Linux: enhance VMA enumeration smearing protection
Hi,
During mass testing, we observed many VMA entries being broken due to smearing. This PR introduces sanity checks to ensure that the extracted values (start, end, length...) are coherent.
Here are a few examples of broken entries that are now filtered out:
{"PID":1057,"Process":"python","Start":9223372037176023143,"End":9223372037176047719,"Flags":"rwx","PgOff":37778931864109161279488,"Major":0,"Minor":0,"Inode":0,"File Path":null,"File output":"Disabled"}
{"End": 140210914017280, "File Path": "/usr/lib/x86_64-linux-gnu/libsmime3.so", "File output": "Disabled", "Flags": "r-x", "Inode": 396487, "Major": 8, "Minor": 1, "PID": 2710, "PgOff": 0, "Process": "thunderbird", "Start": 649032930659012321, "__children": []}
Oh, I missed that, I thought it was all part of the same struct.
Yeah, it will be tricky, but otherwise we need to be really careful about changes (even additions) because any changes down the line will be with us for a couple of years at a minimum and are tricky to clear up. is_valid seems reasonable and not too complex, but it also isn't clear how useful it would be to many others.
I'm not sure how we cope with this? We could do it this way, or could just put the changes into the only consumer of the code at the moment. We probably can't avoid endless bumps, but there's got to be a better way for something as trivial as adding an is_valid method... :S