TUCoPS :: Unix :: General :: unix5421.htm


Mozilla remote DoS, thanx to libXfont
11th Jun 2002 [SBWID-5421]
COMMAND
	Mozilla remote DoS, thanx to libXfont
SYSTEMS AFFECTED
	Mozilla 1.0 and previous, with X server using libXfont
PROBLEM
	Tom Vogt [http://web.lemuria.org/] found the following:
	
	When loading pages with a specially prepared (or erroneous) stylesheet,
	mozilla and X windows (not restricted to XFree) exhibit one of two
	undesirable behaviours. This seems to depend on the local system
	configuration, especially on the presence of xfs, but bug reports so
	far are inconclusive. In one scenario, X simply crashes, taking
	everything with it. This will result in the loss of unsaved work. In
	scenario two, memory usage of the X server explodes until the machine
	reaches the thrashing point, at which point only a hard kill (-9) of
	the X server can save it, provided there are enough system resources
	left to issue the kill.
	
	Some systems see no crash, but random misbehaviour of X components that
	often requires a shutdown of the X server to fix. See the follow-ups in
	bugzilla for a full description of these various behaviours.
	
	The bug is triggered by a huge font setting done through CSS. Depending
	on the end user's system configuration, this will either trigger an
	abort in the XFree86 code ("Beziers this large not supported") or
	cause an explosive use of memory. It is unknown how much memory could
	get consumed, but follow-ups to the mozilla bug verify that machines
	with 1 GB of memory still reach the thrashing point.
	
	
	 Example
	 ========
	
	Include a huge font size in your style sheet definition, e.g.:
	
	| body { font-size: 1666666px; }
	
	
	http://www.adeliesolutions.com/Projects/
	http://bugzilla.mozilla.org/attachment.cgi?id=87009&action=view
	
	
	
	 Update (13 June 2002)
	 =====================
	
	Jakub Bogusz pointed out that the faulty code is in libXfont:
	
	Here's the end of strace before xfs dies:
	
	
	| open("/usr/share/fonts/Type1/ariam___-ISO-8859-2.pfb", O_RDONLY) = 7
	| read(7, "\200\1\352\26\0\0%!PS-AdobeFont-1.0: Arial-"..., 512) = 512
	[...]
	| read(7, "\375KlWqU\200\321\20\2274;\214k\207\222\357\7[Q0\235\213"..., 512) = 512
	| close(7) = 0
	| old_mmap(NULL, 6311936, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x408d7000
	| old_mmap(NULL, 13180928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40edc000
	| old_mmap(NULL, 31662080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41b6e000
	| old_mmap(NULL, 33607680, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x439a0000
	| old_mmap(NULL, 46592000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x459ad000
	| write(2, "xfs error: ", 11) = -1 EBADF (Bad file descriptor)
	| write(2, "Beziers this big not yet support"..., 34) = -1 EBADF (Bad file descriptor)
	| rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
	| getpid() = 21200
	| kill(21200, SIGABRT) = 0
	| --- SIGABRT (Aborted) ---
	
	
	In XFree86 (4.2.0), xc/lib/font/Type1/curves.c at about line 219
	contains:
	
	
	| struct segment *
	| StepBezier(struct region *R, /* Region under construction or NULL */
	[...]
	|     if ( TOOBIG(xB) || TOOBIG(yB) || TOOBIG(xC) || TOOBIG(yC)
	|          || TOOBIG(xD) || TOOBIG(yD) )
	|         abort("Beziers this big not yet supported");
	
	
	It isn't a very good idea to abort() on wrong parameters in a shared
	library function...
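
	The following C program is an added illustration for this advisory; it
	is not code from XFree86, libXfont, or any of the people quoted above.
	It puts the abort()-in-a-library pattern quoted from curves.c beside a
	version that returns an error to its caller, and adds a scaling step
	from 1/1000-em outline units to 16.16 fixed point so that three regimes
	can be seen on a constructed sample glyph: a normal size renders, a
	large size trips the TOOBIG check, and the 1666666px size from the
	example above does not even fit a 32-bit fractpel. The fractpel width,
	FRACTBITS, the BIG bound (2^30), the Type1 unit scale, and the sample
	outline are assumptions; the real values in curves.c are not given on
	this page.

```c
/*
 * Added example for this advisory. It is NOT code from XFree86, libXfont
 * or the advisory's authors; it models the abort()-on-bad-input pattern
 * quoted from curves.c and contrasts it with a checked version.
 *
 * Assumptions (chosen for illustration; the real values are not on the page):
 *   - fractpel is a 32-bit signed 16.16 fixed-point pixel coordinate
 *   - BIG, the largest control-point magnitude accepted, is 2^30
 *   - outline coordinates come in 1/1000 em units (Type1 charstring scale)
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t fractpel;
#define FRACTBITS 16
#define BIG ((fractpel)1 << 30)                    /* assumed bound */
#define TOOBIG(xy) ((xy) < -BIG || (xy) > BIG)     /* no negation, so no UB */

struct bezier { fractpel xA, yA, xB, yB, xC, yC, xD, yD; };

enum outline_status { OUTLINE_OK = 0, OUTLINE_TOO_BIG = -1 };

/*
 * BEFORE: the pattern the advisory complains about. A bad control point
 * kills the whole process (the X server or xfs) with SIGABRT, which is the
 * "kill(21200, SIGABRT)" seen in the strace, and every client dies with it.
 */
void step_bezier_abort(const struct bezier *b)
{
    if (TOOBIG(b->xB) || TOOBIG(b->yB) || TOOBIG(b->xC) || TOOBIG(b->yC)
        || TOOBIG(b->xD) || TOOBIG(b->yD)) {
        fprintf(stderr, "Beziers this big not yet supported\n");
        abort();
    }
    /* curve stepping would follow */
}

/*
 * AFTER: same test, but the library reports the problem and returns.
 * The caller can drop the glyph or refuse the font request; nothing dies.
 */
int step_bezier_checked(const struct bezier *b)
{
    if (TOOBIG(b->xB) || TOOBIG(b->yB) || TOOBIG(b->xC) || TOOBIG(b->yC)
        || TOOBIG(b->xD) || TOOBIG(b->yD))
        return OUTLINE_TOO_BIG;
    /* curve stepping would follow */
    return OUTLINE_OK;
}

/*
 * Scale one 1/1000-em outline unit to a 16.16 fractpel at px_per_em pixels
 * per em. Done in 64 bits so that a wrap of the 32-bit result is detected
 * instead of silently producing garbage coordinates. Returns 0 or -1.
 */
int scale_coord(long units, long px_per_em, fractpel *out)
{
    int64_t px = (int64_t)units * px_per_em / 1000;
    int64_t fp = px * (int64_t)(1 << FRACTBITS);
    if (fp > INT32_MAX || fp < INT32_MIN)
        return -1;
    *out = (fractpel)fp;
    return 0;
}

enum render_result { RENDER_OK = 0, RENDER_TOO_BIG = 1, RENDER_OVERFLOW = 2 };

/* Constructed sample outline (one cubic, 1/1000 em); not from a real font. */
static const long sample_glyph[8] = { 0, 0, 300, 700, 600, 700, 700, 0 };

/* What happens when the sample glyph is rasterized at a CSS pixel size. */
enum render_result render_glyph(long px_per_em)
{
    fractpel c[8];
    for (int i = 0; i < 8; i++)
        if (scale_coord(sample_glyph[i], px_per_em, &c[i]) != 0)
            return RENDER_OVERFLOW;        /* fractpel would have wrapped */
    struct bezier b = { c[0], c[1], c[2], c[3], c[4], c[5], c[6], c[7] };
    if (step_bezier_checked(&b) != OUTLINE_OK)
        return RENDER_TOO_BIG;             /* the original would abort() here */
    return RENDER_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "too big (abort() in the original)",
                                   "fractpel overflow" };
    long sizes[] = { 16, 40000, 1666666 }; /* last is the advisory's CSS value */
    for (int i = 0; i < 3; i++)
        printf("font-size: %ldpx -> %s\n", sizes[i], names[render_glyph(sizes[i])]);
    return 0;
}
```

	With the checked version the font server or X server can skip the glyph
	and keep serving its other clients; the only change the caller needs is
	to test the return value instead of assuming the call cannot fail.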
	
	
	
SOLUTION
	No patches have been issued so far, though the mozilla team appears to
	be at work and a patch should be available soon.
	
	Another solution would be turning off stylesheets. Mozilla does not
	have an option for doing so in the preferences dialog, so this must be
	done either in the preferences file manually, or by editing the source
	code. I have not reviewed this option further. Unchecking the "allow
	documents to use other fonts" button in preferences does NOT provide a
	workaround.
