linux.mountinfo.MountInfo: broken on kernel 6.8+ #1187

Closed
ptrcnull opened this issue Jun 29, 2024 · 5 comments · Fixed by #1238
ptrcnull commented Jun 29, 2024

Describe the bug
The mnt_namespace.list field got removed in kernel version 6.8, replaced with an rb-tree at mnt_namespace.mounts.

Context
Volatility Version: 2.7.1 ( ac5769c )
Operating System: Linux
Python Version: 3.12.2
Suspected Operating System: Ubuntu 24.10
Command: vol linux.mountinfo

To Reproduce
Steps to reproduce the behavior:

  1. Acquire a memory dump of Ubuntu 24.10, kernel 6.8 or newer
  2. Extract symbols from the kernel, applying the patch from dwarf2json#57 (comment on "fs_struct type is not converted correctly") to dwarf2json
  3. Try to use linux.mountinfo

Expected behavior
Mounts are getting printed

Example output

Traceback (most recent call last):
  File "/home/patrycja/Downloads/volatility3/vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/patrycja/Downloads/volatility3/volatility3/cli/__init__.py", line 877, in main
    CommandLine().run()
  File "/home/patrycja/Downloads/volatility3/volatility3/cli/__init__.py", line 469, in run
    renderer.render(grid)
  File "/home/patrycja/Downloads/volatility3/volatility3/cli/text_renderer.py", line 198, in render
    grid.populate(visitor, outfd)
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/plugins/linux/mountinfo.py", line 191, in _generator
    for task, mnt, mnt_ns_id in self._get_tasks_mountpoints(
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/plugins/linux/mountinfo.py", line 170, in _get_tasks_mountpoints
    for mount in mnt_namespace.get_mount_points():
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/symbols/linux/extensions/__init__.py", line 1305, in get_mount_points
    for mount in self.list.to_list(mnt_type, "mnt_list"):
                 ^^^^^^^^^
  File "/home/patrycja/Downloads/volatility3/volatility3/framework/objects/__init__.py", line 971, in __getattr__
    raise AttributeError(
AttributeError: StructType has no attribute: symbol_table_name1!mnt_namespace.list
eve-mem (Contributor) commented Jul 12, 2024

Yes, looks like list is removed. Need to parse via rb_root mounts on these versions?

struct mnt_namespace {
	struct ns_common	ns;
	struct mount *	root;
	struct rb_root		mounts; /* Protected by namespace_sem */
	struct user_namespace	*user_ns;
	struct ucounts		*ucounts;
	u64			seq;	/* Sequence number to prevent loops */
	wait_queue_head_t poll;
	u64 event;
	unsigned int		nr_mounts; /* # of mounts in the namespace */
	unsigned int		pending_mounts;
} __randomize_layout;

Here is the commit where it happened: torvalds/linux@2eea9ce

Bringing the red-black tree parsing to vol3 will be needed to get this working. That's actually quite useful as that is also needed for a few other linux plugins (e.g. a dumpfiles plugin). I'd done a little bit of work on it, but nowhere near close - so someone else should feel free to jump in. 😄

For reference here is some of the rb code in vol2: https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/overlays/linux/linux.py#L1932

Edit: I've just realized that @ptrcnull put all that information in the issue already.
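Added example, not Volatility3's or the kernel's code: an in-order walk of mnt_namespace.mounts as a struct rb_root, using container_of() from each embedded rb_node back to struct mount (assumed member name mnt_node), over a constructed fake image with hypothetical offsets (real offsets come from the ISF). Because a walk over a memory dump can land on a corrupted tree, it bounds the traversal by nr_mounts and detects pointer cycles instead of looping forever.

```python
import struct

# Constructed 64-bit layouts for a fake memory image. Real offsets come from the
# kernel's ISF; none of these are Volatility3 API or genuine kernel offsets.
RB_PARENT_COLOR, RB_RIGHT, RB_LEFT = 0, 8, 16   # struct rb_node: __rb_parent_color, rb_right, rb_left
MOUNT_ID_OFF, MOUNT_MNT_NODE_OFF, MOUNT_SIZE = 0, 8, 32    # hypothetical struct mount
NS_MOUNTS_OFF, NS_NR_MOUNTS_OFF, NS_SIZE = 0, 8, 16        # hypothetical mnt_namespace

def read(mem, addr, fmt="<Q"):  # little-endian scalar; u64 by default, "<I" for u32
    return struct.unpack_from(fmt, mem, addr)[0]

def walk_mounts(mem, ns_addr):
    """In-order walk of mnt_namespace.mounts (struct rb_root), returning mount ids.
    Each rb_node is embedded in struct mount, so container_of() recovers the mount.
    Bounded by nr_mounts and a visited set so a corrupted image cannot loop forever."""
    node = read(mem, ns_addr + NS_MOUNTS_OFF)                # rb_root.rb_node
    limit = read(mem, ns_addr + NS_NR_MOUNTS_OFF, "<I")      # unsigned int nr_mounts
    ids, stack, seen = [], [], set()
    while (node or stack) and len(ids) < limit:
        while node:                                          # descend along rb_left
            if node in seen:
                raise ValueError(f"rb_node cycle at {node:#x}")
            seen.add(node)
            stack.append(node)
            node = read(mem, node + RB_LEFT)
        node = stack.pop()
        mount = node - MOUNT_MNT_NODE_OFF                    # container_of(node, mount, mnt_node)
        ids.append(read(mem, mount + MOUNT_ID_OFF, "<I"))
        node = read(mem, node + RB_RIGHT)
    return ids

def build_image(root_id, children):
    """Constructed image: mnt_namespace at 0x0, struct mount objects packed after it.
    children maps mount id -> (left_id, right_id); None means a NULL child pointer."""
    ids = sorted(children)
    addr_of = {mid: NS_SIZE + i * MOUNT_SIZE for i, mid in enumerate(ids)}
    node_of = lambda mid: 0 if mid is None else addr_of[mid] + MOUNT_MNT_NODE_OFF
    mem = bytearray(NS_SIZE + len(ids) * MOUNT_SIZE)
    struct.pack_into("<QI", mem, NS_MOUNTS_OFF, node_of(root_id), len(ids))
    for mid, (left, right) in children.items():
        base = addr_of[mid]
        struct.pack_into("<I", mem, base + MOUNT_ID_OFF, mid)
        struct.pack_into("<QQQ", mem, base + MOUNT_MNT_NODE_OFF, 0, node_of(right), node_of(left))
    return bytes(mem)

LEAVES = {1: (None, None), 3: (None, None), 5: (None, None)}
# Tree ordered by mount id (the kernel orders this tree by id): in-order walk yields sorted ids.
GOOD = build_image(4, {4: (2, 6), 2: (1, 3), 6: (5, None), **LEAVES})
# Same tree, but mount 5's rb_right corrupted to point back at mount 4's node.
BAD = build_image(4, {4: (2, 6), 2: (1, 3), 6: (5, None), **LEAVES, 5: (None, 4)})
```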

gcmoreira (Contributor) commented
@ikelos I will handle this soon, please assign this issue to me

gcmoreira (Contributor) commented
Fixed in volatilityfoundation/volatility3!1238.
@ptrcnull / @eve-mem Could you please check if this works in your environment? Thanks!

This requires the @ptrcnull patch for dwarf2json from here -> dwarf2json patch

ikelos linked a pull request Aug 20, 2024 that will close this issue
atcuno (Contributor) commented Oct 6, 2024

@gcmoreira @Abyss-W4tcher -- can you summarize here where this one is?

I see patches to dwarf2json and also #1238.

So then:

  1. If 1238 is merged/used, does analysis still fail in the same way without the dwarf2json patch and an updated ISF? What happens on current ISFs with just 1238?

  2. If the dwarf2json patch is used to build the ISF what is actually changing compared to previous ISFs?

Abyss-W4tcher (Contributor) commented Oct 6, 2024

This issue is related to the Rust support in the Linux kernel. Ubuntu developers started to incorporate Rust bindings, which overlap with some C structures (ex: fs_struct) in the ISF. This is due to dwarf2json parsing each compile unit (C and Rust) in the same pool. You have the full investigation here: volatilityfoundation/dwarf2json#63.

This does not only impact linux.mountinfo, but any structure which has a Rust binding. I proposed a dwarf2json PR right here: volatilityfoundation/dwarf2json#65, but it hasn't been reviewed yet.

"My fix" prepends each Rust element with a rust. namespace identifier, as proposed by ikelos in the same issue I linked. Again, you can inspect a "before"/"after" ISF linked in the PR to see directly what it looks like.

So, latest ISFs will have a "broken" struct declaration, and will need to be regenerated (from what I observed, it only affects some Ubuntu kernels after 6.5).
