Re: Re: MS Internet Explorer 7 Denial Of Service Exploit

craig@xxxxxxxxxx wrote:

On Konqueror 3.5.9, what happens is that this childish code builds a
huge string, eats memory, causes swapping, and finally blows away
Konq. Linux and X and everything else stay up and recover nicely.
(Gentoo/AMD64X2/3G mem)

This isn't an exploit -- at least not on Linux -- it's just kiddie
stupidity. It doesn't take any particular cleverness to blow memory by
dynamically creating bigger and bigger data structures. With virtual
memory and 64-bit pointers, when exactly do we return -ENOMEM?

When RLIMIT_AS has been exceeded.

If you disable the use of mmap'd-malloc() via mallopt(M_MMAP_MAX, 0),
you can effectively limit malloc() via RLIMIT_DATA.

If you really want to allow a single process to use all available RAM
for itself, you can; but you don't have to.

It might be nice if the browser limited the amount of memory which
could be used by e.g. JavaScript (although for Firefox, you would
probably want the limit to only be applied to "external" JavaScript,
given that much of the browser itself is written in JavaScript).

Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>
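A worked illustration of the RLIMIT_AS point above, added here and not part of either message in the thread: it repeats the "build a bigger and bigger buffer" pattern under a soft address-space cap and shows malloc() failing with ENOMEM instead of driving the box into swap. Assumes Linux with glibc; the 512 MiB cap and 1 MiB starting size are my own choices.

```c
/* Added example, not from the thread: a soft RLIMIT_AS cap makes runaway
 * allocation growth fail with malloc()==NULL / ENOMEM. Assumes Linux + glibc. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
/* Double a buffer until malloc() refuses. Returns the largest size that
 * succeeded (0 if the first request already failed); *err_out gets errno. */
static size_t grow_until_enomem(size_t start, int *err_out)
{
    size_t size = start, last_ok = 0;
    char *buf = NULL;
    *err_out = 0;
    for (;;) {
        char *next = malloc(size);     /* RLIMIT_AS counts address space, so */
        if (!next) {                   /* even untouched pages count here    */
            *err_out = errno;          /* glibc reports ENOMEM               */
            break;
        }
        free(buf);                     /* drop the old, smaller copy */
        buf = next;
        last_ok = size;
        if (size >= ((size_t)1 << 40)) break;  /* safety stop if no limit applies */
        size *= 2;
    }
    free(buf);
    return last_ok;
}
/* Run the growth loop with the soft address-space limit set to cap_bytes
 * (clamped to the hard limit), then put the old soft limit back. */
size_t grow_under_as_cap(rlim_t cap_bytes, int *err_out)
{
    struct rlimit old, capped;
    if (getrlimit(RLIMIT_AS, &old) != 0) return 0;
    capped = old;
    capped.rlim_cur = cap_bytes < old.rlim_max ? cap_bytes : old.rlim_max;
    if (setrlimit(RLIMIT_AS, &capped) != 0) return 0;
    size_t largest = grow_until_enomem((size_t)1 << 20, err_out);
    setrlimit(RLIMIT_AS, &old);    /* raising the soft limit back up is allowed */
    return largest;
}
int main(void)
{
    int err = 0;
    size_t largest = grow_under_as_cap((rlim_t)512 << 20, &err);
    printf("largest malloc() under a 512 MiB RLIMIT_AS: %zu bytes, errno=%d (%s)\n",
           largest, err, err == ENOMEM ? "ENOMEM" : "other");
    return 0;
}
```

The same loop with no cap keeps succeeding under overcommit until the machine swaps, which is exactly the Konqueror behaviour craig describes.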
