1 | // Copyright (c) 2013 Google Inc. |
2 | // All rights reserved. |
3 | // |
4 | // Redistribution and use in source and binary forms, with or without |
5 | // modification, are permitted provided that the following conditions are |
6 | // met: |
7 | // |
8 | // * Redistributions of source code must retain the above copyright |
9 | // notice, this list of conditions and the following disclaimer. |
10 | // * Redistributions in binary form must reproduce the above |
11 | // copyright notice, this list of conditions and the following disclaimer |
12 | // in the documentation and/or other materials provided with the |
13 | // distribution. |
14 | // * Neither the name of Google Inc. nor the names of its |
15 | // contributors may be used to endorse or promote products derived from |
16 | // this software without specific prior written permission. |
17 | // |
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
19 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
20 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
21 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
22 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
23 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
24 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
25 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
26 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
27 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
28 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
29 | |
30 | // exploitability_linux.h: Linux specific exploitability engine. |
31 | // |
32 | // Provides a guess at the exploitability of the crash for the Linux |
33 | // platform given a minidump and process_state. |
34 | // |
35 | // Author: Matthew Riley |
36 | |
37 | #ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_ |
38 | #define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_ |
39 | |
40 | #include "google_breakpad/common/breakpad_types.h" |
41 | #include "google_breakpad/processor/exploitability.h" |
42 | |
43 | namespace google_breakpad { |
44 | |
45 | class ExploitabilityLinux : public Exploitability { |
46 | public: |
47 | ExploitabilityLinux(Minidump* dump, |
48 | ProcessState* process_state); |
49 | |
50 | // Parameters are the minidump to analyze, the object representing process |
51 | // state, and whether to enable objdump disassembly. |
52 | // Enabling objdump will allow exploitability analysis to call out to |
53 | // objdump for diassembly. It is used to check the identity of the |
54 | // instruction that caused the program to crash. If there are any |
55 | // portability concerns, this should not be enabled. |
56 | ExploitabilityLinux(Minidump* dump, |
57 | ProcessState* process_state, |
58 | bool enable_objdump); |
59 | |
60 | virtual ExploitabilityRating CheckPlatformExploitability(); |
61 | |
62 | private: |
63 | friend class ExploitabilityLinuxTest; |
64 | |
65 | // Takes the address of the instruction pointer and returns |
66 | // whether the instruction pointer lies in a valid instruction region. |
67 | bool InstructionPointerInCode(uint64_t instruction_ptr); |
68 | |
69 | // Checks the exception that triggered the creation of the |
70 | // minidump and reports whether the exception suggests no exploitability. |
71 | bool BenignCrashTrigger(const MDRawExceptionStream* raw_exception_stream); |
72 | |
73 | // This method checks if the crash occurred during a write to read-only or |
74 | // invalid memory. It does so by checking if the instruction at the |
75 | // instruction pointer is a write instruction, and if the target of the |
76 | // instruction is at a spot in memory that prohibits writes. |
77 | bool EndedOnIllegalWrite(uint64_t instruction_ptr); |
78 | |
79 | #ifndef _WIN32 |
80 | // Disassembles raw bytes via objdump and pipes the output into the provided |
81 | // buffer, given the desired architecture, the file from which objdump will |
82 | // read, and the buffer length. The method returns whether the disassembly |
83 | // was a success, and the caller owns all pointers. |
84 | static bool DisassembleBytes(const string& architecture, |
85 | const uint8_t* raw_bytes, |
86 | const unsigned int MAX_OBJDUMP_BUFFER_LEN, |
87 | char* objdump_output_buffer); |
88 | |
89 | // Parses the objdump output given in |objdump_output_buffer| and extracts |
90 | // the line of the first instruction into |instruction_line|. Returns true |
91 | // when the instruction line is successfully extracted. |
92 | static bool GetObjdumpInstructionLine( |
93 | const char* objdump_output_buffer, |
94 | string* instruction_line); |
95 | |
96 | // Tokenizes out the operation and operands from a line of instruction |
97 | // disassembled by objdump. This method modifies the pointers to match the |
98 | // tokens of the instruction, and returns if the tokenizing was a success. |
99 | // The caller owns all pointers. |
100 | static bool TokenizeObjdumpInstruction(const string& line, |
101 | string* operation, |
102 | string* dest, |
103 | string* src); |
104 | |
105 | // Calculates the effective address of an expression in the form reg+a or |
106 | // reg-a, where 'reg' is a register and 'a' is a constant, and writes the |
107 | // result in the pointer. The method returns whether the calculation was |
108 | // a success. The caller owns the pointer. |
109 | static bool CalculateAddress(const string& address_expression, |
110 | const DumpContext& context, |
111 | uint64_t* write_address); |
112 | #endif // _WIN32 |
113 | |
114 | // Checks if the stack pointer points to a memory mapping that is not |
115 | // labelled as the stack. |
116 | bool StackPointerOffStack(uint64_t stack_ptr); |
117 | |
118 | // Checks if the stack or heap are marked executable according |
119 | // to the memory mappings. |
120 | bool ExecutableStackOrHeap(); |
121 | |
122 | // Whether this exploitability engine is permitted to shell out to objdump |
123 | // to disassemble raw bytes. |
124 | bool enable_objdump_; |
125 | }; |
126 | |
127 | } // namespace google_breakpad |
128 | |
129 | #endif // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_ |
130 | |