Bug 20299 - DOMSubTreeModified event handler can cause 100% CPU use and stack exhaustion
Summary: DOMSubTreeModified event handler can cause 100% CPU use and stack exhaustion
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: InRadar
Depends on:
Reported: 2008-08-06 06:01 PDT by Berend-Jan Wever
Modified: 2019-02-06 09:18 PST (History)
4 users (show)

See Also:

stack overflow crash (107.45 KB, text/plain)
2009-03-03 13:07 PST, Eric Seidel (no email)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2008-08-06 06:01:09 PDT
Call loops can be triggered with this code (100% CPU use):
document.addEventListener("DOMSubtreeModified", function () {
}, true);

Recursive function calls can be triggered with this code (stack exhaustion):
document.addEventListener("DOMSubtreeModified", function () {
	event.srcElement.innerHTML = '<TH><title></title>';
}, true);
Comment 1 Mark Rowe (bdash) 2008-08-06 15:46:17 PDT
Comment 2 Berend-Jan Wever 2008-08-28 09:04:44 PDT
The second example I provided actually ends up overwriting EIP with NULL in WebKit nightly. Marking as security sensitive - control over EIP could lead to arbitrary code execution. I have no proof that this can be used to overwrite EIP with anything but NULL, but I can't prove that it's impossible.
Comment 3 Eric Seidel (no email) 2009-03-03 12:02:56 PST
I'm surprised we don't already have an arbitrary JS recursion limit for number of calls back into JS from C++. Maybe we do and I'm just not aware of it.  That would be a simple way to fix this class of problems.

Marking this as p1 since it's a reproducible crash.
Comment 4 Eric Seidel (no email) 2009-03-03 13:07:07 PST
Created attachment 28236 [details]
stack overflow crash
Comment 5 Eric Seidel (no email) 2012-08-03 00:42:43 PDT
Should this be a security bug?  I thought there were many ways one could accomplish stack exhaustion or 100% cpu in JS?
Comment 6 Abhishek Arya 2012-08-03 00:44:05 PDT
No OOM crashes are not considered security. there should be numerous ways for 100% cpu usage.
Comment 7 Berend-Jan Wever 2012-08-03 01:18:07 PDT
Yes, I reported this way back when we (briefly) treated renderer DoS as a security issue. I've updated the flags, except importance as I have no idea what to set it to. You can probably just close this out, as we have more important things to focus on.
Comment 8 Lucas Forschler 2019-02-06 09:18:56 PST
Mass move bugs into the DOM component.