Add simple exploitability analysis for Linux crashes.

https://breakpad.appspot.com/622002/



git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1226 4c0a9323-5329-0410-9bdc-e9ce6186880e

src/processor/exploitability_linux.cc

@@ -0,0 +1,86 @@
+// Copyright (c) 2013 Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// exploitability_linux.cc: Linux specific exploitability engine.
+//
+// Provides a guess at the exploitability of the crash for the Linux
+// platform given a minidump and process_state.
+//
+// Author: Matthew Riley
+
+#include "processor/exploitability_linux.h"
+
+#include "google_breakpad/processor/process_state.h"
+#include "google_breakpad/processor/call_stack.h"
+#include "google_breakpad/processor/stack_frame.h"
+
+namespace {
+
+// This function in libc is called if the program was compiled with
+// -fstack-protector and a function's stack canary changes.
+const char kStackCheckFailureFunction[] = "__stack_chk_fail";
+
+// This function in libc is called if the program was compiled with
+// -D_FORTIFY_SOURCE=2, a function like strcpy() is called, and the runtime
+// can determine that the call would overflow the target buffer.
+const char kBoundsCheckFailureFunction[] = "__chk_fail";
+
+}  // namespace
+
+namespace google_breakpad {
+
+ExploitabilityLinux::ExploitabilityLinux(Minidump *dump,
+                                         ProcessState *process_state)
+    : Exploitability(dump, process_state) { }
+
+ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
+  // Check the crashing thread for functions suggesting a buffer overflow or
+  // stack smash.
+  if (process_state_->requesting_thread() != -1) {
+    CallStack* crashing_thread =
+        process_state_->threads()->at(process_state_->requesting_thread());
+    const vector<StackFrame*>& crashing_thread_frames =
+        *crashing_thread->frames();
+    for (size_t i = 0; i < crashing_thread_frames.size(); ++i) {
+      if (crashing_thread_frames[i]->function_name ==
+          kStackCheckFailureFunction) {
+        return EXPLOITABILITY_HIGH;
+      }
+
+      if (crashing_thread_frames[i]->function_name ==
+          kBoundsCheckFailureFunction) {
+        return EXPLOITABILITY_HIGH;
+      }
+    }
+  }
+
+  return EXPLOITABILITY_NONE;
+}
+
+}  // namespace google_breakpad