Add check for executable stack/heap when rating Linux exploitability.

This CL also consequentially adds a public method to get the number of
mappings in a Linux minidump.

R=ivanpe@chromium.org

Review URL: https://codereview.chromium.org/1291603002

git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1488 4c0a9323-5329-0410-9bdc-e9ce6186880e

src/google_breakpad/processor/minidump.h

@@ -916,6 +916,9 @@ class MinidumpLinuxMapsList : public MinidumpStream {
  public:
   virtual ~MinidumpLinuxMapsList();
 
+  // Get number of mappings.
+  unsigned int get_maps_count() const { return valid_ ? maps_count_ : 0; }
+
   // Get mapping at the given memory address. The caller owns the pointer.
   const MinidumpLinuxMaps *GetLinuxMapsForAddress(uint64_t address) const;
   // Get mapping at the given index. The caller owns the pointer.

src/processor/exploitability_linux.cc

@@ -124,7 +124,8 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
 
   // Checking for the instruction pointer in a valid instruction region.
   if (!this->InstructionPointerInCode(instruction_ptr) ||
-       this->StackPointerOffStack(stack_ptr)) {
+       this->StackPointerOffStack(stack_ptr) ||
+       this->ExecutableStackOrHeap()) {
     return EXPLOITABILITY_HIGH;
   }
 
@@ -149,6 +150,24 @@ bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) {
           linux_maps->GetPathname().compare("[stack]"));
 }
 
+bool ExploitabilityLinux::ExecutableStackOrHeap() {
+  MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
+  if (linux_maps_list) {
+    for (size_t i = 0; i < linux_maps_list->get_maps_count(); i++) {
+      const MinidumpLinuxMaps *linux_maps =
+          linux_maps_list->GetLinuxMapsAtIndex(i);
+      // Check for executable stack or heap for each mapping.
+      if (linux_maps &&
+          (!linux_maps->GetPathname().compare("[stack]") ||
+           !linux_maps->GetPathname().compare("[heap]")) &&
+          linux_maps->IsExecutable()) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
 bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
   // Get Linux memory mapping from /proc/self/maps. Checking whether the
   // region the instruction pointer is in has executable permission can tell

src/processor/exploitability_linux.h

@@ -51,17 +51,21 @@ class ExploitabilityLinux : public Exploitability {
   virtual ExploitabilityRating CheckPlatformExploitability();
 
  private:
-  // This method takes the address of the instruction pointer and returns
+  // Takes the address of the instruction pointer and returns
   // whether the instruction pointer lies in a valid instruction region.
   bool InstructionPointerInCode(uint64_t instruction_ptr);
 
-  // This method checks the exception that triggered the creation of the
+  // Checks the exception that triggered the creation of the
   // minidump and reports whether the exception suggests no exploitability.
   bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
 
   // Checks if the stack pointer points to a memory mapping that is not
   // labelled as the stack.
   bool StackPointerOffStack(uint64_t stack_ptr);
+
+  // Checks if the stack or heap are marked executable according
+  // to the memory mappings.
+  bool ExecutableStackOrHeap();
 };
 
 }  // namespace google_breakpad

src/processor/exploitability_unittest.cc

@@ -131,6 +131,10 @@ TEST(ExploitabilityTest, TestLinuxEngine) {
             ExploitabilityFor("linux_stack_pointer_in_stack.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
             ExploitabilityFor("linux_stack_pointer_in_module.dmp"));
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
+            ExploitabilityFor("linux_executable_stack.dmp"));
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
+            ExploitabilityFor("linux_executable_heap.dmp"));
 
 }
 }