-
Notifications
You must be signed in to change notification settings - Fork 481
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Linux: Add error handling to elf extension magic bytes check #1010
Linux: Add error handling to elf extension magic bytes check #1010
Conversation
…ith smear and missing pages
…id addresses rather than crashing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A little bit cumbersome. I get why we read the state here, and why we can't just use the ELF layer's checks, but it feels as though we now have three different places where this checking happens. We should probably include in this fix something to remove the specific handling from the linux.Elfs
plugin, which you presumably inherit this fix when it's made?
…prefix and _hdr attrs instead
Hello @ikelos sorry it took so long to make progress on your comments, I was getting in a twist about how to correctly read What do you think of the way I've handled that, adding in a check for those attributes first? The other option would be not doing the magic bytes checks at all and creating the full object regardless, then adding more logic to the It might mean more work for this PR, or if you'd rather merge this one so that vol stops crashing as in issue #1009 and then I can work on that upgrade after? I'm happy either way. Thanks again! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy to commit this once the has_member
change is in place if you'd like, but also happy to delay if there's further work that needs doing on the PR and it makes sense to do it all together? Happy to take your lead on the decision... 5:)
@@ -72,7 +84,10 @@ def is_valid(self): | |||
""" | |||
Determine whether it is a valid object | |||
""" | |||
return self._type_prefix is not None and self._hdr is not None | |||
if hasattr(self, "_type_prefix") and hasattr(self, "_hdr"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to check does hasattr
work on properties that are dynamically created (since Object
s generate their members dynamically? I feel as though has_member
might be a better/the right way to achieve this?
Marking this as draft for a moment, it's not possible to use vols It'll just take me a little longer to work out what exactly to do here, any and all thoughts/ideas/suggestions are welcome as always. |
So, we typically expect plugins to override members as a property if they're redefining them, or if they're a method to calculate them, then they tend to be |
Having said that, a quick search of the codebase shows we use |
Merging would allow the plugin to work when there are errors, and I'm keen to fix the issue. Could you merge it to fix that issue? Then longer term we can think about how has member could work with extensions like this or how to do them better. 🙏 Thanks again. |
Hello
This PR adds some error handling to the Linux ELF extension when it checks for the ELF magic bytes.
It was @garanews that spotted the issue #1009. It causes
linux.pslist
to crash as soon as it hits the first process where the magic bytes are not available.This doesn't happen with the
linux.elfs
plugin as it has its own protection here: https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/plugins/linux/elfs.py#L141-L149I originally used a padded read in the extension, but thought that a try/expect was better? I could also add the protections to the
linux.pslist
plugin instead, but I thought that having them in the extension was better?The original behavior of the extension is to return None and not check any other parts of the ELF if the magic bytes are wrong or unavailable. I've not changed that here, do you think it would be a good idea to allow the option to override this if needed? Likely better left to a different PR.
Thanks!