search

volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0
7.19k stars 1.27k forks source link

linux_arp: OverflowError: range() result has too many items #274

Closed fpusersuggest closed 7 years ago

fpusersuggest commented 8 years ago

Hi, I have found many bugs with volatility and Centos 7.1. OS version: Linux Centos 7.1 Kernel: Linux forensics 3.10.0-327.3.1.el7.x86_64 #1 SMP Wed Dec 9 14:09:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux Volatility version: 2.5 downloaded from github 27 december 2015 Plugin affected: linux_arp

Short error:

# ./vol.py -f /root/4ensix.lime --profile=Linuxcentos7_1x64 linux_arp
Volatility Foundation Volatility Framework 2.5
[ff02::2                                   ] at 33:33:00:00:00:02    on eth0
[ff02::1:ffe8:8201                         ] at 33:33:ff:e8:82:01    on eth0
[ff02::16                                  ] at 33:33:00:00:00:16    on eth0
Traceback (most recent call last):
  File "./vol.py", line 192, in <module>
    main()
  File "./vol.py", line 183, in main
    command.execute()
  File "/root/volatility/volatility/plugins/linux/common.py", line 63, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/volatility/volatility/commands.py", line 145, in execute
    func(outfd, data)
  File "/root/volatility/volatility/plugins/linux/arp.py", line 109, in render_text
    for ent in data:
  File "/root/volatility/volatility/plugins/linux/arp.py", line 56, in calculate
    for aent in self.handle_table(ntable):
  File "/root/volatility/volatility/plugins/linux/arp.py", line 76, in handle_table
    for i in range(hash_size):
OverflowError: range() result has too many items

Error with debug:

Volatility Foundation Volatility Framework 2.5
DEBUG   : volatility.debug    : centos7.1: Found dwarf file boot/System.map-3.10.0-327.3.1.el7.x86_64 with 760 symbols
DEBUG   : volatility.debug    : centos7.1: Found system file boot/System.map-3.10.0-327.3.1.el7.x86_64 with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from EditBoxObjectClasses
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.debug    : centos7.1: Found dwarf file boot/System.map-3.10.0-327.3.1.el7.x86_64 with 760 symbols
DEBUG   : volatility.debug    : centos7.1: Found system file boot/System.map-3.10.0-327.3.1.el7.x86_64 with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from EditBoxObjectClasses
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxIDTTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxGate64Overlay
DEBUG   : volatility.debug    : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel
DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x9d38f50>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x9d38f90>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x80a85d0>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
[ff02::2                                   ] at 33:33:00:00:00:02    on eth0
[ff02::1:ffe8:8201                         ] at 33:33:ff:e8:82:01    on eth0
[ff02::16                                  ] at 33:33:00:00:00:16    on eth0
> /root/volatility/volatility/plugins/linux/arp.py(76)handle_table()
-> for i in range(hash_size):
atcuno commented 7 years ago

Hello,

Thanks for the report. This should be fixed:

https://github.com/volatilityfoundation/volatility/commit/33d461c31212db5fddeee12b019eefa4727f8c28

I have closed the ticket, but please let me know if you have any further issues.