toolkit/crashreporter/google-breakpad/src/processor/exploitability_win.cc

changeset 0
6474c204b198
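--- /dev/null
+++ b/toolkit/crashreporter/google-breakpad/src/processor/exploitability_win.cc
@@ -0,0 +1,290 @@
+// Copyright (c) 2010 Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// exploitability_win.cc: Windows specific exploitability engine.
+//
+// Provides a guess at the exploitability of the crash for the Windows
+// platform given a minidump and process_state.
+//
+// Author: Cris Neckar
+
+#include <vector>
+
+#include "processor/exploitability_win.h"
+
+#include "common/scoped_ptr.h"
+#include "google_breakpad/common/minidump_exception_win32.h"
+#include "google_breakpad/processor/minidump.h"
+#include "processor/disassembler_x86.h"
+#include "processor/logging.h"
+
+#include "third_party/libdisasm/libdis.h"
+
+namespace google_breakpad {
+
+// The cutoff that we use to judge if and address is likely an offset
+// from various interesting addresses.
+static const uint64_t kProbableNullOffset = 4096;
+static const uint64_t kProbableStackOffset = 8192;
+
+// The various cutoffs for the different ratings.
+static const size_t kHighCutoff        = 100;
+static const size_t kMediumCutoff      = 80;
+static const size_t kLowCutoff         = 50;
+static const size_t kInterestingCutoff = 25;
+
+// Predefined incremental values for conditional weighting.
+static const size_t kTinyBump          = 5;
+static const size_t kSmallBump         = 20;
+static const size_t kMediumBump        = 50;
+static const size_t kLargeBump         = 70;
+static const size_t kHugeBump          = 90;
+
+// The maximum number of bytes to disassemble past the program counter.
+static const size_t kDisassembleBytesBeyondPC = 2048;
+
+ExploitabilityWin::ExploitabilityWin(Minidump *dump,
+                                     ProcessState *process_state)
+    : Exploitability(dump, process_state) { }
+
+ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() {
+  MinidumpException *exception = dump_->GetException();
+  if (!exception) {
+    BPLOG(INFO) << "Minidump does not have exception record.";
+    return EXPLOITABILITY_ERR_PROCESSING;
+  }
+
+  const MDRawExceptionStream *raw_exception = exception->exception();
+  if (!raw_exception) {
+    BPLOG(INFO) << "Could not obtain raw exception info.";
+    return EXPLOITABILITY_ERR_PROCESSING;
+  }
+
+  const MinidumpContext *context = exception->GetContext();
+  if (!context) {
+    BPLOG(INFO) << "Could not obtain exception context.";
+    return EXPLOITABILITY_ERR_PROCESSING;
+  }
+
+  MinidumpMemoryList *memory_list = dump_->GetMemoryList();
+  bool memory_available = true;
+  if (!memory_list) {
+    BPLOG(INFO) << "Minidump memory segments not available.";
+    memory_available = false;
+  }
+  uint64_t address = process_state_->crash_address();
+  uint32_t exception_code = raw_exception->exception_record.exception_code;
+
+  uint32_t exploitability_weight = 0;
+
+  uint64_t stack_ptr = 0;
+  uint64_t instruction_ptr = 0;
+  uint64_t this_ptr = 0;
+
+  switch (context->GetContextCPU()) {
+    case MD_CONTEXT_X86:
+      stack_ptr = context->GetContextX86()->esp;
+      instruction_ptr = context->GetContextX86()->eip;
+      this_ptr = context->GetContextX86()->ecx;
+      break;
+    case MD_CONTEXT_AMD64:
+      stack_ptr = context->GetContextAMD64()->rsp;
+      instruction_ptr = context->GetContextAMD64()->rip;
+      this_ptr = context->GetContextAMD64()->rcx;
+      break;
+    default:
+      BPLOG(INFO) << "Unsupported architecture.";
+      return EXPLOITABILITY_ERR_PROCESSING;
+  }
+
+  // Check if we are executing on the stack.
+  if (instruction_ptr <= (stack_ptr + kProbableStackOffset) &&
+      instruction_ptr >= (stack_ptr - kProbableStackOffset))
+    exploitability_weight += kHugeBump;
+
+  switch (exception_code) {
+    // This is almost certainly recursion.
+    case MD_EXCEPTION_CODE_WIN_STACK_OVERFLOW:
+      exploitability_weight += kTinyBump;
+      break;
+
+    // These exceptions tend to be benign and we can generally ignore them.
+    case MD_EXCEPTION_CODE_WIN_INTEGER_DIVIDE_BY_ZERO:
+    case MD_EXCEPTION_CODE_WIN_INTEGER_OVERFLOW:
+    case MD_EXCEPTION_CODE_WIN_FLOAT_DIVIDE_BY_ZERO:
+    case MD_EXCEPTION_CODE_WIN_FLOAT_INEXACT_RESULT:
+    case MD_EXCEPTION_CODE_WIN_FLOAT_OVERFLOW:
+    case MD_EXCEPTION_CODE_WIN_FLOAT_UNDERFLOW:
+    case MD_EXCEPTION_CODE_WIN_IN_PAGE_ERROR:
+      exploitability_weight += kTinyBump;
+      break;
+
+    // These exceptions will typically mean that we have jumped where we
+    // shouldn't.
+    case MD_EXCEPTION_CODE_WIN_ILLEGAL_INSTRUCTION:
+    case MD_EXCEPTION_CODE_WIN_FLOAT_INVALID_OPERATION:
+    case MD_EXCEPTION_CODE_WIN_PRIVILEGED_INSTRUCTION:
+      exploitability_weight += kLargeBump;
+      break;
+
+    // These represent bugs in exception handlers.
+    case MD_EXCEPTION_CODE_WIN_INVALID_DISPOSITION:
+    case MD_EXCEPTION_CODE_WIN_NONCONTINUABLE_EXCEPTION:
+      exploitability_weight += kSmallBump;
+      break;
+
+    case MD_EXCEPTION_CODE_WIN_HEAP_CORRUPTION:
+    case MD_EXCEPTION_CODE_WIN_STACK_BUFFER_OVERRUN:
+      exploitability_weight += kHugeBump;
+      break;
+
+    case MD_EXCEPTION_CODE_WIN_GUARD_PAGE_VIOLATION:
+      exploitability_weight += kLargeBump;
+      break;
+
+    case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION:
+      bool near_null = (address <= kProbableNullOffset);
+      bool bad_read = false;
+      bool bad_write = false;
+      if (raw_exception->exception_record.number_parameters >= 1) {
+        MDAccessViolationTypeWin av_type =
+            static_cast<MDAccessViolationTypeWin>
+            (raw_exception->exception_record.exception_information[0]);
+        switch (av_type) {
+          case MD_ACCESS_VIOLATION_WIN_READ:
+            bad_read = true;
+            if (near_null)
+              exploitability_weight += kSmallBump;
+            else
+              exploitability_weight += kMediumBump;
+            break;
+          case MD_ACCESS_VIOLATION_WIN_WRITE:
+            bad_write = true;
+            if (near_null)
+              exploitability_weight += kSmallBump;
+            else
+              exploitability_weight += kHugeBump;
+            break;
+          case MD_ACCESS_VIOLATION_WIN_EXEC:
+            if (near_null)
+              exploitability_weight += kSmallBump;
+            else
+              exploitability_weight += kHugeBump;
+            break;
+          default:
+            BPLOG(INFO) << "Unrecognized access violation type.";
+            return EXPLOITABILITY_ERR_PROCESSING;
+            break;
+        }
+        MinidumpMemoryRegion *instruction_region = 0;
+        if (memory_available) {
+          instruction_region =
+              memory_list->GetMemoryRegionForAddress(instruction_ptr);
+        }
+        if (!near_null && instruction_region &&
+            context->GetContextCPU() == MD_CONTEXT_X86 &&
+            (bad_read || bad_write)) {
+          // Perform checks related to memory around instruction pointer.
+          uint32_t memory_offset =
+              instruction_ptr - instruction_region->GetBase();
+          uint32_t available_memory =
+              instruction_region->GetSize() - memory_offset;
+          available_memory = available_memory > kDisassembleBytesBeyondPC ?
+              kDisassembleBytesBeyondPC : available_memory;
+          if (available_memory) {
+            const uint8_t *raw_memory =
+                instruction_region->GetMemory() + memory_offset;
+            DisassemblerX86 disassembler(raw_memory,
+                                         available_memory,
+                                         instruction_ptr);
+            disassembler.NextInstruction();
+            if (bad_read)
+              disassembler.setBadRead();
+            else
+              disassembler.setBadWrite();
+            if (disassembler.currentInstructionValid()) {
+              // Check if the faulting instruction falls into one of
+              // several interesting groups.
+              switch (disassembler.currentInstructionGroup()) {
+                case libdis::insn_controlflow:
+                  exploitability_weight += kLargeBump;
+                  break;
+                case libdis::insn_string:
+                  exploitability_weight += kHugeBump;
+                  break;
+                default:
+                  break;
+              }
+              // Loop the disassembler through the code and check if it
+              // IDed any interesting conditions in the near future.
+              // Multiple flags may be set so treat each equally.
+              while (disassembler.NextInstruction() &&
+                     disassembler.currentInstructionValid() &&
+                     !disassembler.endOfBlock())
+                continue;
+              if (disassembler.flags() & DISX86_BAD_BRANCH_TARGET)
+                exploitability_weight += kLargeBump;
+              if (disassembler.flags() & DISX86_BAD_ARGUMENT_PASSED)
+                exploitability_weight += kTinyBump;
+              if (disassembler.flags() & DISX86_BAD_WRITE)
+                exploitability_weight += kMediumBump;
+              if (disassembler.flags() & DISX86_BAD_BLOCK_WRITE)
+                exploitability_weight += kMediumBump;
+              if (disassembler.flags() & DISX86_BAD_READ)
+                exploitability_weight += kTinyBump;
+              if (disassembler.flags() & DISX86_BAD_BLOCK_READ)
+                exploitability_weight += kTinyBump;
+              if (disassembler.flags() & DISX86_BAD_COMPARISON)
+                exploitability_weight += kTinyBump;
+            }
+          }
+        }
+        if (!near_null && AddressIsAscii(address))
+          exploitability_weight += kMediumBump;
+      } else {
+        BPLOG(INFO) << "Access violation type parameter missing.";
+        return EXPLOITABILITY_ERR_PROCESSING;
+      }
+  }
+
+  // Based on the calculated weight we return a simplified classification.
+  BPLOG(INFO) << "Calculated exploitability weight: " << exploitability_weight;
+  if (exploitability_weight >= kHighCutoff)
+    return EXPLOITABILITY_HIGH;
+  if (exploitability_weight >= kMediumCutoff)
+    return EXPLOITABLITY_MEDIUM;
+  if (exploitability_weight >= kLowCutoff)
+    return EXPLOITABILITY_LOW;
+  if (exploitability_weight >= kInterestingCutoff)
+    return EXPLOITABILITY_INTERESTING;
+
+  return EXPLOITABILITY_NONE;
+}
+
+}  // namespace google_breakpad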
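Review bot: The pointer handed to DisassemblerX86 is built as `instruction_region->GetMemory() + memory_offset` without checking the return of GetMemory(); if that accessor can fail and return a null pointer (as the memory-region readers elsewhere in this processor do, though that header is not in the hunk), the disassembler is then pointed at an invalid address while processing a minidump that is untrusted input. The cheapest guard is on the enclosing condition, `if (available_memory && instruction_region->GetMemory()) {`, with the same BPLOG(INFO)-and-skip treatment the surrounding code uses when memory is unavailable. Separately, `case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION:` introduces `near_null`, `bad_read` and `bad_write` without an enclosing `{ }`; this compiles only because it is the last label, and any case added after it will fail to compile for jumping past an initialization, so wrapping the case body in braces now would be the safer style. The `break;` following `return EXPLOITABILITY_ERR_PROCESSING;` in the access-violation `default:` branch is unreachable and can be dropped.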
