tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Dwarf.py - DW_AT_data_member_location empty offset #367

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create a profile under Fedora 15 64bit (2.6.38.8-35.fc15.x86_64) using this procedure:
https://code.google.com/p/volatility/issues/detail?id=355#c4

2. Execute linux_pslist on a LiME memory dump:
python vol.py -f p:\Fedora-15-64bit\Fedora-15-64bit.padded --profile=LinuxFedora-15-64bitx64 linux_pslist

What is the expected output? What do you see instead?
L:\Volatility2.3SVN>python vol.py -f p:\Fedora-15-64bit\Fedora-15-64bit.padded --profile=LinuxFedora-15-64bitx64 linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "L:\Volatility2.3SVN\volatility\plugins\linux\common.py", line 57, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "L:\Volatility2.3SVN\volatility\commands.py", line 111, in execute
    func(outfd, data)
  File "L:\Volatility2.3SVN\volatility\plugins\linux\pslist.py", line 60, in render_text
    ("Start Time", "")])
  File "L:\Volatility2.3SVN\volatility\commands.py", line 172, in table_header
    profile = addrspace.BufferAddressSpace(self._config).profile
  File "L:\Volatility2.3SVN\volatility\addrspace.py", line 169, in __init__
    BaseAddressSpace.__init__(self, None, config, **kwargs)
  File "L:\Volatility2.3SVN\volatility\addrspace.py", line 71, in __init__
    self.profile = self._set_profile(config.PROFILE)
  File "L:\Volatility2.3SVN\volatility\addrspace.py", line 94, in _set_profile
    ret = profs[profile_name]()
  File "L:\Volatility2.3SVN\volatility\plugins\overlays\linux\linux.py", line 148, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "L:\Volatility2.3SVN\volatility\obj.py", line 857, in __init__
    self.reset()
  File "L:\Volatility2.3SVN\volatility\plugins\overlays\linux\linux.py", line 158, in reset
    self.load_vtypes()
  File "L:\Volatility2.3SVN\volatility\plugins\overlays\linux\linux.py", line 195, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "L:\Volatility2.3SVN\volatility\dwarf.py", line 70, in __init__
    self.feed_line(line)
  File "L:\Volatility2.3SVN\volatility\dwarf.py", line 161, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "L:\Volatility2.3SVN\volatility\dwarf.py", line 260, in process_statement
    off = int(d)
ValueError: invalid literal for int() with base 10: ''

What version of the product are you using? On what operating system?
- Dwarf.py r2267
- Windows Seven SP1 64bit
- Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] on win32

Please provide any additional information below.

I have 10 DW_TAG_member in my profile that have no offset:

<2><0x350e><DW_TAG_member> DW_AT_name<nr_zones> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x00000267> DW_AT_type<<0x00000070>> DW_AT_data_member_location<>
<2><0x351e><DW_TAG_member> DW_AT_name<node_size_lock> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x00000279> DW_AT_type<<0x00002eaa>> DW_AT_data_member_location<>
<2><0x352e><DW_TAG_member> DW_AT_name<node_start_pfn> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x0000027b> DW_AT_type<<0x00000119>> DW_AT_data_member_location<>
<2><0x353e><DW_TAG_member> DW_AT_name<node_present_pages> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x0000027c> DW_AT_type<<0x00000119>> DW_AT_data_member_location<>
<2><0x354e><DW_TAG_member> DW_AT_name<node_spanned_pages> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x0000027d> DW_AT_type<<0x00000119>> DW_AT_data_member_location<>
<2><0x355e><DW_TAG_member> DW_AT_name<node_id> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x0000027f> DW_AT_type<<0x00000070>> DW_AT_data_member_location<>
<2><0x356e><DW_TAG_member> DW_AT_name<kswapd_wait> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x00000280> DW_AT_type<<0x00002ff3>> DW_AT_data_member_location<>
<2><0x357e><DW_TAG_member> DW_AT_name<kswapd> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x00000281> DW_AT_type<<0x00001001>> DW_AT_data_member_location<>
<2><0x358e><DW_TAG_member> DW_AT_name<kswapd_max_order> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x00000282> DW_AT_type<<0x00000070>> DW_AT_data_member_location<>
<2><0x359e><DW_TAG_member> DW_AT_name<classzone_idx> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x00000283> DW_AT_type<<0x00003274>> DW_AT_data_member_location<>

If I skip the problem during the DW_TAG_member parsing (see the attached file), 
everything seems to work fine.

However, I'm not sure that skipping the problem is the best solution ;)

Thanks in advance for your help,

Sebastien

Original issue reported on code.google.com by sebastie...@gmail.com on 18 Dec 2012 at 10:03
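
Added example, not part of the original report and not Volatility's dwarf.py: a stand-alone check that scans dwarfdump member lines and lists the DW_TAG_member entries whose DW_AT_data_member_location is present but empty, so they are reported instead of crashing `int()` or being dropped silently. The regexes, function names, the `DW_OP_plus_uconst N` form and the middle sample line are assumptions made for illustration.

```python
import re

# Header of a dwarfdump DIE line: <level><DIE offset><tag>
HEADER = re.compile(r"^<(\d+)><(0x[0-9a-fA-F]+)><(DW_TAG_\w+)>")
# One attribute, DW_AT_xxx<value>; the value may itself contain <...>
ATTR = re.compile(r"(DW_AT_\w+)<(.*?)>(?=\s+DW_AT_|\s*$)")

# Lines 1 and 3 come from the report above; line 2 is constructed.
SAMPLE = [
    "<2><0x350e><DW_TAG_member> DW_AT_name<nr_zones> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x00000267> DW_AT_type<<0x00000070>> DW_AT_data_member_location<>",
    "<2><0x9999><DW_TAG_member> DW_AT_name<example_field> DW_AT_type<<0x00000070>> DW_AT_data_member_location<DW_OP_plus_uconst 8>",
    "<2><0x355e><DW_TAG_member> DW_AT_name<node_id> DW_AT_decl_file<0x00000024 include/linux/mmzone.h> DW_AT_decl_line<0x0000027f> DW_AT_type<<0x00000070>> DW_AT_data_member_location<>",
]

def parse_member(line):
    """Return (die_offset, attrs) for a DW_TAG_member line, else None."""
    head = HEADER.match(line)
    if not head or head.group(3) != "DW_TAG_member":
        return None
    return head.group(2), dict(ATTR.findall(line[head.end():]))

def member_offset(raw):
    """Decode a member location; None means the dump carried no offset."""
    raw = raw.strip()
    if not raw:
        return None  # the case that raised ValueError in the traceback
    tok = raw.split()[1] if raw.startswith("DW_OP_plus_uconst") else raw
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)

def find_unresolved(lines):
    """List (die_offset, name) for members with an empty location."""
    unresolved = []
    for line in lines:
        parsed = parse_member(line)
        if parsed is None:
            continue
        die, attrs = parsed
        # Only flag members that carry the attribute but with no value.
        if ("DW_AT_data_member_location" in attrs
                and member_offset(attrs["DW_AT_data_member_location"]) is None):
            unresolved.append((die, attrs.get("DW_AT_name", "?")))
    return unresolved

if __name__ == "__main__":
    for die, name in find_unresolved(SAMPLE):
        print("no offset for member %s at DIE %s" % (name, die))
```

Running it over a profile's dwarf dump before loading the profile shows which structure fields have no usable offset.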


GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 18 Dec 2012 at 11:16

GoogleCodeExporter commented 9 years ago
This is the same root cause as the other issue related to Fedora.

Original comment by atc...@gmail.com on 29 Jan 2013 at 12:59