Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Linux DTB scanner to handle newer Linux kernel versions (>= 5.14-rc1) #852

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Update Linux DTB scanner to handle newer Linux kernel versions (>= 5.14-rc1) #852

wants to merge 2 commits into from

Conversation

miszr
Copy link

@miszr miszr commented May 29, 2023

Since commit 2f064a5 in the Linux kernel (5.14-rc1) the task state field is no longer called "state" but is instead called "__state".

This commit adds support to first look for "state" and if that is not found, attempt to look for the "__state" field.

This should resolve issues some folks been having with newer Linux kernel releases.

@miszr
Update Linux DTB scanner to handle newer Linux kernel versions
9ff9e9b 
Since commit 2f064a5 in the Linux kernel (5.14-rc1) the task state field is no longer called "state" but is instead called "__state".

This commit adds support to first look for "state" and if that is not found, attempt to look for the "__state" field.
@miszr miszr mentioned this pull request May 29, 2023
Open
@miszr
Update Linux DTB scanner with more specific exception catching
d07c69a 
Updated try-except to only catch KeyError.
@jotunel
Copy link

jotunel commented May 30, 2023

Since getting the same error:

Traceback (most recent call last):
File "vol.py", line 192, in
main()
File "vol.py", line 183, in main
command.execute()
File "/home/odin/Documents/volatility/volatility/plugins/linux/common.py", line 67, in execute
commands.Command.execute(self, *args, **kwargs)
File "/home/odin/Documents/volatility/volatility/commands.py", line 116, in execute
if not self.is_valid_profile(profsself._config.PROFILE):
File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in init
obj.Profile.init(self, *args, **kwargs)
File "/home/odin/Documents/volatility/volatility/obj.py", line 862, in init
self.reset()
File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset
self.load_vtypes()
File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
File "/home/odin/Documents/volatility/volatility/dwarf.py", line 72, in init
self.feed_line(line)
File "/home/odin/Documents/volatility/volatility/dwarf.py", line 163, in feed_line
self.process_statement(**parsed) #pylint: disable-msg=W0142
File "/home/odin/Documents/volatility/volatility/dwarf.py", line 267, in process_statement
d = data['DW_AT_data_member_location']
KeyError: 'DW_AT_data_member_location'

@miszr
Copy link
Author

miszr commented May 30, 2023

Since getting the same error:

Traceback (most recent call last): File "vol.py", line 192, in main() File "vol.py", line 183, in main command.execute() File "/home/odin/Documents/volatility/volatility/plugins/linux/common.py", line 67, in execute commands.Command.execute(self, *args, **kwargs) File "/home/odin/Documents/volatility/volatility/commands.py", line 116, in execute if not self.is_valid_profile(profsself._config.PROFILE): File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in init obj.Profile.init(self, *args, **kwargs) File "/home/odin/Documents/volatility/volatility/obj.py", line 862, in init self.reset() File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset self.load_vtypes() File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes vtypesvar = dwarf.DWARFParser(dwarfdata).finalize() File "/home/odin/Documents/volatility/volatility/dwarf.py", line 72, in init self.feed_line(line) File "/home/odin/Documents/volatility/volatility/dwarf.py", line 163, in feed_line self.process_statement(**parsed) #pylint: disable-msg=W0142 File "/home/odin/Documents/volatility/volatility/dwarf.py", line 267, in process_statement d = data['DW_AT_data_member_location'] KeyError: 'DW_AT_data_member_location'

This PR has nothing to do with errors related to "DW_AT_data_member_location". See #828 for a solution to this.

This PR solves the problem of the inability to process newer kernel memory dumps once the correct DWARF debug version is acquired.

@miszr miszr mentioned this pull request Jun 15, 2023
Open
@kovacs-andras
Copy link

It works for me with a Ubuntu_5.15.0-78-generic dump. Huge thanks and I owe you a beer! (or two)

@BoBppy BoBppy mentioned this pull request Nov 8, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@miszr @jotunel @kovacs-andras