Add check to see if stack pointer is off the stack according to the memory

mappings when rating Linux exploitability.

R=ivanpe@chromium.org

Review URL: https://codereview.chromium.org/1286033002

git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1487 4c0a9323-5329-0410-9bdc-e9ce6186880e
This commit is contained in:
Liu.andrew.x@gmail.com 2015-08-15 00:27:27 +00:00
parent 8794e39888
commit ab5ffb8b6c
5 changed files with 33 additions and 1 deletions

View file

@ -102,6 +102,7 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
// Check if the instruction pointer is in a valid instruction region // Check if the instruction pointer is in a valid instruction region
// by finding if it maps to an executable part of memory. // by finding if it maps to an executable part of memory.
uint64_t instruction_ptr = 0; uint64_t instruction_ptr = 0;
uint64_t stack_ptr = 0;
const MinidumpContext *context = exception->GetContext(); const MinidumpContext *context = exception->GetContext();
if (context == NULL) { if (context == NULL) {
@ -115,8 +116,15 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
return EXPLOITABILITY_ERR_PROCESSING; return EXPLOITABILITY_ERR_PROCESSING;
} }
// Getting the stack pointer.
if (!context->GetStackPointer(&stack_ptr)) {
BPLOG(INFO) << "Failed to retrieve stack pointer.";
return EXPLOITABILITY_ERR_PROCESSING;
}
// Checking for the instruction pointer in a valid instruction region. // Checking for the instruction pointer in a valid instruction region.
if (!this->InstructionPointerInCode(instruction_ptr)) { if (!this->InstructionPointerInCode(instruction_ptr) ||
this->StackPointerOffStack(stack_ptr)) {
return EXPLOITABILITY_HIGH; return EXPLOITABILITY_HIGH;
} }
@ -125,6 +133,22 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
return EXPLOITABILITY_INTERESTING; return EXPLOITABILITY_INTERESTING;
} }
bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) {
MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
// Inconclusive if there are no mappings available.
if (!linux_maps_list) {
return false;
}
const MinidumpLinuxMaps *linux_maps =
linux_maps_list->GetLinuxMapsForAddress(stack_ptr);
// Checks if the stack pointer maps to a valid mapping and if the mapping
// is not the stack. If the mapping has no name, it is inconclusive whether
// it is off the stack.
return !linux_maps ||
(linux_maps->GetPathname().compare("") &&
linux_maps->GetPathname().compare("[stack]"));
}
bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) { bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
// Get Linux memory mapping from /proc/self/maps. Checking whether the // Get Linux memory mapping from /proc/self/maps. Checking whether the
// region the instruction pointer is in has executable permission can tell // region the instruction pointer is in has executable permission can tell

View file

@ -58,6 +58,10 @@ class ExploitabilityLinux : public Exploitability {
// This method checks the exception that triggered the creation of the // This method checks the exception that triggered the creation of the
// minidump and reports whether the exception suggests no exploitability. // minidump and reports whether the exception suggests no exploitability.
bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream); bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
// Checks if the stack pointer points to a memory mapping that is not
// labelled as the stack.
bool StackPointerOffStack(uint64_t stack_ptr);
}; };
} // namespace google_breakpad } // namespace google_breakpad

View file

@ -127,6 +127,10 @@ TEST(ExploitabilityTest, TestLinuxEngine) {
ExploitabilityFor("linux_inside_module_exe_region1.dmp")); ExploitabilityFor("linux_inside_module_exe_region1.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING, ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
ExploitabilityFor("linux_inside_module_exe_region2.dmp")); ExploitabilityFor("linux_inside_module_exe_region2.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
ExploitabilityFor("linux_stack_pointer_in_stack.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_stack_pointer_in_module.dmp"));
} }
} }

Binary file not shown.

Binary file not shown.