Closed
Bug 758920
Opened 13 years ago
Closed 3 years ago
Firefox 12 Memory DOS with ROP
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: shibam, Unassigned)
Details
(Keywords: crash, sec-other, testcase, Whiteboard: [sg:dos oom])
Attachments
(1 file)
2.95 KB,
text/plain
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120526170248
Steps to reproduce:
Hello, I've reciently found a script that causes a memory crash in firefox 12 (I haven't tested prior versions). The code of the simple .html page that crashes it is attached as firefox.txt.
The attached code is available here for testing purposes only: http://kgb.pentagon.ru/firefox.html
Actual results:
* On my system (Gentoo Linux amd64 - Firefox 12): Firefox freezes using a cpu thread at 100% until I manually kill the process.
* On another user's system (ArchLinux 64bit - Firefox 12): Firefox consumes all his RAM and starts writting to SWAP. The user had to manually kill the process to avoid OOM and a system crash.
* On another user's system (Windows 7 64bit - Firefox 12): He mentioned that his browser got unresponsive but he was able to close that tab.
Expected results:
It should clearly not act like that, causing OOM is not an expected behaviour.
NOTE: Expected behaviour should be the one Chromium 20 on my system shows: It stops the page from loading printing a message like "Script on the page used too much memory."
Regards.
Comment 1•13 years ago
|
||
I tried this on OS X 10.7 with current Firefox and had no issues.
Hello, with all my respect, personal experience is worth less than statistics. I think someone should really have a look at that simple code and have a little white-box testing on this.
I've done further black-box testings using two VMs, one with Windows XP (32bit - Firefox 12.0) and the other on Windows 7 (64bit - Firefox 12.0), you'll be happy to hear that on both, when opened that page the system RAM got full in barely a second and Firefox crashed with the following crash reports:
WINDOWS XP:
AdapterDeviceID: 0xbeef
AdapterVendorID: 0x80ee
Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:12.0
AvailablePageFile: 3333988352
AvailablePhysicalMemory: 1249153024
AvailableVirtualMemory: 1172357120
BuildID: 20120420145725
CrashTime: 1338336379
EMCheckCompatibility: true
FramePoisonBase: 00000000f0de0000
FramePoisonSize: 65536
InstallTime: 1338336356
Notes: AdapterVendorID: 0x80ee, AdapterDeviceID: 0xbeef, AdapterSubsysID: 00000000, AdapterDriverVersion: 4.1.16.0
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers-
OOMAllocationSize: 387420488
ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
ProductName: Firefox
ReleaseChannel: release
StartupTime: 1338336356
SystemMemoryUsePercentage: 46
Theme: classic/1.0
Throttleable: 1
TotalVirtualMemory: 2147352576
URL: wyciwyg://0/http://kgb.pentagon.ru/firefox.html
Vendor: Mozilla
Version: 12.0
Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 1 :
MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll
MSAFD Tcpip [RAW/IP] : 2 : 3 : %SystemRoot%\system32\mswsock.dll
RSVP UDP Service Provider : 6 : 2 : %SystemRoot%\system32\rsvpsp.dll
RSVP TCP Service Provider : 6 : 1 : %SystemRoot%\system32\rsvpsp.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{8823AC65-27F3-4439-B749-7E01B902F99C}] SEQPACKET 0 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{8823AC65-27F3-4439-B749-7E01B902F99C}] DATAGRAM 0 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{E147F5D4-1509-4A9E-BFAC-56079B051B8B}] SEQPACKET 1 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{E147F5D4-1509-4A9E-BFAC-56079B051B8B}] DATAGRAM 1 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{C45A735C-9C5B-4DA5-9EA5-0F70B3E4A30B}] SEQPACKET 2 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{C45A735C-9C5B-4DA5-9EA5-0F70B3E4A30B}] DATAGRAM 2 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
and the WINDOWS 7:
AdapterDeviceID: 0xbeef
AdapterVendorID: 0x80ee
Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:12.0
AvailablePageFile: 880070656
AvailablePhysicalMemory: 153182208
AvailableVirtualMemory: 1519259648
BuildID: 20120420145725
CrashTime: 1338336716
EMCheckCompatibility: true
FramePoisonBase: 00000000f0de0000
FramePoisonSize: 65536
InstallTime: 1338336645
Notes: AdapterVendorID: 0x80ee, AdapterDeviceID: 0xbeef, AdapterSubsysID: 00000000, AdapterDriverVersion: 4.1.16.0
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers-
OOMAllocationSize: 387424256
ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
ProductName: Firefox
ReleaseChannel: release
StartupTime: 1338336645
SystemMemoryUsePercentage: 92
Theme: classic/1.0
Throttleable: 1
TotalVirtualMemory: 4294836224
URL: wyciwyg://0/http://kgb.pentagon.ru/firefox.html
Vendor: Mozilla
Version: 12.0
Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 1 :
MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll
MSAFD Tcpip [RAW/IP] : 2 : 3 :
MSAFD Tcpip [TCP/IPv6] : 2 : 1 : %SystemRoot%\system32\mswsock.dll
MSAFD Tcpip [UDP/IPv6] : 2 : 2 :
MSAFD Tcpip [RAW/IPv6] : 2 : 3 : %SystemRoot%\system32\mswsock.dll
RSVP TCPv6 Service Provider : 2 : 1 :
RSVP TCP Service Provider : 2 : 1 : %SystemRoot%\system32\mswsock.dll
RSVP UDPv6 Service Provider : 2 : 2 :
RSVP UDP Service Provider : 2 : 2 : %SystemRoot%\system32\mswsock.dll
I hope you really get interested into this, as it's a high security issue, or do you like your system to crash because of your web browser?
Regards.
Comment 3•13 years ago
|
||
It isn't a high security issue, it is a denial of service (dos) attack only unless you can show that the crash is exploitable.
Since I haven't seen the crash, I cannot mark the bug as confirmed. That was the point in saying it doesn't crash on OS X. Either I or someone else will have to see if we can replicate the crash on a Windows box since you state that it occurs there.
It is actually an *exploit* you can find on all big exploit websites. The crash is reproducible on Windows and Linux *always*, although on Linux it doesn't always full system's RAM.
Thanks for monitoring this bug and hope someone from the team could confirm this.
Comment 5•13 years ago
|
||
A simple DOS isn't considered an exploit because it isn't an actual security hole. It is always possible to construct a web page that uses up too many resources. Sometimes, it can be done in a way that doesn't trigger the script warning.
On my Windows 7 x64 VM running Firefox 12, the page uses up all of the available RAM and takes the CPU to 99%. After a couple of minutes, I get the slow script warning and can stop the script. Memory usage then drops and Firefox becomes responsive. No crash.
So, no, it doesn't crash on Windows always.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•13 years ago
|
Summary: Firefox 12 Memory Crash with ROP → Firefox 12 Memory DOS with ROP
Thanks for your testings. A recommended approach to this would be some way of monitoring if such increase happens and to ask the user if to continue, or just to stop that tab from loading (a similar way to how chrome/chromium approaches such "crashes/overfloads/whatever").
The worst thing that can be done is not to make anything about this kind of issues. As a fellow user of Firefox (since 1.x) I wouldn't want to change to another browser if FF starts filling my RAM out of a sudden and makes my system unresponsive.
Regards.
Updated•13 years ago
|
Comment 7•3 years ago
|
||
Closing this bug as incomplete since the attached code isn't available and couldn't be reproducible anymore.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•