volatilityfoundation
linux.kallsyms Backtrace
I've run into 2 snapshots where running linux.kallsyms crashes the framework. Based on the backtrace, I can see that this probably happens when listing snd_intel8x0's symbols, since running kallsyms with --core finishes correctly.
I can privately provide samples of the snapshots in question.
Edit: Running latest git develop
[...]
0xffffc0916680 r 960 False module snd_intel8x0 __mod_pci__snd_intel8x0_ids_device_table Symbol is in a read only data section
0xffffc090e590 t 16 False module snd_intel8x0 __pfx_cleanup_module Symbol is in the text (code) sectionTraceback (most recent call last):
File "/home/canopus/dev/diss/volatility3/vol.py", line 11, in <module>
volatility3.cli.main()
~~~~~~~~~~~~~~~~~~~~^^
File "/home/canopus/dev/diss/volatility3/volatility3/cli/__init__.py", line 927, in main
CommandLine().run()
~~~~~~~~~~~~~~~~~^^
File "/home/canopus/dev/diss/volatility3/volatility3/cli/__init__.py", line 515, in run
renderer.render(grid)
~~~~~~~~~~~~~~~^^^^^^
File "/home/canopus/dev/diss/volatility3/volatility3/cli/text_renderer.py", line 330, in render
grid.populate(visitor, outfd)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
File "/home/canopus/dev/diss/volatility3/volatility3/framework/renderers/__init__.py", line 317, in populate
for level, item in self._generator:
^^^^^^^^^^^^^^^
File "/home/canopus/dev/diss/volatility3/volatility3/framework/plugins/linux/kallsyms.py", line 112, in _generator
for kassymbol in symbols_generator:
^^^^^^^^^^^^^^^^^
File "/home/canopus/dev/diss/volatility3/volatility3/framework/symbols/linux/kallsyms.py", line 1180, in get_modules_symbols
is_exported = self._is_symbol_exported(sym_name, sym_address, module)
File "/home/canopus/dev/diss/volatility3/volatility3/framework/symbols/linux/kallsyms.py", line 764, in _is_symbol_exported
kernel_symbol = self._find_exported_symbol_in_range(
name, start_mod_ksymtab, stop_mod_ksymtab
)
File "/home/canopus/dev/diss/volatility3/volatility3/framework/symbols/linux/kallsyms.py", line 1090, in _find_exported_symbol_in_range
return self._search_kernel_symbol_object_by_name(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
name,
^^^^^
base=start,
^^^^^^^^^^^
num_elems=num_elems,
^^^^^^^^^^^^^^^^^^^^
)
^
File "/home/canopus/dev/diss/volatility3/volatility3/framework/symbols/linux/kallsyms.py", line 1142, in _search_kernel_symbol_object_by_name
result = self._cmp_kernel_symbol_name(name, kernel_symbol_pivot)
File "/home/canopus/dev/diss/volatility3/volatility3/framework/symbols/linux/kallsyms.py", line 1101, in _cmp_kernel_symbol_name
return self._cmp_symbol_name(name, kernel_symbol.get_name())
~~~~~~~~~~~~~~~~~~~~~~^^
File "/home/canopus/dev/diss/volatility3/volatility3/framework/symbols/linux/extensions/__init__.py", line 3074, in get_name
return self._do_get_name()
~~~~~~~~~~~~~~~~~^^
File "/home/canopus/dev/diss/volatility3/volatility3/framework/symbols/linux/extensions/__init__.py", line 3068, in _do_get_name
return utility.pointer_to_string(
~~~~~~~~~~~~~~~~~~~~~~~~~^
name_offset, linux_constants.KSYM_NAME_LEN, errors="ignore"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/home/canopus/dev/diss/volatility3/volatility3/framework/objects/utility.py", line 90, in pointer_to_string
raise TypeError("pointer_to_string takes a Pointer")
TypeError: pointer_to_string takes a Pointer
Thanks for the report! This is a really interesting bug as we find the member of interest, but then its type is not what we expect. Can you send the exact kernel version for this sample? Its in the symbol table as linux_banner or you can run the banners plugin.
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.11.0-24-generic (buildd@lcy02-amd64-034) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #24~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Mar 25 20:14:34 UTC 2 (Ubuntu 6.11.0-24.24~24.04.1-generic 6.11.11)\n\x00'
This issue is stale because it has been open for 200 days with no activity.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
