Add support for Linux memory mapping stream and remove ELF header usage

src/processor/exploitability_linux.cc

 // Copyright (c) 2013 Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 18 matching lines @@
 
 // exploitability_linux.cc: Linux specific exploitability engine.
 //
 // Provides a guess at the exploitability of the crash for the Linux
 // platform given a minidump and process_state.
 //
 // Author: Matthew Riley
 
 #include "processor/exploitability_linux.h"
 
-#include <elf.h>
-
 #include "google_breakpad/common/minidump_exception_linux.h"
 #include "google_breakpad/processor/call_stack.h"
 #include "google_breakpad/processor/process_state.h"
 #include "google_breakpad/processor/stack_frame.h"
 #include "processor/logging.h"
 
 namespace {
 
 // This function in libc is called if the program was compiled with
 // -fstack-protector and a function's stack canary changes.
@@ skipping 103 matching lines @@
       return LINUX_64_BIT;
     default:
       // This should not happen. The four architectures above should be
       // the only Linux architectures.
       BPLOG(INFO) << "Unsupported architecture.";
       return UNSUPPORTED_ARCHITECTURE;
   }
 }
 
 bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
-  // Get memory mapping. Most minidumps will not contain a memory
-  // mapping, so processing will commonly resort to checking modules.
-  MinidumpMemoryInfoList *mem_info_list = dump_->GetMemoryInfoList();
-  const MinidumpMemoryInfo *mem_info =
-      mem_info_list ?
-      mem_info_list->GetMemoryInfoForAddress(instruction_ptr) : NULL;
-
-  // Check if the memory mapping at the instruction pointer is executable.
-  // If there is no memory mapping, processing will use modules as reference.
-  if (mem_info != NULL) {
-    return mem_info->IsExecutable();
-  }
-
-  // If the memory mapping retrieval fails, check the modules
-  // to see if the instruction pointer is inside a module.
-  MinidumpModuleList *minidump_module_list = dump_->GetModuleList();
-  const MinidumpModule *minidump_module =
-      minidump_module_list ?
-      minidump_module_list->GetModuleForAddress(instruction_ptr) : NULL;
-
-  // If the instruction pointer isn't in a module, return false.
-  if (minidump_module == NULL) {
-    return false;
-  }
-
-  // Get ELF header data from the instruction pointer's module.
-  const uint64_t base_address = minidump_module->base_address();
-  MinidumpMemoryList *memory_list = dump_->GetMemoryList();
-  MinidumpMemoryRegion *memory_region =
-      memory_list ?
-      memory_list->GetMemoryRegionForAddress(base_address) : NULL;
-
-  // The minidump does not have the correct memory region.
-  // This returns true because even though there is no memory data available,
-  // the evidence so far suggests that the instruction pointer is not at a
-  // bad location.
-  if (memory_region == NULL) {
-    return true;
-  }
-
-  // Examine ELF headers. Depending on the architecture, the size of the
-  // ELF headers can differ.
-  LinuxArchitectureType architecture =  this->ArchitectureType();
-  if (architecture == LINUX_32_BIT) {
-    // Check if the ELF header is within the memory region and if the
-    // instruction pointer lies within the ELF header.
-    if (memory_region->GetSize() < sizeof(Elf32_Ehdr) ||
-        instruction_ptr < base_address + sizeof(Elf32_Ehdr)) {
-      return false;
-    }
-    // Load 32-bit ELF header.
-    Elf32_Ehdr header;
-    this->LoadElfHeader(memory_region, base_address, &header);
-    // Check if the program header table is within the memory region, and
-    // validate that the program header entry size is correct.
-    if (header.e_phentsize != sizeof(Elf32_Phdr) ||
-        memory_region->GetSize() <
-        header.e_phoff +
-        ((uint64_t) header.e_phentsize * (uint64_t) header.e_phnum)) {
-      return false;
-    }
-    // Load 32-bit Program Header Table.
-    scoped_array<Elf32_Phdr> program_headers(new Elf32_Phdr[header.e_phnum]);
-    this->LoadElfHeaderTable(memory_region,
-                             base_address + header.e_phoff,
-                             header.e_phnum,
-                             program_headers.get());
-    // Find correct program header that corresponds to the instruction pointer.
-    for (int i = 0; i < header.e_phnum; i++) {
-      const Elf32_Phdr& program_header = program_headers[i];
-      // Check if instruction pointer lies within this program header's region.
-      if (instruction_ptr >= program_header.p_vaddr &&
-          instruction_ptr < program_header.p_vaddr + program_header.p_memsz) {
-        // Return whether this program header region is executable.
-        return program_header.p_flags & PF_X;
-      }
-    }
-  } else if (architecture == LINUX_64_BIT) {
-    // Check if the ELF header is within the memory region and if the
-    // instruction pointer lies within the ELF header.
-    if (memory_region->GetSize() < sizeof(Elf64_Ehdr) ||
-        instruction_ptr < base_address + sizeof(Elf64_Ehdr)) {
-      return false;
-    }
-    // Load 64-bit ELF header.
-    Elf64_Ehdr header;
-    this->LoadElfHeader(memory_region, base_address, &header);

[ivanpe, 2015/07/23 01:17:12]

Please, make sure to cleanup all functions that are not needed anymore.

[liuandrew, 2015/07/24 23:25:36]

Done.

-    // Check if the program header table is within the memory region, and
-    // validate that the program header entry size is correct.
-    if (header.e_phentsize != sizeof(Elf64_Phdr) ||
-        memory_region->GetSize() <
-        header.e_phoff +
-        ((uint64_t) header.e_phentsize * (uint64_t) header.e_phnum)) {
-      return false;
-    }
-    // Load 64-bit Program Header Table.
-    scoped_array<Elf64_Phdr> program_headers(new Elf64_Phdr[header.e_phnum]);
-    this->LoadElfHeaderTable(memory_region,
-                             base_address + header.e_phoff,
-                             header.e_phnum,
-                             program_headers.get());
-    // Find correct program header that corresponds to the instruction pointer.
-    for (int i = 0; i < header.e_phnum; i++) {
-      const Elf64_Phdr& program_header = program_headers[i];
-      // Check if instruction pointer lies within this program header's region.
-      if (instruction_ptr >= program_header.p_vaddr &&
-          instruction_ptr < program_header.p_vaddr + program_header.p_memsz) {
-        // Return whether this program header region is executable.
-        return program_header.p_flags & PF_X;
-      }
-    }
-  }
-
-  // The instruction pointer was not in an area identified by the ELF headers.
-  return false;
+  // Get Linux memory mapping from /proc/self/maps. Checking whether the
+  // region the instruction pointer is in has executable permission can tell
+  // whether it is in a valid code region. If there is no mapping for the
+  // instruction pointer, it is indicative that the instruction pointer is
+  // not within a module, which implies that it is outside a valid area.
+  MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
+  const MinidumpLinuxMaps *linux_maps =
+      linux_maps_list ?
+      linux_maps_list->GetLinuxMapsForAddress(instruction_ptr) : NULL;
+  return linux_maps ? linux_maps->IsExecutable() : false;
 }
 
 bool ExploitabilityLinux::BenignCrashTrigger(const MDRawExceptionStream
                                                   *raw_exception_stream) {
   // Check the cause of crash.
   // If the exception of the crash is a benign exception,
   // it is probably not exploitable.
   switch (raw_exception_stream->exception_record.exception_code) {
     case MD_EXCEPTION_CODE_LIN_SIGHUP:
     case MD_EXCEPTION_CODE_LIN_SIGINT:
@@ skipping 25 matching lines @@
     case MD_EXCEPTION_CODE_LIN_DUMP_REQUESTED:
       return true;
       break;
     default:
       return false;
       break;
   }
 }
 
 }  // namespace google_breakpad