Add check to see if stack pointer is off the stack according to the memory
mappings when rating Linux exploitability. R=ivanpe@chromium.org Review URL: https://codereview.chromium.org/1286033002 git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1487 4c0a9323-5329-0410-9bdc-e9ce6186880e
This commit is contained in:
parent
8794e39888
commit
ab5ffb8b6c
5 changed files with 33 additions and 1 deletions
|
@ -102,6 +102,7 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
|
||||||
// Check if the instruction pointer is in a valid instruction region
|
// Check if the instruction pointer is in a valid instruction region
|
||||||
// by finding if it maps to an executable part of memory.
|
// by finding if it maps to an executable part of memory.
|
||||||
uint64_t instruction_ptr = 0;
|
uint64_t instruction_ptr = 0;
|
||||||
|
uint64_t stack_ptr = 0;
|
||||||
|
|
||||||
const MinidumpContext *context = exception->GetContext();
|
const MinidumpContext *context = exception->GetContext();
|
||||||
if (context == NULL) {
|
if (context == NULL) {
|
||||||
|
@ -115,8 +116,15 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
|
||||||
return EXPLOITABILITY_ERR_PROCESSING;
|
return EXPLOITABILITY_ERR_PROCESSING;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Getting the stack pointer.
|
||||||
|
if (!context->GetStackPointer(&stack_ptr)) {
|
||||||
|
BPLOG(INFO) << "Failed to retrieve stack pointer.";
|
||||||
|
return EXPLOITABILITY_ERR_PROCESSING;
|
||||||
|
}
|
||||||
|
|
||||||
// Checking for the instruction pointer in a valid instruction region.
|
// Checking for the instruction pointer in a valid instruction region.
|
||||||
if (!this->InstructionPointerInCode(instruction_ptr)) {
|
if (!this->InstructionPointerInCode(instruction_ptr) ||
|
||||||
|
this->StackPointerOffStack(stack_ptr)) {
|
||||||
return EXPLOITABILITY_HIGH;
|
return EXPLOITABILITY_HIGH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -125,6 +133,22 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
|
||||||
return EXPLOITABILITY_INTERESTING;
|
return EXPLOITABILITY_INTERESTING;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) {
|
||||||
|
MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
|
||||||
|
// Inconclusive if there are no mappings available.
|
||||||
|
if (!linux_maps_list) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
const MinidumpLinuxMaps *linux_maps =
|
||||||
|
linux_maps_list->GetLinuxMapsForAddress(stack_ptr);
|
||||||
|
// Checks if the stack pointer maps to a valid mapping and if the mapping
|
||||||
|
// is not the stack. If the mapping has no name, it is inconclusive whether
|
||||||
|
// it is off the stack.
|
||||||
|
return !linux_maps ||
|
||||||
|
(linux_maps->GetPathname().compare("") &&
|
||||||
|
linux_maps->GetPathname().compare("[stack]"));
|
||||||
|
}
|
||||||
|
|
||||||
bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
|
bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
|
||||||
// Get Linux memory mapping from /proc/self/maps. Checking whether the
|
// Get Linux memory mapping from /proc/self/maps. Checking whether the
|
||||||
// region the instruction pointer is in has executable permission can tell
|
// region the instruction pointer is in has executable permission can tell
|
||||||
|
|
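Review bot: `StackPointerOffStack` treats every named mapping other than exactly `[stack]` as off-stack, so on kernels that label thread stacks `[stack:<tid>]` a crash on a non-main thread whose stack pointer sits on its own stack would be rated EXPLOITABILITY_HIGH; a prefix match avoids that false positive and also makes the `compare` truthiness explicit, e.g. `return !linux_maps || (!linux_maps->GetPathname().empty() && linux_maps->GetPathname().compare(0, 6, "[stack") != 0);`. The `!linux_maps` case rating HIGH is deliberate per the comment, but it is worth stating there that a stack pointer with no containing mapping is treated as conclusive, since an incomplete maps list in the dump would presumably produce the same result. CheckPlatformExploitability continues outside the hunk.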
|
@ -58,6 +58,10 @@ class ExploitabilityLinux : public Exploitability {
|
||||||
// This method checks the exception that triggered the creation of the
|
// This method checks the exception that triggered the creation of the
|
||||||
// minidump and reports whether the exception suggests no exploitability.
|
// minidump and reports whether the exception suggests no exploitability.
|
||||||
bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
|
bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
|
||||||
|
|
||||||
|
// Checks if the stack pointer points to a memory mapping that is not
|
||||||
|
// labelled as the stack.
|
||||||
|
bool StackPointerOffStack(uint64_t stack_ptr);
|
||||||
};
|
};
|
||||||
|
|
||||||
} // namespace google_breakpad
|
} // namespace google_breakpad
|
||||||
|
|
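Review bot: The declaration comment for `StackPointerOffStack` does not say what the inconclusive cases return, which a caller treating `true` as "rate HIGH" needs to know. I would replace it with `// Returns true if |stack_ptr| is in no mapping or in a named mapping other than the stack; returns false (inconclusive) if no maps list is available or the mapping has no name.` so the header matches the .cc behavior without reading the implementation.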
|
@ -127,6 +127,10 @@ TEST(ExploitabilityTest, TestLinuxEngine) {
|
||||||
ExploitabilityFor("linux_inside_module_exe_region1.dmp"));
|
ExploitabilityFor("linux_inside_module_exe_region1.dmp"));
|
||||||
ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
|
ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
|
||||||
ExploitabilityFor("linux_inside_module_exe_region2.dmp"));
|
ExploitabilityFor("linux_inside_module_exe_region2.dmp"));
|
||||||
|
ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
|
||||||
|
ExploitabilityFor("linux_stack_pointer_in_stack.dmp"));
|
||||||
|
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
|
||||||
|
ExploitabilityFor("linux_stack_pointer_in_module.dmp"));
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
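Review bot: The two new assertions cover the in-stack and in-module cases only; the branch in `StackPointerOffStack` that rates a stack pointer with no containing mapping as EXPLOITABILITY_HIGH, and the unnamed-mapping path that falls back to INTERESTING, are not exercised. A dump with the stack pointer outside every mapping (and, if one can be produced, one with a thread-stack mapping) would pin those behaviors, since they are the ones most likely to produce a misrating in practice. TestLinuxEngine continues outside the hunk.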
BIN
src/processor/testdata/linux_stack_pointer_in_module.dmp
vendored
Normal file
BIN
src/processor/testdata/linux_stack_pointer_in_module.dmp
vendored
Normal file
BIN
src/processor/testdata/linux_stack_pointer_in_stack.dmp
vendored
Normal file
BIN
src/processor/testdata/linux_stack_pointer_in_stack.dmp
vendored
Normal file