Closed
Bug 319846
Opened 19 years ago
Closed 19 years ago
overlong data in localstore.rdf causes DoS on startup (persistent)
Categories
(Core :: Security, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: dveditz)
References
Details
(Keywords: fixed1.8.1, verified1.7.13, verified1.8.0.2, Whiteboard: [sg:dos][rft-dl])
Attachments
(2 files)
- XUL testcase (deleted), application/vnd.mozilla.xul+xml
- patch "clamp attribute length to 4k", attachment 210884 (deleted): mrbkap: review+; benjamin: superreview+; timr: approval-aviary1.0.8+; timr: approval1.7.13+; benjamin: approval-branch-1.8.1+; dveditz: approval1.8.0.2+
This is similar to Bug 319004.
Steps to Reproduce:
1. Load testcase, and click "Click me!" button.
2. Restart the browser.
The browser will become unresponsive for a few minutes on every startup.
I'm not sure if this needs to be marked as security-sensitive bug, or not.
Comment 1 (Reporter)•19 years ago
Updated (Assignee)•19 years ago
Depends on: CVE-2008-5505
Comment 2 (Assignee)•19 years ago
Seems to spend its time in little2_scanAtts (xmltok_impl.c), at least that's where it always seems to be when I break in the debugger. No profiler ATM so can't get much more specific. Looks like it reparses the whole millions-of-chars line after every 4K chunk is appended and found to still be incomplete.
The safe, quick fix is probably to put a limit on the size of persisted attributes (bug 295994 was going to put some limits by virtue of switching back-ends).
We probably have to do something about the XML parser as well; it'd be very easy for someone to serve up an XML doc with really long attribute values of repeated characters. If served compressed these would download quickly and hang the user for an arbitrary amount of time.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8.0.1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Summary: overlong data in localstore.rdf causes DoS on startup → overlong data in localstore.rdf causes DoS on startup (persistent)
Whiteboard: [sg:dos]
Comment 3•19 years ago
Clamping persisted attributes to 2k sounds reasonable, and can be done at http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xul/document/src/nsXULDocument.cpp&rev=1.682&mark=1427#1424
Updated (Assignee)•19 years ago
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1-
Flags: blocking1.8.0.1+
Comment 4 (Assignee)•19 years ago
This solves the persistent part of the DoS by clamping attribute values at 4k (picked over 2k because it matches the length that will be imposed when the storage back-end is reimplemented in bug 295994). Does not touch the n^2 issue in the xml tokenizer.
Attachment #210884 - Flags: superreview?(benjamin)
Attachment #210884 - Flags: review?(mrbkap)
Attachment #210884 - Flags: branch-1.8.1?(benjamin)
Attachment #210884 - Flags: approval1.8.0.2?
Attachment #210884 - Flags: approval1.7.13?
Attachment #210884 - Flags: approval-aviary1.0.8?
Comment 5•19 years ago
File a followup bug on the XML parser issue and cc peterv on it?
Comment 6•19 years ago
Comment on attachment 210884 [details] [diff] [review]
clamp attribute length to 4k
I think that this patch might clamp in the middle of a non-BMP character, but other than that, it looks fine (and I'm not sure that this is even a problem).
Attachment #210884 - Flags: review?(mrbkap) → review+
Updated•19 years ago
Attachment #210884 - Flags: superreview?(benjamin) → superreview+
Attachment #210884 - Flags: branch-1.8.1?(benjamin) → branch-1.8.1+
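The clamp from comment 4 and the non-BMP concern from comment 6, as an added example that is not the patch from this bug: a fixed cut at 4096 UTF-16 code units can land between the two halves of a surrogate pair, leaving a lone surrogate in the persisted value; a surrogate-aware clamp backs the cut off by one unit when that would happen. The limit, the function names and the assumption that the stored value is measured in UTF-16 code units are mine, not taken from the patch.

```javascript
// Added example; not the patch from bug 319846. Shows a 4K clamp on a
// persisted attribute value (comment 4) and the cut-inside-a-non-BMP-character
// case mrbkap raises in comment 6. Names and the limit are assumptions.
const MAX_PERSISTED_ATTR = 4096; // assumed limit, per comment 4

function isHighSurrogate(u) { return u >= 0xD800 && u <= 0xDBFF; }
function isLowSurrogate(u)  { return u >= 0xDC00 && u <= 0xDFFF; }

// Naive clamp: cuts at a fixed code-unit index, the cut comment 6 worries about.
function clampNaive(value, max = MAX_PERSISTED_ATTR) {
  return value.length > max ? value.slice(0, max) : value;
}

// Surrogate-aware clamp: if the cut would split a high/low surrogate pair,
// move it back one unit so the stored value stays well-formed UTF-16.
function clampPersistedValue(value, max = MAX_PERSISTED_ATTR) {
  if (value.length <= max) return value;
  let cut = max;
  if (cut > 0 &&
      isHighSurrogate(value.charCodeAt(cut - 1)) &&
      isLowSurrogate(value.charCodeAt(cut))) {
    cut--;
  }
  return value.slice(0, cut);
}

// True when every surrogate in `s` is part of a properly ordered pair.
function isWellFormedUTF16(s) {
  for (let i = 0; i < s.length; i++) {
    const u = s.charCodeAt(i);
    if (isHighSurrogate(u)) {
      if (i + 1 >= s.length || !isLowSurrogate(s.charCodeAt(i + 1))) return false;
      i++; // skip the low half
    } else if (isLowSurrogate(u)) {
      return false; // low surrogate without a preceding high one
    }
  }
  return true;
}

// Constructed input: 'a' followed by 2048 four-byte characters is 4097 code
// units, so a cut at 4096 lands exactly between a high and a low surrogate.
const SAMPLE = 'a' + '\u{1F600}'.repeat(2048);
console.log('naive well-formed:', isWellFormedUTF16(clampNaive(SAMPLE)),
            'aware well-formed:', isWellFormedUTF16(clampPersistedValue(SAMPLE)));
```

Whether a lone surrogate in localstore.rdf is actually harmful depends on what the RDF serializer and the XML parser do with it on the next startup; comment 6 leaves that open, and the one-unit back-off costs nothing, so a clamp that never produces one is the conservative choice.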
Comment 7•19 years ago
Comment on attachment 210884 [details] [diff] [review]
clamp attribute length to 4k
a=timr for drivers
Attachment #210884 - Flags: approval1.7.13? → approval1.7.13+
Attachment #210884 - Flags: approval-aviary1.0.8? → approval-aviary1.0.8+
Comment 8 (Assignee)•19 years ago
Fixed on trunk and 1.7, aviary101, and 1.8 branches.
Filed bug 326206 on the parser issue.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated (Assignee)•19 years ago
Keywords: fixed1.8 → fixed1.8.1
Updated (Assignee)•19 years ago
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Updated•19 years ago
Status: RESOLVED → VERIFIED
Comment 9•19 years ago
verified with:
Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214 Firefox/1.0.8
Comment 10 (Assignee)•19 years ago
Comment on attachment 210884 [details] [diff] [review]
clamp attribute length to 4k
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #210884 - Flags: approval1.8.0.2? → approval1.8.0.2+
Updated•19 years ago
Flags: testcase+
Updated (Assignee)•19 years ago
Keywords: fixed1.8.0.2
Comment 11•19 years ago
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates) since in-testsuite+ indicates a test case exists in the js test library.
Whiteboard: [sg:dos] → [sg:dos][rft-dl]
Updated (Assignee)•18 years ago
Group: security
Updated•18 years ago
Flags: in-testsuite+ → in-testsuite?