Sanitize dumped stacks to remove data that may be identifiable.

In order to sanitize the stack contents we erase any pointer-aligned word that could not be interpreted as a pointer into one of the processes' memory mappings, or a small integer (+/-4096). This still retains enough information to unwind stack frames, and also to recover some register values. BUG=682278 Change-Id: I541a13b2e92a9d1aea2c06a50bd769a9e25601d3 Reviewed-on: https://chromium-review.googlesource.com/430050 Reviewed-by: Robert Sesek <rsesek@chromium.org>
author: Tobias Sargeant <tobiasjs@google.com> 2017-01-31 13:42:52 +0000
committer: Tobias Sargeant <tobiasjs@chromium.org> 2017-01-31 14:13:48 +0000
commit: 7c2799f3ba6f8a8186c8883b213c3e59768b1287 (patch)
tree: ee80449b56b37400892627baf1414871e2db6948 /src/client/linux/handler
parent: Fixed a bug where cv record size was not correctly checked. (diff)
download: breakpad-7c2799f3ba6f8a8186c8883b213c3e59768b1287.tar.xz
3 files changed, 21 insertions, 3 deletions
diff --git a/src/client/linux/handler/exception_handler.cc b/src/client/linux/handler/exception_handler.cc
index 8565bbb0..dd3cbc67 100644
--- a/src/client/linux/handler/exception_handler.cc
+++ b/src/client/linux/handler/exception_handler.cc
@@ -594,6 +594,7 @@ bool ExceptionHandler::DoDump(pid_t crashing_process, const void* context,
         mapping_list_,
         minidump_descriptor_.skip_dump_if_principal_mapping_not_referenced(),
         minidump_descriptor_.address_within_principal_mapping(),
+        minidump_descriptor_.sanitize_stacks(),
         *minidump_descriptor_.microdump_extra_info());
   }
   if (minidump_descriptor_.IsFD()) {
diff --git a/src/client/linux/handler/minidump_descriptor.cc b/src/client/linux/handler/minidump_descriptor.cc
index cdb5bf03..bd94474e 100644
--- a/src/client/linux/handler/minidump_descriptor.cc
+++ b/src/client/linux/handler/minidump_descriptor.cc
@@ -49,6 +49,7 @@ MinidumpDescriptor::MinidumpDescriptor(const MinidumpDescriptor& descriptor)
           descriptor.address_within_principal_mapping_),
       skip_dump_if_principal_mapping_not_referenced_(
           descriptor.skip_dump_if_principal_mapping_not_referenced_),
+      sanitize_stacks_(descriptor.sanitize_stacks_),
       microdump_extra_info_(descriptor.microdump_extra_info_) {
   // The copy constructor is not allowed to be called on a MinidumpDescriptor
   // with a valid path_, as getting its c_path_ would require the heap which
@@ -74,6 +75,7 @@ MinidumpDescriptor& MinidumpDescriptor::operator=(
       descriptor.address_within_principal_mapping_;
   skip_dump_if_principal_mapping_not_referenced_ =
       descriptor.skip_dump_if_principal_mapping_not_referenced_;
+  sanitize_stacks_ = descriptor.sanitize_stacks_;
   microdump_extra_info_ = descriptor.microdump_extra_info_;
   return *this;
 }
diff --git a/src/client/linux/handler/minidump_descriptor.h b/src/client/linux/handler/minidump_descriptor.h
index f601427c..911beaef 100644
--- a/src/client/linux/handler/minidump_descriptor.h
+++ b/src/client/linux/handler/minidump_descriptor.h
@@ -64,7 +64,8 @@ class MinidumpDescriptor {
         c_path_(NULL),
         size_limit_(-1),
         address_within_principal_mapping_(0),
-        skip_dump_if_principal_mapping_not_referenced_(false) {
+        skip_dump_if_principal_mapping_not_referenced_(false),
+        sanitize_stacks_(false) {
     assert(!directory.empty());
   }
 
@@ -74,7 +75,8 @@ class MinidumpDescriptor {
         c_path_(NULL),
         size_limit_(-1),
         address_within_principal_mapping_(0),
-        skip_dump_if_principal_mapping_not_referenced_(false) {
+        skip_dump_if_principal_mapping_not_referenced_(false),
+        sanitize_stacks_(false) {
     assert(fd != -1);
   }
 
@@ -83,7 +85,8 @@ class MinidumpDescriptor {
         fd_(-1),
         size_limit_(-1),
         address_within_principal_mapping_(0),
-        skip_dump_if_principal_mapping_not_referenced_(false) {}
+        skip_dump_if_principal_mapping_not_referenced_(false),
+        sanitize_stacks_(false) {}
 
   explicit MinidumpDescriptor(const MinidumpDescriptor& descriptor);
   MinidumpDescriptor& operator=(const MinidumpDescriptor& descriptor);
@@ -126,6 +129,11 @@ class MinidumpDescriptor {
         skip_dump_if_principal_mapping_not_referenced;
   }
 
+  bool sanitize_stacks() const { return sanitize_stacks_; }
+  void set_sanitize_stacks(bool sanitize_stacks) {
+    sanitize_stacks_ = sanitize_stacks;
+  }
+
   MicrodumpExtraInfo* microdump_extra_info() {
     assert(IsMicrodumpOnConsole());
     return &microdump_extra_info_;
@@ -167,6 +175,13 @@ class MinidumpDescriptor {
   // stacks logged.
   bool skip_dump_if_principal_mapping_not_referenced_;
 
+  // If set, stacks are sanitized to remove PII. This involves
+  // overwriting any pointer-aligned words that are not either
+  // pointers into a process mapping or small integers (+/-4096). This
+  // leaves enough information to unwind stacks, and preserve some
+  // register values, but elides strings and other program data.
+  bool sanitize_stacks_;
+
   // The extra microdump data (e.g. product name/version, build
   // fingerprint, gpu fingerprint) that should be appended to the dump
   // (microdump only). Microdumps don't have the ability of appending
author	Tobias Sargeant <tobiasjs@google.com>	2017-01-31 13:42:52 +0000
committer	Tobias Sargeant <tobiasjs@chromium.org>	2017-01-31 14:13:48 +0000
commit	7c2799f3ba6f8a8186c8883b213c3e59768b1287 (patch)
tree	ee80449b56b37400892627baf1414871e2db6948 /src/client/linux/handler
parent	Fixed a bug where cv record size was not correctly checked. (diff)
download	breakpad-7c2799f3ba6f8a8186c8883b213c3e59768b1287.tar.xz