1 // Copyright (c) 2013 Google Inc. 2 // All rights reserved. 3 // 4 // Redistribution and use in source and binary forms, with or without 5 // modification, are permitted provided that the following conditions are 6 // met: 7 // 8 // * Redistributions of source code must retain the above copyright 9 // notice, this list of conditions and the following disclaimer. 10 // * Redistributions in binary form must reproduce the above 11 // copyright notice, this list of conditions and the following disclaimer 12 // in the documentation and/or other materials provided with the 13 // distribution. 14 // * Neither the name of Google Inc. nor the names of its 15 // contributors may be used to endorse or promote products derived from 16 // this software without specific prior written permission. 17 // 18 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 30 // exploitability_linux.h: Linux specific exploitability engine. 31 // 32 // Provides a guess at the exploitability of the crash for the Linux 33 // platform given a minidump and process_state. 34 // 35 // Author: Matthew Riley 36 37 #ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_ 38 #define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_ 39 40 #include "google_breakpad/common/breakpad_types.h" 41 #include "google_breakpad/processor/exploitability.h" 42 43 namespace google_breakpad { 44 45 class ExploitabilityLinux : public Exploitability { 46 public: 47 ExploitabilityLinux(Minidump *dump, 48 ProcessState *process_state); 49 50 // Parameters are the minidump to analyze, the object representing process 51 // state, and whether to enable objdump disassembly. 52 // Enabling objdump will allow exploitability analysis to call out to 53 // objdump for diassembly. It is used to check the identity of the 54 // instruction that caused the program to crash. If there are any 55 // portability concerns, this should not be enabled. 56 ExploitabilityLinux(Minidump *dump, 57 ProcessState *process_state, 58 bool enable_objdump); 59 60 virtual ExploitabilityRating CheckPlatformExploitability(); 61 62 private: 63 friend class ExploitabilityLinuxTest; 64 65 // Takes the address of the instruction pointer and returns 66 // whether the instruction pointer lies in a valid instruction region. 67 bool InstructionPointerInCode(uint64_t instruction_ptr); 68 69 // Checks the exception that triggered the creation of the 70 // minidump and reports whether the exception suggests no exploitability. 71 bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream); 72 73 // This method checks if the crash occurred during a write to read-only or 74 // invalid memory. It does so by checking if the instruction at the 75 // instruction pointer is a write instruction, and if the target of the 76 // instruction is at a spot in memory that prohibits writes. 77 bool EndedOnIllegalWrite(uint64_t instruction_ptr); 78 79 #ifndef _WIN32 80 // Disassembles raw bytes via objdump and pipes the output into the provided 81 // buffer, given the desired architecture, the file from which objdump will 82 // read, and the buffer length. The method returns whether the disassembly 83 // was a success, and the caller owns all pointers. 84 static bool DisassembleBytes(const string &architecture, 85 const uint8_t *raw_bytes, 86 const unsigned int MAX_OBJDUMP_BUFFER_LEN, 87 char *objdump_output_buffer); 88 89 // Parses the objdump output given in |objdump_output_buffer| and extracts 90 // the line of the first instruction into |instruction_line|. Returns true 91 // when the instruction line is successfully extracted. 92 static bool GetObjdumpInstructionLine( 93 const char *objdump_output_buffer, 94 string *instruction_line); 95 96 // Tokenizes out the operation and operands from a line of instruction 97 // disassembled by objdump. This method modifies the pointers to match the 98 // tokens of the instruction, and returns if the tokenizing was a success. 99 // The caller owns all pointers. 100 static bool TokenizeObjdumpInstruction(const string &line, 101 string *operation, 102 string *dest, 103 string *src); 104 105 // Calculates the effective address of an expression in the form reg+a or 106 // reg-a, where 'reg' is a register and 'a' is a constant, and writes the 107 // result in the pointer. The method returns whether the calculation was 108 // a success. The caller owns the pointer. 109 static bool CalculateAddress(const string &address_expression, 110 const DumpContext &context, 111 uint64_t *write_address); 112 #endif // _WIN32 113 114 // Checks if the stack pointer points to a memory mapping that is not 115 // labelled as the stack. 116 bool StackPointerOffStack(uint64_t stack_ptr); 117 118 // Checks if the stack or heap are marked executable according 119 // to the memory mappings. 120 bool ExecutableStackOrHeap(); 121 122 // Whether this exploitability engine is permitted to shell out to objdump 123 // to disassemble raw bytes. 124 bool enable_objdump_; 125 }; 126 127 } // namespace google_breakpad 128 129 #endif // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_ 130