Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Linux: fix bug with iomem plugin due to absolute address misuse #1051

Merged
merged 1 commit into from
Nov 29, 2023
Merged

Linux: fix bug with iomem plugin due to absolute address misuse #1051

merged 1 commit into from
Nov 29, 2023

Conversation

eve-mem
Copy link
Contributor

@eve-mem eve-mem commented Nov 29, 2023

Hello 🚀

This PR fixes a bug spotted by @4n6-fl and reported via slack.

Essentially an absolute address is used to create an object, but the absolute flag is not set. This means when there is shifting the address will be wrong and cause the problems.

I didn't spot that when testing the plugin when it was first made, sorry...!

Pre patch it isn't possible to run the iomem plugin on this sample:


$ python vol.py -f v6.1.15.dmp linux.iomem
Volatility 3 Framework 2.5.2
Progress:  100.00               Stacking attempts finished
Name    Start   End
WARNING  volatility3.plugins.linux.iomem: Unable to follow pointer to name for resource object at 0xffff89841080, replaced with UnreadableValue


Volatility was unable to read a requested page:
Page error 0xffff90e41080 in layer layer_name (Page Fault at entry 0x0 in table page table)

        * Memory smear during acquisition (try re-acquiring if possible)
        * An intentionally invalid page lookup (operating system protection)
        * A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced

However with this fix the plugin works as expected:

$ python vol.py -f v6.1.15.dmp linux.iomem
Volatility 3 Framework 2.5.2
Progress:  100.00               Stacking attempts finished
Name    Start   End

PCI mem 0x0     0xffffffffff
* Reserved      0x0     0xfff
* System RAM    0x1000  0x9fbff
* Reserved      0x9fc00 0x9ffff
* PCI Bus 0000:00       0xa0000 0xbffff
* Video ROM     0xc0000 0xc99ff
* Adapter ROM   0xca000 0xcadff
* Adapter ROM   0xcb000 0xcd3ff
* Reserved      0xf0000 0xfffff
** System ROM   0xf0000 0xfffff
* System RAM    0x100000        0xbffd9fff
* Reserved      0xbffda000      0xbfffffff
* PCI Bus 0000:00       0xc0000000      0xfebfffff
** 0000:00:02.0 0xfc000000      0xfcffffff
*** bochs-drm   0xfc000000      0xfcffffff
** PCI Bus 0000:03      0xfd000000      0xfd1fffff
** PCI Bus 0000:02      0xfd200000      0xfd3fffff
** PCI Bus 0000:01      0xfd400000      0xfd5fffff
*** 0000:01:01.0        0xfd400000      0xfd403fff
**** virtio-pci-modern  0xfd400000      0xfd403fff
** 0000:00:03.0 0xfd600000      0xfd603fff
*** virtio-pci-modern   0xfd600000      0xfd603fff
** 0000:00:12.0 0xfd604000      0xfd607fff
*** virtio-pci-modern   0xfd604000      0xfd607fff
** PCI Bus 0000:03      0xfe400000      0xfe5fffff

@eve-mem
Linux: fix bug with iomem plugin where an absolute address is used to…
099403d 
… make an object but the absolute flag is not set
@ikelos ikelos self-requested a review November 29, 2023 21:01
ikelos
ikelos approved these changes Nov 29, 2023
View reviewed changes
Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, all looks good, thanks for bumping the version number! 5;D

@ikelos ikelos merged commit 292bef9 into volatilityfoundation:develop Nov 29, 2023
14 checks passed
@eve-mem eve-mem deleted the linux_iomem_absolute_address_bugfix branch December 1, 2023 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ikelos ikelos ikelos approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eve-mem @ikelos