volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Linux: pagecache broken on kernel versions >= 6.8 #1313

Closed dgmcdona closed 1 month ago

dgmcdona commented 1 month ago

**Describe the bug**
The linux.pagecache.Files plugin crashes on kernel versions > 6.8.

**Context**
Volatility Version: 2.11.0
Operating System: macOS
Python Version: 3.8.10
Command: `python3 vol.py -f data.lime linux.pagecache.Files`

**To Reproduce**
Run the linux.pagecache.Files command on a Linux sample with a kernel version > 6.8.

**Expected behavior**
Proper enumeration of files.

**Example output**

INFO     volatility3.cli: Volatility plugins path: ['/Users/user/volatility3/volatility3/plugins', '/Users/user/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/Users/user/volatility3/volatility3/symbols', '/Users/user/volatility3/volatility3/framework/symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/plugins, /Users/user/volatility3/volatility3/framework/plugins
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/automagic
DETAIL 3 volatility3.cli: Cache directory used: /Users/user/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - find requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - find requirements only accept str type: None
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /Users/user/volatility3/volatility3/symbols, /Users/user/volatility3/volatility3/framework/symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, S3FileSystemHandler, GSFileSystemHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.8.0-1013-aws (buildd@lcy02-amd64-108) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #14-Ubuntu SMP Thu Jul 25 21:19:24 UTC 2024 (Ubuntu 6.8.0-1013.14-aws 6.8.12)\n\x00'
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_pkg_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_rcv_lists_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats_rsn
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!dsa_8021q_context
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!uapi_definition
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!hw_stats_device_data
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!rdma_restrack_root
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_port
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_gid_table
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_pkey_cache
DEBUG    volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 10a00000 virtual 16200000
DEBUG    volatility3.framework.automagic.linux: DTB was found at: 0x13e3c000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name.memory_layer
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Files.kernel.layer_name.memory_layer.base_layer
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Files
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /Users/user/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - find requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - find requirements only accept str type: None
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 2147078207
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Files.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 6.8.0-1013-aws (buildd@lcy02-amd64-108) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #14-Ubuntu SMP Thu Jul 25 21:19:24 UTC 2024 (Ubuntu 6.8.0-1013.14-aws 6.8.12)\n\x00'
DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///Users/user/volatility3/volatility3/symbols/linux/linux-image-unsigned-6.8.0-1013-aws-dbgsym_6.8.0-1013.14_x86_64.json.xz
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 3 volatility3.cli.text_filter: Filters:
[]
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats_rsn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dsa_8021q_context
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!uapi_definition
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!hw_stats_device_data
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!rdma_restrack_root
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_port
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_gid_table
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_pkey_cache
Traceback (most recent call last):
  File "vol.py", line 11, in <module>
    volatility3.cli.main()
  File "/Users/user/volatility3/volatility3/cli/__init__.py", line 923, in main
    CommandLine().run()
  File "/Users/user/volatility3/volatility3/cli/__init__.py", line 515, in run
    renderer.render(grid)
  File "/Users/user/volatility3/volatility3/cli/text_renderer.py", line 203, in render
    grid.populate(visitor, outfd)
  File "/Users/user/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/Users/user/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 350, in format_fields_with_headers
    for level, fields in generator:
  File "/Users/user/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 312, in _generator
    for inode_in in inodes_iter:
  File "/Users/user/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 272, in get_inodes
    for file_path, file_dentry in cls._walk_dentry(
  File "/Users/user/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 177, in _walk_dentry
    for dentry in root_dentry.get_subdirs():
  File "/Users/user/volatility3/volatility3/framework/symbols/linux/extensions/__init__.py", line 856, in get_subdirs
    yield from list_head_member.to_list(dentry_type_name, walk_member)
  File "/Users/user/volatility3/volatility3/framework/objects/__init__.py", line 453, in __getattr__
    return getattr(self.dereference(), attr)
  File "/Users/user/volatility3/volatility3/framework/objects/__init__.py", line 969, in __getattr__
    raise AttributeError(
AttributeError: StructType has no attribute: symbol_table_name1!hlist_node.to_list

**Additional information**

When the dentry extension class' get_subdirs method was updated due to changes to the dentry struct in Linux 6.8, the member references were updated correctly - d_child and d_subdirs became, respectively, d_sib and d_children (see before and after). However, the change of the member types was not accounted for - what were previously both list_head structures became hlist_node and hlist_head. There is an extension class for list_head that implements to_list, but no extension class or to_list method exists for hlist_node, which results in the exception shown above.
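The layout change described in the report is easiest to see on bytes. The following is an added illustration, not code from Volatility or from this issue: a small Python model of the two sibling layouts (the pre-6.8 circular `list_head` ring behind `d_subdirs`/`d_child`, and the 6.8+ NULL-terminated `hlist_head`/`hlist_node` chain behind `d_children`/`d_sib`) over a constructed in-memory "image". All addresses, member offsets, names and helper functions (`walk_hlist`, `walk_list_head`, `verify_hlist`) are constructed for the example; real `struct dentry` offsets come from the kernel's symbol table, and Volatility's own `to_list` is not used here. It shows why a `list_head` walker cannot simply be reused for an `hlist`: the termination condition differs (return to the head sentinel versus a NULL `next`), and `hlist_node.pprev` gives an integrity check that `list_head.prev` does not.

```python
"""Model of the two struct dentry sibling layouts over a constructed memory buffer."""
import struct

# --- constructed memory image (not a real dump) -----------------------------
BASE = 0xFFFF888000100000          # constructed kernel virtual address
MEM = bytearray(0x400)

def _off(addr):
    return addr - BASE

def read_ptr(addr):
    return struct.unpack_from("<Q", MEM, _off(addr))[0]

def write_ptr(addr, value):
    struct.pack_into("<Q", MEM, _off(addr), value)

def read_name(addr):
    return bytes(MEM[_off(addr):_off(addr) + 16]).rstrip(b"\0").decode()

def write_name(addr, name):
    MEM[_off(addr):_off(addr) + 16] = name.encode().ljust(16, b"\0")

# Constructed member offsets; the real ones come from the kernel's symbol table.
HLIST_NEXT, HLIST_PPREV = 0, 8     # struct hlist_node { next; pprev }
LIST_NEXT, LIST_PREV = 0, 8        # struct list_head  { next; prev }
D_CHILDREN = 0x00                  # 6.8+:  struct hlist_head d_children (only 'first')
D_SUBDIRS = 0x10                   # <6.8:  struct list_head  d_subdirs
D_NAME = 0x20                      # child dentry: link struct at +0, name at +0x20

PARENT = BASE
NEW_CHILDREN = [BASE + 0x100, BASE + 0x140, BASE + 0x180]   # linked via d_sib
OLD_CHILDREN = [BASE + 0x200, BASE + 0x240, BASE + 0x280]   # linked via d_child
NAMES = ["bin", "etc", "usr"]

def build_hlist(head_addr, nodes):
    """head.first -> n0 -> n1 ... -> NULL; each pprev points at the 'next' slot
    that leads to the node (the kernel's hlist invariant)."""
    prev_next_slot = head_addr                  # hlist_head.first
    for node in nodes:
        write_ptr(prev_next_slot, node)
        write_ptr(node + HLIST_PPREV, prev_next_slot)
        prev_next_slot = node + HLIST_NEXT
    write_ptr(prev_next_slot, 0)                # NULL terminates the chain

def build_list_head(head_addr, nodes):
    """Circular list_head ring with the head itself as the sentinel."""
    ring = [head_addr] + list(nodes)
    for i, cur in enumerate(ring):
        write_ptr(cur + LIST_NEXT, ring[(i + 1) % len(ring)])
        write_ptr(cur + LIST_PREV, ring[i - 1])

def walk_hlist(head_addr):
    """hlist: follow next until NULL. There is no sentinel to come back to."""
    seen = set()
    node = read_ptr(head_addr)
    while node != 0:
        if node in seen:
            raise ValueError(f"cycle at {node:#x}")
        seen.add(node)
        yield node
        node = read_ptr(node + HLIST_NEXT)

def walk_list_head(head_addr):
    """list_head: follow next until we are back at the head sentinel."""
    seen = set()
    node = read_ptr(head_addr + LIST_NEXT)
    while node != head_addr:
        if node == 0:
            raise ValueError("NULL next pointer reached before returning to head")
        if node in seen:
            raise ValueError(f"cycle at {node:#x}")
        seen.add(node)
        yield node
        node = read_ptr(node + LIST_NEXT)

def verify_hlist(head_addr):
    """Integrity check: every pprev must point at the slot that led to the node."""
    prev_next_slot = head_addr
    node = read_ptr(head_addr)
    while node != 0:
        if read_ptr(node + HLIST_PPREV) != prev_next_slot:
            return False
        prev_next_slot = node + HLIST_NEXT
        node = read_ptr(node + HLIST_NEXT)
    return True

def subdirs_pre_6_8(parent):
    return [read_name(n + D_NAME) for n in walk_list_head(parent + D_SUBDIRS)]

def subdirs_6_8(parent):
    return [read_name(n + D_NAME) for n in walk_hlist(parent + D_CHILDREN)]

def list_head_walker_on_hlist(parent):
    """What a list_head-style walk does when pointed at d_children: it collects
    the children but then trips over the NULL terminator instead of stopping."""
    names = []
    try:
        for n in walk_list_head(parent + D_CHILDREN):
            names.append(read_name(n + D_NAME))
    except ValueError as exc:
        return names, str(exc)
    return names, None

# populate the constructed image
build_hlist(PARENT + D_CHILDREN, NEW_CHILDREN)
build_list_head(PARENT + D_SUBDIRS, OLD_CHILDREN)
for addr, name in zip(NEW_CHILDREN + OLD_CHILDREN, NAMES + NAMES):
    write_name(addr + D_NAME, name)

if __name__ == "__main__":
    print("<6.8 d_subdirs :", subdirs_pre_6_8(PARENT))
    print("6.8+ d_children:", subdirs_6_8(PARENT), "pprev ok:", verify_hlist(PARENT + D_CHILDREN))
    print("list_head walker on hlist:", list_head_walker_on_hlist(PARENT))
```

Run stand-alone it prints the three child names for both layouts, confirms the `pprev` back-links, and then shows the mismatch: the `list_head` walker pointed at `d_children` visits the same three nodes but ends in an error because the chain terminates in NULL rather than looping back to a sentinel. In a real image that NULL would be a read of an invalid address, so a dedicated `hlist` walker, and a `pprev` check before trusting a chain, is the safer shape for the plugin.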

gcmoreira commented 1 month ago

Good catch @dgmcdona! Thanks for the detailed report. What's broken is the dentry cache. The page cache depends on it.