Bug 20299

Summary: DOMSubTreeModified event handler can cause 100% CPU use and stack exhaustion
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: eric, inferno, sam, yong.li.webkit
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
URL: http://skypher.com/SkyLined/Repro/Safari/document.body%20DOMSubTreeModified%20event%20loop/100%25%20CPU.html
Attachments:
Description Flags
stack overflow crash none

Berend-Jan Wever
Reported 2008-08-06 06:01:09 PDT
Call loops can be triggered with this code (100% CPU use): http://skypher.com/SkyLined/Repro/Safari/document.body%20DOMSubTreeModified%20event%20loop/100%25%20CPU.html <SCRIPT> document.addEventListener("DOMSubtreeModified", function () { event.srcElement.innerHTML='<BR>'; }, true); document.body.setAttribute('x',0) </SCRIPT> Recursive function calls can be triggered with this code (stack exhaustion): http://skypher.com/SkyLined/Repro/Safari/document.body%20DOMSubTreeModified%20event%20loop/Stackoverflow.html <SCRIPT> document.addEventListener("DOMSubtreeModified", function () { event.srcElement.innerHTML = '<TH><title></title>'; }, true); document.body.setAttribute('x',0) </SCRIPT>
Attachments
stack overflow crash (107.45 KB, text/plain)
2009-03-03 13:07 PST, Eric Seidel (no email) 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2008-08-06 15:46:17 PDT
<rdar://problem/6131021>
Berend-Jan Wever
Comment 2 2008-08-28 09:04:44 PDT
The second example I provided actually ends up overwriting EIP with NULL in WebKit nightly. Marking as security sensitive - control over EIP could lead to arbitrary code execution. I have no proof that this can be used to overwrite EIP with anything but NULL, but I can't prove that it's impossible.
Eric Seidel (no email)
Comment 3 2009-03-03 12:02:56 PST
I'm surprised we don't already have an arbitrary JS recursion limit for number of calls back into JS from C++. Maybe we do and I'm just not aware of it. That would be a simple way to fix this class of problems. Marking this as p1 since it's a reproducible crash.
Eric Seidel (no email)
Comment 4 2009-03-03 13:07:07 PST
Created attachment 28236 [details] stack overflow crash
Eric Seidel (no email)
Comment 5 2012-08-03 00:42:43 PDT
Should this be a security bug? I thought there were many ways one could accomplish stack exhaustion or 100% cpu in JS?
Abhishek Arya
Comment 6 2012-08-03 00:44:05 PDT
No OOM crashes are not considered security. there should be numerous ways for 100% cpu usage.
Berend-Jan Wever
Comment 7 2012-08-03 01:18:07 PDT
Yes, I reported this way back when we (briefly) treated renderer DoS as a security issue. I've updated the flags, except importance as I have no idea what to set it to. You can probably just close this out, as we have more important things to focus on.
Lucas Forschler
Comment 8 2019-02-06 09:18:56 PST
Mass move bugs into the DOM component.
Note You need to log in before you can comment on or make changes to this bug.