/thirdparty/breakpad/processor/exploitability_win.cc

http://github.com/tomahawk-player/tomahawk · C++ · 290 lines · 209 code · 29 blank · 52 comment · 36 complexity · 377445abcc374fc109d1a15a20321e87 MD5 · raw file

  1. // Copyright (c) 2010 Google Inc.
  2. // All rights reserved.
  3. //
  4. // Redistribution and use in source and binary forms, with or without
  5. // modification, are permitted provided that the following conditions are
  6. // met:
  7. //
  8. // * Redistributions of source code must retain the above copyright
  9. // notice, this list of conditions and the following disclaimer.
  10. // * Redistributions in binary form must reproduce the above
  11. // copyright notice, this list of conditions and the following disclaimer
  12. // in the documentation and/or other materials provided with the
  13. // distribution.
  14. // * Neither the name of Google Inc. nor the names of its
  15. // contributors may be used to endorse or promote products derived from
  16. // this software without specific prior written permission.
  17. //
  18. // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. // exploitability_win.cc: Windows specific exploitability engine.
  30. //
  31. // Provides a guess at the exploitability of the crash for the Windows
  32. // platform given a minidump and process_state.
  33. //
  34. // Author: Cris Neckar
  35. #include <vector>
  36. #include "processor/exploitability_win.h"
  37. #include "google_breakpad/common/minidump_exception_win32.h"
  38. #include "google_breakpad/processor/minidump.h"
  39. #include "processor/disassembler_x86.h"
  40. #include "processor/logging.h"
  41. #include "processor/scoped_ptr.h"
  42. #include "third_party/libdisasm/libdis.h"
  43. namespace google_breakpad {
  44. // The cutoff that we use to judge if and address is likely an offset
  45. // from various interesting addresses.
  46. static const u_int64_t kProbableNullOffset = 4096;
  47. static const u_int64_t kProbableStackOffset = 8192;
  48. // The various cutoffs for the different ratings.
  49. static const size_t kHighCutoff = 100;
  50. static const size_t kMediumCutoff = 80;
  51. static const size_t kLowCutoff = 50;
  52. static const size_t kInterestingCutoff = 25;
  53. // Predefined incremental values for conditional weighting.
  54. static const size_t kTinyBump = 5;
  55. static const size_t kSmallBump = 20;
  56. static const size_t kMediumBump = 50;
  57. static const size_t kLargeBump = 70;
  58. static const size_t kHugeBump = 90;
  59. // The maximum number of bytes to disassemble past the program counter.
  60. static const size_t kDisassembleBytesBeyondPC = 2048;
  61. ExploitabilityWin::ExploitabilityWin(Minidump *dump,
  62. ProcessState *process_state)
  63. : Exploitability(dump, process_state) { }
  64. ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() {
  65. MinidumpException *exception = dump_->GetException();
  66. if (!exception) {
  67. BPLOG(INFO) << "Minidump does not have exception record.";
  68. return EXPLOITABILITY_ERR_PROCESSING;
  69. }
  70. const MDRawExceptionStream *raw_exception = exception->exception();
  71. if (!raw_exception) {
  72. BPLOG(INFO) << "Could not obtain raw exception info.";
  73. return EXPLOITABILITY_ERR_PROCESSING;
  74. }
  75. const MinidumpContext *context = exception->GetContext();
  76. if (!context) {
  77. BPLOG(INFO) << "Could not obtain exception context.";
  78. return EXPLOITABILITY_ERR_PROCESSING;
  79. }
  80. MinidumpMemoryList *memory_list = dump_->GetMemoryList();
  81. bool memory_available = true;
  82. if (!memory_list) {
  83. BPLOG(INFO) << "Minidump memory segments not available.";
  84. memory_available = false;
  85. }
  86. u_int64_t address = process_state_->crash_address();
  87. u_int32_t exception_code = raw_exception->exception_record.exception_code;
  88. u_int32_t exploitability_weight = 0;
  89. u_int64_t stack_ptr = 0;
  90. u_int64_t instruction_ptr = 0;
  91. u_int64_t this_ptr = 0;
  92. switch (context->GetContextCPU()) {
  93. case MD_CONTEXT_X86:
  94. stack_ptr = context->GetContextX86()->esp;
  95. instruction_ptr = context->GetContextX86()->eip;
  96. this_ptr = context->GetContextX86()->ecx;
  97. break;
  98. case MD_CONTEXT_AMD64:
  99. stack_ptr = context->GetContextAMD64()->rsp;
  100. instruction_ptr = context->GetContextAMD64()->rip;
  101. this_ptr = context->GetContextAMD64()->rcx;
  102. break;
  103. default:
  104. BPLOG(INFO) << "Unsupported architecture.";
  105. return EXPLOITABILITY_ERR_PROCESSING;
  106. }
  107. // Check if we are executing on the stack.
  108. if (instruction_ptr <= (stack_ptr + kProbableStackOffset) &&
  109. instruction_ptr >= (stack_ptr - kProbableStackOffset))
  110. exploitability_weight += kHugeBump;
  111. switch (exception_code) {
  112. // This is almost certainly recursion.
  113. case MD_EXCEPTION_CODE_WIN_STACK_OVERFLOW:
  114. exploitability_weight += kTinyBump;
  115. break;
  116. // These exceptions tend to be benign and we can generally ignore them.
  117. case MD_EXCEPTION_CODE_WIN_INTEGER_DIVIDE_BY_ZERO:
  118. case MD_EXCEPTION_CODE_WIN_INTEGER_OVERFLOW:
  119. case MD_EXCEPTION_CODE_WIN_FLOAT_DIVIDE_BY_ZERO:
  120. case MD_EXCEPTION_CODE_WIN_FLOAT_INEXACT_RESULT:
  121. case MD_EXCEPTION_CODE_WIN_FLOAT_OVERFLOW:
  122. case MD_EXCEPTION_CODE_WIN_FLOAT_UNDERFLOW:
  123. case MD_EXCEPTION_CODE_WIN_IN_PAGE_ERROR:
  124. exploitability_weight += kTinyBump;
  125. break;
  126. // These exceptions will typically mean that we have jumped where we
  127. // shouldn't.
  128. case MD_EXCEPTION_CODE_WIN_ILLEGAL_INSTRUCTION:
  129. case MD_EXCEPTION_CODE_WIN_FLOAT_INVALID_OPERATION:
  130. case MD_EXCEPTION_CODE_WIN_PRIVILEGED_INSTRUCTION:
  131. exploitability_weight += kLargeBump;
  132. break;
  133. // These represent bugs in exception handlers.
  134. case MD_EXCEPTION_CODE_WIN_INVALID_DISPOSITION:
  135. case MD_EXCEPTION_CODE_WIN_NONCONTINUABLE_EXCEPTION:
  136. exploitability_weight += kSmallBump;
  137. break;
  138. case MD_EXCEPTION_CODE_WIN_HEAP_CORRUPTION:
  139. case MD_EXCEPTION_CODE_WIN_STACK_BUFFER_OVERRUN:
  140. exploitability_weight += kHugeBump;
  141. break;
  142. case MD_EXCEPTION_CODE_WIN_GUARD_PAGE_VIOLATION:
  143. exploitability_weight += kLargeBump;
  144. break;
  145. case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION:
  146. bool near_null = (address <= kProbableNullOffset);
  147. bool bad_read = false;
  148. bool bad_write = false;
  149. if (raw_exception->exception_record.number_parameters >= 1) {
  150. MDAccessViolationTypeWin av_type =
  151. static_cast<MDAccessViolationTypeWin>
  152. (raw_exception->exception_record.exception_information[0]);
  153. switch (av_type) {
  154. case MD_ACCESS_VIOLATION_WIN_READ:
  155. bad_read = true;
  156. if (near_null)
  157. exploitability_weight += kSmallBump;
  158. else
  159. exploitability_weight += kMediumBump;
  160. break;
  161. case MD_ACCESS_VIOLATION_WIN_WRITE:
  162. bad_write = true;
  163. if (near_null)
  164. exploitability_weight += kSmallBump;
  165. else
  166. exploitability_weight += kHugeBump;
  167. break;
  168. case MD_ACCESS_VIOLATION_WIN_EXEC:
  169. if (near_null)
  170. exploitability_weight += kSmallBump;
  171. else
  172. exploitability_weight += kHugeBump;
  173. break;
  174. default:
  175. BPLOG(INFO) << "Unrecognized access violation type.";
  176. return EXPLOITABILITY_ERR_PROCESSING;
  177. break;
  178. }
  179. MinidumpMemoryRegion *instruction_region = 0;
  180. if (memory_available) {
  181. instruction_region =
  182. memory_list->GetMemoryRegionForAddress(instruction_ptr);
  183. }
  184. if (!near_null && instruction_region &&
  185. context->GetContextCPU() == MD_CONTEXT_X86 &&
  186. (bad_read || bad_write)) {
  187. // Perform checks related to memory around instruction pointer.
  188. u_int32_t memory_offset =
  189. instruction_ptr - instruction_region->GetBase();
  190. u_int32_t available_memory =
  191. instruction_region->GetSize() - memory_offset;
  192. available_memory = available_memory > kDisassembleBytesBeyondPC ?
  193. kDisassembleBytesBeyondPC : available_memory;
  194. if (available_memory) {
  195. const u_int8_t *raw_memory =
  196. instruction_region->GetMemory() + memory_offset;
  197. DisassemblerX86 disassembler(raw_memory,
  198. available_memory,
  199. instruction_ptr);
  200. disassembler.NextInstruction();
  201. if (bad_read)
  202. disassembler.setBadRead();
  203. else
  204. disassembler.setBadWrite();
  205. if (disassembler.currentInstructionValid()) {
  206. // Check if the faulting instruction falls into one of
  207. // several interesting groups.
  208. switch (disassembler.currentInstructionGroup()) {
  209. case libdis::insn_controlflow:
  210. exploitability_weight += kLargeBump;
  211. break;
  212. case libdis::insn_string:
  213. exploitability_weight += kHugeBump;
  214. break;
  215. default:
  216. break;
  217. }
  218. // Loop the disassembler through the code and check if it
  219. // IDed any interesting conditions in the near future.
  220. // Multiple flags may be set so treat each equally.
  221. while (disassembler.NextInstruction() &&
  222. disassembler.currentInstructionValid() &&
  223. !disassembler.endOfBlock())
  224. continue;
  225. if (disassembler.flags() & DISX86_BAD_BRANCH_TARGET)
  226. exploitability_weight += kLargeBump;
  227. if (disassembler.flags() & DISX86_BAD_ARGUMENT_PASSED)
  228. exploitability_weight += kTinyBump;
  229. if (disassembler.flags() & DISX86_BAD_WRITE)
  230. exploitability_weight += kMediumBump;
  231. if (disassembler.flags() & DISX86_BAD_BLOCK_WRITE)
  232. exploitability_weight += kMediumBump;
  233. if (disassembler.flags() & DISX86_BAD_READ)
  234. exploitability_weight += kTinyBump;
  235. if (disassembler.flags() & DISX86_BAD_BLOCK_READ)
  236. exploitability_weight += kTinyBump;
  237. if (disassembler.flags() & DISX86_BAD_COMPARISON)
  238. exploitability_weight += kTinyBump;
  239. }
  240. }
  241. }
  242. if (!near_null && AddressIsAscii(address))
  243. exploitability_weight += kMediumBump;
  244. } else {
  245. BPLOG(INFO) << "Access violation type parameter missing.";
  246. return EXPLOITABILITY_ERR_PROCESSING;
  247. }
  248. }
  249. // Based on the calculated weight we return a simplified classification.
  250. BPLOG(INFO) << "Calculated exploitability weight: " << exploitability_weight;
  251. if (exploitability_weight >= kHighCutoff)
  252. return EXPLOITABILITY_HIGH;
  253. if (exploitability_weight >= kMediumCutoff)
  254. return EXPLOITABLITY_MEDIUM;
  255. if (exploitability_weight >= kLowCutoff)
  256. return EXPLOITABILITY_LOW;
  257. if (exploitability_weight >= kInterestingCutoff)
  258. return EXPLOITABILITY_INTERESTING;
  259. return EXPLOITABILITY_NONE;
  260. }
  261. } // namespace google_breakpad