Add check for Linux minidump ending on bad write for exploitability rating.

src/processor/exploitability_unittest.cc

 // Copyright (c) 2010, Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 15 matching lines @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE
 
 #include <stdlib.h>
 #include <unistd.h>
 
 #include <string>
 
 #include "breakpad_googletest_includes.h"
+#include "common/scoped_ptr.h"
 #include "common/using_std_string.h"
 #include "google_breakpad/processor/basic_source_line_resolver.h"
 #include "google_breakpad/processor/minidump_processor.h"
 #include "google_breakpad/processor/process_state.h"
+#include "processor/exploitability_linux.h"
 #include "processor/simple_symbol_supplier.h"
 
+#ifndef _WIN32
+namespace google_breakpad {
+
+class ExploitabilityLinuxTest : public ExploitabilityLinux {
+ public:
+  using ExploitabilityLinux::DisassembleBytes;
+  using ExploitabilityLinux::TokenizeObjdumpInstruction;
+  using ExploitabilityLinux::CalculateAddress;
+};
+
+class ExploitabilityLinuxTestMinidumpContext : public MinidumpContext {
+ public:
+  explicit ExploitabilityLinuxTestMinidumpContext(const MDRawContextAMD64&
+                                                  context)
+       : MinidumpContext(NULL) {
+    valid_ = true;
+    SetContextAMD64(new MDRawContextAMD64(context));
+    SetContextFlags(MD_CONTEXT_AMD64);
+  }
+};
+
+}  // namespace google_breakpad
+#endif  // _WIN32
+
 namespace {
 
 using google_breakpad::BasicSourceLineResolver;
+#ifndef _WIN32
+using google_breakpad::ExploitabilityLinuxTest;
+using google_breakpad::ExploitabilityLinuxTestMinidumpContext;
+#endif  // _WIN32
 using google_breakpad::MinidumpProcessor;
 using google_breakpad::ProcessState;
+using google_breakpad::scoped_ptr;
 using google_breakpad::SimpleSymbolSupplier;
 
 string TestDataDir() {
   return string(getenv("srcdir") ? getenv("srcdir") : ".") +
       "/src/processor/testdata";
 }
 
 // Find the given dump file in <srcdir>/src/processor/testdata, process it,
 // and get the exploitability rating. Returns EXPLOITABILITY_ERR_PROCESSING
 // if the crash dump can't be processed.
@@ skipping 35 matching lines @@
             ExploitabilityFor("null_read_av.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE,
             ExploitabilityFor("null_write_av.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_NONE,
             ExploitabilityFor("stack_exhaustion.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
             ExploitabilityFor("exec_av_on_stack.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_MEDIUM,
             ExploitabilityFor("write_av_non_null.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
-            ExploitabilityFor("read_av_non_null.dmp"));
-  ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
             ExploitabilityFor("read_av_clobber_write.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_LOW,
             ExploitabilityFor("read_av_conditional.dmp"));
 }
 
 TEST(ExploitabilityTest, TestLinuxEngine) {
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
             ExploitabilityFor("linux_null_read_av.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
             ExploitabilityFor("linux_overflow.dmp"));
@@ skipping 14 matching lines @@
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
             ExploitabilityFor("linux_inside_module_exe_region2.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
             ExploitabilityFor("linux_stack_pointer_in_stack.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
             ExploitabilityFor("linux_stack_pointer_in_module.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
             ExploitabilityFor("linux_executable_stack.dmp"));
   ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
             ExploitabilityFor("linux_executable_heap.dmp"));
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
+            ExploitabilityFor("linux_jmp_to_module_not_exe_region.dmp"));
+#ifndef _WIN32
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
+            ExploitabilityFor("linux_write_to_nonwritable_module.dmp"));
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
+            ExploitabilityFor("linux_write_to_nonwritable_region_math.dmp"));
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
+            ExploitabilityFor("linux_write_to_outside_module.dmp"));
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_HIGH,
+            ExploitabilityFor("linux_write_to_outside_module_via_math.dmp"));
+#endif  // _WIN32
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_INTERESTING,
+            ExploitabilityFor("linux_write_to_under_4k.dmp"));
+}
 
+#ifndef _WIN32
+TEST(ExploitabilityLinuxUtilsTest, DisassembleBytesTest) {
+  ASSERT_FALSE(ExploitabilityLinuxTest::DisassembleBytes("", NULL, 5, NULL));
+  uint8_t bytes[6] = {0xc7, 0x0, 0x5, 0x0, 0x0, 0x0};
+  char buffer[1024] = {0};
+  ASSERT_TRUE(ExploitabilityLinuxTest::DisassembleBytes("i386:x86-64",
+                                                        bytes,
+                                                        1024,
+                                                        buffer));
+  regex_t regex;
+  regcomp(&regex, "0:", REG_EXTENDED | REG_NOSUB);
+  std::stringstream objdump_stream;
+  objdump_stream.str(string(buffer));
+  string line;
+  while (regexec(&regex, line.c_str(), 0, NULL, 0) &&
+         getline(objdump_stream, line)) {
+  }
+  ASSERT_EQ(line, "   0:\tc7 00 05 00 00 00    \tmov    DWORD PTR [rax],0x5");
 }
+
+TEST(ExploitabilityLinuxUtilsTest, TokenizeObjdumpInstructionTest) {
+  ASSERT_FALSE(ExploitabilityLinuxTest::TokenizeObjdumpInstruction("",
+                                                                   NULL,
+                                                                   NULL,
+                                                                   NULL));
+  string line = "0: c7 00 05 00 00 00     mov    DWORD PTR [rax],0x5";
+  string operation = "";
+  string dest = "";
+  string src = "";
+  ASSERT_TRUE(ExploitabilityLinuxTest::TokenizeObjdumpInstruction(line,
+                                                                  &operation,
+                                                                  &dest,
+                                                                  &src));
+  ASSERT_EQ(operation, "mov");
+  ASSERT_EQ(dest, "[rax]");
+  ASSERT_EQ(src, "0x5");
+  line = "0: c3 ret";
+  ASSERT_TRUE(ExploitabilityLinuxTest::TokenizeObjdumpInstruction(line,
+                                                                  &operation,
+                                                                  &dest,
+                                                                  &src));
+  ASSERT_EQ(operation, "ret");
+  ASSERT_EQ(dest, "");
+  ASSERT_EQ(src, "");
+  line = "0: 5f pop rdi";
+  ASSERT_TRUE(ExploitabilityLinuxTest::TokenizeObjdumpInstruction(line,
+                                                                  &operation,
+                                                                  &dest,
+                                                                  &src));
+  ASSERT_EQ(operation, "pop");
+  ASSERT_EQ(dest, "rdi");
+  ASSERT_EQ(src, "");
 }
+
+TEST(ExploitabilityLinuxUtilsTest, CalculateAddressTest) {
+  MDRawContextAMD64 raw_context;
+  raw_context.rdx = 12345;
+  ExploitabilityLinuxTestMinidumpContext context(raw_context);
+  ASSERT_EQ(context.GetContextAMD64()->rdx, 12345);
+  ASSERT_FALSE(ExploitabilityLinuxTest::CalculateAddress("", context, NULL));
+  uint64_t write_address = 0;
+  ASSERT_TRUE(ExploitabilityLinuxTest::CalculateAddress("rdx-0x4D2",
+                                                        context,
+                                                        &write_address));
+  ASSERT_EQ(write_address, 11111);
+  ASSERT_TRUE(ExploitabilityLinuxTest::CalculateAddress("rdx+0x4D2",
+                                                        context,
+                                                        &write_address));
+  ASSERT_EQ(write_address, 13579);
+  ASSERT_FALSE(ExploitabilityLinuxTest::CalculateAddress("rdx+rax",
+                                                         context,
+                                                         &write_address));
+  ASSERT_FALSE(ExploitabilityLinuxTest::CalculateAddress("0x3482+0x4D2",
+                                                         context,
+                                                         &write_address));
+}
+#endif  // _WIN32
+
+}  // namespace