path: root/src/processor/exploitability_unittest.cc
Commit log for this file. Each entry gives the commit message, then the author, date, number of files changed and lines removed/added (-N/+M).
* Updating ExploitabilityLinux to check memory mapping names against a prefix instead of a specific name.
  Ben Scarlato, 2016-08-29, 1 file changed, -0/+2

  This will prevent false positives on systems which use a format such as "[stack:69616]" for stack memory mapping names.

  Change-Id: I51aeda2fe856c1f37f0d18ac06cce69fec2fffa2
  Reviewed-on: https://chromium-review.googlesource.com/377086
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* Fixing a flaky Linux exploitability unittest.
  Ivan Penkov, 2016-02-16, 1 file changed, -1/+44

  BUG=https://code.google.com/p/chromium/issues/detail?id=584174
  R=mmandlis@chromium.org
  Review URL: https://codereview.chromium.org/1697963002 .
* exploitability_unittest: fix warnings
  Mike Frysinger, 2016-01-21, 1 file changed, -7/+6

  The std::getline function always returns its first arg (which is an iostream object) and cannot return anything else. Thus, testing its value is pointless, and even leads to build errors w/at least gcc-5 due to gtest ASSERT_TRUE funcs only taking bool types:

    .../exploitability_unittest.cc: In member function 'virtual void {anonymous}::ExploitabilityLinuxUtilsTest_DisassembleBytesTest_Test::TestBody()':
    .../exploitability_unittest.cc:200:136: error: no matching function for call to 'testing::AssertionResult::AssertionResult(std::basic_istream<char>&)'
    In file included from .../breakpad_googletest_includes.h:33:0,
                     from .../exploitability_unittest.cc:35:
    .../gtest.h:262:12: note: candidate: testing::AssertionResult::AssertionResult(bool)

  Since we know this never fails, simply drop the ASSERT_TRUE usage. The next line already checks the content of the buffer we read.

  Further on in the file, we hit some signed warnings:

    In file included from .../breakpad_googletest_includes.h:33:0,
                     from .../exploitability_unittest.cc:35:
    .../gtest.h: In instantiation of 'testing::AssertionResult testing::internal::CmpHelperEQ(const char*, const char*, const T1&, const T2&) [with T1 = long unsigned int; T2 = int]':
    .../gtest.h:1484:23:   required from 'static testing::AssertionResult testing::internal::EqHelper<lhs_is_null_literal>::Compare(const char*, const char*, const T1&, const T2&) [with T1 = long unsigned int; T2 = int; bool lhs_is_null_literal = false]'
    .../exploitability_unittest.cc:241:289:   required from here
    .../gtest.h:1448:16: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
       if (expected == actual) {

  This is because we compare the register value (a uint64_t) directly to an integer constant, and those are signed by default. Stick a U suffix on them to fix things up.

  BUG=chromium:579384
  TEST=`make check` passes
  R=ivanpe@chromium.org
  Review URL: https://codereview.chromium.org/1611763002 .
* Fix ExploitabilityLinuxUtilsTest::DisassembleBytesTest to not fail when temp file ends with 0
  Ted Mielczarek, 2015-11-30, 1 file changed, -1/+3

  R=ivanpe@chromium.org
  BUG=https://bugs.chromium.org/p/google-breakpad/issues/detail?id=668
  Review URL: https://codereview.chromium.org/1482363003 .
* Add check for Linux minidump ending on bad write for exploitability rating.
  Liu.andrew.x@gmail.com, 2015-08-21, 1 file changed, -0/+120

  If a crash occurred as a result of a write to unwritable memory, it is reason to suggest exploitability. The processor checks for a bad write by disassembling the command that caused the crash by piping the raw bytes near the instruction pointer through objdump. This allows the processor to see if the instruction that caused the crash is a write to memory and where the target of the address is located.

  R=ivanpe@chromium.org
  Review URL: https://codereview.chromium.org/1273823004

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1497 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Add check for executable stack/heap when rating Linux exploitability.
  Liu.andrew.x@gmail.com, 2015-08-15, 1 file changed, -0/+4

  This CL also consequentially adds a public method to get the number of mappings in a Linux minidump.

  R=ivanpe@chromium.org
  Review URL: https://codereview.chromium.org/1291603002

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1488 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Add check to see if stack pointer is off the stack according to the memory mappings when rating Linux exploitability.
  Liu.andrew.x@gmail.com, 2015-08-15, 1 file changed, -0/+4

  R=ivanpe@chromium.org
  Review URL: https://codereview.chromium.org/1286033002

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1487 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Add support for Linux memory mapping stream and remove ELF header usage when checking exploitability rating.
  Liu.andrew.x@gmail.com, 2015-07-28, 1 file changed, -4/+0

  Linux minidumps do not support MD_MEMORY_INFO_LIST_STREAM, meaning the processor cannot retrieve its memory mappings. However, it has its own stream, MD_LINUX_MAPS, which contains memory mappings specific to Linux (it contains the contents of /proc/self/maps). This CL allows the minidump to gather information from the memory mappings for Linux minidumps.

  In addition, exploitability rating for Linux dumps now uses memory mappings instead of checking the ELF headers of binaries. The basis for the change is that checking the ELF headers requires the minidumps to store the memory from the ELF headers, while the memory mapping data is already present, meaning the size of a minidump will be unchanged.

  As a result of removing ELF header analysis, two unit tests have been removed. Arguably, the cases that those unit tests check do not merit a high exploitability rating and do not warrant a solid conclusion that was given earlier.

  R=ivanpe@chromium.org
  Review URL: https://codereview.chromium.org/1251593007

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1476 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Add ELF header analysis when checking for instruction pointer in code.
  Liu.andrew.x@gmail.com, 2015-07-16, 1 file changed, -0/+12

  If the minidump module containing the instruction pointer has memory containing the ELF header and program header table, when checking the exploitability rating, the processor will use the ELF header data to determine if the instruction pointer lies in an executable region of the module, rather than just checking if it lies in a module.

  R=ivanpe@chromium.org
  Review URL: https://codereview.chromium.org/1233973002

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1472 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Checking for benign exceptions that trigger a minidump.
  Liu.andrew.x@gmail.com, 2015-06-30, 1 file changed, -2/+2

  If the exception responsible for the crash is benign, such as a floating point exception, we can rule out the possibility that the code is exploitable. This CL checks for such exceptions and marks the dump as not exploitable if such an exception is found.

  R=ivanpe@chromium.org
  Review URL: https://codereview.chromium.org/1212383004

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1467 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Checking location of the instruction pointer to see if it is in valid code for Linux exploitability rating.
  Liu.andrew.x@gmail.com, 2015-06-25, 1 file changed, -0/+7

  This CL adds to the Linux exploitability checker by verifying that the instruction pointer is in valid code. Verification is done by obtaining a memory mapping of the crash and checking if the instruction pointer lies in an executable region. If there is no memory mapping, the instruction pointer is checked to determine if it lies within a known module.

  R=ivanpe@chromium.org
  Review URL: https://codereview.chromium.org/1210493003

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1464 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Add simple exploitability analysis for Linux crashes.
  mattdr.breakpad@gmail.com, 2013-10-29, 1 file changed, -176/+46

  https://breakpad.appspot.com/622002/

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1226 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Detect corrupt symbol files during minidump processing. Recover from the errors and use the good data if possible.
  ivan.penkov@gmail.com, 2013-07-11, 1 file changed, -2/+4

  More specifically:
  - Detect corrupt symbols during minidump processing and provide the list of modules with corrupt symbols in the ProcessState. This will allow listing the corrupt symbol files in the final crash report.
  - Skip and recover from symbol data parse errors - don't give up until 100 parse errors are seen.
  - In order to recover from '\0' (null terminator) in the middle of a symbol file, a couple of methods have to be updated to require both buffer pointer and length. Previously they required only a buffer pointer (char *) and the size of the buffer was evaluated using strlen which is not reliable when the data is corrupt. Most of the changes are due to these signature updates.
  - Added and updated unittests.

  Also, updated minidump_stackwalk to show a WARNING for corrupt symbols. Output looks like this:

    ...
    Loaded modules:
    0x000da000 - 0x000dafff  Google Chrome Canary  ???  (main)
    0x000e0000 - 0x0417dfff  Google Chrome Framework  0.1500.0.3  (WARNING: Corrupt symbols, Google Chrome Framework, 4682A6B4136436C4BFECEB62D498020E0)
    0x044a8000 - 0x04571fff  IOBluetooth  0.1.0.0
    ...

  Review URL: https://breakpad.appspot.com/613002

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1200 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Cleanup: Remove duplicate wording in license headers.
  thestig@chromium.org, 2013-04-23, 1 file changed, -12/+2

  BUG=505
  Review URL: https://breakpad.appspot.com/498002

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1159 4c0a9323-5329-0410-9bdc-e9ce6186880e
* This change allows compiling the google-breakpad code using a global ::string class instead of std::string.
  ivan.penkov@gmail.com, 2012-06-28, 1 file changed, -1/+1

  For more details take a look at common/using_std_string.h

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@974 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Restrict ownership of symbol data buffers to symbol supplier.
  SiyangXie@gmail.com, 2010-11-01, 1 file changed, -0/+1

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@721 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Refactor source line resolver, add interface in supplier and resolver.
  SiyangXie@gmail.com, 2010-10-07, 1 file changed, -0/+13

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@711 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Added method to exploitability class which checks if a given address contains all ascii characters.
  cdn@chromium.org, 2010-10-01, 1 file changed, -17/+45

  BUG=NONE
  TEST=ExploitabilityTest.TestWindowsEngine
  Review URL: http://breakpad.appspot.com/207001

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@706 4c0a9323-5329-0410-9bdc-e9ce6186880e
* Added libdisasm to the repository. This library is no longer under development so there is no reason not to keep it locally.
  cdn@chromium.org, 2010-10-01, 1 file changed, -0/+213

  Implemented a basic disassembler which can be used to scan bytecode for interesting conditions. This should be pretty easy to add to for things other than exploitability if there is a desire. This also adds several tests to the windows exploitability ranking code to take advantage of the disassembler for x86 code.

  BUG=None
  TEST=DisassemblerX86Test.*
  Review URL: http://breakpad.appspot.com/203001

  git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@705 4c0a9323-5329-0410-9bdc-e9ce6186880e