diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/google_breakpad/common/minidump_exception_win32.h | 9 | ||||
-rw-r--r-- | src/google_breakpad/processor/exploitability.h | 6 | ||||
-rw-r--r-- | src/processor/exploitability.cc | 9 | ||||
-rw-r--r-- | src/processor/exploitability_win.cc | 168 | ||||
-rw-r--r-- | src/processor/exploitability_win.h | 55 | ||||
-rw-r--r-- | src/processor/minidump_processor.cc | 24 | ||||
-rw-r--r-- | src/processor/minidump_processor_unittest.cc | 16 |
7 files changed, 261 insertions, 26 deletions
diff --git a/src/google_breakpad/common/minidump_exception_win32.h b/src/google_breakpad/common/minidump_exception_win32.h index 85eb598d..458a7054 100644 --- a/src/google_breakpad/common/minidump_exception_win32.h +++ b/src/google_breakpad/common/minidump_exception_win32.h @@ -34,7 +34,7 @@ * * Author: Mark Mentovai * Split into its own file: Neal Sidhwaney */ - + #ifndef GOOGLE_BREAKPAD_COMMON_MINIDUMP_EXCEPTION_WIN32_H__ #define GOOGLE_BREAKPAD_COMMON_MINIDUMP_EXCEPTION_WIN32_H__ @@ -105,5 +105,12 @@ typedef enum { generated by Visual C++ compiler */ } MDExceptionCodeWin; +// These constants are defined in the MSDN documentation of +// the EXCEPTION_RECORD structure. +typedef enum { + MD_ACCESS_VIOLATION_WIN_READ = 0, + MD_ACCESS_VIOLATION_WIN_WRITE = 1, + MD_ACCESS_VIOLATION_WIN_EXEC = 8 +} MDAccessViolationTypeWin; #endif /* GOOGLE_BREAKPAD_COMMON_MINIDUMP_EXCEPTION_WIN32_H__ */ diff --git a/src/google_breakpad/processor/exploitability.h b/src/google_breakpad/processor/exploitability.h index 41ca551c..24eed82e 100644 --- a/src/google_breakpad/processor/exploitability.h +++ b/src/google_breakpad/processor/exploitability.h @@ -59,12 +59,12 @@ class Exploitability { Exploitability(Minidump *dump, ProcessState *process_state); - private: - virtual ExploitabilityRating CheckPlatformExploitability() = 0; - Minidump *dump_; ProcessState *process_state_; SystemInfo *system_info_; + + private: + virtual ExploitabilityRating CheckPlatformExploitability() = 0; }; } // namespace google_breakpad diff --git a/src/processor/exploitability.cc b/src/processor/exploitability.cc index 74810e70..fc015201 100644 --- a/src/processor/exploitability.cc +++ b/src/processor/exploitability.cc @@ -39,6 +39,7 @@ #include "google_breakpad/processor/exploitability.h" #include "google_breakpad/processor/minidump.h" #include "google_breakpad/processor/process_state.h" +#include "processor/exploitability_win.h" #include "processor/logging.h" #include "processor/scoped_ptr.h" @@ -68,10 +69,14 @@ Exploitability *Exploitability::ExploitabilityForPlatform( switch (raw_system_info->platform_id) { case MD_OS_WIN32_NT: - case MD_OS_WIN32_WINDOWS: - case MD_OS_UNIX: + case MD_OS_WIN32_WINDOWS: { + platform_exploitability = new ExploitabilityWin(dump, + process_state); + break; + } case MD_OS_MAC_OS_X: case MD_OS_LINUX: + case MD_OS_UNIX: case MD_OS_SOLARIS: default: { platform_exploitability = NULL; diff --git a/src/processor/exploitability_win.cc b/src/processor/exploitability_win.cc new file mode 100644 index 00000000..b5ecb7b9 --- /dev/null +++ b/src/processor/exploitability_win.cc @@ -0,0 +1,168 @@ +// Copyright (c) 2010 Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// exploitability_win.cc: Windows specific exploitability engine. +// +// Provides a guess at the exploitability of the crash for the Windows +// platform given a minidump and process_state. +// +// Author: Cris Neckar + +#include "processor/exploitability_win.h" + +#include "google_breakpad/common/minidump_exception_win32.h" +#include "processor/logging.h" +#include "processor/scoped_ptr.h" + +namespace google_breakpad { + +// The cutoff that we use to judge if and address is likely an offset +// from null. +static const u_int64_t kProbableNullOffset = 4096; + +// The various cutoffs for the different ratings. +static const size_t kHighCutoff = 85; +static const size_t kMediumCutoff = 65; +static const size_t kLowCutoff = 45; +static const size_t kInterestingCutoff = 25; + +// Predefined incremental values for conditional weighting. +static const size_t kTinyBump = 5; +static const size_t kSmallBump = 20; +static const size_t kMediumBump = 50; +static const size_t kLargeBump = 70; +static const size_t kHugeBump = 90; + +ExploitabilityWin::ExploitabilityWin(Minidump *dump, + ProcessState *process_state) + : Exploitability(dump, process_state) { } + +ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() { + MinidumpException *exception = dump_->GetException(); + if (!exception) + return EXPLOITABILITY_ERR_PROCESSING; + + const MDRawExceptionStream *raw_exception = exception->exception(); + if (!raw_exception) + return EXPLOITABILITY_ERR_PROCESSING; + + u_int64_t address = raw_exception->exception_record.exception_address; + u_int32_t exception_code = raw_exception->exception_record.exception_code; + u_int32_t exception_flags = raw_exception->exception_record.exception_flags; + + u_int32_t exploitability_weight = 0; + + switch (exception_code) { + // This is almost certainly recursion. + case MD_EXCEPTION_CODE_WIN_STACK_OVERFLOW: + exploitability_weight += kTinyBump; + break; + + // These exceptions tend to be benign and we can generally ignore them. + case MD_EXCEPTION_CODE_WIN_INTEGER_DIVIDE_BY_ZERO: + case MD_EXCEPTION_CODE_WIN_INTEGER_OVERFLOW: + case MD_EXCEPTION_CODE_WIN_FLOAT_DIVIDE_BY_ZERO: + case MD_EXCEPTION_CODE_WIN_FLOAT_INEXACT_RESULT: + case MD_EXCEPTION_CODE_WIN_FLOAT_OVERFLOW: + case MD_EXCEPTION_CODE_WIN_FLOAT_UNDERFLOW: + case MD_EXCEPTION_CODE_WIN_IN_PAGE_ERROR: + exploitability_weight += kTinyBump; + break; + + // These exceptions will typically mean that we have jumped where we + // shouldn't. + case MD_EXCEPTION_CODE_WIN_ILLEGAL_INSTRUCTION: + case MD_EXCEPTION_CODE_WIN_FLOAT_INVALID_OPERATION: + case MD_EXCEPTION_CODE_WIN_PRIVILEGED_INSTRUCTION: + exploitability_weight += kLargeBump; + break; + + // These represent bugs in exception handlers. + case MD_EXCEPTION_CODE_WIN_INVALID_DISPOSITION: + case MD_EXCEPTION_CODE_WIN_NONCONTINUABLE_EXCEPTION: + exploitability_weight += kSmallBump; + break; + + case MD_EXCEPTION_CODE_WIN_HEAP_CORRUPTION: + case MD_EXCEPTION_CODE_WIN_STACK_BUFFER_OVERRUN: + exploitability_weight += kHugeBump; + break; + + case MD_EXCEPTION_CODE_WIN_GUARD_PAGE_VIOLATION: + exploitability_weight += kLargeBump; + break; + + case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION: + bool near_null = (address <= kProbableNullOffset); + if (raw_exception->exception_record.number_parameters >= 1) { + MDAccessViolationTypeWin av_type = + static_cast<MDAccessViolationTypeWin> + (raw_exception->exception_record.exception_information[0]); + switch (av_type) { + case MD_ACCESS_VIOLATION_WIN_READ: + if (near_null) + exploitability_weight += kSmallBump; + else + exploitability_weight += kMediumBump; + break; + case MD_ACCESS_VIOLATION_WIN_WRITE: + if (near_null) + exploitability_weight += kSmallBump; + else + exploitability_weight += kHugeBump; + break; + case MD_ACCESS_VIOLATION_WIN_EXEC: + if (near_null) + exploitability_weight += kSmallBump; + else + exploitability_weight += kHugeBump; + break; + default: + return EXPLOITABILITY_ERR_PROCESSING; + break; + } + } else { + return EXPLOITABILITY_ERR_PROCESSING; + } + } + + // Based on the calculated weight we return a simplified classification. + if (exploitability_weight > kHighCutoff) + return EXPLOITABILITY_HIGH; + if (exploitability_weight > kMediumCutoff) + return EXPLOITABLITY_MEDIUM; + if (exploitability_weight > kLowCutoff) + return EXPLOITABILITY_LOW; + if (exploitability_weight > kInterestingCutoff) + return EXPLOITABILITY_INTERESTING; + + return EXPLOITABILITY_NONE; +} + +} // namespace google_breakpad diff --git a/src/processor/exploitability_win.h b/src/processor/exploitability_win.h new file mode 100644 index 00000000..4e08aef0 --- /dev/null +++ b/src/processor/exploitability_win.h @@ -0,0 +1,55 @@ +// Copyright (c) 2010 Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// exploitability_win.h: Windows specific exploitability engine. +// +// Provides a guess at the exploitability of the crash for the Windows +// platform given a minidump and process_state. +// +// Author: Cris Neckar + +#ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_WIN_H_ +#define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_WIN_H_ + +#include "google_breakpad/common/breakpad_types.h" +#include "google_breakpad/processor/exploitability.h" + +namespace google_breakpad { + +class ExploitabilityWin : public Exploitability { + public: + ExploitabilityWin(Minidump *dump, + ProcessState *process_state); + + virtual ExploitabilityRating CheckPlatformExploitability(); +}; + +} // namespace google_breakpad + +#endif // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_WIN_H_ diff --git a/src/processor/minidump_processor.cc b/src/processor/minidump_processor.cc index 057b342d..a74db327 100644 --- a/src/processor/minidump_processor.cc +++ b/src/processor/minidump_processor.cc @@ -96,8 +96,8 @@ ProcessResult MinidumpProcessor::Process( dump, &process_state->crash_address_); } - // This will just return an empty string if it doesn't exist. - process_state->assertion_ = GetAssertion(dump); + // This will just return an empty string if it doesn't exist. + process_state->assertion_ = GetAssertion(dump); MinidumpModuleList *module_list = dump->GetModuleList(); @@ -267,7 +267,7 @@ ProcessResult MinidumpProcessor::Process( if (!dump.Read()) { BPLOG(ERROR) << "Minidump " << dump.path() << " could not be read"; return PROCESS_ERROR_MINIDUMP_NOT_FOUND; - } + } return Process(&dump, process_state); } @@ -730,14 +730,17 @@ string MinidumpProcessor::GetCrashReason(Minidump *dump, u_int64_t *address) { // This information is useful in addition to the code address, which // will be present in the crash thread's instruction field anyway. if (raw_exception->exception_record.number_parameters >= 1) { - switch (raw_exception->exception_record.exception_information[0]) { - case 0: + MDAccessViolationTypeWin av_type = + static_cast<MDAccessViolationTypeWin> + (raw_exception->exception_record.exception_information[0]); + switch (av_type) { + case MD_ACCESS_VIOLATION_WIN_READ: reason = "EXCEPTION_ACCESS_VIOLATION_READ"; break; - case 1: + case MD_ACCESS_VIOLATION_WIN_WRITE: reason = "EXCEPTION_ACCESS_VIOLATION_WRITE"; break; - case 8: + case MD_ACCESS_VIOLATION_WIN_EXEC: reason = "EXCEPTION_ACCESS_VIOLATION_EXEC"; break; default: @@ -814,8 +817,8 @@ string MinidumpProcessor::GetCrashReason(Minidump *dump, u_int64_t *address) { reason = "EXCEPTION_HEAP_CORRUPTION"; break; case MD_EXCEPTION_CODE_WIN_UNHANDLED_CPP_EXCEPTION: - reason = "Unhandled C++ Exception"; - break; + reason = "Unhandled C++ Exception"; + break; default: BPLOG(INFO) << "Unknown exception reason " << reason; break; @@ -1064,8 +1067,7 @@ string MinidumpProcessor::GetCrashReason(Minidump *dump, u_int64_t *address) { } // static -string MinidumpProcessor::GetAssertion(Minidump *dump) -{ +string MinidumpProcessor::GetAssertion(Minidump *dump) { MinidumpAssertion *assertion = dump->GetAssertion(); if (!assertion) return ""; diff --git a/src/processor/minidump_processor_unittest.cc b/src/processor/minidump_processor_unittest.cc index d2872867..89195c98 100644 --- a/src/processor/minidump_processor_unittest.cc +++ b/src/processor/minidump_processor_unittest.cc @@ -58,10 +58,10 @@ class MockMinidump : public Minidump { MockMinidump() : Minidump("") { } - MOCK_METHOD0(Read,bool()); + MOCK_METHOD0(Read, bool()); MOCK_CONST_METHOD0(path, string()); - MOCK_CONST_METHOD0(header,const MDRawHeader*()); - MOCK_METHOD0(GetThreadList,MinidumpThreadList*()); + MOCK_CONST_METHOD0(header, const MDRawHeader*()); + MOCK_METHOD0(GetThreadList, MinidumpThreadList*()); }; } @@ -179,7 +179,6 @@ class MockSymbolSupplier : public SymbolSupplier { }; class MinidumpProcessorTest : public ::testing::Test { - }; TEST_F(MinidumpProcessorTest, TestCorruptMinidumps) { @@ -257,9 +256,9 @@ TEST_F(MinidumpProcessorTest, TestExploitilityEngine) { ASSERT_EQ(processor.Process(minidump_file, &state), google_breakpad::PROCESS_OK); - // Test that exploitability module correctly fails to supply - // an engine for this platform - ASSERT_EQ(google_breakpad::EXPLOITABILITY_ERR_NOENGINE, + // Test that the supplied dump registers as HIGH. This dump demonstrates + // a write access violation to an address which is not near null. + ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, state.exploitability()); } @@ -342,8 +341,7 @@ TEST_F(MinidumpProcessorTest, TestBasicProcessing) { state.Clear(); supplier.set_interrupt(true); ASSERT_EQ(processor.Process(minidump_file, &state), - google_breakpad::PROCESS_SYMBOL_SUPPLIER_INTERRUPTED - ); + google_breakpad::PROCESS_SYMBOL_SUPPLIER_INTERRUPTED); } } // namespace |