Add check for executable stack/heap when rating Linux exploitability.

This CL also consequentially adds a public method to get the number of
mappings in a Linux minidump.

R=ivanpe@chromium.org

Review URL: https://codereview.chromium.org/1291603002

git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1488 4c0a9323-5329-0410-9bdc-e9ce6186880e
This commit is contained in:
Liu.andrew.x@gmail.com 2015-08-15 00:37:14 +00:00
parent ab5ffb8b6c
commit e3687f92c2
6 changed files with 33 additions and 3 deletions

View file

@ -916,6 +916,9 @@ class MinidumpLinuxMapsList : public MinidumpStream {
public: public:
virtual ~MinidumpLinuxMapsList(); virtual ~MinidumpLinuxMapsList();
// Get number of mappings.
unsigned int get_maps_count() const { return valid_ ? maps_count_ : 0; }
// Get mapping at the given memory address. The caller owns the pointer. // Get mapping at the given memory address. The caller owns the pointer.
const MinidumpLinuxMaps *GetLinuxMapsForAddress(uint64_t address) const; const MinidumpLinuxMaps *GetLinuxMapsForAddress(uint64_t address) const;
// Get mapping at the given index. The caller owns the pointer. // Get mapping at the given index. The caller owns the pointer.

View file

@ -124,7 +124,8 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
// Checking for the instruction pointer in a valid instruction region. // Checking for the instruction pointer in a valid instruction region.
if (!this->InstructionPointerInCode(instruction_ptr) || if (!this->InstructionPointerInCode(instruction_ptr) ||
this->StackPointerOffStack(stack_ptr)) { this->StackPointerOffStack(stack_ptr) ||
this->ExecutableStackOrHeap()) {
return EXPLOITABILITY_HIGH; return EXPLOITABILITY_HIGH;
} }
@ -149,6 +150,24 @@ bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) {
linux_maps->GetPathname().compare("[stack]")); linux_maps->GetPathname().compare("[stack]"));
} }
bool ExploitabilityLinux::ExecutableStackOrHeap() {
MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
if (linux_maps_list) {
for (size_t i = 0; i < linux_maps_list->get_maps_count(); i++) {
const MinidumpLinuxMaps *linux_maps =
linux_maps_list->GetLinuxMapsAtIndex(i);
// Check for executable stack or heap for each mapping.
if (linux_maps &&
(!linux_maps->GetPathname().compare("[stack]") ||
!linux_maps->GetPathname().compare("[heap]")) &&
linux_maps->IsExecutable()) {
return true;
}
}
}
return false;
}
bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) { bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
// Get Linux memory mapping from /proc/self/maps. Checking whether the // Get Linux memory mapping from /proc/self/maps. Checking whether the
// region the instruction pointer is in has executable permission can tell // region the instruction pointer is in has executable permission can tell

View file

@ -51,17 +51,21 @@ class ExploitabilityLinux : public Exploitability {
virtual ExploitabilityRating CheckPlatformExploitability(); virtual ExploitabilityRating CheckPlatformExploitability();
private: private:
// This method takes the address of the instruction pointer and returns // Takes the address of the instruction pointer and returns
// whether the instruction pointer lies in a valid instruction region. // whether the instruction pointer lies in a valid instruction region.
bool InstructionPointerInCode(uint64_t instruction_ptr); bool InstructionPointerInCode(uint64_t instruction_ptr);
// This method checks the exception that triggered the creation of the // Checks the exception that triggered the creation of the
// minidump and reports whether the exception suggests no exploitability. // minidump and reports whether the exception suggests no exploitability.
bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream); bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
// Checks if the stack pointer points to a memory mapping that is not // Checks if the stack pointer points to a memory mapping that is not
// labelled as the stack. // labelled as the stack.
bool StackPointerOffStack(uint64_t stack_ptr); bool StackPointerOffStack(uint64_t stack_ptr);
// Checks if the stack or heap are marked executable according
// to the memory mappings.
bool ExecutableStackOrHeap();
}; };
} // namespace google_breakpad } // namespace google_breakpad

View file

@ -131,6 +131,10 @@ TEST(ExploitabilityTest, TestLinuxEngine) {
ExploitabilityFor("linux_stack_pointer_in_stack.dmp")); ExploitabilityFor("linux_stack_pointer_in_stack.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH, ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_stack_pointer_in_module.dmp")); ExploitabilityFor("linux_stack_pointer_in_module.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_executable_stack.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_executable_heap.dmp"));
} }
} }

Binary file not shown.

Binary file not shown.