Add check for Linux minidump ending on bad write for exploitability rating.

If a crash occurred as a result to a write to unwritable memory, it is reason to suggest exploitability. The processor checks for a bad write by disassembling the command that caused the crash by piping the raw bytes near the instruction pointer through objdump. This allows the processor to see if the instruction that caused the crash is a write to memory and where the target of the address is located. R=ivanpe@chromium.org Review URL: https://codereview.chromium.org/1273823004 git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1497 4c0a9323-5329-0410-9bdc-e9ce6186880e
author: Liu.andrew.x@gmail.com <Liu.andrew.x@gmail.com> 2015-08-21 16:22:19 +0000
committer: Liu.andrew.x@gmail.com <Liu.andrew.x@gmail.com> 2015-08-21 16:22:19 +0000
commit: f073540795b917be5068e119a0888814a767b019 (patch)
tree: 70e983f55556919d989d75a929954e7737e4faf0 /src/processor/exploitability_linux.h
parent: Don't use strtok_s for mingw builds (diff)
download: breakpad-f073540795b917be5068e119a0888814a767b019.tar.xz
1 files changed, 50 insertions, 1 deletions
diff --git a/src/processor/exploitability_linux.h b/src/processor/exploitability_linux.h
index 857185b4..93c5082f 100644
--- a/src/processor/exploitability_linux.h
+++ b/src/processor/exploitability_linux.h
@@ -37,7 +37,6 @@
 #ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_
 #define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_
 
-#include "common/scoped_ptr.h"
 #include "google_breakpad/common/breakpad_types.h"
 #include "google_breakpad/processor/exploitability.h"
 
@@ -48,9 +47,21 @@ class ExploitabilityLinux : public Exploitability {
   ExploitabilityLinux(Minidump *dump,
                       ProcessState *process_state);
 
+  // Parameters are the minidump to analyze, the object representing process
+  // state, and whether to enable objdump disassembly.
+  // Enabling objdump will allow exploitability analysis to call out to
+  // objdump for diassembly. It is used to check the identity of the
+  // instruction that caused the program to crash. If there are any
+  // portability concerns, this should not be enabled.
+  ExploitabilityLinux(Minidump *dump,
+                      ProcessState *process_state,
+                      bool enable_objdump);
+
   virtual ExploitabilityRating CheckPlatformExploitability();
 
  private:
+  friend class ExploitabilityLinuxTest;
+
   // Takes the address of the instruction pointer and returns
   // whether the instruction pointer lies in a valid instruction region.
   bool InstructionPointerInCode(uint64_t instruction_ptr);
@@ -59,6 +70,40 @@ class ExploitabilityLinux : public Exploitability {
   // minidump and reports whether the exception suggests no exploitability.
   bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
 
+  // This method checks if the crash occurred during a write to read-only or
+  // invalid memory. It does so by checking if the instruction at the
+  // instruction pointer is a write instruction, and if the target of the
+  // instruction is at a spot in memory that prohibits writes.
+  bool EndedOnIllegalWrite(uint64_t instruction_ptr);
+
+#ifndef _WIN32
+  // Disassembles raw bytes via objdump and pipes the output into the provided
+  // buffer, given the desired architecture, the file from which objdump will
+  // read, and the buffer length. The method returns whether the disassembly
+  // was a success, and the caller owns all pointers.
+  static bool DisassembleBytes(const string &architecture,
+                               const uint8_t *raw_bytes,
+                               const unsigned int MAX_OBJDUMP_BUFFER_LEN,
+                               char *objdump_output_buffer);
+
+  // Tokenizes out the operation and operands from a line of instruction
+  // disassembled by objdump. This method modifies the pointers to match the
+  // tokens of the instruction, and returns if the tokenizing was a success.
+  // The caller owns all pointers.
+  static bool TokenizeObjdumpInstruction(const string &line,
+                                         string *operation,
+                                         string *dest,
+                                         string *src);
+
+  // Calculates the effective address of an expression in the form reg+a or
+  // reg-a, where 'reg' is a register and 'a' is a constant, and writes the
+  // result in the pointer. The method returns whether the calculation was
+  // a success. The caller owns the pointer.
+  static bool CalculateAddress(const string &address_expression,
+                               const DumpContext &context,
+                               uint64_t *write_address);
+#endif  // _WIN32
+
   // Checks if the stack pointer points to a memory mapping that is not
   // labelled as the stack.
   bool StackPointerOffStack(uint64_t stack_ptr);
@@ -66,6 +111,10 @@ class ExploitabilityLinux : public Exploitability {
   // Checks if the stack or heap are marked executable according
   // to the memory mappings.
   bool ExecutableStackOrHeap();
+
+  // Whether this exploitability engine is permitted to shell out to objdump
+  // to disassemble raw bytes.
+  bool enable_objdump_;
 };
 
 }  // namespace google_breakpad
author	Liu.andrew.x@gmail.com <Liu.andrew.x@gmail.com>	2015-08-21 16:22:19 +0000
committer	Liu.andrew.x@gmail.com <Liu.andrew.x@gmail.com>	2015-08-21 16:22:19 +0000
commit	f073540795b917be5068e119a0888814a767b019 (patch)
tree	70e983f55556919d989d75a929954e7737e4faf0 /src/processor/exploitability_linux.h
parent	Don't use strtok_s for mingw builds (diff)
download	breakpad-f073540795b917be5068e119a0888814a767b019.tar.xz