handler/mac: Log a warning when an exception message has a suspicious

handler/mac/crash_report_exception_handler.cc

Index: handler/mac/crash_report_exception_handler.cc
diff --git a/handler/mac/crash_report_exception_handler.cc b/handler/mac/crash_report_exception_handler.cc
index b3b9605f8e7560b1dd7751404658570a996eed97..313d4e3b4a22f60102bd7808a15da831e86dd052 100644
--- a/handler/mac/crash_report_exception_handler.cc
+++ b/handler/mac/crash_report_exception_handler.cc
@@ -29,6 +29,7 @@
 #include "util/mach/exc_client_variants.h"
 #include "util/mach/exception_behaviors.h"
 #include "util/mach/mach_extensions.h"
+#include "util/mach/mach_message.h"
 #include "util/mach/scoped_task_suspend.h"
 #include "util/misc/tri_state.h"
 #include "util/misc/uuid.h"
@@ -119,6 +120,22 @@ kern_return_t CrashReportExceptionHandler::CatchMachException(
     return KERN_FAILURE;
   }
 
+  // Check for suspicious message sources. A suspicious exception message comes
+  // from a source other than the kernel or the process that the exception
+  // purportedly occurred in.
+  //
+  // TODO(mark): Consider exceptions outside of the range (0, 32) from the
+  // kernel to be suspicious, and exceptions other than kMachExceptionSimulated
+  // from the process itself to be suspicious.
+  pid_t audit_pid = AuditPIDFromMachMessageTrailer(trailer);
+  if (audit_pid != -1 && audit_pid != 0) {
+    pid_t exception_pid = process_snapshot.ProcessID();
+    if (exception_pid != audit_pid) {
+      LOG(WARNING) << "exception for pid " << exception_pid << " sent by pid "
+                   << audit_pid;
+    }
+  }
+
   CrashpadInfoClientOptions client_options;
   process_snapshot.GetCrashpadOptions(&client_options);