Bug 94019 - Malicious javascriptlet crashes konqueror (FreeBSD)
Summary: Malicious javascriptlet crashes konqueror (FreeBSD)
Status: REPORTED
Alias: None
Product: konqueror
Classification: Applications
Component: kjs
Version: unspecified
Platform: FreeBSD Ports FreeBSD
: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-27 12:53 UTC by Michael Nottebrock
Modified: 2022-11-28 09:35 UTC (History)

See Also:
Latest Commit:
Version Fixed In:


Attachments
Little malicious javascript. (255 bytes, application/x-javascript)
2004-11-27 12:54 UTC, Michael Nottebrock

Description Michael Nottebrock 2004-11-27 12:53:39 UTC
Version:            (using KDE KDE 3.3.1)
Installed from:    FreeBSD Ports
OS:                FreeBSD

This little piece of script manages to crash konqueror (and about every other javascript-enabled browser out there) in fabulous ways.

Backtrace (edited):

Core was generated by `konqueror'.
Program terminated with signal 10, Bus error.
#0  0x000000080648fa34 in KJS::ValueImp::mark (this=)
    at /mnt/src/kde-3.3//kdelibs/kjs/value.cpp:62
62      {
#0  0x000000080648fa34 in KJS::ValueImp::mark (this=)
    at /mnt/src/kde-3.3//kdelibs/kjs/value.cpp:62
No locals.
#1  0x0000000806491e65 in KJS::ObjectImp::mark (this=0xc89100)
    at /mnt/src/kde-3.3//kdelibs/kjs/object.cpp:107
No locals.
#2  0x00000008064829b5 in KJS::ArrayInstanceImp::mark (this=0xc89100)
    at /mnt/src/kde-3.3//kdelibs/kjs/array_object.cpp:285
        l = 0
#3  0x0000000806482a11 in KJS::ArrayInstanceImp::mark (this=0xc89180)
    at /mnt/src/kde-3.3//kdelibs/kjs/array_object.cpp:290
        imp = (class KJS::ValueImp *) 0xc89100
        i = 0
        l = 1
#4  0x0000000806482a11 in KJS::ArrayInstanceImp::mark (this=0xc89200)
    at /mnt/src/kde-3.3//kdelibs/kjs/array_object.cpp:290
        imp = (class KJS::ValueImp *) 0xc89180
        i = 0
        l = 1
#5  0x0000000806482a11 in KJS::ArrayInstanceImp::mark (this=0xc89280)
    at /mnt/src/kde-3.3//kdelibs/kjs/array_object.cpp:290
        imp = (class KJS::ValueImp *) 0xc89200
        i = 0
        l = 1


This goes on for at least another 18000 stack frames, 

#18587 0x0000000806482a11 in KJS::ArrayInstanceImp::mark (this=0xf57d80)
    at /mnt/src/kde-3.3//kdelibs/kjs/array_object.cpp:290
        imp = (class KJS::ValueImp *) 0xf57d00
        i = 0
        l = 1
Comment 1 Michael Nottebrock 2004-11-27 12:54:32 UTC
Created attachment 8461 [details]
Little malicious javascript.
Comment 2 Stephan Kulow 2004-11-29 12:06:13 UTC
I get two CPU guards telling me that the script freezes konqueror. When I cancel, it cancels. This is as good as I would expect.
Comment 3 Harri Porten 2005-05-21 19:18:16 UTC
Confirmed by Mathieu Chouinard on a FreeBSD machine. Must be system specific.
Comment 4 FiNeX 2008-05-13 23:30:58 UTC
Could someone with BSD test this bug using Konqueror 3.5.9 and 4?

Thanks a lot!
Comment 5 Max 2009-04-20 22:40:18 UTC
Confirm for Konqueror 4.2.2 on FreeBSD 7.1
Arora (QtWebkit based browser) crashes also.
Comment 6 Justin Zobel 2020-12-03 21:55:26 UTC
Thank you for the report, Michael.

As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved.

I have set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved/worksforme" when you respond, thank you.
Comment 7 Bug Janitor Service 2020-12-18 04:34:37 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 8 Max 2020-12-18 09:21:54 UTC
(In reply to Justin Zobel from comment #6)
> Thank you for the report, Michael.
> 
> As it has been a while since this was reported, can you please test and
> confirm if this issue is still occurring or if this bug report can be marked
> as resolved.

I've just tested Konqueror with KHTML engine, and it crashes the same way.

FreeBSD 12.2-STABLE
kf5-kjs-5.75.0
konqueror-20.08.3
Comment 9 Justin Zobel 2022-11-21 08:11:54 UTC
Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version?

If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!
Comment 10 Max 2022-11-27 19:30:14 UTC
It still can be reproduced with Konqueror 22.08.3 and KDE Frameworks 5.99.0
Comment 11 Stefano Crocco 2022-11-27 20:02:48 UTC
(In reply to Max from comment #10)
> It still can be reproduced with Konqueror 22.08.3 and KDE Frameworks 5.99.0

Unfortunately, I don't think there's much that Konqueror can do about that, as javascript code is run by QtWebEngine which, as far as I can tell, doesn't provide any way for the application to control it.
Comment 12 Max 2022-11-28 09:35:43 UTC
(In reply to Stefano Crocco from comment #11)
> (In reply to Max from comment #10)
> > It still can be reproduced with Konqueror 22.08.3 and KDE Frameworks 5.99.0
> 
> Unfortunately, I don't think there's much that Konqueror can do about that,
> as javascript code is run by QtWebEngine which, as far as I can tell,
> doesn't provide any way for the application to control it.

Konqueror crashes only when using KHTML as a web engine. With QtWebEngine, the underlying process runs out of memory without crashing Konqueror.

KHTML:
Thread 1 received signal SIGSEGV, Segmentation fault.
Invalid permissions for mapped object.
0x00000008236c02f4 in KJS::JSObject::mark() () from /usr/local/lib/libKF5JS.so.5
(gdb) 

QtWebEngine:
<--- Last few GCs --->
[80062:0x1e3700000000]    79252 ms: Scavenge 3951.1 (3964.3) -> 3950.2 (3965.3) MB, 17.8 / 0.0 ms  (average mu = 0.322, current mu = 0.179) allocation failure 
[80062:0x1e3700000000]    82245 ms: Scavenge 3952.1 (3965.3) -> 3951.5 (3967.5) MB, 2984.8 / 0.0 ms  (average mu = 0.322, current mu = 0.179) allocation failure 
[80062:0x1e3700000000]    82424 ms: Scavenge 3954.4 (3967.5) -> 3954.3 (3967.5) MB, 165.4 / 0.0 ms  (average mu = 0.322, current mu = 0.179) allocation failure 

<--- JS stacktrace --->
[80062:417406976:1128/121407.732800:FATAL:memory.cc(38)] Out of memory. size=0
[New LWP 193811 of process 80023]
[LWP 193811 of process 80023 exited]
[LWP 193642 of process 80023 exited]
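Added example (editor's note, not the 255-byte attachment, which this page does not reproduce, and not kjs or KHTML code). The backtrace in the description shows one KJS::ArrayInstanceImp::mark frame per nesting level, each with l = 1, i = 0 and imp equal to the array marked in the frame below, i.e. the collector recursing down a chain of single-element arrays until the native stack is exhausted (signal 10 in the original report, SIGSEGV in KJS::JSObject::mark in Comment 12). The toy mark phase below models that: a recursive marker that overflows on a deep chain, and an iterative marker with an explicit worklist that handles the same input in constant stack. The nested-array shape is an assumption drawn from the backtrace; the function names are hypothetical.

```javascript
// Added example: a toy mark phase, not kjs code and not the bug's attachment.
// It models what the backtrace shows: ArrayInstanceImp::mark calls mark on
// each element, so a chain of nested arrays costs one native frame per level.

// The shape implied by the backtrace (every frame: l = 1, i = 0, imp = the
// array marked one frame below), i.e. a = [[[[...]]]]. Assumed; the real
// script is not reproduced on the page.
function buildNestedChain(depth) {
  let a = [];
  for (let i = 0; i < depth; i++) a = [a];
  return a;
}

function isHeapObject(v) {
  return v !== null && typeof v === 'object';
}

// Recursive mark, the structure of the crashing frames: one frame per level.
// A native engine overflows its stack and dies with SIGSEGV/SIGBUS; V8 throws
// a RangeError instead, which lets the caller observe the failure.
function markRecursive(root, marked = new Set()) {
  if (marked.has(root)) return marked;   // the mark bit also terminates cycles
  marked.add(root);
  if (Array.isArray(root)) {
    for (const elem of root) {
      if (isHeapObject(elem)) markRecursive(elem, marked);
    }
  }
  return marked;
}

// Iterative mark with an explicit worklist: stack usage is constant; the
// worklist lives on the heap and grows linearly with the nesting depth, so
// a hostile input ends in an out-of-memory condition rather than a crash
// inside the collector.
function markIterative(root) {
  const marked = new Set();
  const worklist = [root];
  while (worklist.length > 0) {
    const obj = worklist.pop();
    if (marked.has(obj)) continue;
    marked.add(obj);
    if (Array.isArray(obj)) {
      for (const elem of obj) {
        if (isHeapObject(elem) && !marked.has(elem)) worklist.push(elem);
      }
    }
  }
  return marked;
}

// Run the recursive marker and report an overflow instead of propagating it.
function tryMarkRecursive(root) {
  try {
    return { ok: true, count: markRecursive(root).size };
  } catch (e) {
    if (e instanceof RangeError) return { ok: false, error: 'stack overflow' };
    throw e;
  }
}
```

Calling tryMarkRecursive(buildNestedChain(500000)) reports a stack overflow, while markIterative on the same chain marks all 500001 arrays; a self-referencing array (a[0] = a) is marked once by either walker because the mark set doubles as cycle detection. This is the difference the two engines in Comment 12 exhibit on the same script: a collector whose recursion depth follows the object graph crashes, one whose work is bounded by heap keeps going until the renderer runs out of memory.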