Closed Bug 758920 Opened 13 years ago Closed 3 years ago

Firefox 12 Memory DOS with ROP

Categories

(Firefox :: Security, defect)

12 Branch
x86_64
Linux
defect
Not set
major

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: shibam, Unassigned)

Details

(Keywords: crash, sec-other, testcase, Whiteboard: [sg:dos oom])

Attachments

(1 file)

Attached file firefox.txt
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 Build ID: 20120526170248 Steps to reproduce: Hello, I've reciently found a script that causes a memory crash in firefox 12 (I haven't tested prior versions). The code of the simple .html page that crashes it is attached as firefox.txt. The attached code is available here for testing purposes only: http://kgb.pentagon.ru/firefox.html Actual results: * On my system (Gentoo Linux amd64 - Firefox 12): Firefox freezes using a cpu thread at 100% until I manually kill the process. * On another user's system (ArchLinux 64bit - Firefox 12): Firefox consumes all his RAM and starts writting to SWAP. The user had to manually kill the process to avoid OOM and a system crash. * On another user's system (Windows 7 64bit - Firefox 12): He mentioned that his browser got unresponsive but he was able to close that tab. Expected results: It should clearly not act like that, causing OOM is not an expected behaviour. NOTE: Expected behaviour should be the one Chromium 20 on my system shows: It stops the page from loading printing a message like "Script on the page used too much memory." Regards.
Severity: normal → major
Component: Untriaged → Security
I tried this on OS X 10.7 with current Firefox and had no issues.
Hello, with all my respect, personal experience is worth less than statistics. I think someone should really have a look at that simple code and have a little white-box testing on this. I've done further black-box testings using two VMs, one with Windows XP (32bit - Firefox 12.0) and the other on Windows 7 (64bit - Firefox 12.0), you'll be happy to hear that on both, when opened that page the system RAM got full in barely a second and Firefox crashed with the following crash reports: WINDOWS XP: AdapterDeviceID: 0xbeef AdapterVendorID: 0x80ee Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:12.0 AvailablePageFile: 3333988352 AvailablePhysicalMemory: 1249153024 AvailableVirtualMemory: 1172357120 BuildID: 20120420145725 CrashTime: 1338336379 EMCheckCompatibility: true FramePoisonBase: 00000000f0de0000 FramePoisonSize: 65536 InstallTime: 1338336356 Notes: AdapterVendorID: 0x80ee, AdapterDeviceID: 0xbeef, AdapterSubsysID: 00000000, AdapterDriverVersion: 4.1.16.0 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- OOMAllocationSize: 387420488 ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384} ProductName: Firefox ReleaseChannel: release StartupTime: 1338336356 SystemMemoryUsePercentage: 46 Theme: classic/1.0 Throttleable: 1 TotalVirtualMemory: 2147352576 URL: wyciwyg://0/http://kgb.pentagon.ru/firefox.html Vendor: Mozilla Version: 12.0 Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 1 : MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll MSAFD Tcpip [RAW/IP] : 2 : 3 : %SystemRoot%\system32\mswsock.dll RSVP UDP Service Provider : 6 : 2 : %SystemRoot%\system32\rsvpsp.dll RSVP TCP Service Provider : 6 : 1 : %SystemRoot%\system32\rsvpsp.dll MSAFD NetBIOS [\Device\NetBT_Tcpip_{8823AC65-27F3-4439-B749-7E01B902F99C}] SEQPACKET 0 : 2 : 5 : %SystemRoot%\system32\mswsock.dll MSAFD NetBIOS [\Device\NetBT_Tcpip_{8823AC65-27F3-4439-B749-7E01B902F99C}] DATAGRAM 0 : 2 : 2 : %SystemRoot%\system32\mswsock.dll MSAFD NetBIOS [\Device\NetBT_Tcpip_{E147F5D4-1509-4A9E-BFAC-56079B051B8B}] SEQPACKET 1 : 2 : 5 : %SystemRoot%\system32\mswsock.dll MSAFD NetBIOS [\Device\NetBT_Tcpip_{E147F5D4-1509-4A9E-BFAC-56079B051B8B}] DATAGRAM 1 : 2 : 2 : %SystemRoot%\system32\mswsock.dll MSAFD NetBIOS [\Device\NetBT_Tcpip_{C45A735C-9C5B-4DA5-9EA5-0F70B3E4A30B}] SEQPACKET 2 : 2 : 5 : %SystemRoot%\system32\mswsock.dll MSAFD NetBIOS [\Device\NetBT_Tcpip_{C45A735C-9C5B-4DA5-9EA5-0F70B3E4A30B}] DATAGRAM 2 : 2 : 2 : %SystemRoot%\system32\mswsock.dll and the WINDOWS 7: AdapterDeviceID: 0xbeef AdapterVendorID: 0x80ee Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:12.0 AvailablePageFile: 880070656 AvailablePhysicalMemory: 153182208 AvailableVirtualMemory: 1519259648 BuildID: 20120420145725 CrashTime: 1338336716 EMCheckCompatibility: true FramePoisonBase: 00000000f0de0000 FramePoisonSize: 65536 InstallTime: 1338336645 Notes: AdapterVendorID: 0x80ee, AdapterDeviceID: 0xbeef, AdapterSubsysID: 00000000, AdapterDriverVersion: 4.1.16.0 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- OOMAllocationSize: 387424256 ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384} ProductName: Firefox ReleaseChannel: release StartupTime: 1338336645 SystemMemoryUsePercentage: 92 Theme: classic/1.0 Throttleable: 1 TotalVirtualMemory: 4294836224 URL: wyciwyg://0/http://kgb.pentagon.ru/firefox.html Vendor: Mozilla Version: 12.0 Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 1 : MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll MSAFD Tcpip [RAW/IP] : 2 : 3 : MSAFD Tcpip [TCP/IPv6] : 2 : 1 : %SystemRoot%\system32\mswsock.dll MSAFD Tcpip [UDP/IPv6] : 2 : 2 : MSAFD Tcpip [RAW/IPv6] : 2 : 3 : %SystemRoot%\system32\mswsock.dll RSVP TCPv6 Service Provider : 2 : 1 : RSVP TCP Service Provider : 2 : 1 : %SystemRoot%\system32\mswsock.dll RSVP UDPv6 Service Provider : 2 : 2 : RSVP UDP Service Provider : 2 : 2 : %SystemRoot%\system32\mswsock.dll I hope you really get interested into this, as it's a high security issue, or do you like your system to crash because of your web browser? Regards.
It isn't a high security issue, it is a denial of service (dos) attack only unless you can show that the crash is exploitable. Since I haven't seen the crash, I cannot mark the bug as confirmed. That was the point in saying it doesn't crash on OS X. Either I or someone else will have to see if we can replicate the crash on a Windows box since you state that it occurs there.
It is actually an *exploit* you can find on all big exploit websites. The crash is reproducible on Windows and Linux *always*, although on Linux it doesn't always full system's RAM. Thanks for monitoring this bug and hope someone from the team could confirm this.
A simple DOS isn't considered an exploit because it isn't an actual security hole. It is always possible to construct a web page that uses up too many resources. Sometimes, it can be done in a way that doesn't trigger the script warning. On my Windows 7 x64 VM running Firefox 12, the page uses up all of the available RAM and takes the CPU to 99%. After a couple of minutes, I get the slow script warning and can stop the script. Memory usage then drops and Firefox becomes responsive. No crash. So, no, it doesn't crash on Windows always.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Firefox 12 Memory Crash with ROP → Firefox 12 Memory DOS with ROP
Thanks for your testings. A recommended approach to this would be some way of monitoring if such increase happens and to ask the user if to continue, or just to stop that tab from loading (a similar way to how chrome/chromium approaches such "crashes/overfloads/whatever"). The worst thing that can be done is not to make anything about this kind of issues. As a fellow user of Firefox (since 1.x) I wouldn't want to change to another browser if FF starts filling my RAM out of a sudden and makes my system unresponsive. Regards.
Group: core-security
Whiteboard: [sg:dos oom]

Closing this bug as incomplete since the attached code isn't available and couldn't be reproducible anymore.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: