tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Vtypes do not represent/handle anonymous unions #322

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Linux uses anonymous unions in many places in the kernel, and we need to be 
able to access the members inside of them in some sane way. As an example, here 
is the structure that represents arguments to kernel modules:

  struct kernel_param {
          const char *name;
          u16 perm;
          u16 flags;
          param_set_fn set;
          param_get_fn get;
          union {
                  void *arg;
                  const struct kparam_string *str;
                  const struct kparam_array *arr;
          };
  };

To get the value of the arguments, we need to be able to access the "arg", 
"str", and "arr" members, but the vtype names look like this for the structure:

['set', 'name', 'get', 'perm', '__unnamed_13519', 'flags']

Where obviously the __unnamed_13519 is the anon union...

MHL suggested doing an overlay where each piece of the union would be mapped 
to after the 'get' function, which will work in this instance assuming the 
structure does not change between kernel versions, but it is not a long-term 
solution.

Future plugins will need to reference many anon unions and I know of a few 
structures with anon unions whose members and layouts do change so we cannot 
just overlay them.

Original issue reported on code.google.com by atc...@gmail.com on 8 Aug 2012 at 2:30

GoogleCodeExporter commented 9 years ago
Just CC-ing mooyix too 

Original comment by michael.hale@gmail.com on 8 Aug 2012 at 2:33

GoogleCodeExporter commented 9 years ago
So just to keep the records up-to-date, the suggestion is, as far as I'm aware, 
for the dwarfparsing code to generate vtypes where each of the union items is 
added directly to the structure at the union's offset.

Original comment by mike.auty@gmail.com on 8 Aug 2012 at 10:42
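
The flattening suggested in the comment above, as an added example (not Volatility's code and not the r2464 change). It assumes a vtype layout of `[size, {member: [offset, type]}]` and that the anonymous member's type entry carries the same `__unnamed_` name; the function name `flatten_anonymous` is hypothetical and the offsets are constructed sample values.

```python
import copy

ANON_PREFIX = "__unnamed_"  # member-name prefix seen in the issue's vtype listing


def flatten_anonymous(vtypes):
    """Return a copy of vtypes with anonymous struct/union members hoisted
    into the enclosing structure at the anonymous member's offset."""
    out = copy.deepcopy(vtypes)

    def hoist(members, seen=()):
        flat = {}
        for name, (offset, mtype) in members.items():
            target = mtype[0] if mtype else None
            if name.startswith(ANON_PREFIX) and target in out and target not in seen:
                # Recurse first so nested anonymous members are hoisted too.
                inner = hoist(out[target][1], seen + (target,))
                for iname, (ioff, itype) in inner.items():
                    if iname in flat or iname in members:
                        raise ValueError("member name clash: %s" % iname)
                    flat[iname] = [offset + ioff, itype]
            else:
                flat[name] = [offset, mtype]
        return flat

    for tname, (size, members) in out.items():
        out[tname] = [size, hoist(members)]
    return out


# Constructed sample modelled on struct kernel_param from the issue.
# Offsets assume a 64-bit build and are illustrative only (assumption).
SAMPLE = {
    "kernel_param": [40, {
        "name": [0, ["pointer", ["char"]]],
        "perm": [8, ["unsigned short"]],
        "flags": [10, ["unsigned short"]],
        "set": [16, ["pointer", ["void"]]],
        "get": [24, ["pointer", ["void"]]],
        "__unnamed_13519": [32, ["__unnamed_13519"]],
    }],
    "__unnamed_13519": [8, {
        "arg": [0, ["pointer", ["void"]]],
        "str": [0, ["pointer", ["kparam_string"]]],
        "arr": [0, ["pointer", ["kparam_array"]]],
    }],
}
```

Because the offsets are taken from the per-kernel type data rather than hard-coded, the union members keep the right position even when the enclosing structure's layout differs between kernel versions.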

GoogleCodeExporter commented 9 years ago
attc/ikelos fixed this earlier and just forgot to close

Original comment by michael.hale@gmail.com on 24 Sep 2012 at 8:44

GoogleCodeExporter commented 9 years ago
fixed in r2464

Original comment by michael.hale@gmail.com on 24 Sep 2012 at 9:25