1 // Copyright (c) 2010 Google Inc.
2 // All rights reserved.
3 //
4 // Redistribution and use in source and binary forms, with or without
5 // modification, are permitted provided that the following conditions are
6 // met:
7 //
8 // * Redistributions of source code must retain the above copyright
9 // notice, this list of conditions and the following disclaimer.
10 // * Redistributions in binary form must reproduce the above
11 // copyright notice, this list of conditions and the following disclaimer
12 // in the documentation and/or other materials provided with the
13 // distribution.
14 // * Neither the name of Google Inc. nor the names of its
15 // contributors may be used to endorse or promote products derived from
16 // this software without specific prior written permission.
17 //
18 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30 // exploitability_win.cc: Windows specific exploitability engine.
31 //
32 // Provides a guess at the exploitability of the crash for the Windows
33 // platform given a minidump and process_state.
34 //
35 // Author: Cris Neckar
36
37 #include <vector>
38
39 #include "processor/exploitability_win.h"
40
41 #include "common/scoped_ptr.h"
42 #include "google_breakpad/common/minidump_exception_win32.h"
43 #include "google_breakpad/processor/minidump.h"
44 #include "processor/disassembler_x86.h"
45 #include "processor/logging.h"
46
47 #include "third_party/libdisasm/libdis.h"
48
49 namespace google_breakpad {
50
51 // The cutoff that we use to judge if and address is likely an offset
52 // from various interesting addresses.
53 static const uint64_t kProbableNullOffset = 4096;
54 static const uint64_t kProbableStackOffset = 8192;
55
56 // The various cutoffs for the different ratings.
57 static const size_t kHighCutoff = 100;
58 static const size_t kMediumCutoff = 80;
59 static const size_t kLowCutoff = 50;
60 static const size_t kInterestingCutoff = 25;
61
62 // Predefined incremental values for conditional weighting.
63 static const size_t kTinyBump = 5;
64 static const size_t kSmallBump = 20;
65 static const size_t kMediumBump = 50;
66 static const size_t kLargeBump = 70;
67 static const size_t kHugeBump = 90;
68
69 // The maximum number of bytes to disassemble past the program counter.
70 static const size_t kDisassembleBytesBeyondPC = 2048;
71
ExploitabilityWin(Minidump * dump,ProcessState * process_state)72 ExploitabilityWin::ExploitabilityWin(Minidump *dump,
73 ProcessState *process_state)
74 : Exploitability(dump, process_state) { }
75
CheckPlatformExploitability()76 ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() {
77 MinidumpException *exception = dump_->GetException();
78 if (!exception) {
79 BPLOG(INFO) << "Minidump does not have exception record.";
80 return EXPLOITABILITY_ERR_PROCESSING;
81 }
82
83 const MDRawExceptionStream *raw_exception = exception->exception();
84 if (!raw_exception) {
85 BPLOG(INFO) << "Could not obtain raw exception info.";
86 return EXPLOITABILITY_ERR_PROCESSING;
87 }
88
89 const MinidumpContext *context = exception->GetContext();
90 if (!context) {
91 BPLOG(INFO) << "Could not obtain exception context.";
92 return EXPLOITABILITY_ERR_PROCESSING;
93 }
94
95 MinidumpMemoryList *memory_list = dump_->GetMemoryList();
96 bool memory_available = true;
97 if (!memory_list) {
98 BPLOG(INFO) << "Minidump memory segments not available.";
99 memory_available = false;
100 }
101 uint64_t address = process_state_->crash_address();
102 uint32_t exception_code = raw_exception->exception_record.exception_code;
103
104 uint32_t exploitability_weight = 0;
105
106 uint64_t stack_ptr = 0;
107 uint64_t instruction_ptr = 0;
108
109 // Getting the instruction pointer.
110 if (!context->GetInstructionPointer(&instruction_ptr)) {
111 return EXPLOITABILITY_ERR_PROCESSING;
112 }
113
114 // Getting the stack pointer.
115 if (!context->GetStackPointer(&stack_ptr)) {
116 return EXPLOITABILITY_ERR_PROCESSING;
117 }
118
119 // Check if we are executing on the stack.
120 if (instruction_ptr <= (stack_ptr + kProbableStackOffset) &&
121 instruction_ptr >= (stack_ptr - kProbableStackOffset))
122 exploitability_weight += kHugeBump;
123
124 switch (exception_code) {
125 // This is almost certainly recursion.
126 case MD_EXCEPTION_CODE_WIN_STACK_OVERFLOW:
127 exploitability_weight += kTinyBump;
128 break;
129
130 // These exceptions tend to be benign and we can generally ignore them.
131 case MD_EXCEPTION_CODE_WIN_INTEGER_DIVIDE_BY_ZERO:
132 case MD_EXCEPTION_CODE_WIN_INTEGER_OVERFLOW:
133 case MD_EXCEPTION_CODE_WIN_FLOAT_DIVIDE_BY_ZERO:
134 case MD_EXCEPTION_CODE_WIN_FLOAT_INEXACT_RESULT:
135 case MD_EXCEPTION_CODE_WIN_FLOAT_OVERFLOW:
136 case MD_EXCEPTION_CODE_WIN_FLOAT_UNDERFLOW:
137 case MD_EXCEPTION_CODE_WIN_IN_PAGE_ERROR:
138 exploitability_weight += kTinyBump;
139 break;
140
141 // These exceptions will typically mean that we have jumped where we
142 // shouldn't.
143 case MD_EXCEPTION_CODE_WIN_ILLEGAL_INSTRUCTION:
144 case MD_EXCEPTION_CODE_WIN_FLOAT_INVALID_OPERATION:
145 case MD_EXCEPTION_CODE_WIN_PRIVILEGED_INSTRUCTION:
146 exploitability_weight += kLargeBump;
147 break;
148
149 // These represent bugs in exception handlers.
150 case MD_EXCEPTION_CODE_WIN_INVALID_DISPOSITION:
151 case MD_EXCEPTION_CODE_WIN_NONCONTINUABLE_EXCEPTION:
152 exploitability_weight += kSmallBump;
153 break;
154
155 case MD_EXCEPTION_CODE_WIN_HEAP_CORRUPTION:
156 case MD_EXCEPTION_CODE_WIN_STACK_BUFFER_OVERRUN:
157 exploitability_weight += kHugeBump;
158 break;
159
160 case MD_EXCEPTION_CODE_WIN_GUARD_PAGE_VIOLATION:
161 exploitability_weight += kLargeBump;
162 break;
163
164 case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION:
165 bool near_null = (address <= kProbableNullOffset);
166 bool bad_read = false;
167 bool bad_write = false;
168 if (raw_exception->exception_record.number_parameters >= 1) {
169 MDAccessViolationTypeWin av_type =
170 static_cast<MDAccessViolationTypeWin>
171 (raw_exception->exception_record.exception_information[0]);
172 switch (av_type) {
173 case MD_ACCESS_VIOLATION_WIN_READ:
174 bad_read = true;
175 if (near_null)
176 exploitability_weight += kSmallBump;
177 else
178 exploitability_weight += kMediumBump;
179 break;
180 case MD_ACCESS_VIOLATION_WIN_WRITE:
181 bad_write = true;
182 if (near_null)
183 exploitability_weight += kSmallBump;
184 else
185 exploitability_weight += kHugeBump;
186 break;
187 case MD_ACCESS_VIOLATION_WIN_EXEC:
188 if (near_null)
189 exploitability_weight += kSmallBump;
190 else
191 exploitability_weight += kHugeBump;
192 break;
193 default:
194 BPLOG(INFO) << "Unrecognized access violation type.";
195 return EXPLOITABILITY_ERR_PROCESSING;
196 break;
197 }
198 MinidumpMemoryRegion *instruction_region = 0;
199 if (memory_available) {
200 instruction_region =
201 memory_list->GetMemoryRegionForAddress(instruction_ptr);
202 }
203 if (!near_null && instruction_region &&
204 context->GetContextCPU() == MD_CONTEXT_X86 &&
205 (bad_read || bad_write)) {
206 // Perform checks related to memory around instruction pointer.
207 uint32_t memory_offset =
208 instruction_ptr - instruction_region->GetBase();
209 uint32_t available_memory =
210 instruction_region->GetSize() - memory_offset;
211 available_memory = available_memory > kDisassembleBytesBeyondPC ?
212 kDisassembleBytesBeyondPC : available_memory;
213 if (available_memory) {
214 const uint8_t *raw_memory =
215 instruction_region->GetMemory() + memory_offset;
216 DisassemblerX86 disassembler(raw_memory,
217 available_memory,
218 instruction_ptr);
219 disassembler.NextInstruction();
220 if (bad_read)
221 disassembler.setBadRead();
222 else
223 disassembler.setBadWrite();
224 if (disassembler.currentInstructionValid()) {
225 // Check if the faulting instruction falls into one of
226 // several interesting groups.
227 switch (disassembler.currentInstructionGroup()) {
228 case libdis::insn_controlflow:
229 exploitability_weight += kLargeBump;
230 break;
231 case libdis::insn_string:
232 exploitability_weight += kHugeBump;
233 break;
234 default:
235 break;
236 }
237 // Loop the disassembler through the code and check if it
238 // IDed any interesting conditions in the near future.
239 // Multiple flags may be set so treat each equally.
240 while (disassembler.NextInstruction() &&
241 disassembler.currentInstructionValid() &&
242 !disassembler.endOfBlock())
243 continue;
244 if (disassembler.flags() & DISX86_BAD_BRANCH_TARGET)
245 exploitability_weight += kLargeBump;
246 if (disassembler.flags() & DISX86_BAD_ARGUMENT_PASSED)
247 exploitability_weight += kTinyBump;
248 if (disassembler.flags() & DISX86_BAD_WRITE)
249 exploitability_weight += kMediumBump;
250 if (disassembler.flags() & DISX86_BAD_BLOCK_WRITE)
251 exploitability_weight += kMediumBump;
252 if (disassembler.flags() & DISX86_BAD_READ)
253 exploitability_weight += kTinyBump;
254 if (disassembler.flags() & DISX86_BAD_BLOCK_READ)
255 exploitability_weight += kTinyBump;
256 if (disassembler.flags() & DISX86_BAD_COMPARISON)
257 exploitability_weight += kTinyBump;
258 }
259 }
260 }
261 if (!near_null && AddressIsAscii(address))
262 exploitability_weight += kMediumBump;
263 } else {
264 BPLOG(INFO) << "Access violation type parameter missing.";
265 return EXPLOITABILITY_ERR_PROCESSING;
266 }
267 }
268
269 // Based on the calculated weight we return a simplified classification.
270 BPLOG(INFO) << "Calculated exploitability weight: " << exploitability_weight;
271 if (exploitability_weight >= kHighCutoff)
272 return EXPLOITABILITY_HIGH;
273 if (exploitability_weight >= kMediumCutoff)
274 return EXPLOITABLITY_MEDIUM;
275 if (exploitability_weight >= kLowCutoff)
276 return EXPLOITABILITY_LOW;
277 if (exploitability_weight >= kInterestingCutoff)
278 return EXPLOITABILITY_INTERESTING;
279
280 return EXPLOITABILITY_NONE;
281 }
282
283 } // namespace google_breakpad
284