mirror of
https://github.com/yuzu-emu/breakpad.git
synced 2024-12-23 15:45:39 +00:00
Add check for executable stack/heap when rating Linux exploitability.
This CL also consequentially adds a public method to get the number of mappings in a Linux minidump. R=ivanpe@chromium.org Review URL: https://codereview.chromium.org/1291603002 git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1488 4c0a9323-5329-0410-9bdc-e9ce6186880e
This commit is contained in:
parent
ab5ffb8b6c
commit
e3687f92c2
|
@ -916,6 +916,9 @@ class MinidumpLinuxMapsList : public MinidumpStream {
|
||||||
public:
|
public:
|
||||||
virtual ~MinidumpLinuxMapsList();
|
virtual ~MinidumpLinuxMapsList();
|
||||||
|
|
||||||
|
// Get number of mappings.
|
||||||
|
unsigned int get_maps_count() const { return valid_ ? maps_count_ : 0; }
|
||||||
|
|
||||||
// Get mapping at the given memory address. The caller owns the pointer.
|
// Get mapping at the given memory address. The caller owns the pointer.
|
||||||
const MinidumpLinuxMaps *GetLinuxMapsForAddress(uint64_t address) const;
|
const MinidumpLinuxMaps *GetLinuxMapsForAddress(uint64_t address) const;
|
||||||
// Get mapping at the given index. The caller owns the pointer.
|
// Get mapping at the given index. The caller owns the pointer.
|
||||||
|
|
|
@ -124,7 +124,8 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
|
||||||
|
|
||||||
// Checking for the instruction pointer in a valid instruction region.
|
// Checking for the instruction pointer in a valid instruction region.
|
||||||
if (!this->InstructionPointerInCode(instruction_ptr) ||
|
if (!this->InstructionPointerInCode(instruction_ptr) ||
|
||||||
this->StackPointerOffStack(stack_ptr)) {
|
this->StackPointerOffStack(stack_ptr) ||
|
||||||
|
this->ExecutableStackOrHeap()) {
|
||||||
return EXPLOITABILITY_HIGH;
|
return EXPLOITABILITY_HIGH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -149,6 +150,24 @@ bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) {
|
||||||
linux_maps->GetPathname().compare("[stack]"));
|
linux_maps->GetPathname().compare("[stack]"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool ExploitabilityLinux::ExecutableStackOrHeap() {
|
||||||
|
MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
|
||||||
|
if (linux_maps_list) {
|
||||||
|
for (size_t i = 0; i < linux_maps_list->get_maps_count(); i++) {
|
||||||
|
const MinidumpLinuxMaps *linux_maps =
|
||||||
|
linux_maps_list->GetLinuxMapsAtIndex(i);
|
||||||
|
// Check for executable stack or heap for each mapping.
|
||||||
|
if (linux_maps &&
|
||||||
|
(!linux_maps->GetPathname().compare("[stack]") ||
|
||||||
|
!linux_maps->GetPathname().compare("[heap]")) &&
|
||||||
|
linux_maps->IsExecutable()) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
|
bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
|
||||||
// Get Linux memory mapping from /proc/self/maps. Checking whether the
|
// Get Linux memory mapping from /proc/self/maps. Checking whether the
|
||||||
// region the instruction pointer is in has executable permission can tell
|
// region the instruction pointer is in has executable permission can tell
|
||||||
|
|
|
@ -51,17 +51,21 @@ class ExploitabilityLinux : public Exploitability {
|
||||||
virtual ExploitabilityRating CheckPlatformExploitability();
|
virtual ExploitabilityRating CheckPlatformExploitability();
|
||||||
|
|
||||||
private:
|
private:
|
||||||
// This method takes the address of the instruction pointer and returns
|
// Takes the address of the instruction pointer and returns
|
||||||
// whether the instruction pointer lies in a valid instruction region.
|
// whether the instruction pointer lies in a valid instruction region.
|
||||||
bool InstructionPointerInCode(uint64_t instruction_ptr);
|
bool InstructionPointerInCode(uint64_t instruction_ptr);
|
||||||
|
|
||||||
// This method checks the exception that triggered the creation of the
|
// Checks the exception that triggered the creation of the
|
||||||
// minidump and reports whether the exception suggests no exploitability.
|
// minidump and reports whether the exception suggests no exploitability.
|
||||||
bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
|
bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
|
||||||
|
|
||||||
// Checks if the stack pointer points to a memory mapping that is not
|
// Checks if the stack pointer points to a memory mapping that is not
|
||||||
// labelled as the stack.
|
// labelled as the stack.
|
||||||
bool StackPointerOffStack(uint64_t stack_ptr);
|
bool StackPointerOffStack(uint64_t stack_ptr);
|
||||||
|
|
||||||
|
// Checks if the stack or heap are marked executable according
|
||||||
|
// to the memory mappings.
|
||||||
|
bool ExecutableStackOrHeap();
|
||||||
};
|
};
|
||||||
|
|
||||||
} // namespace google_breakpad
|
} // namespace google_breakpad
|
||||||
|
|
|
@ -131,6 +131,10 @@ TEST(ExploitabilityTest, TestLinuxEngine) {
|
||||||
ExploitabilityFor("linux_stack_pointer_in_stack.dmp"));
|
ExploitabilityFor("linux_stack_pointer_in_stack.dmp"));
|
||||||
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
|
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
|
||||||
ExploitabilityFor("linux_stack_pointer_in_module.dmp"));
|
ExploitabilityFor("linux_stack_pointer_in_module.dmp"));
|
||||||
|
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
|
||||||
|
ExploitabilityFor("linux_executable_stack.dmp"));
|
||||||
|
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
|
||||||
|
ExploitabilityFor("linux_executable_heap.dmp"));
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
BIN
src/processor/testdata/linux_executable_heap.dmp
vendored
Normal file
BIN
src/processor/testdata/linux_executable_heap.dmp
vendored
Normal file
Binary file not shown.
BIN
src/processor/testdata/linux_executable_stack.dmp
vendored
Normal file
BIN
src/processor/testdata/linux_executable_stack.dmp
vendored
Normal file
Binary file not shown.
Loading…
Reference in a new issue