Sanitize dumped stacks to remove data that may be identifiable.

In order to sanitize the stack contents we erase any pointer-aligned
word that could not be interpreted as a pointer into one of the
processes' memory mappings, or a small integer (+/-4096).

This still retains enough information to unwind stack frames, and also
to recover some register values.

BUG=682278

Change-Id: I541a13b2e92a9d1aea2c06a50bd769a9e25601d3
Reviewed-on: https://chromium-review.googlesource.com/430050
Reviewed-by: Robert Sesek <rsesek@chromium.org>

1 files changed, 102 insertions, 3 deletions

diff --git a/src/client/linux/minidump_writer/linux_dumper.cc b/src/client/linux/minidump_writer/linux_dumper.cc
index 4a15f0cc..e1e7b49c 100644
--- a/src/client/linux/minidump_writer/linux_dumper.cc
+++ b/src/client/linux/minidump_writer/linux_dumper.cc
@@ -84,10 +84,15 @@ inline static bool IsMappedFileOpenUnsafe(
 
 namespace google_breakpad {
 
-#if defined(__CHROMEOS__)
-
 namespace {
 
+bool MappingContainsAddress(const MappingInfo& mapping, uintptr_t address) {
+  return mapping.system_mapping_info.start_addr <= address &&
+         address < mapping.system_mapping_info.end_addr;
+}
+
+#if defined(__CHROMEOS__)
+
 // Recover memory mappings before writing dump on ChromeOS
 //
 // On Linux, breakpad relies on /proc/[pid]/maps to associate symbols from
@@ -248,9 +253,10 @@ void CrOSPostProcessMappings(wasteful_vector<MappingInfo*>& mappings) {
   mappings.resize(f);
 }
 
-}  // namespace
 #endif  // __CHROMEOS__
 
+}  // namespace
+
 // All interesting auvx entry types are below AT_SYSINFO_EHDR
 #define AT_MAX AT_SYSINFO_EHDR
 
@@ -705,6 +711,99 @@ bool LinuxDumper::GetStackInfo(const void** stack, size_t* stack_len,
   return true;
 }
 
+void LinuxDumper::SanitizeStackCopy(uint8_t* stack_copy, size_t stack_len,
+                                    uintptr_t stack_pointer,
+                                    uintptr_t sp_offset) {
+  // We optimize the search for containing mappings in three ways:
+  // 1) We expect that pointers into the stack mapping will be common, so
+  //    we cache that address range.
+  // 2) The last referenced mapping is a reasonable predictor for the next
+  //    referenced mapping, so we test that first.
+  // 3) We precompute a bitfield based upon bits 32:32-n of the start and
+  //    stop addresses, and use that to short circuit any values that can
+  //    not be pointers. (n=11)
+  const uintptr_t defaced =
+#if defined(__LP64__)
+      0x0defaced0defaced;
+#else
+      0x0defaced;
+#endif
+  // the bitfield length is 2^test_bits long.
+  const unsigned int test_bits = 11;
+  // byte length of the corresponding array.
+  const unsigned int array_size = 1 << (test_bits - 3);
+  const unsigned int array_mask = array_size - 1;
+  // The amount to right shift pointers by. This captures the top bits
+  // on 32 bit architectures. On 64 bit architectures this would be
+  // uninformative so we take the same range of bits.
+  const unsigned int shift = 32 - 11;
+  const MappingInfo* last_hit_mapping = nullptr;
+  const MappingInfo* hit_mapping = nullptr;
+  const MappingInfo* stack_mapping = FindMappingNoBias(stack_pointer);
+  // The magnitude below which integers are considered to be to be
+  // 'small', and not constitute a PII risk. These are included to
+  // avoid eliding useful register values.
+  const ssize_t small_int_magnitude = 4096;
+
+  char could_hit_mapping[array_size];
+  my_memset(could_hit_mapping, 0, array_size);
+
+  // Initialize the bitfield such that if the (pointer >> shift)'th
+  // bit, modulo the bitfield size, is not set then there does not
+  // exist a mapping in mappings_ that would contain that pointer.
+  for (size_t i = 0; i < mappings_.size(); ++i) {
+    // For each mapping, work out the (unmodulo'ed) range of bits to
+    // set.
+    uintptr_t start = mappings_[i]->start_addr;
+    uintptr_t end = start + mappings_[i]->size;
+    start >>= shift;
+    end >>= shift;
+    for (size_t bit = start; bit <= end; ++bit) {
+      // Set each bit in the range, applying the modulus.
+      could_hit_mapping[(bit >> 3) & array_mask] |= 1 << (bit & 7);
+    }
+  }
+
+  // Zero memory that is below the current stack pointer.
+  const uintptr_t offset =
+      (sp_offset + sizeof(uintptr_t) - 1) & ~(sizeof(uintptr_t) - 1);
+  if (offset) {
+    my_memset(stack_copy, 0, offset);
+  }
+
+  // Apply sanitization to each complete pointer-aligned word in the
+  // stack.
+  uint8_t* sp;
+  for (sp = stack_copy + offset;
+       sp <= stack_copy + stack_len - sizeof(uintptr_t);
+       sp += sizeof(uintptr_t)) {
+    uintptr_t addr;
+    my_memcpy(&addr, sp, sizeof(uintptr_t));
+    if (static_cast<intptr_t>(addr) <= small_int_magnitude &&
+        static_cast<intptr_t>(addr) >= -small_int_magnitude) {
+      continue;
+    }
+    if (stack_mapping && MappingContainsAddress(*stack_mapping, addr)) {
+      continue;
+    }
+    if (last_hit_mapping && MappingContainsAddress(*last_hit_mapping, addr)) {
+      continue;
+    }
+    uintptr_t test = addr >> shift;
+    if (could_hit_mapping[(test >> 3) & array_mask] & (1 << (test & 7)) &&
+        (hit_mapping = FindMappingNoBias(addr)) != nullptr) {
+      last_hit_mapping = hit_mapping;
+      continue;
+    }
+    my_memcpy(sp, &defaced, sizeof(uintptr_t));
+  }
+  // Zero any partial word at the top of the stack, if alignment is
+  // such that that is required.
+  if (sp < stack_copy + stack_len) {
+    my_memset(sp, 0, stack_copy + stack_len - sp);
+  }
+}
+
 bool LinuxDumper::StackHasPointerToMapping(const uint8_t* stack_copy,
                                            size_t stack_len,
                                            uintptr_t sp_offset,