| 1 | // Copyright (c) 2013 Google Inc. |
|---|---|
| 2 | // All rights reserved. |
| 3 | // |
| 4 | // Redistribution and use in source and binary forms, with or without |
| 5 | // modification, are permitted provided that the following conditions are |
| 6 | // met: |
| 7 | // |
| 8 | // * Redistributions of source code must retain the above copyright |
| 9 | // notice, this list of conditions and the following disclaimer. |
| 10 | // * Redistributions in binary form must reproduce the above |
| 11 | // copyright notice, this list of conditions and the following disclaimer |
| 12 | // in the documentation and/or other materials provided with the |
| 13 | // distribution. |
| 14 | // * Neither the name of Google Inc. nor the names of its |
| 15 | // contributors may be used to endorse or promote products derived from |
| 16 | // this software without specific prior written permission. |
| 17 | // |
| 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 19 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 20 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| 21 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| 22 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 23 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| 24 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 25 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 26 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 27 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 28 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 29 | |
| 30 | // exploitability_linux.cc: Linux specific exploitability engine. |
| 31 | // |
| 32 | // Provides a guess at the exploitability of the crash for the Linux |
| 33 | // platform given a minidump and process_state. |
| 34 | // |
| 35 | // Author: Matthew Riley |
| 36 | |
| 37 | #include "processor/exploitability_linux.h" |
| 38 | |
| 39 | #ifndef _WIN32 |
| 40 | #include <regex.h> |
| 41 | #include <stdio.h> |
| 42 | #include <stdlib.h> |
| 43 | |
| 44 | #include <sstream> |
| 45 | #include <iterator> |
| 46 | #endif // _WIN32 |
| 47 | |
| 48 | #include <string.h> |
| 49 | |
| 50 | #include "google_breakpad/common/minidump_exception_linux.h" |
| 51 | #include "google_breakpad/processor/call_stack.h" |
| 52 | #include "google_breakpad/processor/process_state.h" |
| 53 | #include "google_breakpad/processor/stack_frame.h" |
| 54 | #include "processor/logging.h" |
| 55 | |
| 56 | namespace { |
| 57 | |
| 58 | // Prefixes for memory mapping names. |
| 59 | constexpr char kHeapPrefix[] = "[heap"; |
| 60 | constexpr char kStackPrefix[] = "[stack"; |
| 61 | |
| 62 | // This function in libc is called if the program was compiled with |
| 63 | // -fstack-protector and a function's stack canary changes. |
| 64 | constexpr char kStackCheckFailureFunction[] = "__stack_chk_fail"; |
| 65 | |
| 66 | // This function in libc is called if the program was compiled with |
| 67 | // -D_FORTIFY_SOURCE=2, a function like strcpy() is called, and the runtime |
| 68 | // can determine that the call would overflow the target buffer. |
| 69 | constexpr char kBoundsCheckFailureFunction[] = "__chk_fail"; |
| 70 | |
| 71 | #ifndef _WIN32 |
| 72 | const unsigned int MAX_INSTRUCTION_LEN = 15; |
| 73 | const unsigned int MAX_OBJDUMP_BUFFER_LEN = 4096; |
| 74 | #endif // _WIN32 |
| 75 | |
| 76 | } // namespace |
| 77 | |
| 78 | namespace google_breakpad { |
| 79 | |
| 80 | ExploitabilityLinux::ExploitabilityLinux(Minidump* dump, |
| 81 | ProcessState* process_state) |
| 82 | : Exploitability(dump, process_state), |
| 83 | enable_objdump_(false) { } |
| 84 | |
| 85 | ExploitabilityLinux::ExploitabilityLinux(Minidump* dump, |
| 86 | ProcessState* process_state, |
| 87 | bool enable_objdump) |
| 88 | : Exploitability(dump, process_state), |
| 89 | enable_objdump_(enable_objdump) { } |
| 90 | |
| 91 | |
| 92 | ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() { |
| 93 | // Check the crashing thread for functions suggesting a buffer overflow or |
| 94 | // stack smash. |
| 95 | if (process_state_->requesting_thread() != -1) { |
| 96 | CallStack* crashing_thread = |
| 97 | process_state_->threads()->at(process_state_->requesting_thread()); |
| 98 | const vector<StackFrame*>& crashing_thread_frames = |
| 99 | *crashing_thread->frames(); |
| 100 | for (size_t i = 0; i < crashing_thread_frames.size(); ++i) { |
| 101 | if (crashing_thread_frames[i]->function_name == |
| 102 | kStackCheckFailureFunction) { |
| 103 | return EXPLOITABILITY_HIGH; |
| 104 | } |
| 105 | |
| 106 | if (crashing_thread_frames[i]->function_name == |
| 107 | kBoundsCheckFailureFunction) { |
| 108 | return EXPLOITABILITY_HIGH; |
| 109 | } |
| 110 | } |
| 111 | } |
| 112 | |
| 113 | // Getting exception data. (It should exist for all minidumps.) |
| 114 | MinidumpException* exception = dump_->GetException(); |
| 115 | if (exception == NULL) { |
| 116 | BPLOG(INFO) << "No exception record."; |
| 117 | return EXPLOITABILITY_ERR_PROCESSING; |
| 118 | } |
| 119 | const MDRawExceptionStream* raw_exception_stream = exception->exception(); |
| 120 | if (raw_exception_stream == NULL) { |
| 121 | BPLOG(INFO) << "No raw exception stream."; |
| 122 | return EXPLOITABILITY_ERR_PROCESSING; |
| 123 | } |
| 124 | |
| 125 | // Checking for benign exceptions that caused the crash. |
| 126 | if (this->BenignCrashTrigger(raw_exception_stream)) { |
| 127 | return EXPLOITABILITY_NONE; |
| 128 | } |
| 129 | |
| 130 | // Check if the instruction pointer is in a valid instruction region |
| 131 | // by finding if it maps to an executable part of memory. |
| 132 | uint64_t instruction_ptr = 0; |
| 133 | uint64_t stack_ptr = 0; |
| 134 | |
| 135 | const MinidumpContext* context = exception->GetContext(); |
| 136 | if (context == NULL) { |
| 137 | BPLOG(INFO) << "No exception context."; |
| 138 | return EXPLOITABILITY_ERR_PROCESSING; |
| 139 | } |
| 140 | |
| 141 | // Getting the instruction pointer. |
| 142 | if (!context->GetInstructionPointer(&instruction_ptr)) { |
| 143 | BPLOG(INFO) << "Failed to retrieve instruction pointer."; |
| 144 | return EXPLOITABILITY_ERR_PROCESSING; |
| 145 | } |
| 146 | |
| 147 | // Getting the stack pointer. |
| 148 | if (!context->GetStackPointer(&stack_ptr)) { |
| 149 | BPLOG(INFO) << "Failed to retrieve stack pointer."; |
| 150 | return EXPLOITABILITY_ERR_PROCESSING; |
| 151 | } |
| 152 | |
| 153 | // Checking for the instruction pointer in a valid instruction region, |
| 154 | // a misplaced stack pointer, and an executable stack or heap. |
| 155 | if (!this->InstructionPointerInCode(instruction_ptr) || |
| 156 | this->StackPointerOffStack(stack_ptr) || |
| 157 | this->ExecutableStackOrHeap()) { |
| 158 | return EXPLOITABILITY_HIGH; |
| 159 | } |
| 160 | |
| 161 | // Check for write to read only memory or invalid memory, shelling out |
| 162 | // to objdump is enabled. |
| 163 | if (enable_objdump_ && this->EndedOnIllegalWrite(instruction_ptr)) { |
| 164 | return EXPLOITABILITY_HIGH; |
| 165 | } |
| 166 | |
| 167 | // There was no strong evidence suggesting exploitability, but the minidump |
| 168 | // does not appear totally benign either. |
| 169 | return EXPLOITABILITY_INTERESTING; |
| 170 | } |
| 171 | |
| 172 | bool ExploitabilityLinux::EndedOnIllegalWrite(uint64_t instruction_ptr) { |
| 173 | #ifdef _WIN32 |
| 174 | BPLOG(INFO) << "MinGW does not support fork and exec. Terminating method."; |
| 175 | #else |
| 176 | // Get memory region containing instruction pointer. |
| 177 | MinidumpMemoryList* memory_list = dump_->GetMemoryList(); |
| 178 | MinidumpMemoryRegion* memory_region = |
| 179 | memory_list ? |
| 180 | memory_list->GetMemoryRegionForAddress(instruction_ptr) : NULL; |
| 181 | if (!memory_region) { |
| 182 | BPLOG(INFO) << "No memory region around instruction pointer."; |
| 183 | return false; |
| 184 | } |
| 185 | |
| 186 | // Get exception data to find architecture. |
| 187 | string architecture = ""; |
| 188 | MinidumpException* exception = dump_->GetException(); |
| 189 | // This should never evaluate to true, since this should not be reachable |
| 190 | // without checking for exception data earlier. |
| 191 | if (!exception) { |
| 192 | BPLOG(INFO) << "No exception data."; |
| 193 | return false; |
| 194 | } |
| 195 | const MDRawExceptionStream* raw_exception_stream = exception->exception(); |
| 196 | const MinidumpContext* context = exception->GetContext(); |
| 197 | // This should not evaluate to true, for the same reason mentioned above. |
| 198 | if (!raw_exception_stream || !context) { |
| 199 | BPLOG(INFO) << "No exception or architecture data."; |
| 200 | return false; |
| 201 | } |
| 202 | // Check architecture and set architecture variable to corresponding flag |
| 203 | // in objdump. |
| 204 | switch (context->GetContextCPU()) { |
| 205 | case MD_CONTEXT_X86: |
| 206 | architecture = "i386"; |
| 207 | break; |
| 208 | case MD_CONTEXT_AMD64: |
| 209 | architecture = "i386:x86-64"; |
| 210 | break; |
| 211 | default: |
| 212 | // Unsupported architecture. Note that ARM architectures are not |
| 213 | // supported because objdump does not support ARM. |
| 214 | return false; |
| 215 | } |
| 216 | |
| 217 | // Get memory region around instruction pointer and the number of bytes |
| 218 | // before and after the instruction pointer in the memory region. |
| 219 | const uint8_t* raw_memory = memory_region->GetMemory(); |
| 220 | const uint64_t base = memory_region->GetBase(); |
| 221 | if (base > instruction_ptr) { |
| 222 | BPLOG(ERROR) << "Memory region base value exceeds instruction pointer."; |
| 223 | return false; |
| 224 | } |
| 225 | const uint64_t offset = instruction_ptr - base; |
| 226 | if (memory_region->GetSize() < MAX_INSTRUCTION_LEN + offset) { |
| 227 | BPLOG(INFO) << "Not enough bytes left to guarantee complete instruction."; |
| 228 | return false; |
| 229 | } |
| 230 | |
| 231 | // Convert bytes into objdump output. |
| 232 | char objdump_output_buffer[MAX_OBJDUMP_BUFFER_LEN] = {0}; |
| 233 | DisassembleBytes(architecture, |
| 234 | raw_memory + offset, |
| 235 | MAX_OBJDUMP_BUFFER_LEN, |
| 236 | objdump_output_buffer); |
| 237 | |
| 238 | string line; |
| 239 | if (!GetObjdumpInstructionLine(objdump_output_buffer, &line)) { |
| 240 | return false; |
| 241 | } |
| 242 | |
| 243 | // Convert objdump instruction line into the operation and operands. |
| 244 | string instruction = ""; |
| 245 | string dest = ""; |
| 246 | string src = ""; |
| 247 | TokenizeObjdumpInstruction(line, &instruction, &dest, &src); |
| 248 | |
| 249 | // Check if the operation is a write to memory. First, the instruction |
| 250 | // must one that can write to memory. Second, the write destination |
| 251 | // must be a spot in memory rather than a register. Since there are no |
| 252 | // symbols from objdump, the destination will be enclosed by brackets. |
| 253 | if (dest.size() > 2 && dest.at(0) == '[' && dest.at(dest.size() - 1) == ']' && |
| 254 | (!instruction.compare("mov") || !instruction.compare( "inc") || |
| 255 | !instruction.compare("dec") || !instruction.compare( "and") || |
| 256 | !instruction.compare("or") || !instruction.compare( "xor") || |
| 257 | !instruction.compare("not") || !instruction.compare( "neg") || |
| 258 | !instruction.compare("add") || !instruction.compare( "sub") || |
| 259 | !instruction.compare("shl") || !instruction.compare( "shr"))) { |
| 260 | // Strip away enclosing brackets from the destination address. |
| 261 | dest = dest.substr(1, dest.size() - 2); |
| 262 | uint64_t write_address = 0; |
| 263 | CalculateAddress(dest, *context, &write_address); |
| 264 | |
| 265 | // If the program crashed as a result of a write, the destination of |
| 266 | // the write must have been an address that did not permit writing. |
| 267 | // However, if the address is under 4k, due to program protections, |
| 268 | // the crash does not suggest exploitability for writes with such a |
| 269 | // low target address. |
| 270 | return write_address > 4096; |
| 271 | } |
| 272 | #endif // _WIN32 |
| 273 | return false; |
| 274 | } |
| 275 | |
| 276 | #ifndef _WIN32 |
| 277 | bool ExploitabilityLinux::CalculateAddress(const string& address_expression, |
| 278 | const DumpContext& context, |
| 279 | uint64_t* write_address) { |
| 280 | // The destination should be the format reg+a or reg-a, where reg |
| 281 | // is a register and a is a hexadecimal constant. Although more complex |
| 282 | // expressions can make valid instructions, objdump's disassembly outputs |
| 283 | // it in this simpler format. |
| 284 | // TODO(liuandrew): Handle more complex formats, should they arise. |
| 285 | |
| 286 | if (!write_address) { |
| 287 | BPLOG(ERROR) << "Null parameter."; |
| 288 | return false; |
| 289 | } |
| 290 | |
| 291 | // Clone parameter into a non-const string. |
| 292 | string expression = address_expression; |
| 293 | |
| 294 | // Parse out the constant that is added to the address (if it exists). |
| 295 | size_t delim = expression.find('+'); |
| 296 | bool positive_add_constant = true; |
| 297 | // Check if constant is subtracted instead of added. |
| 298 | if (delim == string::npos) { |
| 299 | positive_add_constant = false; |
| 300 | delim = expression.find('-'); |
| 301 | } |
| 302 | uint32_t add_constant = 0; |
| 303 | // Save constant and remove it from the expression. |
| 304 | if (delim != string::npos) { |
| 305 | if (!sscanf(expression.substr(delim + 1).c_str(), "%x", &add_constant)) { |
| 306 | BPLOG(ERROR) << "Failed to scan constant."; |
| 307 | return false; |
| 308 | } |
| 309 | expression = expression.substr(0, delim); |
| 310 | } |
| 311 | |
| 312 | // Set the the write address to the corresponding register. |
| 313 | // TODO(liuandrew): Add support for partial registers, such as |
| 314 | // the rax/eax/ax/ah/al chain. |
| 315 | switch (context.GetContextCPU()) { |
| 316 | case MD_CONTEXT_X86: |
| 317 | if (!expression.compare("eax")) { |
| 318 | *write_address = context.GetContextX86()->eax; |
| 319 | } else if (!expression.compare("ebx")) { |
| 320 | *write_address = context.GetContextX86()->ebx; |
| 321 | } else if (!expression.compare("ecx")) { |
| 322 | *write_address = context.GetContextX86()->ecx; |
| 323 | } else if (!expression.compare("edx")) { |
| 324 | *write_address = context.GetContextX86()->edx; |
| 325 | } else if (!expression.compare("edi")) { |
| 326 | *write_address = context.GetContextX86()->edi; |
| 327 | } else if (!expression.compare("esi")) { |
| 328 | *write_address = context.GetContextX86()->esi; |
| 329 | } else if (!expression.compare("ebp")) { |
| 330 | *write_address = context.GetContextX86()->ebp; |
| 331 | } else if (!expression.compare("esp")) { |
| 332 | *write_address = context.GetContextX86()->esp; |
| 333 | } else if (!expression.compare("eip")) { |
| 334 | *write_address = context.GetContextX86()->eip; |
| 335 | } else { |
| 336 | BPLOG(ERROR) << "Unsupported register"; |
| 337 | return false; |
| 338 | } |
| 339 | break; |
| 340 | case MD_CONTEXT_AMD64: |
| 341 | if (!expression.compare("rax")) { |
| 342 | *write_address = context.GetContextAMD64()->rax; |
| 343 | } else if (!expression.compare("rbx")) { |
| 344 | *write_address = context.GetContextAMD64()->rbx; |
| 345 | } else if (!expression.compare("rcx")) { |
| 346 | *write_address = context.GetContextAMD64()->rcx; |
| 347 | } else if (!expression.compare("rdx")) { |
| 348 | *write_address = context.GetContextAMD64()->rdx; |
| 349 | } else if (!expression.compare("rdi")) { |
| 350 | *write_address = context.GetContextAMD64()->rdi; |
| 351 | } else if (!expression.compare("rsi")) { |
| 352 | *write_address = context.GetContextAMD64()->rsi; |
| 353 | } else if (!expression.compare("rbp")) { |
| 354 | *write_address = context.GetContextAMD64()->rbp; |
| 355 | } else if (!expression.compare("rsp")) { |
| 356 | *write_address = context.GetContextAMD64()->rsp; |
| 357 | } else if (!expression.compare("rip")) { |
| 358 | *write_address = context.GetContextAMD64()->rip; |
| 359 | } else if (!expression.compare("r8")) { |
| 360 | *write_address = context.GetContextAMD64()->r8; |
| 361 | } else if (!expression.compare("r9")) { |
| 362 | *write_address = context.GetContextAMD64()->r9; |
| 363 | } else if (!expression.compare("r10")) { |
| 364 | *write_address = context.GetContextAMD64()->r10; |
| 365 | } else if (!expression.compare("r11")) { |
| 366 | *write_address = context.GetContextAMD64()->r11; |
| 367 | } else if (!expression.compare("r12")) { |
| 368 | *write_address = context.GetContextAMD64()->r12; |
| 369 | } else if (!expression.compare("r13")) { |
| 370 | *write_address = context.GetContextAMD64()->r13; |
| 371 | } else if (!expression.compare("r14")) { |
| 372 | *write_address = context.GetContextAMD64()->r14; |
| 373 | } else if (!expression.compare("r15")) { |
| 374 | *write_address = context.GetContextAMD64()->r15; |
| 375 | } else { |
| 376 | BPLOG(ERROR) << "Unsupported register"; |
| 377 | return false; |
| 378 | } |
| 379 | break; |
| 380 | default: |
| 381 | // This should not occur since the same switch condition |
| 382 | // should have terminated this method. |
| 383 | return false; |
| 384 | } |
| 385 | |
| 386 | // Add or subtract constant from write address (if applicable). |
| 387 | *write_address = |
| 388 | positive_add_constant ? |
| 389 | *write_address + add_constant : *write_address - add_constant; |
| 390 | |
| 391 | return true; |
| 392 | } |
| 393 | |
| 394 | // static |
| 395 | bool ExploitabilityLinux::GetObjdumpInstructionLine( |
| 396 | const char* objdump_output_buffer, |
| 397 | string* instruction_line) { |
| 398 | // Put buffer data into stream to output line-by-line. |
| 399 | std::stringstream objdump_stream; |
| 400 | objdump_stream.str(string(objdump_output_buffer)); |
| 401 | |
| 402 | // Pipe each output line into the string until the string contains the first |
| 403 | // instruction from objdump. All lines before the "<.data>:" section are |
| 404 | // skipped. Loop until the line shows the first instruction or there are no |
| 405 | // lines left. |
| 406 | bool data_section_seen = false; |
| 407 | do { |
| 408 | if (!getline(objdump_stream, *instruction_line)) { |
| 409 | BPLOG(INFO) << "Objdump instructions not found"; |
| 410 | return false; |
| 411 | } |
| 412 | if (instruction_line->find("<.data>:") != string::npos) { |
| 413 | data_section_seen = true; |
| 414 | } |
| 415 | } while (!data_section_seen || instruction_line->find("0:") == string::npos); |
| 416 | // This first instruction contains the above substring. |
| 417 | |
| 418 | return true; |
| 419 | } |
| 420 | |
| 421 | bool ExploitabilityLinux::TokenizeObjdumpInstruction(const string& line, |
| 422 | string* operation, |
| 423 | string* dest, |
| 424 | string* src) { |
| 425 | if (!operation || !dest || !src) { |
| 426 | BPLOG(ERROR) << "Null parameters passed."; |
| 427 | return false; |
| 428 | } |
| 429 | |
| 430 | // Set all pointer values to empty strings. |
| 431 | *operation = ""; |
| 432 | *dest = ""; |
| 433 | *src = ""; |
| 434 | |
| 435 | // Tokenize the objdump line. |
| 436 | vector<string> tokens; |
| 437 | std::istringstream line_stream(line); |
| 438 | copy(std::istream_iterator<string>(line_stream), |
| 439 | std::istream_iterator<string>(), |
| 440 | std::back_inserter(tokens)); |
| 441 | |
| 442 | // Regex for the data in hex form. Each byte is two hex digits. |
| 443 | regex_t regex; |
| 444 | regcomp(®ex, "^[[:xdigit:]]{2}$", REG_EXTENDED | REG_NOSUB); |
| 445 | |
| 446 | // Find and set the location of the operator. The operator appears |
| 447 | // directly after the chain of bytes that define the instruction. The |
| 448 | // operands will be the last token, given that the instruction has operands. |
| 449 | // If not, the operator is the last token. The loop skips the first token |
| 450 | // because the first token is the instruction number (namely "0:"). |
| 451 | string operands = ""; |
| 452 | for (size_t i = 1; i < tokens.size(); i++) { |
| 453 | // Check if current token no longer is in byte format. |
| 454 | if (regexec(®ex, tokens[i].c_str(), 0, NULL, 0)) { |
| 455 | // instruction = tokens[i]; |
| 456 | *operation = tokens[i]; |
| 457 | // If the operator is the last token, there are no operands. |
| 458 | if (i != tokens.size() - 1) { |
| 459 | operands = tokens[tokens.size() - 1]; |
| 460 | } |
| 461 | break; |
| 462 | } |
| 463 | } |
| 464 | regfree(®ex); |
| 465 | |
| 466 | if (operation->empty()) { |
| 467 | BPLOG(ERROR) << "Failed to parse out operation from objdump instruction."; |
| 468 | return false; |
| 469 | } |
| 470 | |
| 471 | // Split operands into source and destination (if applicable). |
| 472 | if (!operands.empty()) { |
| 473 | size_t delim = operands.find(','); |
| 474 | if (delim == string::npos) { |
| 475 | *dest = operands; |
| 476 | } else { |
| 477 | *dest = operands.substr(0, delim); |
| 478 | *src = operands.substr(delim + 1); |
| 479 | } |
| 480 | } |
| 481 | return true; |
| 482 | } |
| 483 | |
| 484 | bool ExploitabilityLinux::DisassembleBytes(const string& architecture, |
| 485 | const uint8_t* raw_bytes, |
| 486 | const unsigned int buffer_len, |
| 487 | char* objdump_output_buffer) { |
| 488 | if (!raw_bytes || !objdump_output_buffer) { |
| 489 | BPLOG(ERROR) << "Bad input parameters."; |
| 490 | return false; |
| 491 | } |
| 492 | |
| 493 | // Write raw bytes around instruction pointer to a temporary file to |
| 494 | // pass as an argument to objdump. |
| 495 | char raw_bytes_tmpfile[] = "/tmp/breakpad_mem_region-raw_bytes-XXXXXX"; |
| 496 | int raw_bytes_fd = mkstemp(raw_bytes_tmpfile); |
| 497 | if (raw_bytes_fd < 0) { |
| 498 | BPLOG(ERROR) << "Failed to create tempfile."; |
| 499 | unlink(raw_bytes_tmpfile); |
| 500 | return false; |
| 501 | } |
| 502 | if (write(raw_bytes_fd, raw_bytes, MAX_INSTRUCTION_LEN) |
| 503 | != MAX_INSTRUCTION_LEN) { |
| 504 | BPLOG(ERROR) << "Writing of raw bytes failed."; |
| 505 | unlink(raw_bytes_tmpfile); |
| 506 | return false; |
| 507 | } |
| 508 | |
| 509 | char cmd[1024] = {0}; |
| 510 | snprintf(cmd, |
| 511 | 1024, |
| 512 | "objdump -D -b binary -M intel -m %s %s", |
| 513 | architecture.c_str(), |
| 514 | raw_bytes_tmpfile); |
| 515 | FILE* objdump_fp = popen(cmd, "r"); |
| 516 | if (!objdump_fp) { |
| 517 | fclose(objdump_fp); |
| 518 | unlink(raw_bytes_tmpfile); |
| 519 | BPLOG(ERROR) << "Failed to call objdump."; |
| 520 | return false; |
| 521 | } |
| 522 | if (fread(objdump_output_buffer, 1, buffer_len, objdump_fp) <= 0) { |
| 523 | fclose(objdump_fp); |
| 524 | unlink(raw_bytes_tmpfile); |
| 525 | BPLOG(ERROR) << "Failed to read objdump output."; |
| 526 | return false; |
| 527 | } |
| 528 | fclose(objdump_fp); |
| 529 | unlink(raw_bytes_tmpfile); |
| 530 | return true; |
| 531 | } |
| 532 | #endif // _WIN32 |
| 533 | |
| 534 | bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) { |
| 535 | MinidumpLinuxMapsList* linux_maps_list = dump_->GetLinuxMapsList(); |
| 536 | // Inconclusive if there are no mappings available. |
| 537 | if (!linux_maps_list) { |
| 538 | return false; |
| 539 | } |
| 540 | const MinidumpLinuxMaps* linux_maps = |
| 541 | linux_maps_list->GetLinuxMapsForAddress(stack_ptr); |
| 542 | // Checks if the stack pointer maps to a valid mapping and if the mapping |
| 543 | // is not the stack. If the mapping has no name, it is inconclusive whether |
| 544 | // it is off the stack. |
| 545 | return !linux_maps || (linux_maps->GetPathname().compare("") && |
| 546 | linux_maps->GetPathname().compare( |
| 547 | 0, strlen(kStackPrefix), kStackPrefix)); |
| 548 | } |
| 549 | |
| 550 | bool ExploitabilityLinux::ExecutableStackOrHeap() { |
| 551 | MinidumpLinuxMapsList* linux_maps_list = dump_->GetLinuxMapsList(); |
| 552 | if (linux_maps_list) { |
| 553 | for (size_t i = 0; i < linux_maps_list->get_maps_count(); i++) { |
| 554 | const MinidumpLinuxMaps* linux_maps = |
| 555 | linux_maps_list->GetLinuxMapsAtIndex(i); |
| 556 | // Check for executable stack or heap for each mapping. |
| 557 | if (linux_maps && (!linux_maps->GetPathname().compare( |
| 558 | 0, strlen(kStackPrefix), kStackPrefix) || |
| 559 | !linux_maps->GetPathname().compare( |
| 560 | 0, strlen(kHeapPrefix), kHeapPrefix)) && |
| 561 | linux_maps->IsExecutable()) { |
| 562 | return true; |
| 563 | } |
| 564 | } |
| 565 | } |
| 566 | return false; |
| 567 | } |
| 568 | |
| 569 | bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) { |
| 570 | // Get Linux memory mapping from /proc/self/maps. Checking whether the |
| 571 | // region the instruction pointer is in has executable permission can tell |
| 572 | // whether it is in a valid code region. If there is no mapping for the |
| 573 | // instruction pointer, it is indicative that the instruction pointer is |
| 574 | // not within a module, which implies that it is outside a valid area. |
| 575 | MinidumpLinuxMapsList* linux_maps_list = dump_->GetLinuxMapsList(); |
| 576 | const MinidumpLinuxMaps* linux_maps = |
| 577 | linux_maps_list ? |
| 578 | linux_maps_list->GetLinuxMapsForAddress(instruction_ptr) : NULL; |
| 579 | return linux_maps ? linux_maps->IsExecutable() : false; |
| 580 | } |
| 581 | |
| 582 | bool ExploitabilityLinux::BenignCrashTrigger( |
| 583 | const MDRawExceptionStream* raw_exception_stream) { |
| 584 | // Check the cause of crash. |
| 585 | // If the exception of the crash is a benign exception, |
| 586 | // it is probably not exploitable. |
| 587 | switch (raw_exception_stream->exception_record.exception_code) { |
| 588 | case MD_EXCEPTION_CODE_LIN_SIGHUP: |
| 589 | case MD_EXCEPTION_CODE_LIN_SIGINT: |
| 590 | case MD_EXCEPTION_CODE_LIN_SIGQUIT: |
| 591 | case MD_EXCEPTION_CODE_LIN_SIGTRAP: |
| 592 | case MD_EXCEPTION_CODE_LIN_SIGABRT: |
| 593 | case MD_EXCEPTION_CODE_LIN_SIGFPE: |
| 594 | case MD_EXCEPTION_CODE_LIN_SIGKILL: |
| 595 | case MD_EXCEPTION_CODE_LIN_SIGUSR1: |
| 596 | case MD_EXCEPTION_CODE_LIN_SIGUSR2: |
| 597 | case MD_EXCEPTION_CODE_LIN_SIGPIPE: |
| 598 | case MD_EXCEPTION_CODE_LIN_SIGALRM: |
| 599 | case MD_EXCEPTION_CODE_LIN_SIGTERM: |
| 600 | case MD_EXCEPTION_CODE_LIN_SIGCHLD: |
| 601 | case MD_EXCEPTION_CODE_LIN_SIGCONT: |
| 602 | case MD_EXCEPTION_CODE_LIN_SIGSTOP: |
| 603 | case MD_EXCEPTION_CODE_LIN_SIGTSTP: |
| 604 | case MD_EXCEPTION_CODE_LIN_SIGTTIN: |
| 605 | case MD_EXCEPTION_CODE_LIN_SIGTTOU: |
| 606 | case MD_EXCEPTION_CODE_LIN_SIGURG: |
| 607 | case MD_EXCEPTION_CODE_LIN_SIGXCPU: |
| 608 | case MD_EXCEPTION_CODE_LIN_SIGXFSZ: |
| 609 | case MD_EXCEPTION_CODE_LIN_SIGVTALRM: |
| 610 | case MD_EXCEPTION_CODE_LIN_SIGPROF: |
| 611 | case MD_EXCEPTION_CODE_LIN_SIGWINCH: |
| 612 | case MD_EXCEPTION_CODE_LIN_SIGIO: |
| 613 | case MD_EXCEPTION_CODE_LIN_SIGPWR: |
| 614 | case MD_EXCEPTION_CODE_LIN_SIGSYS: |
| 615 | case MD_EXCEPTION_CODE_LIN_DUMP_REQUESTED: |
| 616 | return true; |
| 617 | default: |
| 618 | return false; |
| 619 | } |
| 620 | } |
| 621 | |
| 622 | } // namespace google_breakpad |
| 623 |
Generated on 2022-Feb-21 from project breakpad revision 20220221
Powered by 
Code Browser 2.1
Generator usage only permitted with license.