1// Copyright (c) 2013 Google Inc.
2// All rights reserved.
3//
4// Redistribution and use in source and binary forms, with or without
5// modification, are permitted provided that the following conditions are
6// met:
7//
8// * Redistributions of source code must retain the above copyright
9// notice, this list of conditions and the following disclaimer.
10// * Redistributions in binary form must reproduce the above
11// copyright notice, this list of conditions and the following disclaimer
12// in the documentation and/or other materials provided with the
13// distribution.
14// * Neither the name of Google Inc. nor the names of its
15// contributors may be used to endorse or promote products derived from
16// this software without specific prior written permission.
17//
18// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30// exploitability_linux.h: Linux specific exploitability engine.
31//
32// Provides a guess at the exploitability of the crash for the Linux
33// platform given a minidump and process_state.
34//
35// Author: Matthew Riley
36
37#ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_
38#define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_
39
40#include "google_breakpad/common/breakpad_types.h"
41#include "google_breakpad/processor/exploitability.h"
42
43namespace google_breakpad {
44
45class ExploitabilityLinux : public Exploitability {
46 public:
47 ExploitabilityLinux(Minidump* dump,
48 ProcessState* process_state);
49
50 // Parameters are the minidump to analyze, the object representing process
51 // state, and whether to enable objdump disassembly.
52 // Enabling objdump will allow exploitability analysis to call out to
53 // objdump for diassembly. It is used to check the identity of the
54 // instruction that caused the program to crash. If there are any
55 // portability concerns, this should not be enabled.
56 ExploitabilityLinux(Minidump* dump,
57 ProcessState* process_state,
58 bool enable_objdump);
59
60 virtual ExploitabilityRating CheckPlatformExploitability();
61
62 private:
63 friend class ExploitabilityLinuxTest;
64
65 // Takes the address of the instruction pointer and returns
66 // whether the instruction pointer lies in a valid instruction region.
67 bool InstructionPointerInCode(uint64_t instruction_ptr);
68
69 // Checks the exception that triggered the creation of the
70 // minidump and reports whether the exception suggests no exploitability.
71 bool BenignCrashTrigger(const MDRawExceptionStream* raw_exception_stream);
72
73 // This method checks if the crash occurred during a write to read-only or
74 // invalid memory. It does so by checking if the instruction at the
75 // instruction pointer is a write instruction, and if the target of the
76 // instruction is at a spot in memory that prohibits writes.
77 bool EndedOnIllegalWrite(uint64_t instruction_ptr);
78
79#ifndef _WIN32
80 // Disassembles raw bytes via objdump and pipes the output into the provided
81 // buffer, given the desired architecture, the file from which objdump will
82 // read, and the buffer length. The method returns whether the disassembly
83 // was a success, and the caller owns all pointers.
84 static bool DisassembleBytes(const string& architecture,
85 const uint8_t* raw_bytes,
86 const unsigned int MAX_OBJDUMP_BUFFER_LEN,
87 char* objdump_output_buffer);
88
89 // Parses the objdump output given in |objdump_output_buffer| and extracts
90 // the line of the first instruction into |instruction_line|. Returns true
91 // when the instruction line is successfully extracted.
92 static bool GetObjdumpInstructionLine(
93 const char* objdump_output_buffer,
94 string* instruction_line);
95
96 // Tokenizes out the operation and operands from a line of instruction
97 // disassembled by objdump. This method modifies the pointers to match the
98 // tokens of the instruction, and returns if the tokenizing was a success.
99 // The caller owns all pointers.
100 static bool TokenizeObjdumpInstruction(const string& line,
101 string* operation,
102 string* dest,
103 string* src);
104
105 // Calculates the effective address of an expression in the form reg+a or
106 // reg-a, where 'reg' is a register and 'a' is a constant, and writes the
107 // result in the pointer. The method returns whether the calculation was
108 // a success. The caller owns the pointer.
109 static bool CalculateAddress(const string& address_expression,
110 const DumpContext& context,
111 uint64_t* write_address);
112#endif // _WIN32
113
114 // Checks if the stack pointer points to a memory mapping that is not
115 // labelled as the stack.
116 bool StackPointerOffStack(uint64_t stack_ptr);
117
118 // Checks if the stack or heap are marked executable according
119 // to the memory mappings.
120 bool ExecutableStackOrHeap();
121
122 // Whether this exploitability engine is permitted to shell out to objdump
123 // to disassemble raw bytes.
124 bool enable_objdump_;
125};
126
127} // namespace google_breakpad
128
129#endif // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_
130