author | cdn@chromium.org <cdn@chromium.org@4c0a9323-5329-0410-9bdc-e9ce6186880e> | 2010-10-01 23:25:48 +0000 |
---|---|---|
committer | cdn@chromium.org <cdn@chromium.org@4c0a9323-5329-0410-9bdc-e9ce6186880e> | 2010-10-01 23:25:48 +0000 |
commit | 8b2e6865e54d52fcd45514e12e90ee425b82cb52 (patch) | |
tree | f84f681e0afeedfade2d0078cc2494963414353c /src/processor | |
parent | Added libdisasm to the repository. This library is no longer under developmen... (diff) | |
Added a method to the exploitability class which checks whether a given address consists entirely of ASCII characters.
BUG=NONE
TEST=ExploitabilityTest.TestWindowsEngine
Review URL: http://breakpad.appspot.com/207001
git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@706 4c0a9323-5329-0410-9bdc-e9ce6186880e
Diffstat (limited to 'src/processor')
-rw-r--r-- | src/processor/exploitability.cc | 10 | ||||
-rw-r--r-- | src/processor/exploitability_unittest.cc | 62 | ||||
-rw-r--r-- | src/processor/exploitability_win.cc | 21 |
3 files changed, 70 insertions, 23 deletions
diff --git a/src/processor/exploitability.cc b/src/processor/exploitability.cc
index fc015201..d8821d4b 100644
--- a/src/processor/exploitability.cc
+++ b/src/processor/exploitability.cc
@@ -90,5 +90,15 @@ Exploitability *Exploitability::ExploitabilityForPlatform(
 return platform_exploitability;
 }
+bool Exploitability::AddressIsAscii(u_int64_t address) {
+ for (int i = 0; i < 8; i++) {
+ u_int8_t byte = (address >> (8*i)) & 0xff;
+ if ((byte >= ' ' && byte <= '~') || byte == 0)
+ continue;
+ return false;
+ }
+ return true;
+}
+
 } // namespace google_breakpad
diff --git a/src/processor/exploitability_unittest.cc b/src/processor/exploitability_unittest.cc
index fab4b448..d365e610 100644
--- a/src/processor/exploitability_unittest.cc
+++ b/src/processor/exploitability_unittest.cc
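Review bot: AddressIsAscii accepts an all-zero value, because `byte == 0` passes at every byte position, so 0x0 and values with a single printable byte padded by NULs count as "ASCII" and only the caller's near-null check in exploitability_win.cc keeps such faults from raising the weight; the method carries no comment stating that contract. Add a header comment above the definition saying that every byte must be printable ASCII (0x20-0x7E) or NUL, that NUL is permitted so a 32-bit address held in a u_int64_t still qualifies, and that callers are expected to rule out null-page faults before calling it. If the intent is that at least one real character be present, the loop could track `bool saw_printable = false;`, set it when `byte != 0`, and `return saw_printable;` in place of `return true;`, which would let the test stand on its own when other platform engines start using it.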
@@ -127,87 +127,115 @@ TEST(ExploitabilityTest, TestWindowsEngine) {
 ProcessState state;
 string minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/ascii_read_av.dmp";
+ "/src/processor/testdata/ascii_read_av.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
- ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/ascii_read_av_block_write.dmp";
+ "/src/processor/testdata/ascii_read_av_block_write.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
 ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/ascii_read_av_clobber_write.dmp";
+ "/src/processor/testdata/ascii_read_av_clobber_write.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
- ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/ascii_read_av_conditional.dmp";
+ "/src/processor/testdata/ascii_read_av_conditional.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
- ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/ascii_read_av_then_jmp.dmp";
+ "/src/processor/testdata/ascii_read_av_then_jmp.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
 ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/ascii_read_av_xchg_write.dmp";
+ "/src/processor/testdata/ascii_read_av_xchg_write.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
 ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/ascii_write_av.dmp";
+ "/src/processor/testdata/ascii_write_av.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
- ASSERT_EQ(google_breakpad::EXPLOITABLITY_MEDIUM,
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/ascii_write_av_arg_to_call.dmp";
+ "/src/processor/testdata/ascii_write_av_arg_to_call.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
- ASSERT_EQ(google_breakpad::EXPLOITABLITY_MEDIUM,
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/null_read_av.dmp";
+ "/src/processor/testdata/null_read_av.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
 ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/null_write_av.dmp";
+ "/src/processor/testdata/null_write_av.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
 ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/stack_exhaustion.dmp";
+ "/src/processor/testdata/stack_exhaustion.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
 ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE,
 state.exploitability());
 minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
- "/src/processor/testdata/exec_av_on_stack.dmp";
+ "/src/processor/testdata/exec_av_on_stack.dmp";
 ASSERT_EQ(processor.Process(minidump_file, &state),
 google_breakpad::PROCESS_OK);
 ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
 state.exploitability());
+
+ minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
+ "/src/processor/testdata/write_av_non_null.dmp";
+ ASSERT_EQ(processor.Process(minidump_file, &state),
+ google_breakpad::PROCESS_OK);
+ ASSERT_EQ(google_breakpad::EXPLOITABLITY_MEDIUM,
+ state.exploitability());
+
+ minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
+ "/src/processor/testdata/read_av_non_null.dmp";
+ ASSERT_EQ(processor.Process(minidump_file, &state),
+ google_breakpad::PROCESS_OK);
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
+ state.exploitability());
+
+ minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
+ "/src/processor/testdata/read_av_clobber_write.dmp";
+ ASSERT_EQ(processor.Process(minidump_file, &state),
+ google_breakpad::PROCESS_OK);
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
+ state.exploitability());
+
+ minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
+ "/src/processor/testdata/read_av_conditional.dmp";
+ ASSERT_EQ(processor.Process(minidump_file, &state),
+ google_breakpad::PROCESS_OK);
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
+ state.exploitability());
 }
 }
diff --git a/src/processor/exploitability_win.cc b/src/processor/exploitability_win.cc
index 3d5a9195..9837b791 100644
--- a/src/processor/exploitability_win.cc
+++ b/src/processor/exploitability_win.cc
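Review bot: The new assertions exercise AddressIsAscii only indirectly through checked-in minidumps, so a wrong boundary in its byte test (accepting 0x7F, or rejecting 0x20) would not be caught by this hunk; a direct test of the helper on a few constructed values, say `0x41414141` expected true and `0x41414180` expected false, would pin the range down, assuming the method is reachable from the test (its access level is not visible here). The added write_av_non_null assertion uses `EXPLOITABLITY_MEDIUM`, spelled unlike the neighbouring `EXPLOITABILITY_*` enumerators; the removed lines used the same spelling, so it is presumably the enum's actual name and belongs in a follow-up rename rather than in this change.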
@@ -204,19 +204,26 @@ ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() {
 break;
 }
 MinidumpMemoryRegion *instruction_region = 0;
- if (memory_available)
- instruction_region = memory_list->GetMemoryRegionForAddress(instruction_ptr);
+ if (memory_available) {
+ instruction_region =
+ memory_list->GetMemoryRegionForAddress(instruction_ptr);
+ }
 if (!near_null && instruction_region &&
 context->GetContextCPU() == MD_CONTEXT_X86 &&
 (bad_read || bad_write)) {
 // Perform checks related to memory around instruction pointer.
- u_int32_t memory_offset = instruction_ptr - instruction_region->GetBase();
- u_int32_t available_memory = instruction_region->GetSize() - memory_offset;
+ u_int32_t memory_offset =
+ instruction_ptr - instruction_region->GetBase();
+ u_int32_t available_memory =
+ instruction_region->GetSize() - memory_offset;
 available_memory = available_memory > kDisassembleBytesBeyondPC ?
 kDisassembleBytesBeyondPC : available_memory;
 if (available_memory) {
- const u_int8_t *raw_memory = instruction_region->GetMemory() + memory_offset;
- DisassemblerX86 disassembler(raw_memory, available_memory, instruction_ptr);
+ const u_int8_t *raw_memory =
+ instruction_region->GetMemory() + memory_offset;
+ DisassemblerX86 disassembler(raw_memory,
+ available_memory,
+ instruction_ptr);
 disassembler.NextInstruction();
 if (bad_read)
 disassembler.setBadRead();
@@ -257,6 +264,8 @@ ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() {
 }
 }
 }
+ if (!near_null && AddressIsAscii(address))
+ exploitability_weight += kMediumBump;
 } else {
 BPLOG(INFO) << "Access violation type parameter missing.";
 return EXPLOITABILITY_ERR_PROCESSING; |
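Review bot: The new `AddressIsAscii(address)` bump in the second hunk has no comment explaining the heuristic, and unlike the disassembler checks above it, which are gated on `MD_CONTEXT_X86` and `(bad_read || bad_write)`, it applies for any CPU and for read and write faults alike. Add a comment above it such as `// A fault address made only of printable bytes suggests a pointer was overwritten by string data, so treat the address as more likely to be externally influenced.` Whether this bump is meant to stack on top of the disassembler findings is not stated; the updated unit test expects several ascii_* dumps to move to HIGH, so if that is the goal the comment should say so. The `address` variable and the enclosing CheckPlatformExploitability start and end outside the hunk, so where the value comes from is not visible here.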