Closed Bug 1647019 Opened 4 years ago Closed 4 years ago

Spamming blobs via `<a download>` clicks on a short interval can hang the parent process (even after closing the offending tab) and use excessive memory

Categories

(Core :: DOM: File, defect, P3)

Product:
Core
Component:
DOM: File
Version:
77 Branch
Platform:
Desktop
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: u635660, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

index.html
(deleted), text/html
Details
Attached file index.html (deleted) —

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36

Steps to reproduce:

open index.html

and then wait a few minutes and then it fully crashes

Actual results:

it crashes

Expected results:

it should not crash

Component: Untriaged → Security
OS: Unspecified → Windows 10
Hardware: Unspecified → Desktop

keeping this hidden mainly because as it seems to impact TOR

It takes 5 to 10 minutes or more to crash

All of these crashes are shutdown hangs, so they do not pinpoint the issue.

But checking this locally, the issue in the testcase appears to be about spamming blobs into the parent for downloads, plus some history navigation (for which I'm not sure whether it's related or not...).

:baku, I seem to recall you worked on this before? Maybe this is a dupe?

Group: firefox-core-security → dom-core-security
Component: Security → DOM: File
Flags: needinfo?(amarchesini)
Product: Firefox → Core
Summary: firefox dos bug → Spamming blobs via `<a download>` clicks on a short interval can hang the parent process (even after closing the offending tab) and use excessive memory

I think the main issue is that we allow multiple simultaneous downloads. I would block the issue at that level. See bug 1463527.

Flags: needinfo?(amarchesini)

(In reply to Andrea Marchesini [:baku] from comment #6)

I think the main issue is that we allow multiple simultaneous downloads. I would block the issue at that level. See bug 1463527.

I don't understand why you believe that would help. The blobs get created and we have to at least start to load them before we even realize it's a download, so we'd incur the memory/IPC penalty already, no?

Flags: needinfo?(amarchesini)

I don't understand why you believe that would help. The blobs get created and we have to at least start to load them before we even realize it's a download, so we'd incur the memory/IPC penalty already, no?

You are right. I haven't realized that the page reloads itself.
Something nice Chrome does is to detect IPC messages "abuse" and it blocks the content process.

Flags: needinfo?(amarchesini)
Blocks: eviltraps
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, csectype-dos, sec-low, testcase
Severity: -- → S3
Priority: -- → P3

seems fixed on firefox 83

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Resolution: FIXED → WORKSFORME

The testcase has:

    <script>while(true)document.location.href="#",window.history.back(),window.history.forward();</script>

I guess this was busted by bug 1314912 (thanks :pbz !)

Are we confident there aren't other issues left here with the blob URI stuff itself that could be abused some other way?

Johann, do you know?

Flags: needinfo?(jhofmann)

I don't off-hand, and it's unlikely I can look more closely into this in the future. :)

Flags: needinfo?(mail)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: