From 9ff9e9bb9103d63cbb278e991209aa11cffc61ce Mon Sep 17 00:00:00 2001
From: Mikael Szreder
Date: Mon, 29 May 2023 15:41:32 +0200
Subject: [PATCH 1/2] Update Linux DTB scanner to handle newer Linux kernel versions

Since commit 2f064a5 in the Linux kernel (5.14-rc1) the task state field is no longer called "state" but is instead called "__state". This commit adds support to first look for "state" and if that is not found, attempt to look for the "__state" field.
---
 volatility/plugins/overlays/linux/linux.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/volatility/plugins/overlays/linux/linux.py b/volatility/plugins/overlays/linux/linux.py
index d0df4ecc3..28f0c9fbb 100644
--- a/volatility/plugins/overlays/linux/linux.py
+++ b/volatility/plugins/overlays/linux/linux.py
@@ -2364,7 +2364,14 @@ def generate_suggestions(self):
 comm_offset = profile.get_obj_offset("task_struct", "comm")
 pid_offset = profile.get_obj_offset("task_struct", "pid")
- state_offset = profile.get_obj_offset("task_struct", "state")
+
+ try:
+ # For Linux kernels < v5.14-rc1
+ state_offset = profile.get_obj_offset("task_struct", "state")
+ except:
+ # For Linux kernels >= v5.14-rc1, based on commit 2f064a59a11ff9bc22e52e9678bc601404c7cb34
+ state_offset = profile.get_obj_offset("task_struct", "__state")
+
 files_offset = profile.get_obj_offset("task_struct", "files")
 mm_offset = profile.get_obj_offset("task_struct", "active_mm")

From d07c69a7811d8e18ab186c9fbdf5b050529d06d2 Mon Sep 17 00:00:00 2001
From: Mikael Szreder
Date: Tue, 30 May 2023 07:41:29 +0200
Subject: [PATCH 2/2] Update Linux DTB scanner with more specific exception catching

Updated try-except to only catch KeyError.
---
 volatility/plugins/overlays/linux/linux.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/volatility/plugins/overlays/linux/linux.py b/volatility/plugins/overlays/linux/linux.py
index 28f0c9fbb..b1d1d87bf 100644
--- a/volatility/plugins/overlays/linux/linux.py
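Review bot: The `__state` fallback on the new side recovers only the member's offset, but the kernel commit cited in the added comment (2f064a59a11f) also changed the field's type from `volatile long` to `unsigned int`; if the DTB scanner later reads the value at `state_offset` with a fixed width or signedness, that read needs the same split, and since the consumer is outside this hunk it should be checked against the scanner body. The bare `except:` introduced here is already narrowed in PATCH 2/2, so nothing further to raise on it. The two version comments are a hint rather than a contract, because the lookup is driven by the profile's vtypes and not by the kernel version string, so a distro kernel that backports the rename will legitimately take the second branch below v5.14; I'd phrase the first as `# "state": profiles built from kernels before the rename in 2f064a59a11f (v5.14-rc1)`. generate_suggestions starts before this hunk and continues past it.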
+++ b/volatility/plugins/overlays/linux/linux.py
@@ -2368,7 +2368,7 @@ def generate_suggestions(self):
 try:
 # For Linux kernels < v5.14-rc1
 state_offset = profile.get_obj_offset("task_struct", "state")
- except:
+ except KeyError:
 # For Linux kernels >= v5.14-rc1, based on commit 2f064a59a11ff9bc22e52e9678bc601404c7cb34
 state_offset = profile.get_obj_offset("task_struct", "__state")
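Review bot: Narrowing to `except KeyError:` assumes `profile.get_obj_offset` reports a missing member as KeyError, which this hunk cannot show; if a missing member surfaces as another exception type the fallback is never reached and the scanner fails on post-5.14 profiles exactly as it did before this series, so the assumption is worth confirming against the profile code and pinning with a short test on a profile that only defines `__state`. A profile carrying neither name now fails inside the fallback with a bare KeyError for `__state`, which hides the fact that `state` was tried first; a comment on the fallback line, `# second lookup: a KeyError here means the profile has neither task_struct.state nor .__state`, or re-raising with a message naming both fields would make that failure legible in a forensics run (avoid `raise ... from`, as this codebase targets Python 2). The hunk's trailing context line was lost in extraction, and the enclosing generate_suggestions starts before and continues after this hunk.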