Add ELF header analysis when checking for instruction pointer in code.

src/processor/exploitability_linux.cc

 // Copyright (c) 2013 Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 18 matching lines @@
 
 // exploitability_linux.cc: Linux specific exploitability engine.
 //
 // Provides a guess at the exploitability of the crash for the Linux
 // platform given a minidump and process_state.
 //
 // Author: Matthew Riley
 
 #include "processor/exploitability_linux.h"
 
+#include <assert.h>
+#include <elf.h>
+#include <stdlib.h>
+#include <string.h>
+
 #include "google_breakpad/common/minidump_exception_linux.h"
 #include "google_breakpad/processor/call_stack.h"
 #include "google_breakpad/processor/process_state.h"
 #include "google_breakpad/processor/stack_frame.h"
 #include "processor/logging.h"
 
 namespace {
 
 // This function in libc is called if the program was compiled with
 // -fstack-protector and a function's stack canary changes.
@@ skipping 53 matching lines @@
   // Check if the instruction pointer is in a valid instruction region
   // by finding if it maps to an executable part of memory.
   uint64_t instruction_ptr = 0;
 
   const MinidumpContext *context = exception->GetContext();
   if (context == NULL) {
     BPLOG(INFO) << "No exception context.";
     return EXPLOITABILITY_ERR_PROCESSING;
   }
 
+  if (this->ArchitectureType() == UNSUPPORTED_ARCHITECTURE) {
+    BPLOG(INFO) << "Unsupported architecture.";
+    return EXPLOITABILITY_ERR_PROCESSING;
+  }
   // Getting the instruction pointer.
   if (!context->GetInstructionPointer(&instruction_ptr)) {
+    BPLOG(INFO) << "Failed to retrieve instruction pointer.";
     return EXPLOITABILITY_ERR_PROCESSING;
   }
 
   // Checking for the instruction pointer in a valid instruction region.
   if (!this->InstructionPointerInCode(instruction_ptr)) {
     return EXPLOITABILITY_HIGH;
   }
 
+  // There was no strong evidence suggesting exploitability, but the minidump
+  // does not appear totally benign either.
   return EXPLOITABILITY_INTERESTING;
 }
 
+LinuxArchitectureType ExploitabilityLinux::ArchitectureType() {
+  // GetContextCPU() should have already been successfully called before
+  // calling this method. Thus there should be a raw exception stream for
+  // the minidump.
+  MinidumpException *exception = dump_->GetException();
+  const DumpContext *dump_context =
+      exception ?
+      exception->GetContext() : NULL;
+  if (dump_context == NULL) {
+    BPLOG(INFO) << "No raw dump context.";
+    return UNSUPPORTED_ARCHITECTURE;
+  }
+
+  // Check the architecture type.
+  switch (dump_context->GetContextCPU()) {
+    case MD_CONTEXT_ARM:
+    case MD_CONTEXT_X86:
+      return LINUX_32_BIT;
+    case MD_CONTEXT_ARM64:
+    case MD_CONTEXT_AMD64:
+      return LINUX_64_BIT;
+    default:
+      // This should not happen. The four architectures above should be
+      // the only Linux architectures.
+      BPLOG(INFO) << "Unsupported architecture.";
+      return UNSUPPORTED_ARCHITECTURE;
+  }
+}
+
 bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
-  // Here we get memory mapping. Most minidumps will not contain a memory
-  // mapping, so we will commonly resort to checking modules.
+  // Get memory mapping. Most minidumps will not contain a memory
+  // mapping, so processing will commonly resort to checking modules.
   MinidumpMemoryInfoList *mem_info_list = dump_->GetMemoryInfoList();
   const MinidumpMemoryInfo *mem_info =
       mem_info_list ?
       mem_info_list->GetMemoryInfoForAddress(instruction_ptr) : NULL;
 
-  // Checking if the memory mapping at the instruction pointer is executable.
-  // If there is no memory mapping, we will use the modules as reference.
+  // Check if the memory mapping at the instruction pointer is executable.
+  // If there is no memory mapping, processing will use the modules as reference.
   if (mem_info != NULL) {
     return mem_info->IsExecutable();
   }
 
-  // If the memory mapping retrieval fails, we will check the modules
+  // If the memory mapping retrieval fails, check the modules
   // to see if the instruction pointer is inside a module.
-  // TODO(liuandrew): Check if the instruction pointer lies in an executable
-  // region within the module.
   MinidumpModuleList *minidump_module_list = dump_->GetModuleList();
-  return !minidump_module_list ||
-          minidump_module_list->GetModuleForAddress(instruction_ptr);
+  const MinidumpModule *minidump_module =
+      minidump_module_list ?
+      minidump_module_list->GetModuleForAddress(instruction_ptr) : NULL;
+
+  // If the instruction pointer isn't in a module, return false.
+  if (minidump_module == NULL) {
+    return false;
+  }
+
+  // Get ELF header data from the instruction pointer's module.
+  const uint64_t base_address = minidump_module->base_address();
+  MinidumpMemoryList *memory_list = dump_->GetMemoryList();
+  MinidumpMemoryRegion *memory_region =
+      memory_list ?
+      memory_list->GetMemoryRegionForAddress(base_address) : NULL;
+
+  // The minidump does not have the correct memory region.
+  // This returns true because even though there is no memory data available,
+  // the evidence so far suggests that the instruction pointer is not at a
+  // bad location.
+  if (memory_region == NULL) {
+    return true;
+  }
+
+  // Examine ELF headers. Depending on the architecture, the size of the
+  // ELF headers can differ.
+  LinuxArchitectureType architecture =  this->ArchitectureType();
+  if (architecture == LINUX_32_BIT) {
+    // Check if the ELF header is within the memory region and if the
+    // instruction pointer lies within the ELF header.
+    if (memory_region->GetSize() < sizeof(Elf32_Ehdr) ||
+        instruction_ptr < base_address + sizeof(Elf32_Ehdr)) {
+      return false;
+    }
+    // Load 32-bit ELF header.
+    scoped_ptr<Elf32_Ehdr> header(new Elf32_Ehdr);

[ivanpe, 2015/07/16 00:45:23]

Is this header needed only in the scope of this method?  If yes, then you can
allocate it on the stack:

  Elf32_Ehdr header;

[liuandrew, 2015/07/16 17:07:02]

Done.

You're right; it is only needed within the method. Having the ELF header be a
pointer was a vestige from the design of the first patch set.

+    this->LoadElfHeader(header, memory_region, base_address);
+    // Check if the program header table is within the memory region, and
+    // validate that the program header entry size is correct.
+    if (header->e_phentsize != sizeof(Elf32_Phdr) ||
+        memory_region->GetSize() <
+        header->e_phoff + (header->e_phentsize * header->e_phnum)) {
+      return false;
+    }
+    // Load 32-bit Program Header Table.
+    scoped_array<Elf32_Phdr> program_headers(new Elf32_Phdr[header->e_phnum]);
+    this->LoadElfHeaderTable(program_headers,
+                             memory_region,
+                             base_address + header->e_phoff,
+                             header->e_phnum);
+    // Find correct program header that corresponds to the instruction pointer.
+    for (int i = 0; i < header->e_phnum; i++) {
+      const Elf32_Phdr& program_header = program_headers[i];
+      // Check if instruction pointer lies within this program header's region.
+      if (instruction_ptr >= program_header.p_vaddr &&
+          instruction_ptr < program_header.p_vaddr + program_header.p_memsz) {
+        // Return whether this program header region is executable.
+        return program_header.p_flags & PF_X;
+      }
+    }
+  } else if (architecture == LINUX_64_BIT) {
+    // Check if the ELF header is within the memory region and if the
+    // instruction pointer lies within the ELF header.
+    if (memory_region->GetSize() < sizeof(Elf64_Ehdr) ||
+        instruction_ptr < base_address + sizeof(Elf64_Ehdr)) {
+      return false;
+    }
+    // Load 64-bit ELF header.
+    scoped_ptr<Elf64_Ehdr> header(new Elf64_Ehdr);

[ivanpe, 2015/07/16 00:45:23]

Elf64_Ehdr header;

[liuandrew, 2015/07/16 17:07:02]

Done.

+    this->LoadElfHeader(header, memory_region, base_address);
+    // Check if the program header table is within the memory region, and
+    // validate that the program header entry size is correct.
+    if (header->e_phentsize != sizeof(Elf64_Phdr) || 
+        memory_region->GetSize() <
+        header->e_phoff + (header->e_phentsize * header->e_phnum)) {
+      return false;
+    }
+    // Load 64-bit Program Header Table.
+    scoped_array<Elf64_Phdr> program_headers(new Elf64_Phdr[header->e_phnum]);
+    this->LoadElfHeaderTable(program_headers,
+                             memory_region,
+                             base_address + header->e_phoff,
+                             header->e_phnum);
+    // Find correct program header that corresponds to the instruction pointer.
+    for (int i = 0; i < header->e_phnum; i++) {
+      const Elf64_Phdr& program_header = program_headers[i];
+      // Check if instruction pointer lies within this program header's region.
+      if (instruction_ptr >= program_header.p_vaddr &&
+          instruction_ptr < program_header.p_vaddr + program_header.p_memsz) {
+        // Return whether this program header region is executable.
+        return program_header.p_flags & PF_X;
+      }
+    }
+  }
+
+  // The instruction pointer was not in an area identified by the ELF headers.
+  return false;
 }
 
 bool ExploitabilityLinux::BenignCrashTrigger(const MDRawExceptionStream
                                                   *raw_exception_stream) {
-  // Here we check the cause of crash.
+  // Check the cause of crash.
   // If the exception of the crash is a benign exception,
   // it is probably not exploitable.
   switch (raw_exception_stream->exception_record.exception_code) {
     case MD_EXCEPTION_CODE_LIN_SIGHUP:
     case MD_EXCEPTION_CODE_LIN_SIGINT:
     case MD_EXCEPTION_CODE_LIN_SIGQUIT:
     case MD_EXCEPTION_CODE_LIN_SIGTRAP:
     case MD_EXCEPTION_CODE_LIN_SIGABRT:
     case MD_EXCEPTION_CODE_LIN_SIGFPE:
     case MD_EXCEPTION_CODE_LIN_SIGKILL:
@@ skipping 20 matching lines @@
     case MD_EXCEPTION_CODE_LIN_DUMP_REQUESTED:
       return true;
       break;
     default:
       return false;
       break;
   }
 }
 
 }  // namespace google_breakpad