler::GenerateDump waitpid failed:No child processes
|
||
Comment 6•14 years ago
|
||
> but breakpad is completely useless.
It's generally useless on OOM, yes, since it runs in the same process and hence has no memory to work with.
|
||
Comment 8•14 years ago
|
||
"testcase" because we've got the reporter's testcase saved, but "testcase-wanted" because we'd like something that reliably caused the DEP violation rather than all the OOM and null-deref "DoS" crashes we're seeing.
Keywords: testcase-wanted
Whiteboard: [sg:needinfo]
|
|
||
Updated•14 years ago
|
Whiteboard: [sg:needinfo] → [sg:needinfo] maybe sg:critical (DEP violation reported but not repro'd)
|
||
Updated•14 years ago
|
Whiteboard: [sg:needinfo] maybe sg:critical (DEP violation reported but not repro'd) → [sg:needinfo][oom] maybe sg:critical (DEP violation reported but not repro'd)
|
|
||
Updated•14 years ago
|
blocking1.9.2: ? → ---
status1.9.2:
? → ---
|
||
Updated•14 years ago
|
blocking2.0: ? → -
Can someone run the test case we have a significant number of times (25+?) using Firefox 9 and see if we still have a problem, and if so, do we ever get the DEP violation? Even without a reliable DEP violation test case we should still be able to determine if this is an issue in the most recent release.
|
||
Comment 10•13 years ago
|
||
The test case doesn't crash or seem to have any impact at all on Firefox 9 on Windows 7. I ran it for over a minute.
|
|
||
Comment 11•13 years ago
|
||
No impact on Firefox 8 on Fedora 15 Linux either.
|
|
||
Comment 12•13 years ago
|
||
I crashed in under 10 seconds using Firefox 3.6.25 in a Windows 7 VM. I think it's safe to say that the only supported version affected by this is 3.6.25.
status-firefox10:
--- → unaffected
status-firefox11:
--- → unaffected
status-firefox12:
--- → unaffected
status-firefox9:
--- → unaffected
Whiteboard: [sg:needinfo][oom] maybe sg:critical (DEP violation reported but not repro'd) → [sg:high][oom] maybe sg:critical (DEP violation reported but not repro'd)
Summary: Firefox 3.6.2 Remote Denial of Service Exploit Vulnerability → Firefox 3.6.x Remote Denial of Service Exploit Vulnerability
|
|
||
Updated•13 years ago
|
Version: unspecified → 1.8 Branch
|
||
Comment 13•13 years ago
|
||
1.9.2 is being end of life'd now and this doesn't affect current versions of Firefox, including the ESR.
We should resolve this as "won't fix" now.
|
||
Updated•13 years ago
|
status1.9.2:
--- → wontfix
|
|
||
Comment 14•13 years ago
|
||
"wontfix" is a bit strong, i'd go with "incomplete".
If we want to be more sure that the bug doesn't exist on trunk, we could ask Christian to run his OOM tool on the testcase ;)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INCOMPLETE
|
|
||
Comment 15•13 years ago
|
||
Sounds good to me. Christian, can you do this?
|
Assignee | |
Comment 16•13 years ago
|
||
(In reply to Al Billings [:abillings] from comment #15)
> Sounds good to me. Christian, can you do this?
I'm on it. This required some manual work because my tool isn't meant for tests like this, but it's testing ~1200 callers right now. That'll take quite some time.
|
|
||
Comment 17•13 years ago
|
||
Reopening while we wait for the results of comment 16
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---
|
|
Assignee | |
Comment 19•13 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #18)
> decoder: any results on comment 16?
I haven't been able to find any new bugs here (though that doesn't mean there is none...)
|
|
||
Comment 20•13 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #19)
>
> I haven't been able to find any new bugs here (though that doesn't mean
> there is none...)
How much more testing do you plan to do?
We did think this was 1.9.2 only (probably).
|
|
Assignee | |
Comment 21•13 years ago
|
||
(In reply to Al Billings [:abillings] from comment #20)
> (In reply to Christian Holler (:decoder) from comment #19)
> >
> > I haven't been able to find any new bugs here (though that doesn't mean
> > there is none...)
>
> How much more testing do you plan to do?
>
> We did think this was 1.9.2 only (probably).
I don't feel like spending further resources here will be helpful at all. I'm also not currently doing other OOM testing because I'm waiting for some bugs to be fixed first. Especially if this is 1.9.2. only then I don't think it's worth pursuing.
|
|
||
Comment 22•13 years ago
|
||
Well, as comment 14 says, we want to make sure this isn't present on trunk. You ran the tests on trunk, Christian?
|
|
Assignee | |
Comment 23•13 years ago
|
||
(In reply to Al Billings [:abillings] from comment #22)
> Well, as comment 14 says, we want to make sure this isn't present on trunk.
> You ran the tests on trunk, Christian?
I tested this only on trunk actually, yes.
|
|
||
Comment 24•13 years ago
|
||
I think we should resolve this and never speak of it again.
Any reason not to resolve this as WONTFIX?
|
|
||
Comment 26•12 years ago
|
||
(In reply to Jonas Sicking (:sicking) from comment #25)
> Any reason not to resolve this as WONTFIX?
Sounds good to me. I'll also clear the attachments and opening up this bug.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 12 years ago
Resolution: --- → WONTFIX
|
||
Updated•9 years ago
|
Keywords: testcase-wanted
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•