Add check for executable stack/heap when rating Linux exploitability.

src/processor/exploitability_linux.cc

 // Copyright (c) 2013 Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 106 matching lines @@
   }
 
   // Getting the stack pointer.
   if (!context->GetStackPointer(&stack_ptr)) {
     BPLOG(INFO) << "Failed to retrieve stack pointer.";
     return EXPLOITABILITY_ERR_PROCESSING;
   }
 
   // Checking for the instruction pointer in a valid instruction region.
   if (!this->InstructionPointerInCode(instruction_ptr) ||
-       this->StackPointerOffStack(stack_ptr)) {
+       this->StackPointerOffStack(stack_ptr) ||
+       this->ExecutableStackOrHeap()) {
     return EXPLOITABILITY_HIGH;
   }
 
   // There was no strong evidence suggesting exploitability, but the minidump
   // does not appear totally benign either.
   return EXPLOITABILITY_INTERESTING;
 }
 
 bool ExploitabilityLinux::StackPointerOffStack(uint64_t stack_ptr) {
   MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
   // Inconclusive if there are no mappings available.
   if (!linux_maps_list) {
     return false;
   }
   const MinidumpLinuxMaps *linux_maps =
       linux_maps_list->GetLinuxMapsForAddress(stack_ptr);
   // Checks if the stack pointer maps to a valid mapping and if the mapping
   // is not the stack. If the mapping has no name, it is inconclusive whether
   // it is off the stack.
   return !linux_maps ||
          (linux_maps->GetPathname().compare("") &&
           linux_maps->GetPathname().compare("[stack]"));
 }
 
+bool ExploitabilityLinux::ExecutableStackOrHeap() {
+  MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
+  if (linux_maps_list) {
+    for (size_t i = 0; i < linux_maps_list->get_maps_count(); i++) {
+      const MinidumpLinuxMaps *linux_maps =
+          linux_maps_list->GetLinuxMapsAtIndex(i);
+      // Check for executable stack or heap for each mapping.
+      if (linux_maps &&
+          (!linux_maps->GetPathname().compare("[stack]") ||
+           !linux_maps->GetPathname().compare("[heap]")) &&
+          linux_maps->IsExecutable()) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
 bool ExploitabilityLinux::InstructionPointerInCode(uint64_t instruction_ptr) {
   // Get Linux memory mapping from /proc/self/maps. Checking whether the
   // region the instruction pointer is in has executable permission can tell
   // whether it is in a valid code region. If there is no mapping for the
   // instruction pointer, it is indicative that the instruction pointer is
   // not within a module, which implies that it is outside a valid area.
   MinidumpLinuxMapsList *linux_maps_list = dump_->GetLinuxMapsList();
   const MinidumpLinuxMaps *linux_maps =
       linux_maps_list ?
       linux_maps_list->GetLinuxMapsForAddress(instruction_ptr) : NULL;
@@ skipping 36 matching lines @@
     case MD_EXCEPTION_CODE_LIN_DUMP_REQUESTED:
       return true;
       break;
     default:
       return false;
       break;
   }
 }
 
 }  // namespace google_breakpad