Checking location of the instruction pointer to see if it is

src/processor/exploitability_linux.cc

 // Copyright (c) 2013 Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 21 matching lines @@
 // Provides a guess at the exploitability of the crash for the Linux
 // platform given a minidump and process_state.
 //
 // Author: Matthew Riley
 
 #include "processor/exploitability_linux.h"
 
 #include "google_breakpad/processor/process_state.h"
 #include "google_breakpad/processor/call_stack.h"
 #include "google_breakpad/processor/stack_frame.h"
+#include "processor/logging.h"
 
 namespace {
 
 // This function in libc is called if the program was compiled with
 // -fstack-protector and a function's stack canary changes.
 const char kStackCheckFailureFunction[] = "__stack_chk_fail";
 
 // This function in libc is called if the program was compiled with
 // -D_FORTIFY_SOURCE=2, a function like strcpy() is called, and the runtime
 // can determine that the call would overflow the target buffer.
@@ skipping 21 matching lines @@
         return EXPLOITABILITY_HIGH;
       }
 
       if (crashing_thread_frames[i]->function_name ==
           kBoundsCheckFailureFunction) {
         return EXPLOITABILITY_HIGH;
       }
     }
   }
 
+  // Check if the instruction pointer is in a valid instruction region
+  // by finding if it maps to an executable part of memory
+  uint64_t instruction_ptr = 0;
+
+  // get exception data (should exist for all minidumps)
+  MinidumpException *exception = dump_->GetException();
+  if (exception == NULL) {
+    BPLOG(INFO) << "No exception record.";
+    return EXPLOITABILITY_ERR_PROCESSING;
+  }
+  const MinidumpContext *context = exception->GetContext();
+  if (context == NULL) {
+    BPLOG(INFO) << "No exception context.";
+    return EXPLOITABILITY_ERR_PROCESSING;
+  }
+
+  // get instruction pointer based off architecture
+  uint32_t architecture = context->GetContextCPU();
+  switch (architecture) {
+    case MD_CONTEXT_X86:
+      instruction_ptr = context->GetContextX86()->eip;
+      break;
+    case MD_CONTEXT_AMD64:
+      instruction_ptr = context->GetContextAMD64()->rip;
+      break;
+    default:
+      // TODO(liuandrew) support ARM and arm64 architectures

[ivanpe, 2015/06/25 20:58:39]

The style should be:

// TODO(liuandrew): Add support for ARM and arm64 architectures.

+      BPLOG(INFO) << "Unsupported architecture.";
+      return EXPLOITABILITY_ERR_PROCESSING;
+  }
+
+  if (!this->InstructionPointerInCode(instruction_ptr)) {
+    return EXPLOITABILITY_HIGH;
+  }
+
   return EXPLOITABILITY_NONE;
 }
 
+bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
+  // get memory mapping

[ivanpe, 2015/06/25 20:58:38]

same

+  // most minidumps will not contain a memory mapping, so we will commonly
+  // resort to stack pointer approximation and checking modules
+  MinidumpMemoryInfoList *mem_info_list = dump_->GetMemoryInfoList();
+  const MinidumpMemoryInfo *mem_info =
+      mem_info_list ?
+      mem_info_list->GetMemoryInfoForAddress(instruction_ptr) : NULL;
+
+  // check if the memory mapping at the instruction pointer is executable

[ivanpe, 2015/06/25 20:58:38]

same

+  // if there is no memory mapping, we will use stack pointer approximation
+  // and the modules as reference
+  if (mem_info != NULL) {
+    return mem_info->IsExecutable();
+  }
+
+  // if the memory mapping retrieval fails, we will approximate check

[ivanpe, 2015/06/25 20:58:39]

same

+  // modules to see if the instruction pointer is inside a module
+  // TODO(liuandrew) the entirety of a module is not necessarily executable

[ivanpe, 2015/06/25 20:58:39]

same:

TODO(liuandrew):

+  // check if the instruction pointer lies in an executable region
+  MinidumpModuleList *minidump_module_list = dump_->GetModuleList();
+  return !minidump_module_list ||
+          minidump_module_list->GetModuleForAddress(instruction_ptr);
+}
+
 }  // namespace google_breakpad