Bug 20299

Summary: DOMSubTreeModified event handler can cause 100% CPU use and stack exhaustion
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: eric, inferno, sam, yong.li.webkit
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
URL: http://skypher.com/SkyLined/Repro/Safari/document.body%20DOMSubTreeModified%20event%20loop/100%25%20CPU.html
Attachments:
stack overflow crash (flags: none)

Description Berend-Jan Wever 2008-08-06 06:01:09 PDT
Call loops can be triggered with this code (100% CPU use):
http://skypher.com/SkyLined/Repro/Safari/document.body%20DOMSubTreeModified%20event%20loop/100%25%20CPU.html
<SCRIPT>
document.addEventListener("DOMSubtreeModified", function () {
  // mutating the target inside the mutation event fires the event again
  event.srcElement.innerHTML='<BR>';
}, true);
document.body.setAttribute('x',0)
</SCRIPT>

Recursive function calls can be triggered with this code (stack exhaustion):
http://skypher.com/SkyLined/Repro/Safari/document.body%20DOMSubTreeModified%20event%20loop/Stackoverflow.html
<SCRIPT>
document.addEventListener("DOMSubtreeModified", function () {
  // each nested mutation re-enters the listener before the previous one returns
  event.srcElement.innerHTML = '<TH><title></title>';
}, true);
document.body.setAttribute('x',0)
</SCRIPT>
Comment 1 Mark Rowe (bdash) 2008-08-06 15:46:17 PDT
<rdar://problem/6131021>
Comment 2 Berend-Jan Wever 2008-08-28 09:04:44 PDT
The second example I provided actually ends up overwriting EIP with NULL in WebKit nightly. Marking as security sensitive - control over EIP could lead to arbitrary code execution. I have no proof that this can be used to overwrite EIP with anything but NULL, but I can't prove that it's impossible.
Comment 3 Eric Seidel (no email) 2009-03-03 12:02:56 PST
I'm surprised we don't already have an arbitrary JS recursion limit for number of calls back into JS from C++. Maybe we do and I'm just not aware of it.  That would be a simple way to fix this class of problems.

Marking this as p1 since it's a reproducible crash.
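The re-entrancy in the description's repro and the dispatch-depth cap comment 3 asks about, modelled in an added JavaScript example (not WebKit code and not the reporter's): a toy synchronous mutation-event dispatcher runs the reported handler once without a cap and once with a hypothetical cap. MiniDocument, MiniElement, MAX_DISPATCH_DEPTH and runRepro are assumed names; the model does not reproduce WebKit's internals.

```javascript
// Toy model of synchronous mutation-event dispatch (not WebKit code).
// MiniDocument, MiniElement, MAX_DISPATCH_DEPTH, runRepro are hypothetical.
const MAX_DISPATCH_DEPTH = 50; // hypothetical cap on nested dispatches

class MiniDocument {
  constructor(limit) {
    this.listeners = [];
    this.limit = limit;   // Infinity = no cap (the reported behaviour)
    this.depth = 0;       // nesting of in-progress dispatches
    this.maxDepth = 0;
    this.dropped = 0;     // dispatches suppressed by the cap
  }
  addEventListener(type, fn) {
    if (type === "DOMSubtreeModified") this.listeners.push(fn);
  }
  createElement(tag) { return new MiniElement(this, tag); }
  // The listener runs before the mutating call returns, so a listener that
  // mutates re-enters dispatch() and the call stack grows with every level.
  dispatch(target) {
    if (this.depth >= this.limit) { this.dropped++; return; }
    this.depth++;
    this.maxDepth = Math.max(this.maxDepth, this.depth);
    try { for (const fn of this.listeners) fn({ srcElement: target }); }
    finally { this.depth--; }
  }
}

class MiniElement {
  constructor(doc, tag) { this.doc = doc; this.tag = tag; this.attrs = {}; this.html = ""; }
  setAttribute(name, value) { this.attrs[name] = value; this.doc.dispatch(this); }
  set innerHTML(markup) { this.html = markup; this.doc.dispatch(this); }
  get innerHTML() { return this.html; }
}

// Runs the reporter's handler against the model and reports what happened.
function runRepro(limit) {
  const doc = new MiniDocument(limit);
  doc.addEventListener("DOMSubtreeModified", (event) => {
    event.srcElement.innerHTML = "<BR>"; // mutating inside the mutation event
  });
  const body = doc.createElement("body");
  try {
    body.setAttribute("x", 0);
    return { stackOverflow: false, maxDepth: doc.maxDepth, dropped: doc.dropped };
  } catch (e) {
    if (!(e instanceof RangeError)) throw e; // only stack exhaustion is expected
    return { stackOverflow: true, maxDepth: doc.maxDepth, dropped: doc.dropped };
  }
}

console.log("no cap:", runRepro(Infinity));
console.log("capped:", runRepro(MAX_DISPATCH_DEPTH));
```

Without a cap the handler re-enters until the JS engine throws its stack-overflow RangeError; with the cap the nesting stops at MAX_DISPATCH_DEPTH and exactly one nested dispatch is dropped.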
Comment 4 Eric Seidel (no email) 2009-03-03 13:07:07 PST
Created attachment 28236 [details]
stack overflow crash
Comment 5 Eric Seidel (no email) 2012-08-03 00:42:43 PDT
Should this be a security bug?  I thought there were many ways one could accomplish stack exhaustion or 100% cpu in JS?
Comment 6 Abhishek Arya 2012-08-03 00:44:05 PDT
No, OOM crashes are not considered security. There should be numerous ways for 100% cpu usage.
Comment 7 Berend-Jan Wever 2012-08-03 01:18:07 PDT
Yes, I reported this way back when we (briefly) treated renderer DoS as a security issue. I've updated the flags, except importance as I have no idea what to set it to. You can probably just close this out, as we have more important things to focus on.
Comment 8 Lucas Forschler 2019-02-06 09:18:56 PST
Mass move bugs into the DOM component.