Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Broken access, instance.pointer.member, to i_mapping causes backtrace #1525

Open
atcuno opened this issue Jan 4, 2025 · 0 comments
Open

Broken access, instance.pointer.member, to i_mapping causes backtrace #1525

atcuno opened this issue Jan 4, 2025 · 0 comments
Assignees
@gcmoreira
Labels
parity-release

Comments

@atcuno
Copy link
Contributor

atcuno commented Jan 4, 2025
edited
Loading

I started a run of pagecache.Files against all samples with the d_inode in try/except like in #1516 so that any deeper bugs would be exposed. This is the first of those.

The pagecache plugin does the instance.pointer.member pattern on i_mappings of inode and causes a backtrace on samples.

Note that my PR for the broken cached file hanlding (https://github.com/volatilityfoundation/volatility3/pull/1516/files#diff-dc8047d2b21ebae7092368b7efe49ec11221e192735929c2be49998e31335956R2517) fixes this in get_pages, but it looks like i_mapping should be sent through a new get_i_mapping() like we discussed for dentry, superblock, etc. since it will be a problem every time its accessed.

We don't need PR explosion for no reason, so if the fix for this (accessor + switching current calls to it) becomes part of #1516 then that is fine.

Sample: broken_rhel_load_as_2.zip
Sample 2: gmemday1.dmp
Sample 3: Tillary_email_server.raw

Plugin: linux.pagecache.Files

25-01-04 17:26:59 volatility3.cli DEBUG    Traceback (most recent call last):
  File "/home/ub/volatility3/volatility3/cli/__init__.py", line 501, in run
    renderer.render(grid)
  File "/home/ub/volatility3/volatility3/cli/text_renderer.py", line 232, in render
    grid.populate(visitor, outfd)
  File "/home/ub/volatility3/volatility3/framework/renderers/__init__.py", line 240, in populate
    for level, item in self._generator:
  File "/home/ub/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 354, in format_fields_with_headers
    for level, fields in generator:
  File "/home/ub/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 326, in _generator
    inode_out = inode_in.to_user(vmlinux_layer)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 78, in to_user
    cached_pages = int(self.inode.i_mapping.nrpages)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/objects/__init__.py", line 453, in __getattr__
    return getattr(self.dereference(), attr)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/objects/__init__.py", line 961, in __getattr__
    member = template(context=self._context, object_info=object_info)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/objects/__init__.py", line 168, in __new__
    value = cls._unmarshall(context, data_format, object_info)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/objects/__init__.py", line 202, in _unmarshall
    data = context.layers.read(
           ^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/interfaces/layers.py", line 635, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/layers/linear.py", line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping(
  File "/home/ub/volatility3/volatility3/framework/layers/intel.py", line 302, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(
  File "/home/ub/volatility3/volatility3/framework/layers/intel.py", line 358, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
                                          ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/layers/intel.py", line 162, in _translate
    entry, position = self._translate_entry(offset)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/layers/intel.py", line 210, in _translate_entry
    raise exceptions.PagedInvalidAddressException(
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page directory pointer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gcmoreira gcmoreira

Labels
parity-release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@atcuno @gcmoreira