aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/google_breakpad/common/minidump_exception_win32.h9
-rw-r--r--src/google_breakpad/processor/exploitability.h6
-rw-r--r--src/processor/exploitability.cc9
-rw-r--r--src/processor/exploitability_win.cc168
-rw-r--r--src/processor/exploitability_win.h55
-rw-r--r--src/processor/minidump_processor.cc24
-rw-r--r--src/processor/minidump_processor_unittest.cc16
7 files changed, 261 insertions, 26 deletions
diff --git a/src/google_breakpad/common/minidump_exception_win32.h b/src/google_breakpad/common/minidump_exception_win32.h
index 85eb598d..458a7054 100644
--- a/src/google_breakpad/common/minidump_exception_win32.h
+++ b/src/google_breakpad/common/minidump_exception_win32.h
@@ -34,7 +34,7 @@
*
* Author: Mark Mentovai
* Split into its own file: Neal Sidhwaney */
-
+
#ifndef GOOGLE_BREAKPAD_COMMON_MINIDUMP_EXCEPTION_WIN32_H__
#define GOOGLE_BREAKPAD_COMMON_MINIDUMP_EXCEPTION_WIN32_H__
@@ -105,5 +105,12 @@ typedef enum {
generated by Visual C++ compiler */
} MDExceptionCodeWin;
+// These constants are defined in the MSDN documentation of
+// the EXCEPTION_RECORD structure.
+typedef enum {
+ MD_ACCESS_VIOLATION_WIN_READ = 0,
+ MD_ACCESS_VIOLATION_WIN_WRITE = 1,
+ MD_ACCESS_VIOLATION_WIN_EXEC = 8
+} MDAccessViolationTypeWin;
#endif /* GOOGLE_BREAKPAD_COMMON_MINIDUMP_EXCEPTION_WIN32_H__ */
diff --git a/src/google_breakpad/processor/exploitability.h b/src/google_breakpad/processor/exploitability.h
index 41ca551c..24eed82e 100644
--- a/src/google_breakpad/processor/exploitability.h
+++ b/src/google_breakpad/processor/exploitability.h
@@ -59,12 +59,12 @@ class Exploitability {
Exploitability(Minidump *dump,
ProcessState *process_state);
- private:
- virtual ExploitabilityRating CheckPlatformExploitability() = 0;
-
Minidump *dump_;
ProcessState *process_state_;
SystemInfo *system_info_;
+
+ private:
+ virtual ExploitabilityRating CheckPlatformExploitability() = 0;
};
} // namespace google_breakpad
diff --git a/src/processor/exploitability.cc b/src/processor/exploitability.cc
index 74810e70..fc015201 100644
--- a/src/processor/exploitability.cc
+++ b/src/processor/exploitability.cc
@@ -39,6 +39,7 @@
#include "google_breakpad/processor/exploitability.h"
#include "google_breakpad/processor/minidump.h"
#include "google_breakpad/processor/process_state.h"
+#include "processor/exploitability_win.h"
#include "processor/logging.h"
#include "processor/scoped_ptr.h"
@@ -68,10 +69,14 @@ Exploitability *Exploitability::ExploitabilityForPlatform(
switch (raw_system_info->platform_id) {
case MD_OS_WIN32_NT:
- case MD_OS_WIN32_WINDOWS:
- case MD_OS_UNIX:
+ case MD_OS_WIN32_WINDOWS: {
+ platform_exploitability = new ExploitabilityWin(dump,
+ process_state);
+ break;
+ }
case MD_OS_MAC_OS_X:
case MD_OS_LINUX:
+ case MD_OS_UNIX:
case MD_OS_SOLARIS:
default: {
platform_exploitability = NULL;
diff --git a/src/processor/exploitability_win.cc b/src/processor/exploitability_win.cc
new file mode 100644
index 00000000..b5ecb7b9
--- /dev/null
+++ b/src/processor/exploitability_win.cc
@@ -0,0 +1,168 @@
+// Copyright (c) 2010 Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// exploitability_win.cc: Windows specific exploitability engine.
+//
+// Provides a guess at the exploitability of the crash for the Windows
+// platform given a minidump and process_state.
+//
+// Author: Cris Neckar
+
+#include "processor/exploitability_win.h"
+
+#include "google_breakpad/common/minidump_exception_win32.h"
+#include "processor/logging.h"
+#include "processor/scoped_ptr.h"
+
+namespace google_breakpad {
+
+// The cutoff that we use to judge if and address is likely an offset
+// from null.
+static const u_int64_t kProbableNullOffset = 4096;
+
+// The various cutoffs for the different ratings.
+static const size_t kHighCutoff = 85;
+static const size_t kMediumCutoff = 65;
+static const size_t kLowCutoff = 45;
+static const size_t kInterestingCutoff = 25;
+
+// Predefined incremental values for conditional weighting.
+static const size_t kTinyBump = 5;
+static const size_t kSmallBump = 20;
+static const size_t kMediumBump = 50;
+static const size_t kLargeBump = 70;
+static const size_t kHugeBump = 90;
+
+ExploitabilityWin::ExploitabilityWin(Minidump *dump,
+ ProcessState *process_state)
+ : Exploitability(dump, process_state) { }
+
+ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() {
+ MinidumpException *exception = dump_->GetException();
+ if (!exception)
+ return EXPLOITABILITY_ERR_PROCESSING;
+
+ const MDRawExceptionStream *raw_exception = exception->exception();
+ if (!raw_exception)
+ return EXPLOITABILITY_ERR_PROCESSING;
+
+ u_int64_t address = raw_exception->exception_record.exception_address;
+ u_int32_t exception_code = raw_exception->exception_record.exception_code;
+ u_int32_t exception_flags = raw_exception->exception_record.exception_flags;
+
+ u_int32_t exploitability_weight = 0;
+
+ switch (exception_code) {
+ // This is almost certainly recursion.
+ case MD_EXCEPTION_CODE_WIN_STACK_OVERFLOW:
+ exploitability_weight += kTinyBump;
+ break;
+
+ // These exceptions tend to be benign and we can generally ignore them.
+ case MD_EXCEPTION_CODE_WIN_INTEGER_DIVIDE_BY_ZERO:
+ case MD_EXCEPTION_CODE_WIN_INTEGER_OVERFLOW:
+ case MD_EXCEPTION_CODE_WIN_FLOAT_DIVIDE_BY_ZERO:
+ case MD_EXCEPTION_CODE_WIN_FLOAT_INEXACT_RESULT:
+ case MD_EXCEPTION_CODE_WIN_FLOAT_OVERFLOW:
+ case MD_EXCEPTION_CODE_WIN_FLOAT_UNDERFLOW:
+ case MD_EXCEPTION_CODE_WIN_IN_PAGE_ERROR:
+ exploitability_weight += kTinyBump;
+ break;
+
+ // These exceptions will typically mean that we have jumped where we
+ // shouldn't.
+ case MD_EXCEPTION_CODE_WIN_ILLEGAL_INSTRUCTION:
+ case MD_EXCEPTION_CODE_WIN_FLOAT_INVALID_OPERATION:
+ case MD_EXCEPTION_CODE_WIN_PRIVILEGED_INSTRUCTION:
+ exploitability_weight += kLargeBump;
+ break;
+
+ // These represent bugs in exception handlers.
+ case MD_EXCEPTION_CODE_WIN_INVALID_DISPOSITION:
+ case MD_EXCEPTION_CODE_WIN_NONCONTINUABLE_EXCEPTION:
+ exploitability_weight += kSmallBump;
+ break;
+
+ case MD_EXCEPTION_CODE_WIN_HEAP_CORRUPTION:
+ case MD_EXCEPTION_CODE_WIN_STACK_BUFFER_OVERRUN:
+ exploitability_weight += kHugeBump;
+ break;
+
+ case MD_EXCEPTION_CODE_WIN_GUARD_PAGE_VIOLATION:
+ exploitability_weight += kLargeBump;
+ break;
+
+ case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION:
+ bool near_null = (address <= kProbableNullOffset);
+ if (raw_exception->exception_record.number_parameters >= 1) {
+ MDAccessViolationTypeWin av_type =
+ static_cast<MDAccessViolationTypeWin>
+ (raw_exception->exception_record.exception_information[0]);
+ switch (av_type) {
+ case MD_ACCESS_VIOLATION_WIN_READ:
+ if (near_null)
+ exploitability_weight += kSmallBump;
+ else
+ exploitability_weight += kMediumBump;
+ break;
+ case MD_ACCESS_VIOLATION_WIN_WRITE:
+ if (near_null)
+ exploitability_weight += kSmallBump;
+ else
+ exploitability_weight += kHugeBump;
+ break;
+ case MD_ACCESS_VIOLATION_WIN_EXEC:
+ if (near_null)
+ exploitability_weight += kSmallBump;
+ else
+ exploitability_weight += kHugeBump;
+ break;
+ default:
+ return EXPLOITABILITY_ERR_PROCESSING;
+ break;
+ }
+ } else {
+ return EXPLOITABILITY_ERR_PROCESSING;
+ }
+ }
+
+ // Based on the calculated weight we return a simplified classification.
+ if (exploitability_weight > kHighCutoff)
+ return EXPLOITABILITY_HIGH;
+ if (exploitability_weight > kMediumCutoff)
+ return EXPLOITABLITY_MEDIUM;
+ if (exploitability_weight > kLowCutoff)
+ return EXPLOITABILITY_LOW;
+ if (exploitability_weight > kInterestingCutoff)
+ return EXPLOITABILITY_INTERESTING;
+
+ return EXPLOITABILITY_NONE;
+}
+
+} // namespace google_breakpad
diff --git a/src/processor/exploitability_win.h b/src/processor/exploitability_win.h
new file mode 100644
index 00000000..4e08aef0
--- /dev/null
+++ b/src/processor/exploitability_win.h
@@ -0,0 +1,55 @@
+// Copyright (c) 2010 Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// exploitability_win.h: Windows specific exploitability engine.
+//
+// Provides a guess at the exploitability of the crash for the Windows
+// platform given a minidump and process_state.
+//
+// Author: Cris Neckar
+
+#ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_WIN_H_
+#define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_WIN_H_
+
+#include "google_breakpad/common/breakpad_types.h"
+#include "google_breakpad/processor/exploitability.h"
+
+namespace google_breakpad {
+
+class ExploitabilityWin : public Exploitability {
+ public:
+ ExploitabilityWin(Minidump *dump,
+ ProcessState *process_state);
+
+ virtual ExploitabilityRating CheckPlatformExploitability();
+};
+
+} // namespace google_breakpad
+
+#endif // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_WIN_H_
diff --git a/src/processor/minidump_processor.cc b/src/processor/minidump_processor.cc
index 057b342d..a74db327 100644
--- a/src/processor/minidump_processor.cc
+++ b/src/processor/minidump_processor.cc
@@ -96,8 +96,8 @@ ProcessResult MinidumpProcessor::Process(
dump, &process_state->crash_address_);
}
- // This will just return an empty string if it doesn't exist.
- process_state->assertion_ = GetAssertion(dump);
+ // This will just return an empty string if it doesn't exist.
+ process_state->assertion_ = GetAssertion(dump);
MinidumpModuleList *module_list = dump->GetModuleList();
@@ -267,7 +267,7 @@ ProcessResult MinidumpProcessor::Process(
if (!dump.Read()) {
BPLOG(ERROR) << "Minidump " << dump.path() << " could not be read";
return PROCESS_ERROR_MINIDUMP_NOT_FOUND;
- }
+ }
return Process(&dump, process_state);
}
@@ -730,14 +730,17 @@ string MinidumpProcessor::GetCrashReason(Minidump *dump, u_int64_t *address) {
// This information is useful in addition to the code address, which
// will be present in the crash thread's instruction field anyway.
if (raw_exception->exception_record.number_parameters >= 1) {
- switch (raw_exception->exception_record.exception_information[0]) {
- case 0:
+ MDAccessViolationTypeWin av_type =
+ static_cast<MDAccessViolationTypeWin>
+ (raw_exception->exception_record.exception_information[0]);
+ switch (av_type) {
+ case MD_ACCESS_VIOLATION_WIN_READ:
reason = "EXCEPTION_ACCESS_VIOLATION_READ";
break;
- case 1:
+ case MD_ACCESS_VIOLATION_WIN_WRITE:
reason = "EXCEPTION_ACCESS_VIOLATION_WRITE";
break;
- case 8:
+ case MD_ACCESS_VIOLATION_WIN_EXEC:
reason = "EXCEPTION_ACCESS_VIOLATION_EXEC";
break;
default:
@@ -814,8 +817,8 @@ string MinidumpProcessor::GetCrashReason(Minidump *dump, u_int64_t *address) {
reason = "EXCEPTION_HEAP_CORRUPTION";
break;
case MD_EXCEPTION_CODE_WIN_UNHANDLED_CPP_EXCEPTION:
- reason = "Unhandled C++ Exception";
- break;
+ reason = "Unhandled C++ Exception";
+ break;
default:
BPLOG(INFO) << "Unknown exception reason " << reason;
break;
@@ -1064,8 +1067,7 @@ string MinidumpProcessor::GetCrashReason(Minidump *dump, u_int64_t *address) {
}
// static
-string MinidumpProcessor::GetAssertion(Minidump *dump)
-{
+string MinidumpProcessor::GetAssertion(Minidump *dump) {
MinidumpAssertion *assertion = dump->GetAssertion();
if (!assertion)
return "";
diff --git a/src/processor/minidump_processor_unittest.cc b/src/processor/minidump_processor_unittest.cc
index d2872867..89195c98 100644
--- a/src/processor/minidump_processor_unittest.cc
+++ b/src/processor/minidump_processor_unittest.cc
@@ -58,10 +58,10 @@ class MockMinidump : public Minidump {
MockMinidump() : Minidump("") {
}
- MOCK_METHOD0(Read,bool());
+ MOCK_METHOD0(Read, bool());
MOCK_CONST_METHOD0(path, string());
- MOCK_CONST_METHOD0(header,const MDRawHeader*());
- MOCK_METHOD0(GetThreadList,MinidumpThreadList*());
+ MOCK_CONST_METHOD0(header, const MDRawHeader*());
+ MOCK_METHOD0(GetThreadList, MinidumpThreadList*());
};
}
@@ -179,7 +179,6 @@ class MockSymbolSupplier : public SymbolSupplier {
};
class MinidumpProcessorTest : public ::testing::Test {
-
};
TEST_F(MinidumpProcessorTest, TestCorruptMinidumps) {
@@ -257,9 +256,9 @@ TEST_F(MinidumpProcessorTest, TestExploitilityEngine) {
ASSERT_EQ(processor.Process(minidump_file, &state),
google_breakpad::PROCESS_OK);
- // Test that exploitability module correctly fails to supply
- // an engine for this platform
- ASSERT_EQ(google_breakpad::EXPLOITABILITY_ERR_NOENGINE,
+ // Test that the supplied dump registers as HIGH. This dump demonstrates
+ // a write access violation to an address which is not near null.
+ ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
state.exploitability());
}
@@ -342,8 +341,7 @@ TEST_F(MinidumpProcessorTest, TestBasicProcessing) {
state.Clear();
supplier.set_interrupt(true);
ASSERT_EQ(processor.Process(minidump_file, &state),
- google_breakpad::PROCESS_SYMBOL_SUPPLIER_INTERRUPTED
- );
+ google_breakpad::PROCESS_SYMBOL_SUPPLIER_INTERRUPTED);
}
} // namespace