1 | // Copyright (c) 2010 Google Inc. |
2 | // All rights reserved. |
3 | // |
4 | // Redistribution and use in source and binary forms, with or without |
5 | // modification, are permitted provided that the following conditions are |
6 | // met: |
7 | // |
8 | // * Redistributions of source code must retain the above copyright |
9 | // notice, this list of conditions and the following disclaimer. |
10 | // * Redistributions in binary form must reproduce the above |
11 | // copyright notice, this list of conditions and the following disclaimer |
12 | // in the documentation and/or other materials provided with the |
13 | // distribution. |
14 | // * Neither the name of Google Inc. nor the names of its |
15 | // contributors may be used to endorse or promote products derived from |
16 | // this software without specific prior written permission. |
17 | // |
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
19 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
20 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
21 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
22 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
23 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
24 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
25 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
26 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
27 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
28 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
29 | |
30 | // exploitability_win.cc: Windows specific exploitability engine. |
31 | // |
32 | // Provides a guess at the exploitability of the crash for the Windows |
33 | // platform given a minidump and process_state. |
34 | // |
35 | // Author: Cris Neckar |
36 | |
37 | #include <vector> |
38 | |
39 | #include "processor/exploitability_win.h" |
40 | |
41 | #include "common/scoped_ptr.h" |
42 | #include "google_breakpad/common/minidump_exception_win32.h" |
43 | #include "google_breakpad/processor/minidump.h" |
44 | #include "processor/disassembler_x86.h" |
45 | #include "processor/logging.h" |
46 | |
47 | #include "third_party/libdisasm/libdis.h" |
48 | |
49 | namespace google_breakpad { |
50 | |
51 | // The cutoff that we use to judge if and address is likely an offset |
52 | // from various interesting addresses. |
53 | static const uint64_t kProbableNullOffset = 4096; |
54 | static const uint64_t kProbableStackOffset = 8192; |
55 | |
56 | // The various cutoffs for the different ratings. |
57 | static const size_t kHighCutoff = 100; |
58 | static const size_t kMediumCutoff = 80; |
59 | static const size_t kLowCutoff = 50; |
60 | static const size_t kInterestingCutoff = 25; |
61 | |
62 | // Predefined incremental values for conditional weighting. |
63 | static const size_t kTinyBump = 5; |
64 | static const size_t kSmallBump = 20; |
65 | static const size_t kMediumBump = 50; |
66 | static const size_t kLargeBump = 70; |
67 | static const size_t kHugeBump = 90; |
68 | |
69 | // The maximum number of bytes to disassemble past the program counter. |
70 | static const size_t kDisassembleBytesBeyondPC = 2048; |
71 | |
72 | ExploitabilityWin::ExploitabilityWin(Minidump* dump, |
73 | ProcessState* process_state) |
74 | : Exploitability(dump, process_state) { } |
75 | |
76 | ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() { |
77 | MinidumpException* exception = dump_->GetException(); |
78 | if (!exception) { |
79 | BPLOG(INFO) << "Minidump does not have exception record." ; |
80 | return EXPLOITABILITY_ERR_PROCESSING; |
81 | } |
82 | |
83 | const MDRawExceptionStream* raw_exception = exception->exception(); |
84 | if (!raw_exception) { |
85 | BPLOG(INFO) << "Could not obtain raw exception info." ; |
86 | return EXPLOITABILITY_ERR_PROCESSING; |
87 | } |
88 | |
89 | const MinidumpContext* context = exception->GetContext(); |
90 | if (!context) { |
91 | BPLOG(INFO) << "Could not obtain exception context." ; |
92 | return EXPLOITABILITY_ERR_PROCESSING; |
93 | } |
94 | |
95 | MinidumpMemoryList* memory_list = dump_->GetMemoryList(); |
96 | bool memory_available = true; |
97 | if (!memory_list) { |
98 | BPLOG(INFO) << "Minidump memory segments not available." ; |
99 | memory_available = false; |
100 | } |
101 | uint64_t address = process_state_->crash_address(); |
102 | uint32_t exception_code = raw_exception->exception_record.exception_code; |
103 | |
104 | uint32_t exploitability_weight = 0; |
105 | |
106 | uint64_t stack_ptr = 0; |
107 | uint64_t instruction_ptr = 0; |
108 | |
109 | // Getting the instruction pointer. |
110 | if (!context->GetInstructionPointer(&instruction_ptr)) { |
111 | return EXPLOITABILITY_ERR_PROCESSING; |
112 | } |
113 | |
114 | // Getting the stack pointer. |
115 | if (!context->GetStackPointer(&stack_ptr)) { |
116 | return EXPLOITABILITY_ERR_PROCESSING; |
117 | } |
118 | |
119 | // Check if we are executing on the stack. |
120 | if (instruction_ptr <= (stack_ptr + kProbableStackOffset) && |
121 | instruction_ptr >= (stack_ptr - kProbableStackOffset)) |
122 | exploitability_weight += kHugeBump; |
123 | |
124 | switch (exception_code) { |
125 | // This is almost certainly recursion. |
126 | case MD_EXCEPTION_CODE_WIN_STACK_OVERFLOW: |
127 | exploitability_weight += kTinyBump; |
128 | break; |
129 | |
130 | // These exceptions tend to be benign and we can generally ignore them. |
131 | case MD_EXCEPTION_CODE_WIN_INTEGER_DIVIDE_BY_ZERO: |
132 | case MD_EXCEPTION_CODE_WIN_INTEGER_OVERFLOW: |
133 | case MD_EXCEPTION_CODE_WIN_FLOAT_DIVIDE_BY_ZERO: |
134 | case MD_EXCEPTION_CODE_WIN_FLOAT_INEXACT_RESULT: |
135 | case MD_EXCEPTION_CODE_WIN_FLOAT_OVERFLOW: |
136 | case MD_EXCEPTION_CODE_WIN_FLOAT_UNDERFLOW: |
137 | case MD_EXCEPTION_CODE_WIN_IN_PAGE_ERROR: |
138 | exploitability_weight += kTinyBump; |
139 | break; |
140 | |
141 | // These exceptions will typically mean that we have jumped where we |
142 | // shouldn't. |
143 | case MD_EXCEPTION_CODE_WIN_ILLEGAL_INSTRUCTION: |
144 | case MD_EXCEPTION_CODE_WIN_FLOAT_INVALID_OPERATION: |
145 | case MD_EXCEPTION_CODE_WIN_PRIVILEGED_INSTRUCTION: |
146 | exploitability_weight += kLargeBump; |
147 | break; |
148 | |
149 | // These represent bugs in exception handlers. |
150 | case MD_EXCEPTION_CODE_WIN_INVALID_DISPOSITION: |
151 | case MD_EXCEPTION_CODE_WIN_NONCONTINUABLE_EXCEPTION: |
152 | exploitability_weight += kSmallBump; |
153 | break; |
154 | |
155 | case MD_EXCEPTION_CODE_WIN_HEAP_CORRUPTION: |
156 | case MD_EXCEPTION_CODE_WIN_STACK_BUFFER_OVERRUN: |
157 | exploitability_weight += kHugeBump; |
158 | break; |
159 | |
160 | case MD_EXCEPTION_CODE_WIN_GUARD_PAGE_VIOLATION: |
161 | exploitability_weight += kLargeBump; |
162 | break; |
163 | |
164 | case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION: |
165 | bool near_null = (address <= kProbableNullOffset); |
166 | bool bad_read = false; |
167 | bool bad_write = false; |
168 | if (raw_exception->exception_record.number_parameters >= 1) { |
169 | MDAccessViolationTypeWin av_type = |
170 | static_cast<MDAccessViolationTypeWin> |
171 | (raw_exception->exception_record.exception_information[0]); |
172 | switch (av_type) { |
173 | case MD_ACCESS_VIOLATION_WIN_READ: |
174 | bad_read = true; |
175 | if (near_null) |
176 | exploitability_weight += kSmallBump; |
177 | else |
178 | exploitability_weight += kMediumBump; |
179 | break; |
180 | case MD_ACCESS_VIOLATION_WIN_WRITE: |
181 | bad_write = true; |
182 | if (near_null) |
183 | exploitability_weight += kSmallBump; |
184 | else |
185 | exploitability_weight += kHugeBump; |
186 | break; |
187 | case MD_ACCESS_VIOLATION_WIN_EXEC: |
188 | if (near_null) |
189 | exploitability_weight += kSmallBump; |
190 | else |
191 | exploitability_weight += kHugeBump; |
192 | break; |
193 | default: |
194 | BPLOG(INFO) << "Unrecognized access violation type." ; |
195 | return EXPLOITABILITY_ERR_PROCESSING; |
196 | } |
197 | MinidumpMemoryRegion* instruction_region = 0; |
198 | if (memory_available) { |
199 | instruction_region = |
200 | memory_list->GetMemoryRegionForAddress(instruction_ptr); |
201 | } |
202 | if (!near_null && instruction_region && |
203 | context->GetContextCPU() == MD_CONTEXT_X86 && |
204 | (bad_read || bad_write)) { |
205 | // Perform checks related to memory around instruction pointer. |
206 | uint32_t memory_offset = |
207 | instruction_ptr - instruction_region->GetBase(); |
208 | uint32_t available_memory = |
209 | instruction_region->GetSize() - memory_offset; |
210 | available_memory = available_memory > kDisassembleBytesBeyondPC ? |
211 | kDisassembleBytesBeyondPC : available_memory; |
212 | if (available_memory) { |
213 | const uint8_t* raw_memory = |
214 | instruction_region->GetMemory() + memory_offset; |
215 | DisassemblerX86 disassembler(raw_memory, |
216 | available_memory, |
217 | instruction_ptr); |
218 | disassembler.NextInstruction(); |
219 | if (bad_read) |
220 | disassembler.setBadRead(); |
221 | else |
222 | disassembler.setBadWrite(); |
223 | if (disassembler.currentInstructionValid()) { |
224 | // Check if the faulting instruction falls into one of |
225 | // several interesting groups. |
226 | switch (disassembler.currentInstructionGroup()) { |
227 | case libdis::insn_controlflow: |
228 | exploitability_weight += kLargeBump; |
229 | break; |
230 | case libdis::insn_string: |
231 | exploitability_weight += kHugeBump; |
232 | break; |
233 | default: |
234 | break; |
235 | } |
236 | // Loop the disassembler through the code and check if it |
237 | // IDed any interesting conditions in the near future. |
238 | // Multiple flags may be set so treat each equally. |
239 | while (disassembler.NextInstruction() && |
240 | disassembler.currentInstructionValid() && |
241 | !disassembler.endOfBlock()) |
242 | continue; |
243 | if (disassembler.flags() & DISX86_BAD_BRANCH_TARGET) |
244 | exploitability_weight += kLargeBump; |
245 | if (disassembler.flags() & DISX86_BAD_ARGUMENT_PASSED) |
246 | exploitability_weight += kTinyBump; |
247 | if (disassembler.flags() & DISX86_BAD_WRITE) |
248 | exploitability_weight += kMediumBump; |
249 | if (disassembler.flags() & DISX86_BAD_BLOCK_WRITE) |
250 | exploitability_weight += kMediumBump; |
251 | if (disassembler.flags() & DISX86_BAD_READ) |
252 | exploitability_weight += kTinyBump; |
253 | if (disassembler.flags() & DISX86_BAD_BLOCK_READ) |
254 | exploitability_weight += kTinyBump; |
255 | if (disassembler.flags() & DISX86_BAD_COMPARISON) |
256 | exploitability_weight += kTinyBump; |
257 | } |
258 | } |
259 | } |
260 | if (!near_null && AddressIsAscii(address)) |
261 | exploitability_weight += kMediumBump; |
262 | } else { |
263 | BPLOG(INFO) << "Access violation type parameter missing." ; |
264 | return EXPLOITABILITY_ERR_PROCESSING; |
265 | } |
266 | } |
267 | |
268 | // Based on the calculated weight we return a simplified classification. |
269 | BPLOG(INFO) << "Calculated exploitability weight: " << exploitability_weight; |
270 | if (exploitability_weight >= kHighCutoff) |
271 | return EXPLOITABILITY_HIGH; |
272 | if (exploitability_weight >= kMediumCutoff) |
273 | return EXPLOITABLITY_MEDIUM; |
274 | if (exploitability_weight >= kLowCutoff) |
275 | return EXPLOITABILITY_LOW; |
276 | if (exploitability_weight >= kInterestingCutoff) |
277 | return EXPLOITABILITY_INTERESTING; |
278 | |
279 | return EXPLOITABILITY_NONE; |
280 | } |
281 | |
282 | } // namespace google_breakpad |
283 | |