Closed Bug 846741 Opened 12 years ago Closed 12 years ago

OOM with document.write() of a large string

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
19 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: curtisk, Unassigned)

Details

(4 keywords)

Attachments

(2 files)

Video
1.10 MB, video/mp4
Details
Exploit
1.03 KB, text/html
Details
From: <fabiancuchietti@hotmail.com> To: "security@mozilla.org" <security@mozilla.org> Subject: Firefox 19.0 Memory Corruption Vulnerability Date: Mon, 25 Feb 2013 20:26:06 -0300 -----//----- Hello Mozilla Security Team, This time I have the honor to report to you a vulnerability "Mozilla Firefox 19.0 memory corruption". Version affected: 19.0 (and previous) Vulnerability: Memory Corruption Affected users: Remote Comment: I enclose a video in which I show proof of concept, also exploit that an attacker would use to block Firefox remotely. Best regards, Fabián Cuchietti.
Flags: sec-bounty?
Affected all versions (0day).
Looks like either a JS problem or maybe some kind of character encoding thing.
Assignee: nobody → general
Component: Security → JavaScript Engine
What is the crash stack that you are getting? You can see your recent crash reports in about:crashes.
This looks like an out-of-memory crash to me. The testcase is basically doing document.write() of a huge string. Is there actually evidence of memory corruption here?
You saw the video, my browser "FireFox" reaches +1,500,000 KB of memory, and falls ... Is not that memory corruption?
Memory corruption is when the contents of memory are not what the program expects (which can cause it to do things to other files on the computer that are undesirable, for example). In this case, all that happens is that we ask the operating system for more memory, it says there is no more, and we kill the process in a controlled manner precisely to avoid memory corruption. > https://crash-stats.mozilla.com/report/index/89546332-3cd4-49a0-8d17-653672130311 Right. So from that page, we have: Available Virtual Memory 694255616 OOMAllocationSize 154144768 So we asked the operating system for a single contiguous 154MB chunk of memory. There were about 700MB of virtual memory available, but it was presumably somewhat fragmented, and the OS couldn't provide a single 154MB memory chunk. It told us that, and we killed the process.
not considered a vulnerability?
(In reply to Fabian Cuchietti from comment #11) > not considered a vulnerability? That's correct. The crash report has mozalloc_handle_oom in it, which means the allocator tried allocate some memory, failed, and so the browser decided to exit in a safe manner. This is done rather than trying to handle the error in a nicer manner, because those error paths are hard to test.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Keywords: crash
Resolution: --- → WONTFIX
Summary: Memory corruption → OOM with document.write() of a large string
Ok, also means that it's the same with "SeaMonkey", run the exploit in the search engine and crash in 30 seconds.
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: