Closed Bug 848716 Opened 12 years ago Closed 12 years ago

[Browser] Passing a huge amount of data via the web activity crashes the phone

Categories

(Firefox OS Graveyard :: General, defect)

Product:
Firefox OS Graveyard
Component:
General
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(blocking-b2g:tef+, b2g18 verified, b2g18-v1.0.1 verified)

Status:
VERIFIED FIXED
Project Flags:
blocking-b2g tef+
Tracking Flags:
Tracking Status
b2g18 --- verified
b2g18-v1.0.1 --- verified

People

(Reporter: amac, Assigned: amac)

References

Details

(Keywords: crash, Whiteboard: [b2g-crash])

Attachments

(3 files)

b2g-ps output.
14.14 KB, text/plain
Details
dmesg out after the crash
26.05 KB, text/plain
Details
Link to PR 8626
169 bytes, text/html
arcturus
: review+
Details
STR: * Visit http://sigsegv.es/testW.html with the device browser * Press Test with the default options Expected result: * Either a new browser window saying the URL is invalid should show, or nothing should happen Actual result: * The parent process gets killed by the memory watcher process, rebooting the phone. Sometimes the phone doesn't reboot completely (I think some other process gets killed first) but the phone stops working until it reboots by itself or it's manually rebooted. Cause: The browser web activity doesn't control the maximum size of the URL that gets passed. Setting tef? because this allow any web page to crash the phone at will, and it has a pretty easy solution.
I could take this, it has a pretty easy solution even without fixing bug 847854 but I would like some input about what's a reasonable value for the maximum size of an URL first.
See Also: → 847854
Component: Gaia::Browser → General
Keywords: crash
QA Contact: nhirata.bugzilla
Whiteboard: [b2g-crash]
Summary: Passing a huge amount of data via the web activity crashes the phone → [Browser] Passing a huge amount of data via the web activity crashes the phone
Marking as a blocker for TEF
blocking-b2g: tef? → tef+
(In reply to Antonio Manuel Amaya Calvo from comment #1) > I could take this Done :) I've CC'd some people who may be able to help.
Assignee: nobody → amac
(In reply to Antonio Manuel Amaya Calvo from comment #1) > I could take this, it has a pretty easy solution even without fixing bug > 847854 but I would like some input about what's a reasonable value for the > maximum size of an URL first. I would say 4k is reasonable, but I don't have real data to back up that.
Ok, I can limit it to 4K for the time being, we can always fine tune that later on. There's one other thing though... I don't think this is going to cut it, and I think we need a way to limit the *global* size of the data part of a WebActivity. Why? Cause I can restrict using regexps the data the web activity actually expects to get passed and uses (like the URL or the phone number) but I can't limit the data the web activity won't do anything with (like randomAttributeIJustAddedToInjectMemoryOnYourProcess). I haven't been able to create a repeatable attack using this vector yet, since as the app doesn't use the extra memory I'm passing it it becomes a issue of injecting enough memory on the victim app without using too much memory on the attacker. Selects not working today isn't helping me much too :)
4k is too small since data: URL quickly get much larger. I would prefer a 500K or 1MB limit if we can get away with it. At how large sizes do you start seeing the parent process crashing? Also note that this isn't specific to webactivities in any way. A normal webpage that the browser navigates to can set location.href to a large URL.
(In reply to Jonas Sicking (:sicking) from comment #6) > 4k is too small since data: URL quickly get much larger. I would prefer a > 500K or 1MB limit if we can get away with it. At how large sizes do you > start seeing the parent process crashing? I see it crashing consistently at about 3MB. Don't have an exact number since it depends also on how much memory is the parent process consuming previously. 500K of URL, NVM 1MB seems pretty excessive to me. For reference, IE limits the URL length including potential GET data to 2083 chars [1]. The standard [2], section 3.2.1. doesn't set any hard limit on URI sizes but warn against using URI lengths higher than 255 chars. I think we can reach a compromise here and allow 32K? Much more than current IE implementations, still short enough to not cause any problems on the short term. And BTW, IE not allowing URLs bigger than aprox. 2K means that anything bigger than that doesn't work on IE... and I would say it's most probably an attack of some kind. > Also note that this isn't specific to webactivities in any way. A normal > webpage that the browser navigates to can set location.href to a large URL. True, but that isn't a propblem per se. This problem *is* specific of webactivities since if a webpage sets it's own href to something huge then it just kill itself, the same way that it'll kill itself eventually if it does for(;;) addTillIDie+='1234567890'; But that's not a big problem. The memory watcher kill helpfully kill the offending process, and that's the end of it. With a web activity though the attacker process is doing: consumeALongAmountOfMemoryButNotEnoughToKillMe(); injectAllThatMemoryOnAnotherProcessAndHopeItsKilled(); So the memory watcher isn't killing the offending process... it's killing the victim process. Which in this case happens to be the parent process also so it basically resets the phone. [1] http://support.microsoft.com/kb/208427 [2] http://www.faqs.org/rfcs/rfc2616.html
Oh, something else I forgot. The browser web activity (which will be the only thing affected by this change)only supports http/s URLs.
Can you post stacks from the main process where this crashes from OOM? It would probably be smart to make that allocation site fallible and force-kill the child that sends the data rather than let the main process go down.
I don't think the main process is crashing (as in getting a segmentation fault or similar and dieing because of that). What I think is happening is that the OOM watcher process is killing the main process to free memory.
(In reply to Antonio Manuel Amaya Calvo from comment #10) > I don't think the main process is crashing (as in getting a segmentation > fault or similar and dieing because of that). What I think is happening is > that the OOM watcher process is killing the main process to free memory. We should use the output from dmesg (adb shell dmesg) to test this hypothesis.
Attached file b2g-ps output.
The computer clock isn't synchronized with the phone, sorry. I think there's a shift of 8 seconds approximately.
(In reply to Justin Lebar [:jlebar] (PTO 3/11-3/15, then GMT+9 until 3/24) from comment #11) > (In reply to Antonio Manuel Amaya Calvo from comment #10) > > I don't think the main process is crashing (as in getting a segmentation > > fault or similar and dieing because of that). What I think is happening is > > that the OOM watcher process is killing the main process to free memory. > > We should use the output from dmesg (adb shell dmesg) to test this > hypothesis. <4>[03-13 15:13:36.157] [109: b2g]select 109 (b2g), adj 0, size 40815, to kill <4>[03-13 15:13:36.157] [109: b2g]send sigkill to 109 (b2g), adj 0, size 40815 I attached the full dmesg output (from the attack start) and the output of a b2g-ps I had running also that shows how the process grows and grows until it's killed.
Ick, we really shouldn't let the lowmem process kill the main b2g process... All child apps will instantly(ish) die too. Justin, can we prevent this?
(In reply to ben turner [:bent] from comment #15) > Ick, we really shouldn't let the lowmem process kill the main b2g process... > All child apps will instantly(ish) die too. Justin, can we prevent this? The problem is that there was nothing else left to kill :). The main b2g process just grew and grew and grew until it was killed. In fact by the time it was killed the homescreen usually has been killed and relaunched also.
Attached file Link to PR 8626
Attachment #724492 - Flags: review?(francisco.jordano)
Comment on attachment 724492 [details] Link to PR 8626 So far, if we go for the gaia solution is looking good to me, r+.
Attachment #724492 - Flags: review?(francisco.jordano) → review+
what is preventing you from landing this?
Flags: needinfo?(amac)
For someone with the right permissions to see it :). ¿Francisco?
Flags: needinfo?(amac)
Keywords: checkin-needed
Also, the Travis CI is complaining. Can you take a look why?
Taking a look to Travis, once solved I'll land it. Cheers!
Lintin errors not caused by this PR: make lint Skipping 45 file(s). ----- FILE : /home/travis/build/mozilla-b2g/gaia/apps/system/js/sound_manager.js ----- Line 8, E:0001: Extra space before ")" Line 17, E:0001: Extra space before ")" Found 2 errors, including 0 new errors, in 1 files (599 files OK). Landed: https://github.com/mozilla-b2g/gaia/commit/ddcdcc29156c462d62e4f98e166af5bb28571348
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: in-moztrap-
John, can you take care of the uplift on this?
Flags: needinfo?(jhford)
v1-train: 6a5637e v1.0.1: 4f4d059
status-b2g18: affectedfixed
status-b2g18-v1.0.1: affectedfixed
Flags: needinfo?(jhford)
Verified in both 1.0.1 and 1.1 builds. Navigating to http://sigsegv.es/testW.html and tapping the Test button has no reaction from the Browser or the device. 1.0.1: Unagi build 20130403070201 Gecko: http://hg.mozilla.org/releases/mozilla-b2g18_v1_0_1/rev/512258bc00a3 Gaia: daea430624ec02f8d36a12d581fc4a3278c27cb7 1.1: Unagi build 20130403070204 Gecko: http://hg.mozilla.org/releases/mozilla-b2g18/rev/d467369d1b0c Gaia: 06e0e5ce42bdfb62bdbe38271de6b5b2d9e40e75
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: