diff options
author | Liu.andrew.x@gmail.com <Liu.andrew.x@gmail.com> | 2015-06-25 23:05:16 +0000 |
---|---|---|
committer | Liu.andrew.x@gmail.com <Liu.andrew.x@gmail.com> | 2015-06-25 23:05:16 +0000 |
commit | cca153368ad99492c4bff6dc1ca5d48b5daad1e9 (patch) | |
tree | 81adfcd98b9eb770b8ec6d918c7373b5fbae617b /src | |
parent | Update the upload.py code review server. (diff) | |
download | breakpad-cca153368ad99492c4bff6dc1ca5d48b5daad1e9.tar.xz |
Checking location of the instruction pointer to see if it is
in valid code for Linux exploitability rating.
This CL adds to the Linux exploitability checker by verifying that the
instruction pointer is in valid code. Verification is done by obtaining a
memory mapping of the crash and checking if the instruction pointer lies in
an executable region. If there is no memory mapping, the instruction pointer
is checked to determine if it lies within a known module.
R=ivanpe@chromium.org
Review URL: https://codereview.chromium.org/1210493003
git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1464 4c0a9323-5329-0410-9bdc-e9ce6186880e
Diffstat (limited to 'src')
-rw-r--r-- | src/processor/exploitability_linux.cc | 59 | ||||
-rw-r--r-- | src/processor/exploitability_linux.h | 5 | ||||
-rw-r--r-- | src/processor/exploitability_unittest.cc | 7 | ||||
-rw-r--r-- | src/processor/testdata/linux_divide_by_zero.dmp | bin | 0 -> 38760 bytes | |||
-rw-r--r-- | src/processor/testdata/linux_jmp_to_0.dmp | bin | 0 -> 38544 bytes | |||
-rw-r--r-- | src/processor/testdata/linux_null_dereference.dmp | bin | 0 -> 38760 bytes |
6 files changed, 71 insertions, 0 deletions
diff --git a/src/processor/exploitability_linux.cc b/src/processor/exploitability_linux.cc index 13ebad12..c11aed4c 100644 --- a/src/processor/exploitability_linux.cc +++ b/src/processor/exploitability_linux.cc @@ -39,6 +39,7 @@ #include "google_breakpad/processor/process_state.h" #include "google_breakpad/processor/call_stack.h" #include "google_breakpad/processor/stack_frame.h" +#include "processor/logging.h" namespace { @@ -80,7 +81,65 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() { } } + // Check if the instruction pointer is in a valid instruction region + // by finding if it maps to an executable part of memory. + uint64_t instruction_ptr = 0; + + // Getting exception data. (It should exist for all minidumps.) + MinidumpException *exception = dump_->GetException(); + if (exception == NULL) { + BPLOG(INFO) << "No exception record."; + return EXPLOITABILITY_ERR_PROCESSING; + } + const MinidumpContext *context = exception->GetContext(); + if (context == NULL) { + BPLOG(INFO) << "No exception context."; + return EXPLOITABILITY_ERR_PROCESSING; + } + + // Getting instruction pointer based off architecture. + uint32_t architecture = context->GetContextCPU(); + switch (architecture) { + case MD_CONTEXT_X86: + instruction_ptr = context->GetContextX86()->eip; + break; + case MD_CONTEXT_AMD64: + instruction_ptr = context->GetContextAMD64()->rip; + break; + default: + // TODO(liuandrew): Add support ARM and arm64 architectures. + BPLOG(INFO) << "Unsupported architecture."; + return EXPLOITABILITY_ERR_PROCESSING; + } + + if (!this->InstructionPointerInCode(instruction_ptr)) { + return EXPLOITABILITY_HIGH; + } + return EXPLOITABILITY_NONE; } +bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) { + // Here we get memory mapping. Most minidumps will not contain a memory + // mapping, so we will commonly resort to checking modules. + MinidumpMemoryInfoList *mem_info_list = dump_->GetMemoryInfoList(); + const MinidumpMemoryInfo *mem_info = + mem_info_list ? + mem_info_list->GetMemoryInfoForAddress(instruction_ptr) : NULL; + + // Checking if the memory mapping at the instruction pointer is executable. + // If there is no memory mapping, we will use the modules as reference. + if (mem_info != NULL) { + return mem_info->IsExecutable(); + } + + // If the memory mapping retrieval fails, we will check the modules + // to see if the instruction pointer is inside a module. + // TODO(liuandrew): Check if the instruction pointer lies in an executable + // region within the module. + MinidumpModuleList *minidump_module_list = dump_->GetModuleList(); + return !minidump_module_list || + minidump_module_list->GetModuleForAddress(instruction_ptr); +} + } // namespace google_breakpad diff --git a/src/processor/exploitability_linux.h b/src/processor/exploitability_linux.h index c63c0457..95607602 100644 --- a/src/processor/exploitability_linux.h +++ b/src/processor/exploitability_linux.h @@ -48,6 +48,11 @@ class ExploitabilityLinux : public Exploitability { ProcessState *process_state); virtual ExploitabilityRating CheckPlatformExploitability(); + + private: + // This method takes the address of the instruction pointer and returns + // whether the instruction pointer lies in a valid instruction region. + bool InstructionPointerInCode(uint64_t instruction_ptr); }; } // namespace google_breakpad diff --git a/src/processor/exploitability_unittest.cc b/src/processor/exploitability_unittest.cc index 72994d5a..509ae230 100644 --- a/src/processor/exploitability_unittest.cc +++ b/src/processor/exploitability_unittest.cc @@ -113,5 +113,12 @@ TEST(ExploitabilityTest, TestLinuxEngine) { ExploitabilityFor("linux_overflow.dmp")); ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, ExploitabilityFor("linux_stacksmash.dmp")); + ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE, + ExploitabilityFor("linux_divide_by_zero.dmp")); + ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE, + ExploitabilityFor("linux_null_dereference.dmp")); + ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, + ExploitabilityFor("linux_jmp_to_0.dmp")); + } } diff --git a/src/processor/testdata/linux_divide_by_zero.dmp b/src/processor/testdata/linux_divide_by_zero.dmp Binary files differnew file mode 100644 index 00000000..e7b37cf2 --- /dev/null +++ b/src/processor/testdata/linux_divide_by_zero.dmp diff --git a/src/processor/testdata/linux_jmp_to_0.dmp b/src/processor/testdata/linux_jmp_to_0.dmp Binary files differnew file mode 100644 index 00000000..40e4b15f --- /dev/null +++ b/src/processor/testdata/linux_jmp_to_0.dmp diff --git a/src/processor/testdata/linux_null_dereference.dmp b/src/processor/testdata/linux_null_dereference.dmp Binary files differnew file mode 100644 index 00000000..d216a802 --- /dev/null +++ b/src/processor/testdata/linux_null_dereference.dmp |