Checking for benign exceptions that trigger a minidump.

src/processor/exploitability_linux.cc

 // Copyright (c) 2013 Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 18 matching lines @@
 
 // exploitability_linux.cc: Linux specific exploitability engine.
 //
 // Provides a guess at the exploitability of the crash for the Linux
 // platform given a minidump and process_state.
 //
 // Author: Matthew Riley
 
 #include "processor/exploitability_linux.h"
 
+#include "google_breakpad/common/minidump_exception_linux.h"
 #include "google_breakpad/processor/process_state.h"
 #include "google_breakpad/processor/call_stack.h"
 #include "google_breakpad/processor/stack_frame.h"
 #include "processor/logging.h"
 
 namespace {
 
 // This function in libc is called if the program was compiled with
 // -fstack-protector and a function's stack canary changes.
 const char kStackCheckFailureFunction[] = "__stack_chk_fail";
@@ skipping 40 matching lines @@
   MinidumpException *exception = dump_->GetException();
   if (exception == NULL) {
     BPLOG(INFO) << "No exception record.";
     return EXPLOITABILITY_ERR_PROCESSING;
   }
   const MinidumpContext *context = exception->GetContext();
   if (context == NULL) {
     BPLOG(INFO) << "No exception context.";
     return EXPLOITABILITY_ERR_PROCESSING;
   }
+  const MDRawExceptionStream *raw_exception_stream = exception->exception();

[ivanpe, 2015/06/26 18:21:36]

Please, move this code new below the InstructionPointerInCode check.

[liuandrew, 2015/06/29 16:13:56]

Done.

+  if (raw_exception_stream == NULL) {
+    BPLOG(INFO) << "No raw exception stream.";
+    return EXPLOITABILITY_ERR_PROCESSING;
+  }
 
   // Getting instruction pointer based off architecture.
   uint32_t architecture = context->GetContextCPU();
   switch (architecture) {
     case MD_CONTEXT_X86:
       instruction_ptr = context->GetContextX86()->eip;
       break;
     case MD_CONTEXT_AMD64:
       instruction_ptr = context->GetContextAMD64()->rip;
       break;
     default:
       // TODO(liuandrew): Add support ARM and arm64 architectures.
       BPLOG(INFO) << "Unsupported architecture.";
       return EXPLOITABILITY_ERR_PROCESSING;
   }
 
   if (!this->InstructionPointerInCode(instruction_ptr)) {
     return EXPLOITABILITY_HIGH;
   }
 
+  // check for benign exceptions

[ivanpe, 2015/06/26 18:21:36]

Capitalize, punctuation, etc.

[liuandrew, 2015/06/29 16:13:56]

Done.

+  if (this->BenignCrashTrigger(raw_exception_stream)) {
+    return EXPLOITABILITY_NONE;
+  }
+
+  // TODO(liuandrew) change default exploitability rating

[ivanpe, 2015/06/26 18:21:36]

Should be // TODO(author): some text

[liuandrew, 2015/06/29 16:13:55]

Done.

   return EXPLOITABILITY_NONE;
 }
 
 bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
   // Here we get memory mapping. Most minidumps will not contain a memory
   // mapping, so we will commonly resort to checking modules.
   MinidumpMemoryInfoList *mem_info_list = dump_->GetMemoryInfoList();
   const MinidumpMemoryInfo *mem_info =
       mem_info_list ?
       mem_info_list->GetMemoryInfoForAddress(instruction_ptr) : NULL;
 
   // Checking if the memory mapping at the instruction pointer is executable.
   // If there is no memory mapping, we will use the modules as reference.
   if (mem_info != NULL) {
     return mem_info->IsExecutable();
   }
 
   // If the memory mapping retrieval fails, we will check the modules
   // to see if the instruction pointer is inside a module.
   // TODO(liuandrew): Check if the instruction pointer lies in an executable
   // region within the module.
   MinidumpModuleList *minidump_module_list = dump_->GetModuleList();
   return !minidump_module_list ||
           minidump_module_list->GetModuleForAddress(instruction_ptr);
 }
 
+bool ExploitabilityLinux::BenignCrashTrigger(const MDRawExceptionStream
+                                                  *raw_exception_stream) {
+  // here we check the cause of crash

[ivanpe, 2015/06/26 18:21:36]

Capitalize, punctuation, etc.

[liuandrew, 2015/06/29 16:13:56]

Done.

+  // if the exception of the crash is a benign exception,
+  // it is probably not exploitable
+  switch (raw_exception_stream->exception_record.exception_code) {
+    case MD_EXCEPTION_CODE_LIN_SIGHUP:

[ivanpe, 2015/06/26 18:21:36]

What is the rationale for considering these benign?  If there a document that
describe these?  Can you add a link to it in a comment?

+    case MD_EXCEPTION_CODE_LIN_SIGABRT:
+    case MD_EXCEPTION_CODE_LIN_SIGFPE:
+    case MD_EXCEPTION_CODE_LIN_SIGUSR1:
+    case MD_EXCEPTION_CODE_LIN_SIGUSR2:
+    case MD_EXCEPTION_CODE_LIN_SIGPIPE:
+    case MD_EXCEPTION_CODE_LIN_SIGALRM:
+    case MD_EXCEPTION_CODE_LIN_SIGTERM:
+    case MD_EXCEPTION_CODE_LIN_SIGCONT:
+    case MD_EXCEPTION_CODE_LIN_SIGSTOP:
+    case MD_EXCEPTION_CODE_LIN_SIGTSTP:
+    case MD_EXCEPTION_CODE_LIN_SIGTTIN:
+    case MD_EXCEPTION_CODE_LIN_SIGTTOU:
+    case MD_EXCEPTION_CODE_LIN_SIGURG:
+    case MD_EXCEPTION_CODE_LIN_SIGXCPU:
+    case MD_EXCEPTION_CODE_LIN_SIGXFSZ:
+    case MD_EXCEPTION_CODE_LIN_SIGVTALRM:
+    case MD_EXCEPTION_CODE_LIN_SIGPROF:
+    case MD_EXCEPTION_CODE_LIN_SIGWINCH:
+    case MD_EXCEPTION_CODE_LIN_SIGIO:
+    case MD_EXCEPTION_CODE_LIN_SIGPWR:
+    case MD_EXCEPTION_CODE_LIN_DUMP_REQUESTED:
+      return true;
+      break;
+    default:
+      return false;
+      break;
+  }
+}
+
 }  // namespace google_breakpad