volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

linux.mountinfo.MountInfo: broken on kernel 6.8+ #1187

Open ptrcnull opened 1 month ago

ptrcnull commented 1 month ago

Describe the bug
The mnt_namespace.list field got removed in kernel version 6.8, replaced with an rb-tree at mnt_namespace.mounts.

Context
Volatility Version: 2.7.1 (ac5769cf)
Operating System: Linux
Python Version: 3.12.2
Suspected Operating System: Ubuntu 24.10
Command: vol linux.mountinfo

To Reproduce Steps to reproduce the behavior:

  1. Acquire a memory dump of Ubuntu 24.10, kernel 6.8 or newer
  2. Extract symbols from the kernel, applying patch from https://github.com/volatilityfoundation/dwarf2json/issues/57#issuecomment-2198205637 to dwarf2json
  3. Try to use linux.mountinfo

Expected behavior
Mounts are getting printed

Example output

```
Traceback (most recent call last):
  File "/home/patrycja/Downloads/volatility3/vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/patrycja/Downloads/volatility3/volatility3/cli/__init__.py", line 877, in main
    CommandLine().run()
  File "/home/patrycja/Downloads/volatility3/volatility3/cli/__init__.py", line 469, in run
    renderer.render(grid)
  File "/home/patrycja/Downloads/volatility3/volatility3/cli/text_renderer.py", line 198, in render
    grid.populate(visitor, outfd)
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/plugins/linux/mountinfo.py", line 191, in _generator
    for task, mnt, mnt_ns_id in self._get_tasks_mountpoints(
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/plugins/linux/mountinfo.py", line 170, in _get_tasks_mountpoints
    for mount in mnt_namespace.get_mount_points():
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/symbols/linux/extensions/__init__.py", line 1305, in get_mount_points
    for mount in self.list.to_list(mnt_type, "mnt_list"):
                 ^^^^^^^^^
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/objects/__init__.py", line 971, in __getattr__
    raise AttributeError(
AttributeError: StructType has no attribute: symbol_table_name1!mnt_namespace.list
```

eve-mem commented 3 weeks ago

Yes, looks like `list` is removed. Need to parse via `rb_root mounts` on these versions?

```c
struct mnt_namespace {
    struct ns_common    ns;
    struct mount *  root;
    struct rb_root      mounts; /* Protected by namespace_sem */
    struct user_namespace   *user_ns;
    struct ucounts      *ucounts;
    u64         seq;    /* Sequence number to prevent loops */
    wait_queue_head_t poll;
    u64 event;
    unsigned int        nr_mounts; /* # of mounts in the namespace */
    unsigned int        pending_mounts;
} __randomize_layout;
```

Here is the commit where it happened: https://github.com/torvalds/linux/commit/2eea9ce4310d8c0f8ef1dbe7b0e7d9219ff02b97

Bringing the red-black tree parsing to vol3 will be needed to get this working. That's actually quite useful, as that is also needed for a few other Linux plugins (e.g. a dumpfiles plugin). I'd done a little bit of work on it, but nowhere near close - so someone else should feel free to jump in. 😄

For reference here is some of the rb code in vol2: https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/overlays/linux/linux.py#L1932

Edit: I've just realized that @ptrcnull put all that information in the issue already.
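As an added illustration of the rb-tree walk the thread is asking for (example code, not volatility3's own implementation): an in-order traversal of a kernel-style `rb_root` over a raw memory buffer, mirroring the kernel's `rb_first()`/`rb_next()` logic, with a revisit guard so a damaged image cannot loop forever. The struct layout, field offsets and the mount id field are constructed assumptions for the toy image, not values from real debug symbols.

```python
import struct

# Toy x86_64 layout (assumptions, not real kernel debug symbols): 8-byte pointers,
# struct rb_node = {unsigned long __rb_parent_color; rb_node *rb_right; rb_node *rb_left;}
# and a cut-down "struct mount" that embeds the rb_node first and a u64 mount id after it.
RB_PARENT_COLOR, RB_RIGHT, RB_LEFT = 0, 8, 16
MNT_NODE_OFF, MNT_ID_OFF, MOUNT_SIZE = 0, 24, 32

def read_ptr(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]

def rb_first(mem, root_addr):
    """Leftmost node of the tree whose rb_root sits at root_addr (0 if the tree is empty)."""
    node = read_ptr(mem, root_addr)
    while node and (left := read_ptr(mem, node + RB_LEFT)):
        node = left
    return node

def rb_next(mem, node):
    """In-order successor, like the kernel's rb_next(); the low two bits of
    __rb_parent_color hold the colour and are masked off to recover the parent."""
    right = read_ptr(mem, node + RB_RIGHT)
    if right:
        while left := read_ptr(mem, right + RB_LEFT):
            right = left
        return right
    parent = read_ptr(mem, node + RB_PARENT_COLOR) & ~3
    while parent and read_ptr(mem, parent + RB_RIGHT) == node:
        node, parent = parent, read_ptr(mem, parent + RB_PARENT_COLOR) & ~3
    return parent

def walk_mounts(mem, root_addr, max_nodes=1 << 16):
    """Yield (mount_addr, mnt_id) in ascending key order. A memory image may be
    corrupt, so stop on a revisited node or once the node budget is exhausted."""
    seen, node = set(), rb_first(mem, root_addr)
    while node and node not in seen and len(seen) < max_nodes:
        seen.add(node)
        mount = node - MNT_NODE_OFF            # container_of(node, struct mount, <rb_node member>)
        yield mount, read_ptr(mem, mount + MNT_ID_OFF)
        node = rb_next(mem, node)

def build_image(corrupt=False):
    """Constructed sample image: four mounts, root id 20, left 10 (right child 15), right 30."""
    mem, root, A, B, C, D = bytearray(160), 8, 16, 48, 80, 112
    def put(addr, parent, black, right, left, mnt_id):
        struct.pack_into("<QQQQ", mem, addr, parent | black, right, left, mnt_id)
    struct.pack_into("<Q", mem, root, A)
    put(A, 0, 1, C, B, 20); put(B, A, 0, D, 0, 10); put(C, A, 1, 0, 0, 30); put(D, B, 1, 0, 0, 15)
    if corrupt:  # point D's right child back at the root to simulate a damaged tree
        struct.pack_into("<Q", mem, D + RB_RIGHT, A)
    return mem, root
```

With the intact image the walk yields ids 10, 15, 20, 30; with the corrupted image it stops after 10, 15 instead of looping.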

gcmoreira commented 1 week ago

@ikelos I will handle this soon, please assign this issue to me