From 12213a5e15b60f0027fb2271908f4d52494a617b Mon Sep 17 00:00:00 2001 From: "Liu.andrew.x@gmail.com" Date: Tue, 30 Jun 2015 20:34:39 +0000 Subject: [PATCH] Checking for benign exceptions that trigger a minidump. If the exception reponsible for the crash is benign, such as a floating point exception, we can rule out the possibility that the code is exploitable. This CL checks for such exceptions and marks the dump as not exploitable if such an exception is found. R=ivanpe@chromium.org Review URL: https://codereview.chromium.org/1212383004 git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1467 4c0a9323-5329-0410-9bdc-e9ce6186880e --- src/processor/exploitability_linux.cc | 57 +++++++++++++++++++++++- src/processor/exploitability_linux.h | 4 ++ src/processor/exploitability_unittest.cc | 4 +- 3 files changed, 62 insertions(+), 3 deletions(-) diff --git a/src/processor/exploitability_linux.cc b/src/processor/exploitability_linux.cc index 4f98dfeb..875df165 100644 --- a/src/processor/exploitability_linux.cc +++ b/src/processor/exploitability_linux.cc @@ -36,6 +36,7 @@ #include "processor/exploitability_linux.h" +#include "google_breakpad/common/minidump_exception_linux.h" #include "google_breakpad/processor/process_state.h" #include "google_breakpad/processor/call_stack.h" #include "google_breakpad/processor/stack_frame.h" @@ -119,11 +120,23 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() { return EXPLOITABILITY_ERR_PROCESSING; } + // Checking for the instruction pointer in a valid instruction region. if (!this->InstructionPointerInCode(instruction_ptr)) { return EXPLOITABILITY_HIGH; } - return EXPLOITABILITY_NONE; + const MDRawExceptionStream *raw_exception_stream = exception->exception(); + if (raw_exception_stream == NULL) { + BPLOG(INFO) << "No raw exception stream."; + return EXPLOITABILITY_ERR_PROCESSING; + } + + // Checking for benign exceptions that caused the crash. + if (this->BenignCrashTrigger(raw_exception_stream)) { + return EXPLOITABILITY_NONE; + } + + return EXPLOITABILITY_INTERESTING; } bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) { @@ -149,4 +162,46 @@ bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) { minidump_module_list->GetModuleForAddress(instruction_ptr); } +bool ExploitabilityLinux::BenignCrashTrigger(const MDRawExceptionStream + *raw_exception_stream) { + // Here we check the cause of crash. + // If the exception of the crash is a benign exception, + // it is probably not exploitable. + switch (raw_exception_stream->exception_record.exception_code) { + case MD_EXCEPTION_CODE_LIN_SIGHUP: + case MD_EXCEPTION_CODE_LIN_SIGINT: + case MD_EXCEPTION_CODE_LIN_SIGQUIT: + case MD_EXCEPTION_CODE_LIN_SIGTRAP: + case MD_EXCEPTION_CODE_LIN_SIGABRT: + case MD_EXCEPTION_CODE_LIN_SIGFPE: + case MD_EXCEPTION_CODE_LIN_SIGKILL: + case MD_EXCEPTION_CODE_LIN_SIGUSR1: + case MD_EXCEPTION_CODE_LIN_SIGUSR2: + case MD_EXCEPTION_CODE_LIN_SIGPIPE: + case MD_EXCEPTION_CODE_LIN_SIGALRM: + case MD_EXCEPTION_CODE_LIN_SIGTERM: + case MD_EXCEPTION_CODE_LIN_SIGCHLD: + case MD_EXCEPTION_CODE_LIN_SIGCONT: + case MD_EXCEPTION_CODE_LIN_SIGSTOP: + case MD_EXCEPTION_CODE_LIN_SIGTSTP: + case MD_EXCEPTION_CODE_LIN_SIGTTIN: + case MD_EXCEPTION_CODE_LIN_SIGTTOU: + case MD_EXCEPTION_CODE_LIN_SIGURG: + case MD_EXCEPTION_CODE_LIN_SIGXCPU: + case MD_EXCEPTION_CODE_LIN_SIGXFSZ: + case MD_EXCEPTION_CODE_LIN_SIGVTALRM: + case MD_EXCEPTION_CODE_LIN_SIGPROF: + case MD_EXCEPTION_CODE_LIN_SIGWINCH: + case MD_EXCEPTION_CODE_LIN_SIGIO: + case MD_EXCEPTION_CODE_LIN_SIGPWR: + case MD_EXCEPTION_CODE_LIN_SIGSYS: + case MD_EXCEPTION_CODE_LIN_DUMP_REQUESTED: + return true; + break; + default: + return false; + break; + } +} + } // namespace google_breakpad diff --git a/src/processor/exploitability_linux.h b/src/processor/exploitability_linux.h index 95607602..42f9bc52 100644 --- a/src/processor/exploitability_linux.h +++ b/src/processor/exploitability_linux.h @@ -53,6 +53,10 @@ class ExploitabilityLinux : public Exploitability { // This method takes the address of the instruction pointer and returns // whether the instruction pointer lies in a valid instruction region. bool InstructionPointerInCode(uint64_t instruction_ptr); + + // This method checks the exception that triggered the creation of the + // minidump and reports whether the exception suggests no exploitability. + bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream); }; } // namespace google_breakpad diff --git a/src/processor/exploitability_unittest.cc b/src/processor/exploitability_unittest.cc index 509ae230..cc46f9ea 100644 --- a/src/processor/exploitability_unittest.cc +++ b/src/processor/exploitability_unittest.cc @@ -107,7 +107,7 @@ TEST(ExploitabilityTest, TestWindowsEngine) { } TEST(ExploitabilityTest, TestLinuxEngine) { - ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE, + ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING, ExploitabilityFor("linux_null_read_av.dmp")); ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, ExploitabilityFor("linux_overflow.dmp")); @@ -115,7 +115,7 @@ TEST(ExploitabilityTest, TestLinuxEngine) { ExploitabilityFor("linux_stacksmash.dmp")); ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE, ExploitabilityFor("linux_divide_by_zero.dmp")); - ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE, + ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING, ExploitabilityFor("linux_null_dereference.dmp")); ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, ExploitabilityFor("linux_jmp_to_0.dmp"));