Skip to content
This repository was archived by the owner on May 16, 2025. It is now read-only.

Update Linux DTB scanner to handle newer Linux kernel versions (>= 5.14-rc1)#852

Open
miszr wants to merge 2 commits intovolatilityfoundation:masterfrom
miszr:patch-1
Open

Update Linux DTB scanner to handle newer Linux kernel versions (>= 5.14-rc1)#852
miszr wants to merge 2 commits intovolatilityfoundation:masterfrom
miszr:patch-1

Conversation

@miszr
Copy link

@miszr miszr commented May 29, 2023

Since commit 2f064a5 in the Linux kernel (5.14-rc1) the task state field is no longer called "state" but is instead called "__state".

This commit adds support to first look for "state" and if that is not found, attempt to look for the "__state" field.

This should resolve issues some folks been having with newer Linux kernel releases.

@miszr
Update Linux DTB scanner to handle newer Linux kernel versions
9ff9e9b 
Since commit 2f064a5 in the Linux kernel (5.14-rc1) the task state field is no longer called "state" but is instead called "__state".

This commit adds support to first look for "state" and if that is not found, attempt to look for the "__state" field.
@miszr miszr mentioned this pull request May 29, 2023
Open
@miszr
Update Linux DTB scanner with more specific exception catching
d07c69a 
Updated try-except to only catch KeyError.
@jotunel
Copy link

jotunel commented May 30, 2023

Since getting the same error:

Traceback (most recent call last):
File "vol.py", line 192, in
main()
File "vol.py", line 183, in main
command.execute()
File "/home/odin/Documents/volatility/volatility/plugins/linux/common.py", line 67, in execute
commands.Command.execute(self, *args, **kwargs)
File "/home/odin/Documents/volatility/volatility/commands.py", line 116, in execute
if not self.is_valid_profile(profsself._config.PROFILE):
File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in init
obj.Profile.init(self, *args, **kwargs)
File "/home/odin/Documents/volatility/volatility/obj.py", line 862, in init
self.reset()
File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset
self.load_vtypes()
File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
File "/home/odin/Documents/volatility/volatility/dwarf.py", line 72, in init
self.feed_line(line)
File "/home/odin/Documents/volatility/volatility/dwarf.py", line 163, in feed_line
self.process_statement(**parsed) #pylint: disable-msg=W0142
File "/home/odin/Documents/volatility/volatility/dwarf.py", line 267, in process_statement
d = data['DW_AT_data_member_location']
KeyError: 'DW_AT_data_member_location'

@miszr
Copy link
Author

miszr commented May 30, 2023

Since getting the same error:

Traceback (most recent call last): File "vol.py", line 192, in main() File "vol.py", line 183, in main command.execute() File "/home/odin/Documents/volatility/volatility/plugins/linux/common.py", line 67, in execute commands.Command.execute(self, *args, **kwargs) File "/home/odin/Documents/volatility/volatility/commands.py", line 116, in execute if not self.is_valid_profile(profsself._config.PROFILE): File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in init obj.Profile.init(self, *args, **kwargs) File "/home/odin/Documents/volatility/volatility/obj.py", line 862, in init self.reset() File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset self.load_vtypes() File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes vtypesvar = dwarf.DWARFParser(dwarfdata).finalize() File "/home/odin/Documents/volatility/volatility/dwarf.py", line 72, in init self.feed_line(line) File "/home/odin/Documents/volatility/volatility/dwarf.py", line 163, in feed_line self.process_statement(**parsed) #pylint: disable-msg=W0142 File "/home/odin/Documents/volatility/volatility/dwarf.py", line 267, in process_statement d = data['DW_AT_data_member_location'] KeyError: 'DW_AT_data_member_location'

This PR has nothing to do with errors related to "DW_AT_data_member_location". See #828 for a solution to this.

This PR solves the problem of the inability to process newer kernel memory dumps once the correct DWARF debug version is acquired.

@miszr miszr mentioned this pull request Jun 15, 2023
Open
@kovacs-andras
Copy link

kovacs-andras commented Oct 12, 2023

It works for me with a Ubuntu_5.15.0-78-generic dump. Huge thanks and I owe you a beer! (or two)

@BoBppy BoBppy mentioned this pull request Nov 8, 2023
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@miszr @jotunel @kovacs-andras