Merge pull request #1260 from gcmoreira/linux_pidhashtable_plugin_pointer_verification_improvements

ikelos · web-flow · commit 5525ce5b9b2e · 2024-09-15T20:33:48.000+01:00
Linux pidhashtable plugin pointer verification improvements
diff --git a/volatility3/framework/plugins/linux/pidhashtable.py b/volatility3/framework/plugins/linux/pidhashtable.py
@@ -20,7 +20,7 @@ class PIDHashTable(plugins.PluginInterface):
 
     _required_framework_version = (2, 0, 0)
 
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -45,9 +45,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
         ]
 
     def _is_valid_task(self, task) -> bool:
-        vmlinux = self.context.modules[self.config["kernel"]]
-        vmlinux_layer = self.context.layers[vmlinux.layer_name]
-        return bool(task and task.pid > 0 and vmlinux_layer.is_valid(task.parent))
+        return bool(task and task.pid > 0 and task.parent.is_readable())
 
     def _get_pidtype_pid(self):
         vmlinux = self.context.modules[self.config["kernel"]]
@@ -96,7 +94,7 @@ def _walk_upid(self, seen_upids, upid):
             seen_upids.add(upid.vol.offset)
 
             pid_chain = upid.pid_chain
-            if not (pid_chain and vmlinux_layer.is_valid(pid_chain.vol.offset)):
+            if not (pid_chain.next and pid_chain.next.is_readable()):
                 break
 
             upid = linux.LinuxUtilities.container_of(
@@ -105,7 +103,6 @@ def _walk_upid(self, seen_upids, upid):
 
     def _get_upids(self):
         vmlinux = self.context.modules[self.config["kernel"]]
-        vmlinux_layer = self.context.layers[vmlinux.layer_name]
 
         # 2.6.24 <= kernels < 4.15
         pidhash = self._get_pidhash_array()
@@ -115,7 +112,7 @@ def _get_upids(self):
             # each entry in the hlist is a upid which is wrapped in a pid
             ent = hlist.first
 
-            while ent and vmlinux_layer.is_valid(ent.vol.offset):
+            while ent and ent.is_readable():
                 # upid->pid_chain exists 2.6.24 <= kernel < 4.15
                 upid = linux.LinuxUtilities.container_of(
                     ent.vol.offset, "upid", "pid_chain", vmlinux
@@ -143,7 +140,7 @@ def _pid_hash_implementation(self):
                 continue
 
             pid_tasks_0 = pid.tasks[pidtype_pid].first
-            if not pid_tasks_0:
+            if not (pid_tasks_0 and pid_tasks_0.is_readable()):
                 continue
 
             task = vmlinux.object(
@@ -160,7 +157,7 @@ def _task_for_radix_pid_node(self, nodep):
         pidtype_pid = self._get_pidtype_pid()
 
         pid_tasks_0 = pid.tasks[pidtype_pid].first
-        if not pid_tasks_0:
+        if not (pid_tasks_0 and pid_tasks_0.is_readable()):
             return None
 
         task_struct_type = vmlinux.get_type("task_struct")
