linux.mountinfo.MountInfo: broken on kernel 6.8+ #1187
Comments
Yes, looks like list is removed. Need to parse via

```c
struct mnt_namespace {
	struct ns_common	ns;
	struct mount *	root;
	struct rb_root		mounts; /* Protected by namespace_sem */
	struct user_namespace	*user_ns;
	struct ucounts		*ucounts;
	u64			seq;	/* Sequence number to prevent loops */
	wait_queue_head_t	poll;
	u64			event;
	unsigned int		nr_mounts; /* # of mounts in the namespace */
	unsigned int		pending_mounts;
} __randomize_layout;
```

Here is the commit where it happened: torvalds/linux@2eea9ce

Bringing the red-black tree parsing to vol3 will be needed to get this working. That's actually quite useful as that is also needed for a few other linux plugins (e.g. a dumpfiles plugin). I'd done a little bit of work on it, but nowhere near close - so someone else should feel free to jump in. 😄

For reference here is some of the rb code in vol2: https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/overlays/linux/linux.py#L1932

Edit: I've just realized that @ptrcnull put all that information in the issue already.
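Added example (not part of the thread and not Volatility's own code): a sketch of the rb-tree walk a plugin needs once `mnt_namespace.mounts` is an `rb_root`, following `rb_left`/`rb_right` from the root and converting each node back to its container address. The memory image is a constructed `{address: bytes}` dict, and `NODE_OFFSET`, `children`, `walk_rb_tree` and `sample_image` are hypothetical names and values chosen for illustration.

```python
import struct

# 64-bit struct rb_node: __rb_parent_color, rb_right, rb_left (8 bytes each).
RB_NODE = struct.Struct("<QQQ")
NODE_OFFSET = 0x10  # constructed offset of the rb_node inside its container


def children(mem, addr):
    """Return (rb_left, rb_right) of the rb_node stored at addr."""
    _parent_color, right, left = RB_NODE.unpack(mem[addr])
    return left, right


def walk_rb_tree(mem, root, node_offset):
    """Yield container addresses in key order, starting at rb_root.rb_node.

    Iterative in-order walk. A node is followed only if it is mapped and not
    yet visited, so a smeared or corrupted image cannot loop forever.
    """
    stack, seen, cur = [], set(), root
    while stack or cur:
        while cur and cur in mem and cur not in seen:
            seen.add(cur)
            stack.append(cur)
            cur = children(mem, cur)[0]
        if not stack:
            break
        node = stack.pop()
        yield node - node_offset  # container_of(node, container, rb_node field)
        cur = children(mem, node)[1]


def sample_image():
    """Constructed three-node tree with two deliberately bad pointers."""
    root, left, right = 0x1010, 0x2010, 0x3010
    mem = {
        root: RB_NODE.pack(1, right, left),       # black root, no parent
        left: RB_NODE.pack(root, 0, 0xDEAD0000),  # rb_left is unmapped
        right: RB_NODE.pack(root, root, 0),       # rb_right loops to root
    }
    return mem, root


if __name__ == "__main__":
    mem, root = sample_image()
    print([hex(a) for a in walk_rb_tree(mem, root, NODE_OFFSET)])
```
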
@ikelos I will handle this soon, please assign this issue to me
Fixed in volatilityfoundation/volatility3!1238. This requires the @ptrcnull patch for dwarf2json from here -> dwarf2json patch
@gcmoreira @Abyss-W4tcher -- can you summarize here where this one is? I see patches to dwarf2json and also #1238. So then:
This issue is related to the rust support in Linux kernel. Ubuntu developers started to incorporate rust bindings, which overlap with some C structures (ex: This does not only impact linux.mountinfo, but any structure which has a rust binding. I proposed a dwarf2json PR right here : volatilityfoundation/dwarf2json#65, but it hasn't been reviewed yet. "My fix" prepends each rust element with a So, latest ISFs will have a "broken" struct declaration, and will need to be regenerated (from what I observed, it only affects some Ubuntu kernels after 6.5).
Describe the bug
The `mnt_namespace.list` field got removed in kernel version 6.8, replaced with an rb-tree at `mnt_namespace.mounts`
Context
Volatility Version: 2.7.1 ( ac5769c )
Operating System: Linux
Python Version: 3.12.2
Suspected Operating System: Ubuntu 24.10
Command: `vol linux.mountinfo`
To Reproduce
Steps to reproduce the behavior:
`fs_struct` type is not converted correctly dwarf2json#57 (comment) to dwarf2json
`linux.mountinfo`
Expected behavior
Mounts are getting printed
Example output