Tuesday, 24 October 2017

Tor Browser IPC crash at MOZ_CRASH()

Hi Internet,
IPC : Inter-process communication is a protocol short form of IPDL is a mozilla specific language to pass messages between  process and threads in secure way.

Note: Most of the IPC based crashes in browser is not eligible for BBB  //Not Sure

Snip Code :

function tor()
    var uristring = unescape("%u4141%u4141");
    for(i=0; i <= 50 ; ++i)
<body onload="tor()">

Running the above code in TOR crashes the tab - 'Gah! This tab has crashed.

Running TOR in debug mode generated this below error :

So, this seems to be kind of a resource exhaustion attack that leads to a crash in TOR,  For instance if you try in a vanilla Firefox it freezes your page and if one disables multiprocess mode one can witness this behavior in a Tor Browser as well.

Running the snip code Asan build gets :

Looking at the particular code you'll see:
      CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageName"), nsDependentCString(msg->name()));
      CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageSize"), nsPrintfCString("%d", msg->size()));
      MOZ_CRASH("IPC message size is too large");

So, what seems to be happening here is that without --disable-crashreporter (which is used for vanilla Firefox builds) the tab loading your code is stuck in the #ifdef MOZ_CRASHREPORTER block while Tor Browser (which uses --disable-crashreporter) is hitting the MOZ_CRASH() call directly.

This crashes at MOZ_CRASH() because IPC Message is too large. This issue was marked as informative  by TOR via H1


0 coment�rios:

Post a comment