1 // Copyright (c) 2010 Google Inc.
2 // All rights reserved.
3 //
4 // Redistribution and use in source and binary forms, with or without
5 // modification, are permitted provided that the following conditions are
6 // met:
7 //
8 //     * Redistributions of source code must retain the above copyright
9 // notice, this list of conditions and the following disclaimer.
10 //     * Redistributions in binary form must reproduce the above
11 // copyright notice, this list of conditions and the following disclaimer
12 // in the documentation and/or other materials provided with the
13 // distribution.
14 //     * Neither the name of Google Inc. nor the names of its
15 // contributors may be used to endorse or promote products derived from
16 // this software without specific prior written permission.
17 //
18 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 
30 // exploitability_win.cc: Windows specific exploitability engine.
31 //
32 // Provides a guess at the exploitability of the crash for the Windows
33 // platform given a minidump and process_state.
34 //
35 // Author: Cris Neckar
36 
37 #include <vector>
38 
39 #include "processor/exploitability_win.h"
40 
41 #include "common/scoped_ptr.h"
42 #include "google_breakpad/common/minidump_exception_win32.h"
43 #include "google_breakpad/processor/minidump.h"
44 #include "processor/disassembler_x86.h"
45 #include "processor/logging.h"
46 
47 #include "third_party/libdisasm/libdis.h"
48 
49 namespace google_breakpad {
50 
51 // The cutoff that we use to judge if and address is likely an offset
52 // from various interesting addresses.
53 static const uint64_t kProbableNullOffset = 4096;
54 static const uint64_t kProbableStackOffset = 8192;
55 
56 // The various cutoffs for the different ratings.
57 static const size_t kHighCutoff        = 100;
58 static const size_t kMediumCutoff      = 80;
59 static const size_t kLowCutoff         = 50;
60 static const size_t kInterestingCutoff = 25;
61 
62 // Predefined incremental values for conditional weighting.
63 static const size_t kTinyBump          = 5;
64 static const size_t kSmallBump         = 20;
65 static const size_t kMediumBump        = 50;
66 static const size_t kLargeBump         = 70;
67 static const size_t kHugeBump          = 90;
68 
69 // The maximum number of bytes to disassemble past the program counter.
70 static const size_t kDisassembleBytesBeyondPC = 2048;
71 
ExploitabilityWin(Minidump * dump,ProcessState * process_state)72 ExploitabilityWin::ExploitabilityWin(Minidump *dump,
73                                      ProcessState *process_state)
74     : Exploitability(dump, process_state) { }
75 
CheckPlatformExploitability()76 ExploitabilityRating ExploitabilityWin::CheckPlatformExploitability() {
77   MinidumpException *exception = dump_->GetException();
78   if (!exception) {
79     BPLOG(INFO) << "Minidump does not have exception record.";
80     return EXPLOITABILITY_ERR_PROCESSING;
81   }
82 
83   const MDRawExceptionStream *raw_exception = exception->exception();
84   if (!raw_exception) {
85     BPLOG(INFO) << "Could not obtain raw exception info.";
86     return EXPLOITABILITY_ERR_PROCESSING;
87   }
88 
89   const MinidumpContext *context = exception->GetContext();
90   if (!context) {
91     BPLOG(INFO) << "Could not obtain exception context.";
92     return EXPLOITABILITY_ERR_PROCESSING;
93   }
94 
95   MinidumpMemoryList *memory_list = dump_->GetMemoryList();
96   bool memory_available = true;
97   if (!memory_list) {
98     BPLOG(INFO) << "Minidump memory segments not available.";
99     memory_available = false;
100   }
101   uint64_t address = process_state_->crash_address();
102   uint32_t exception_code = raw_exception->exception_record.exception_code;
103 
104   uint32_t exploitability_weight = 0;
105 
106   uint64_t stack_ptr = 0;
107   uint64_t instruction_ptr = 0;
108 
109   switch (context->GetContextCPU()) {
110     case MD_CONTEXT_X86:
111       stack_ptr = context->GetContextX86()->esp;
112       instruction_ptr = context->GetContextX86()->eip;
113       break;
114     case MD_CONTEXT_AMD64:
115       stack_ptr = context->GetContextAMD64()->rsp;
116       instruction_ptr = context->GetContextAMD64()->rip;
117       break;
118     default:
119       BPLOG(INFO) << "Unsupported architecture.";
120       return EXPLOITABILITY_ERR_PROCESSING;
121   }
122 
123   // Check if we are executing on the stack.
124   if (instruction_ptr <= (stack_ptr + kProbableStackOffset) &&
125       instruction_ptr >= (stack_ptr - kProbableStackOffset))
126     exploitability_weight += kHugeBump;
127 
128   switch (exception_code) {
129     // This is almost certainly recursion.
130     case MD_EXCEPTION_CODE_WIN_STACK_OVERFLOW:
131       exploitability_weight += kTinyBump;
132       break;
133 
134     // These exceptions tend to be benign and we can generally ignore them.
135     case MD_EXCEPTION_CODE_WIN_INTEGER_DIVIDE_BY_ZERO:
136     case MD_EXCEPTION_CODE_WIN_INTEGER_OVERFLOW:
137     case MD_EXCEPTION_CODE_WIN_FLOAT_DIVIDE_BY_ZERO:
138     case MD_EXCEPTION_CODE_WIN_FLOAT_INEXACT_RESULT:
139     case MD_EXCEPTION_CODE_WIN_FLOAT_OVERFLOW:
140     case MD_EXCEPTION_CODE_WIN_FLOAT_UNDERFLOW:
141     case MD_EXCEPTION_CODE_WIN_IN_PAGE_ERROR:
142       exploitability_weight += kTinyBump;
143       break;
144 
145     // These exceptions will typically mean that we have jumped where we
146     // shouldn't.
147     case MD_EXCEPTION_CODE_WIN_ILLEGAL_INSTRUCTION:
148     case MD_EXCEPTION_CODE_WIN_FLOAT_INVALID_OPERATION:
149     case MD_EXCEPTION_CODE_WIN_PRIVILEGED_INSTRUCTION:
150       exploitability_weight += kLargeBump;
151       break;
152 
153     // These represent bugs in exception handlers.
154     case MD_EXCEPTION_CODE_WIN_INVALID_DISPOSITION:
155     case MD_EXCEPTION_CODE_WIN_NONCONTINUABLE_EXCEPTION:
156       exploitability_weight += kSmallBump;
157       break;
158 
159     case MD_EXCEPTION_CODE_WIN_HEAP_CORRUPTION:
160     case MD_EXCEPTION_CODE_WIN_STACK_BUFFER_OVERRUN:
161       exploitability_weight += kHugeBump;
162       break;
163 
164     case MD_EXCEPTION_CODE_WIN_GUARD_PAGE_VIOLATION:
165       exploitability_weight += kLargeBump;
166       break;
167 
168     case MD_EXCEPTION_CODE_WIN_ACCESS_VIOLATION:
169       bool near_null = (address <= kProbableNullOffset);
170       bool bad_read = false;
171       bool bad_write = false;
172       if (raw_exception->exception_record.number_parameters >= 1) {
173         MDAccessViolationTypeWin av_type =
174             static_cast<MDAccessViolationTypeWin>
175             (raw_exception->exception_record.exception_information[0]);
176         switch (av_type) {
177           case MD_ACCESS_VIOLATION_WIN_READ:
178             bad_read = true;
179             if (near_null)
180               exploitability_weight += kSmallBump;
181             else
182               exploitability_weight += kMediumBump;
183             break;
184           case MD_ACCESS_VIOLATION_WIN_WRITE:
185             bad_write = true;
186             if (near_null)
187               exploitability_weight += kSmallBump;
188             else
189               exploitability_weight += kHugeBump;
190             break;
191           case MD_ACCESS_VIOLATION_WIN_EXEC:
192             if (near_null)
193               exploitability_weight += kSmallBump;
194             else
195               exploitability_weight += kHugeBump;
196             break;
197           default:
198             BPLOG(INFO) << "Unrecognized access violation type.";
199             return EXPLOITABILITY_ERR_PROCESSING;
200             break;
201         }
202         MinidumpMemoryRegion *instruction_region = 0;
203         if (memory_available) {
204           instruction_region =
205               memory_list->GetMemoryRegionForAddress(instruction_ptr);
206         }
207         if (!near_null && instruction_region &&
208             context->GetContextCPU() == MD_CONTEXT_X86 &&
209             (bad_read || bad_write)) {
210           // Perform checks related to memory around instruction pointer.
211           uint32_t memory_offset =
212               instruction_ptr - instruction_region->GetBase();
213           uint32_t available_memory =
214               instruction_region->GetSize() - memory_offset;
215           available_memory = available_memory > kDisassembleBytesBeyondPC ?
216               kDisassembleBytesBeyondPC : available_memory;
217           if (available_memory) {
218             const uint8_t *raw_memory =
219                 instruction_region->GetMemory() + memory_offset;
220             DisassemblerX86 disassembler(raw_memory,
221                                          available_memory,
222                                          instruction_ptr);
223             disassembler.NextInstruction();
224             if (bad_read)
225               disassembler.setBadRead();
226             else
227               disassembler.setBadWrite();
228             if (disassembler.currentInstructionValid()) {
229               // Check if the faulting instruction falls into one of
230               // several interesting groups.
231               switch (disassembler.currentInstructionGroup()) {
232                 case libdis::insn_controlflow:
233                   exploitability_weight += kLargeBump;
234                   break;
235                 case libdis::insn_string:
236                   exploitability_weight += kHugeBump;
237                   break;
238                 default:
239                   break;
240               }
241               // Loop the disassembler through the code and check if it
242               // IDed any interesting conditions in the near future.
243               // Multiple flags may be set so treat each equally.
244               while (disassembler.NextInstruction() &&
245                      disassembler.currentInstructionValid() &&
246                      !disassembler.endOfBlock())
247                 continue;
248               if (disassembler.flags() & DISX86_BAD_BRANCH_TARGET)
249                 exploitability_weight += kLargeBump;
250               if (disassembler.flags() & DISX86_BAD_ARGUMENT_PASSED)
251                 exploitability_weight += kTinyBump;
252               if (disassembler.flags() & DISX86_BAD_WRITE)
253                 exploitability_weight += kMediumBump;
254               if (disassembler.flags() & DISX86_BAD_BLOCK_WRITE)
255                 exploitability_weight += kMediumBump;
256               if (disassembler.flags() & DISX86_BAD_READ)
257                 exploitability_weight += kTinyBump;
258               if (disassembler.flags() & DISX86_BAD_BLOCK_READ)
259                 exploitability_weight += kTinyBump;
260               if (disassembler.flags() & DISX86_BAD_COMPARISON)
261                 exploitability_weight += kTinyBump;
262             }
263           }
264         }
265         if (!near_null && AddressIsAscii(address))
266           exploitability_weight += kMediumBump;
267       } else {
268         BPLOG(INFO) << "Access violation type parameter missing.";
269         return EXPLOITABILITY_ERR_PROCESSING;
270       }
271   }
272 
273   // Based on the calculated weight we return a simplified classification.
274   BPLOG(INFO) << "Calculated exploitability weight: " << exploitability_weight;
275   if (exploitability_weight >= kHighCutoff)
276     return EXPLOITABILITY_HIGH;
277   if (exploitability_weight >= kMediumCutoff)
278     return EXPLOITABLITY_MEDIUM;
279   if (exploitability_weight >= kLowCutoff)
280     return EXPLOITABILITY_LOW;
281   if (exploitability_weight >= kInterestingCutoff)
282     return EXPLOITABILITY_INTERESTING;
283 
284   return EXPLOITABILITY_NONE;
285 }
286 
287 }  // namespace google_breakpad
288