Update Linux DTB scanner to handle newer Linux kernel versions (>= 5.14-rc1)
Since commit 2f064a5 in the Linux kernel (5.14-rc1) the task state field is no longer called "state" but is instead called "__state".
This commit adds support to first look for "state" and if that is not found, attempt to look for the "__state" field.
This should resolve issues some folks have been having with newer Linux kernel releases.
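A minimal sketch of the fallback lookup described above, added here as an illustration; it is not the code from this PR. The vtypes-style layouts, offsets, member types and helper names are constructed for the example.

```python
import struct

# Candidate names for the task state member, tried in order: the older
# name first, then the name used since Linux 5.14-rc1.
STATE_FIELD_CANDIDATES = ("state", "__state")

# struct formats for the member types used in the sample layouts (little-endian).
FORMATS = {"long": "<q", "unsigned int": "<I", "int": "<i"}

# Constructed sample layouts: {type: [size, {member: [offset, [ctype]]}]}.
OLD_LAYOUT = {"task_struct": [64, {"state": [0, ["long"]], "pid": [16, ["int"]]}]}
NEW_LAYOUT = {"task_struct": [64, {"__state": [24, ["unsigned int"]], "pid": [40, ["int"]]}]}


def resolve_member(vtypes, struct_name, candidates):
    """Return (name, offset, ctype) for the first candidate member that exists."""
    if struct_name not in vtypes:
        raise KeyError("profile has no type %r" % struct_name)
    _size, members = vtypes[struct_name]
    for name in candidates:
        if name in members:
            offset, (ctype,) = members[name]
            return name, offset, ctype
    # Neither name exists: fail loudly instead of scanning with a bad offset.
    raise KeyError("%s has none of: %s" % (struct_name, ", ".join(candidates)))


def read_task_state(vtypes, task_bytes):
    """Read the task state from a raw task_struct buffer using the resolved member."""
    name, offset, ctype = resolve_member(vtypes, "task_struct", STATE_FIELD_CANDIDATES)
    (value,) = struct.unpack_from(FORMATS[ctype], task_bytes, offset)
    return name, value


def sample_task(vtypes, state_value):
    """Build a constructed task_struct buffer holding state_value."""
    size = vtypes["task_struct"][0]
    buf = bytearray(size)
    _name, offset, ctype = resolve_member(vtypes, "task_struct", STATE_FIELD_CANDIDATES)
    struct.pack_into(FORMATS[ctype], buf, offset, state_value)
    return bytes(buf)


if __name__ == "__main__":
    for layout in (OLD_LAYOUT, NEW_LAYOUT):
        print(read_task_state(layout, sample_task(layout, 1)))
```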
Since getting the same error:
Traceback (most recent call last):
  File "vol.py", line 192, in
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/home/odin/Documents/volatility/volatility/plugins/linux/common.py", line 67, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/odin/Documents/volatility/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profsself._config.PROFILE):
  File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in init
    obj.Profile.init(self, *args, **kwargs)
  File "/home/odin/Documents/volatility/volatility/obj.py", line 862, in init
    self.reset()
  File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset
    self.load_vtypes()
  File "/home/odin/Documents/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/home/odin/Documents/volatility/volatility/dwarf.py", line 72, in init
    self.feed_line(line)
  File "/home/odin/Documents/volatility/volatility/dwarf.py", line 163, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/home/odin/Documents/volatility/volatility/dwarf.py", line 267, in process_statement
    d = data['DW_AT_data_member_location']
KeyError: 'DW_AT_data_member_location'
This PR has nothing to do with errors related to "DW_AT_data_member_location". See #828 for a solution to this.
This PR solves the problem of the inability to process newer kernel memory dumps once the correct DWARF debug version is acquired.
It works for me with an Ubuntu_5.15.0-78-generic dump. Huge thanks and I owe you a beer! (or two)