Add check for executable stack/heap when rating Linux exploitability.
This CL also consequentially adds a public method to get the number of mappings in a Linux minidump. R=ivanpe@chromium.org Review URL: https://codereview.chromium.org/1291603002 git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1488 4c0a9323-5329-0410-9bdc-e9ce6186880e
This commit is contained in:
		| @@ -916,6 +916,9 @@ class MinidumpLinuxMapsList : public MinidumpStream { | |||||||
|  public: |  public: | ||||||
|   virtual ~MinidumpLinuxMapsList(); |   virtual ~MinidumpLinuxMapsList(); | ||||||
|  |  | ||||||
|  |   // Get number of mappings. | ||||||
|  |   unsigned int get_maps_count() const { return valid_ ? maps_count_ : 0; } | ||||||
|  |  | ||||||
|   // Get mapping at the given memory address. The caller owns the pointer. |   // Get mapping at the given memory address. The caller owns the pointer. | ||||||
|   const MinidumpLinuxMaps *GetLinuxMapsForAddress(uint64_t address) const; |   const MinidumpLinuxMaps *GetLinuxMapsForAddress(uint64_t address) const; | ||||||
|   // Get mapping at the given index. The caller owns the pointer. |   // Get mapping at the given index. The caller owns the pointer. | ||||||
|   | |||||||
| @@ -124,7 +124,8 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() { | |||||||
|  |  | ||||||
|   // Checking for the instruction pointer in a valid instruction region. |   // Checking for the instruction pointer in a valid instruction region. | ||||||
|   if (!this->InstructionPointerInCode(instruction_ptr) || |   if (!this->InstructionPointerInCode(instruction_ptr) || | ||||||
|        this->StackPointerOffStack(stack_ptr)) { |        this->StackPointerOffStack(stack_ptr) || | ||||||
|  |        this->ExecutableStackOrHeap()) { | ||||||
|     return EXPLOITABILITY_HIGH; |     return EXPLOITABILITY_HIGH; | ||||||
|   } |   } | ||||||
|  |  | ||||||
| @@ -149,6 +150,24 @@ bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) { | |||||||
|           linux_maps->GetPathname().compare("[stack]")); |           linux_maps->GetPathname().compare("[stack]")); | ||||||
| } | } | ||||||
|  |  | ||||||
|  | bool ExploitabilityLinux::ExecutableStackOrHeap() { | ||||||
|  |   MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList(); | ||||||
|  |   if (linux_maps_list) { | ||||||
|  |     for (size_t i = 0; i < linux_maps_list->get_maps_count(); i++) { | ||||||
|  |       const MinidumpLinuxMaps *linux_maps = | ||||||
|  |           linux_maps_list->GetLinuxMapsAtIndex(i); | ||||||
|  |       // Check for executable stack or heap for each mapping. | ||||||
|  |       if (linux_maps && | ||||||
|  |           (!linux_maps->GetPathname().compare("[stack]") || | ||||||
|  |            !linux_maps->GetPathname().compare("[heap]")) && | ||||||
|  |           linux_maps->IsExecutable()) { | ||||||
|  |         return true; | ||||||
|  |       } | ||||||
|  |     } | ||||||
|  |   } | ||||||
|  |   return false; | ||||||
|  | } | ||||||
|  |  | ||||||
| bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) { | bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) { | ||||||
|   // Get Linux memory mapping from /proc/self/maps. Checking whether the |   // Get Linux memory mapping from /proc/self/maps. Checking whether the | ||||||
|   // region the instruction pointer is in has executable permission can tell |   // region the instruction pointer is in has executable permission can tell | ||||||
|   | |||||||
| @@ -51,17 +51,21 @@ class ExploitabilityLinux : public Exploitability { | |||||||
|   virtual ExploitabilityRating CheckPlatformExploitability(); |   virtual ExploitabilityRating CheckPlatformExploitability(); | ||||||
|  |  | ||||||
|  private: |  private: | ||||||
|   // This method takes the address of the instruction pointer and returns |   // Takes the address of the instruction pointer and returns | ||||||
|   // whether the instruction pointer lies in a valid instruction region. |   // whether the instruction pointer lies in a valid instruction region. | ||||||
|   bool InstructionPointerInCode(uint64_t instruction_ptr); |   bool InstructionPointerInCode(uint64_t instruction_ptr); | ||||||
|  |  | ||||||
|   // This method checks the exception that triggered the creation of the |   // Checks the exception that triggered the creation of the | ||||||
|   // minidump and reports whether the exception suggests no exploitability. |   // minidump and reports whether the exception suggests no exploitability. | ||||||
|   bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream); |   bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream); | ||||||
|  |  | ||||||
|   // Checks if the stack pointer points to a memory mapping that is not |   // Checks if the stack pointer points to a memory mapping that is not | ||||||
|   // labelled as the stack. |   // labelled as the stack. | ||||||
|   bool StackPointerOffStack(uint64_t stack_ptr); |   bool StackPointerOffStack(uint64_t stack_ptr); | ||||||
|  |  | ||||||
|  |   // Checks if the stack or heap are marked executable according | ||||||
|  |   // to the memory mappings. | ||||||
|  |   bool ExecutableStackOrHeap(); | ||||||
| }; | }; | ||||||
|  |  | ||||||
| }  // namespace google_breakpad | }  // namespace google_breakpad | ||||||
|   | |||||||
| @@ -131,6 +131,10 @@ TEST(ExploitabilityTest, TestLinuxEngine) { | |||||||
|             ExploitabilityFor("linux_stack_pointer_in_stack.dmp")); |             ExploitabilityFor("linux_stack_pointer_in_stack.dmp")); | ||||||
|   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, |   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, | ||||||
|             ExploitabilityFor("linux_stack_pointer_in_module.dmp")); |             ExploitabilityFor("linux_stack_pointer_in_module.dmp")); | ||||||
|  |   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, | ||||||
|  |             ExploitabilityFor("linux_executable_stack.dmp")); | ||||||
|  |   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, | ||||||
|  |             ExploitabilityFor("linux_executable_heap.dmp")); | ||||||
|  |  | ||||||
| } | } | ||||||
| } | } | ||||||
|   | |||||||
							
								
								
									
										
											BIN
										
									
								
								src/processor/testdata/linux_executable_heap.dmp
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								src/processor/testdata/linux_executable_heap.dmp
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
							
								
								
									
										
											BIN
										
									
								
								src/processor/testdata/linux_executable_stack.dmp
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								src/processor/testdata/linux_executable_stack.dmp
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
		Reference in New Issue
	
	Block a user
	 Liu.andrew.x@gmail.com
					Liu.andrew.x@gmail.com