Add ELF header analysis when checking for instruction pointer in code.

src/processor/exploitability_linux.h

 // Copyright (c) 2013 Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 19 matching lines @@
 // exploitability_linux.h: Linux specific exploitability engine.
 //
 // Provides a guess at the exploitability of the crash for the Linux
 // platform given a minidump and process_state.
 //
 // Author: Matthew Riley
 
 #ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_
 #define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_
 
+#include <elf.h>
+#include <string.h>
+
+#include "common/scoped_ptr.h"
 #include "google_breakpad/common/breakpad_types.h"
 #include "google_breakpad/processor/exploitability.h"
 
 namespace google_breakpad {
 
+enum LinuxArchitectureType {
+  // A 32-bit Linux architecture.
+  LINUX_32_BIT,
+
+  // A 64-bit Linux architecture.
+  LINUX_64_BIT,
+
+  // Some other architecture that is not Linux.
+  UNSUPPORTED_ARCHITECTURE
+};
+
 class ExploitabilityLinux : public Exploitability {
  public:
   ExploitabilityLinux(Minidump *dump,
                       ProcessState *process_state);
 
   virtual ExploitabilityRating CheckPlatformExploitability();
 
  private:
   // This method takes the address of the instruction pointer and returns
   // whether the instruction pointer lies in a valid instruction region.
   bool InstructionPointerInCode(uint64_t instruction_ptr);
 
   // This method checks the exception that triggered the creation of the
   // minidump and reports whether the exception suggests no exploitability.
   bool BenignCrashTrigger(const MDRawExceptionStream *raw_exception_stream);
+
+  // Checks if the minidump architecture is 32-bit or 64-bit.
+  LinuxArchitectureType ArchitectureType();
+
+  // Loads ELF header data of the module present in the given memory
+  // region into the scoped pointer.
+  // This method takes a scoped pointer in which the ELF header data is
+  // loaded, the memory region containing the ELF header, and the base
+  // address of the ELF header.
+  template<typename T>
+  void LoadElfHeader(scoped_ptr<T>& header,

[ivanpe, 2015/07/16 00:45:23]

Please, move the out parameter to the end.  Also the type of the out parameter
should be T*.  No need to pass a reference to a scoped_ptr in this case.

[liuandrew, 2015/07/16 17:07:02]

Done.

+                     MinidumpMemoryRegion *memory,
+                     uint64_t base_address) {
+    for (size_t i = 0; i < sizeof(T); i++) {
+      uint8_t my_byte = 0;
+      memory->GetMemoryAtAddress(base_address + i, &my_byte);
+      memcpy(((char *) header.get()) + i, &my_byte, sizeof(uint8_t));
+    }
+  }
+
+  // Loads the Program Header Table of the module present in the given
+  // memory region into the scoped array.
+  // This method takes a scoped array in which the header table data is
+  // loaded, the memory region containing the table, the base address of
+  // the program header table, and the number of entries in the table.
+  template<typename T>
+  void LoadElfHeaderTable(scoped_array<T>& table,
+                          MinidumpMemoryRegion *memory,
+                          uint64_t base_address,
+                          uint16_t e_phnum) {

[ivanpe, 2015/07/16 00:45:23]

Please, update the function signature as follows:

   template<typename T>
   void LoadElfHeaderTable(MinidumpMemoryRegion *memory,
                           uint64_t base_address,
                           uint16_t e_phnum,
                           T* table)   // or   T table[]

[liuandrew, 2015/07/16 17:07:02]

Done.

+    uint64_t offset = 0;
+    for (size_t i = 0; i < e_phnum; i++) {
+      for (size_t j = 0; j < sizeof(T); j++) {
+        uint8_t my_byte = 0;
+        memory->GetMemoryAtAddress(base_address + offset, &my_byte);
+        memcpy(((char *) table.get()) + offset, &my_byte, sizeof(uint8_t));
+        offset++;

[ivanpe, 2015/07/16 00:45:23]

This is a bit scary.  I'm concerned about padding at the end of the struct (due
to the alignment requirements of T). The next element in the table[] may not
necessarily be adjacent in memory to the previous one.  I think that the n-th
table entry must be written at address &table[n].  Or we should assert that
&table[n] == table.get() + offset when starting a new table entry.

[liuandrew, 2015/07/16 17:07:02]

Done.

Good point. It never occurred to me since it was working for the tests. But it
makes sense especially since this is a method with generic types.

+      }
+    }
+  }
+
 };
 
 }  // namespace google_breakpad
 
 #endif  // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_LINUX_H_