455257 - Distinguish "random address" crashes based on page location and permissions

Status: RESOLVED WONTFIX

(Socorro :: Backend, task)

Description

[Jesse Ruderman]

Now that Firefox has a JIT, not all crashes with a "random address" at the top of the stack are likely to be security holes.  The following information would make it easier to tell which ones are likely to be security holes:

* page "location" (e.g. stack, malloc, mmap, not mapped at all)

* page permissions (e.g. RX, RW)

JITted code is in mmap memory and has RX permissions when it runs.

See also bug 411349.

Comment 1

[(not currently active) Ted Mielczarek]

We'll have to find out if we have enough info in the minidump to give you this, or if we need to add features to breakpad to make this work.

Comment 2

[(not currently active) Ted Mielczarek]

The minidump module struct doesn't have this info:
http://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h#358

We'd have to collect some extra info client-side to provide this.

Comment 3

[(not currently active) Ted Mielczarek]

We could do this on crashes from Windows 7 systems now since we fixed bug 620974.

Also, exposing additional information from minidump_stackwalk in general will be easier once we've fixed bug 573100 (it's planned for Socorro 1.7.8).

Comment 4

[Lonnen :lonnen]

still desired or wontfix?

Comment 5

[(not currently active) Ted Mielczarek]

This is probably useful, but I'm pretty sure the exploitability analysis takes this into consideration as well, so there might not be additional value beyond just looking at the existing `exploitable` classification.

Comment 6

[Lonnen :lonnen]

Thanks! When we have clear scope and value, we can reopen or file new.