Add check for executable stack/heap when rating Linux exploitability.

This CL also consequentially adds a public method to get the number of
mappings in a Linux minidump.

R=ivanpe@chromium.org

Review URL: https://codereview.chromium.org/1291603002

git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1488 4c0a9323-5329-0410-9bdc-e9ce6186880e
This commit is contained in:
Liu.andrew.x@gmail.com 2015-08-15 00:37:14 +00:00
parent ab5ffb8b6c
commit e3687f92c2
6 changed files with 33 additions and 3 deletions

View File

@ -916,6 +916,9 @@ class MinidumpLinuxMapsList : public MinidumpStream {
public:
virtual ~MinidumpLinuxMapsList();
// Get number of mappings.
unsigned int get_maps_count() const { return valid_ ? maps_count_ : 0; }
// Get mapping at the given memory address. The caller owns the pointer.
const MinidumpLinuxMaps *GetLinuxMapsForAddress(uint64_t address) const;
// Get mapping at the given index. The caller owns the pointer.

View File

@ -124,7 +124,8 @@ ExploitabilityRating ExploitabilityLinux::CheckPlatformExploitability() {
// Checking for the instruction pointer in a valid instruction region.
if (!this->InstructionPointerInCode(instruction_ptr) ||
this->StackPointerOffStack(stack_ptr)) {
this->StackPointerOffStack(stack_ptr) ||
this->ExecutableStackOrHeap()) {
return EXPLOITABILITY_HIGH;
}
@ -149,6 +150,24 @@ bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) {
linux_maps->GetPathname().compare("[stack]"));
}
bool ExploitabilityLinux::ExecutableStackOrHeap() {
MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
if (linux_maps_list) {
for (size_t i = 0; i < linux_maps_list->get_maps_count(); i++) {
const MinidumpLinuxMaps *linux_maps =
linux_maps_list->GetLinuxMapsAtIndex(i);
// Check for executable stack or heap for each mapping.
if (linux_maps &&
(!linux_maps->GetPathname().compare("[stack]") ||
!linux_maps->GetPathname().compare("[heap]")) &&
linux_maps->IsExecutable()) {
return true;
}
}
}
return false;
}
bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
// Get Linux memory mapping from /proc/self/maps. Checking whether the
// region the instruction pointer is in has executable permission can tell

View File

@ -51,17 +51,21 @@ class ExploitabilityLinux : public Exploitability {
virtual ExploitabilityRating CheckPlatformExploitability();
private:
// This method takes the address of the instruction pointer and returns
// Takes the address of the instruction pointer and returns
// whether the instruction pointer lies in a valid instruction region.
bool InstructionPointerInCode(uint64_t instruction_ptr);
// This method checks the exception that triggered the creation of the
// Checks the exception that triggered the creation of the
// minidump and reports whether the exception suggests no exploitability.
bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
// Checks if the stack pointer points to a memory mapping that is not
// labelled as the stack.
bool StackPointerOffStack(uint64_t stack_ptr);
// Checks if the stack or heap are marked executable according
// to the memory mappings.
bool ExecutableStackOrHeap();
};
} // namespace google_breakpad

View File

@ -131,6 +131,10 @@ TEST(ExploitabilityTest, TestLinuxEngine) {
ExploitabilityFor("linux_stack_pointer_in_stack.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_stack_pointer_in_module.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_executable_stack.dmp"));
ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
ExploitabilityFor("linux_executable_heap.dmp"));
}
}

Binary file not shown.

Binary file not shown.