Checking for benign exceptions that trigger a minidump.

If the exception reponsible for the crash is benign, such as a floating point
exception, we can rule out the possibility that the code is exploitable. This
CL checks for such exceptions and marks the dump as not exploitable if such an
exception is found.

R=ivanpe@chromium.org

Review URL: https://codereview.chromium.org/1212383004

git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1467 4c0a9323-5329-0410-9bdc-e9ce6186880e
This commit is contained in:
Liu.andrew.x@gmail.com 2015-06-30 20:34:39 +00:00
parent a3f0a28b69
commit ca21e62ecf
3 changed files with 62 additions and 3 deletions

View File

@ -36,6 +36,7 @@
#include "processor/exploitability_linux.h"
#include "google_breakpad/common/minidump_exception_linux.h"
#include "google_breakpad/processor/process_state.h"
#include "google_breakpad/processor/call_stack.h"
#include "google_breakpad/processor/stack_frame.h"
@ -119,11 +120,23 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
return EXPLOITABILITY_ERR_PROCESSING;
}
// Checking for the instruction pointer in a valid instruction region.
if (!this->InstructionPointerInCode(instruction_ptr)) {
return EXPLOITABILITY_HIGH;
}
return EXPLOITABILITY_NONE;
const MDRawExceptionStream *raw_exception_stream = exception->exception();
if (raw_exception_stream == NULL) {
BPLOG(INFO) << "No raw exception stream.";
return EXPLOITABILITY_ERR_PROCESSING;
}
// Checking for benign exceptions that caused the crash.
if (this->BenignCrashTrigger(raw_exception_stream)) {
return EXPLOITABILITY_NONE;
}
return EXPLOITABILITY_INTERESTING;
}
bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
@ -149,4 +162,46 @@ bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
minidump_module_list->GetModuleForAddress(instruction_ptr);
}
bool ExploitabilityLinux::BenignCrashTrigger(const MDRawExceptionStream
*raw_exception_stream) {
// Here we check the cause of crash.
// If the exception of the crash is a benign exception,
// it is probably not exploitable.
switch (raw_exception_stream->exception_record.exception_code) {
case MD_EXCEPTION_CODE_LIN_SIGHUP:
case MD_EXCEPTION_CODE_LIN_SIGINT:
case MD_EXCEPTION_CODE_LIN_SIGQUIT:
case MD_EXCEPTION_CODE_LIN_SIGTRAP:
case MD_EXCEPTION_CODE_LIN_SIGABRT:
case MD_EXCEPTION_CODE_LIN_SIGFPE:
case MD_EXCEPTION_CODE_LIN_SIGKILL:
case MD_EXCEPTION_CODE_LIN_SIGUSR1:
case MD_EXCEPTION_CODE_LIN_SIGUSR2:
case MD_EXCEPTION_CODE_LIN_SIGPIPE:
case MD_EXCEPTION_CODE_LIN_SIGALRM:
case MD_EXCEPTION_CODE_LIN_SIGTERM:
case MD_EXCEPTION_CODE_LIN_SIGCHLD:
case MD_EXCEPTION_CODE_LIN_SIGCONT:
case MD_EXCEPTION_CODE_LIN_SIGSTOP:
case MD_EXCEPTION_CODE_LIN_SIGTSTP:
case MD_EXCEPTION_CODE_LIN_SIGTTIN:
case MD_EXCEPTION_CODE_LIN_SIGTTOU:
case MD_EXCEPTION_CODE_LIN_SIGURG:
case MD_EXCEPTION_CODE_LIN_SIGXCPU:
case MD_EXCEPTION_CODE_LIN_SIGXFSZ:
case MD_EXCEPTION_CODE_LIN_SIGVTALRM:
case MD_EXCEPTION_CODE_LIN_SIGPROF:
case MD_EXCEPTION_CODE_LIN_SIGWINCH:
case MD_EXCEPTION_CODE_LIN_SIGIO:
case MD_EXCEPTION_CODE_LIN_SIGPWR:
case MD_EXCEPTION_CODE_LIN_SIGSYS:
case MD_EXCEPTION_CODE_LIN_DUMP_REQUESTED:
return true;
break;
default:
return false;
break;
}
}
} // namespace google_breakpad

View File

@ -53,6 +53,10 @@ class ExploitabilityLinux : public Exploitability {
// This method takes the address of the instruction pointer and returns
// whether the instruction pointer lies in a valid instruction region.
bool InstructionPointerInCode(uint64_t instruction_ptr);
// This method checks the exception that triggered the creation of the
// minidump and reports whether the exception suggests no exploitability.
bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
};
} // namespace google_breakpad

View File

@ -107,7 +107,7 @@ TEST(ExploitabilityTest, TestWindowsEngine) {
}
TEST(ExploitabilityTest, TestLinuxEngine) {
ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE,
ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
ExploitabilityFor("linux_null_read_av.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_overflow.dmp"));
@ -115,7 +115,7 @@ TEST(ExploitabilityTest, TestLinuxEngine) {
ExploitabilityFor("linux_stacksmash.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE,
ExploitabilityFor("linux_divide_by_zero.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE,
ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
ExploitabilityFor("linux_null_dereference.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_jmp_to_0.dmp"));