| 1 | // Copyright (c) 2010 Google Inc. |
|---|---|
| 2 | // All rights reserved. |
| 3 | // |
| 4 | // Redistribution and use in source and binary forms, with or without |
| 5 | // modification, are permitted provided that the following conditions are |
| 6 | // met: |
| 7 | // |
| 8 | // * Redistributions of source code must retain the above copyright |
| 9 | // notice, this list of conditions and the following disclaimer. |
| 10 | // * Redistributions in binary form must reproduce the above |
| 11 | // copyright notice, this list of conditions and the following disclaimer |
| 12 | // in the documentation and/or other materials provided with the |
| 13 | // distribution. |
| 14 | // * Neither the name of Google Inc. nor the names of its |
| 15 | // contributors may be used to endorse or promote products derived from |
| 16 | // this software without specific prior written permission. |
| 17 | // |
| 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 19 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 20 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| 21 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| 22 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 23 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| 24 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 25 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 26 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 27 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 28 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 29 | |
| 30 | // exploitability_win.cc: Windows specific exploitability engine. |
| 31 | // |
| 32 | // Provides a guess at the exploitability of the crash for the Windows |
| 33 | // platform given a minidump and process_state. |
| 34 | // |
| 35 | // Author: Cris Neckar |
| 36 | |
| 37 | #include <vector> |
| 38 | |
| 39 | #include "processor/exploitability_win.h" |
| 40 | |
| 41 | #include "common/scoped_ptr.h" |
| 42 | #include "google_breakpad/common/minidump_exception_win32.h" |
| 43 | #include "google_breakpad/processor/minidump.h" |
| 44 | #include "processor/disassembler_x86.h" |
| 45 | #include "processor/logging.h" |
| 46 | |
| 47 | #include "third_party/libdisasm/libdis.h" |
| 48 | |
| 49 | namespace google_breakpad { |
| 50 | |
| 51 | // The cutoff that we use to judge if and address is likely an offset |
| 52 | // from various interesting addresses. |
| 53 | static const uint64_t kProbableNullOffset = 4096; |
| 54 | static const uint64_t kProbableStackOffset = 8192; |
| 55 | |
| 56 | // The various cutoffs for the different ratings. |
| 57 | static const size_t kHighCutoff = 100; |
| 58 | static const size_t kMediumCutoff = 80; |
| 59 | static const size_t kLowCutoff = 50; |
| 60 | static const size_t kInterestingCutoff = 25; |
| 61 | |
| 62 | // Predefined incremental values for conditional weighting. |
| 63 | static const size_t kTinyBump = 5; |
| 64 | static const size_t kSmallBump = 20; |
| 65 | static const size_t kMediumBump = 50; |
| 66 | static const size_t kLargeBump = 70; |
| 67 | static const size_t kHugeBump = 90; |
| 68 | |
| 69 | // The maximum number of bytes to disassemble past the program counter. |
| 70 | static const size_t kDisassembleBytesBeyondPC = 2048; |
| 71 | |
| 72 | ExploitabilityWin::ExploitabilityWin(Minidump* dump, |
| 73 | ProcessState* process_state) |
| 74 | : Exploitability(dump, process_state) { } |
| 75 | |
| 76 | ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() { |
| 77 | MinidumpException* exception = dump_->GetException(); |
| 78 | if (!exception) { |
| 79 | BPLOG(INFO) << "Minidump does not have exception record."; |
| 80 | return EXPLOITABILITY_ERR_PROCESSING; |
| 81 | } |
| 82 | |
| 83 | const MDRawExceptionStream* raw_exception = exception->exception(); |
| 84 | if (!raw_exception) { |
| 85 | BPLOG(INFO) << "Could not obtain raw exception info."; |
| 86 | return EXPLOITABILITY_ERR_PROCESSING; |
| 87 | } |
| 88 | |
| 89 | const MinidumpContext* context = exception->GetContext(); |
| 90 | if (!context) { |
| 91 | BPLOG(INFO) << "Could not obtain exception context."; |
| 92 | return EXPLOITABILITY_ERR_PROCESSING; |
| 93 | } |
| 94 | |
| 95 | MinidumpMemoryList* memory_list = dump_->GetMemoryList(); |
| 96 | bool memory_available = true; |
| 97 | if (!memory_list) { |
| 98 | BPLOG(INFO) << "Minidump memory segments not available."; |
| 99 | memory_available = false; |
| 100 | } |
| 101 | uint64_t address = process_state_->crash_address(); |
| 102 | uint32_t exception_code = raw_exception->exception_record.exception_code; |
| 103 | |
| 104 | uint32_t exploitability_weight = 0; |
| 105 | |
| 106 | uint64_t stack_ptr = 0; |
| 107 | uint64_t instruction_ptr = 0; |
| 108 | |
| 109 | // Getting the instruction pointer. |
| 110 | if (!context->GetInstructionPointer(&instruction_ptr)) { |
| 111 | return EXPLOITABILITY_ERR_PROCESSING; |
| 112 | } |
| 113 | |
| 114 | // Getting the stack pointer. |
| 115 | if (!context->GetStackPointer(&stack_ptr)) { |
| 116 | return EXPLOITABILITY_ERR_PROCESSING; |
| 117 | } |
| 118 | |
| 119 | // Check if we are executing on the stack. |
| 120 | if (instruction_ptr <= (stack_ptr + kProbableStackOffset) && |
| 121 | instruction_ptr >= (stack_ptr - kProbableStackOffset)) |
| 122 | exploitability_weight += kHugeBump; |
| 123 | |
| 124 | switch (exception_code) { |
| 125 | // This is almost certainly recursion. |
| 126 | case MD_EXCEPTION_CODE_WIN_STACK_OVERFLOW: |
| 127 | exploitability_weight += kTinyBump; |
| 128 | break; |
| 129 | |
| 130 | // These exceptions tend to be benign and we can generally ignore them. |
| 131 | case MD_EXCEPTION_CODE_WIN_INTEGER_DIVIDE_BY_ZERO: |
| 132 | case MD_EXCEPTION_CODE_WIN_INTEGER_OVERFLOW: |
| 133 | case MD_EXCEPTION_CODE_WIN_FLOAT_DIVIDE_BY_ZERO: |
| 134 | case MD_EXCEPTION_CODE_WIN_FLOAT_INEXACT_RESULT: |
| 135 | case MD_EXCEPTION_CODE_WIN_FLOAT_OVERFLOW: |
| 136 | case MD_EXCEPTION_CODE_WIN_FLOAT_UNDERFLOW: |
| 137 | case MD_EXCEPTION_CODE_WIN_IN_PAGE_ERROR: |
| 138 | exploitability_weight += kTinyBump; |
| 139 | break; |
| 140 | |
| 141 | // These exceptions will typically mean that we have jumped where we |
| 142 | // shouldn't. |
| 143 | case MD_EXCEPTION_CODE_WIN_ILLEGAL_INSTRUCTION: |
| 144 | case MD_EXCEPTION_CODE_WIN_FLOAT_INVALID_OPERATION: |
| 145 | case MD_EXCEPTION_CODE_WIN_PRIVILEGED_INSTRUCTION: |
| 146 | exploitability_weight += kLargeBump; |
| 147 | break; |
| 148 | |
| 149 | // These represent bugs in exception handlers. |
| 150 | case MD_EXCEPTION_CODE_WIN_INVALID_DISPOSITION: |
| 151 | case MD_EXCEPTION_CODE_WIN_NONCONTINUABLE_EXCEPTION: |
| 152 | exploitability_weight += kSmallBump; |
| 153 | break; |
| 154 | |
| 155 | case MD_EXCEPTION_CODE_WIN_HEAP_CORRUPTION: |
| 156 | case MD_EXCEPTION_CODE_WIN_STACK_BUFFER_OVERRUN: |
| 157 | exploitability_weight += kHugeBump; |
| 158 | break; |
| 159 | |
| 160 | case MD_EXCEPTION_CODE_WIN_GUARD_PAGE_VIOLATION: |
| 161 | exploitability_weight += kLargeBump; |
| 162 | break; |
| 163 | |
| 164 | case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION: |
| 165 | bool near_null = (address <= kProbableNullOffset); |
| 166 | bool bad_read = false; |
| 167 | bool bad_write = false; |
| 168 | if (raw_exception->exception_record.number_parameters >= 1) { |
| 169 | MDAccessViolationTypeWin av_type = |
| 170 | static_cast<MDAccessViolationTypeWin> |
| 171 | (raw_exception->exception_record.exception_information[0]); |
| 172 | switch (av_type) { |
| 173 | case MD_ACCESS_VIOLATION_WIN_READ: |
| 174 | bad_read = true; |
| 175 | if (near_null) |
| 176 | exploitability_weight += kSmallBump; |
| 177 | else |
| 178 | exploitability_weight += kMediumBump; |
| 179 | break; |
| 180 | case MD_ACCESS_VIOLATION_WIN_WRITE: |
| 181 | bad_write = true; |
| 182 | if (near_null) |
| 183 | exploitability_weight += kSmallBump; |
| 184 | else |
| 185 | exploitability_weight += kHugeBump; |
| 186 | break; |
| 187 | case MD_ACCESS_VIOLATION_WIN_EXEC: |
| 188 | if (near_null) |
| 189 | exploitability_weight += kSmallBump; |
| 190 | else |
| 191 | exploitability_weight += kHugeBump; |
| 192 | break; |
| 193 | default: |
| 194 | BPLOG(INFO) << "Unrecognized access violation type."; |
| 195 | return EXPLOITABILITY_ERR_PROCESSING; |
| 196 | } |
| 197 | MinidumpMemoryRegion* instruction_region = 0; |
| 198 | if (memory_available) { |
| 199 | instruction_region = |
| 200 | memory_list->GetMemoryRegionForAddress(instruction_ptr); |
| 201 | } |
| 202 | if (!near_null && instruction_region && |
| 203 | context->GetContextCPU() == MD_CONTEXT_X86 && |
| 204 | (bad_read || bad_write)) { |
| 205 | // Perform checks related to memory around instruction pointer. |
| 206 | uint32_t memory_offset = |
| 207 | instruction_ptr - instruction_region->GetBase(); |
| 208 | uint32_t available_memory = |
| 209 | instruction_region->GetSize() - memory_offset; |
| 210 | available_memory = available_memory > kDisassembleBytesBeyondPC ? |
| 211 | kDisassembleBytesBeyondPC : available_memory; |
| 212 | if (available_memory) { |
| 213 | const uint8_t* raw_memory = |
| 214 | instruction_region->GetMemory() + memory_offset; |
| 215 | DisassemblerX86 disassembler(raw_memory, |
| 216 | available_memory, |
| 217 | instruction_ptr); |
| 218 | disassembler.NextInstruction(); |
| 219 | if (bad_read) |
| 220 | disassembler.setBadRead(); |
| 221 | else |
| 222 | disassembler.setBadWrite(); |
| 223 | if (disassembler.currentInstructionValid()) { |
| 224 | // Check if the faulting instruction falls into one of |
| 225 | // several interesting groups. |
| 226 | switch (disassembler.currentInstructionGroup()) { |
| 227 | case libdis::insn_controlflow: |
| 228 | exploitability_weight += kLargeBump; |
| 229 | break; |
| 230 | case libdis::insn_string: |
| 231 | exploitability_weight += kHugeBump; |
| 232 | break; |
| 233 | default: |
| 234 | break; |
| 235 | } |
| 236 | // Loop the disassembler through the code and check if it |
| 237 | // IDed any interesting conditions in the near future. |
| 238 | // Multiple flags may be set so treat each equally. |
| 239 | while (disassembler.NextInstruction() && |
| 240 | disassembler.currentInstructionValid() && |
| 241 | !disassembler.endOfBlock()) |
| 242 | continue; |
| 243 | if (disassembler.flags() & DISX86_BAD_BRANCH_TARGET) |
| 244 | exploitability_weight += kLargeBump; |
| 245 | if (disassembler.flags() & DISX86_BAD_ARGUMENT_PASSED) |
| 246 | exploitability_weight += kTinyBump; |
| 247 | if (disassembler.flags() & DISX86_BAD_WRITE) |
| 248 | exploitability_weight += kMediumBump; |
| 249 | if (disassembler.flags() & DISX86_BAD_BLOCK_WRITE) |
| 250 | exploitability_weight += kMediumBump; |
| 251 | if (disassembler.flags() & DISX86_BAD_READ) |
| 252 | exploitability_weight += kTinyBump; |
| 253 | if (disassembler.flags() & DISX86_BAD_BLOCK_READ) |
| 254 | exploitability_weight += kTinyBump; |
| 255 | if (disassembler.flags() & DISX86_BAD_COMPARISON) |
| 256 | exploitability_weight += kTinyBump; |
| 257 | } |
| 258 | } |
| 259 | } |
| 260 | if (!near_null && AddressIsAscii(address)) |
| 261 | exploitability_weight += kMediumBump; |
| 262 | } else { |
| 263 | BPLOG(INFO) << "Access violation type parameter missing."; |
| 264 | return EXPLOITABILITY_ERR_PROCESSING; |
| 265 | } |
| 266 | } |
| 267 | |
| 268 | // Based on the calculated weight we return a simplified classification. |
| 269 | BPLOG(INFO) << "Calculated exploitability weight: "<< exploitability_weight; |
| 270 | if (exploitability_weight >= kHighCutoff) |
| 271 | return EXPLOITABILITY_HIGH; |
| 272 | if (exploitability_weight >= kMediumCutoff) |
| 273 | return EXPLOITABLITY_MEDIUM; |
| 274 | if (exploitability_weight >= kLowCutoff) |
| 275 | return EXPLOITABILITY_LOW; |
| 276 | if (exploitability_weight >= kInterestingCutoff) |
| 277 | return EXPLOITABILITY_INTERESTING; |
| 278 | |
| 279 | return EXPLOITABILITY_NONE; |
| 280 | } |
| 281 | |
| 282 | } // namespace google_breakpad |
| 283 |
Generated on 2022-Feb-21 from project breakpad revision 20220221
Powered by 
Code Browser 2.1
Generator usage only permitted with license.