dwarf2json rust type confusion sanity check

Abyss-W4tcher · Abyss-W4tcher · commit e739d96a3321 · 2024-10-14T14:03:38.000+02:00
diff --git a/volatility3/schemas/__init__.py b/volatility3/schemas/__init__.py
@@ -6,8 +6,8 @@
 import json
 import logging
 import os
-from typing import Any, Dict, Optional, Set
-
+import re
+from typing import Any, Dict, Optional, Set, Tuple
 from volatility3.framework import constants
 
 vollog = logging.getLogger(__name__)
@@ -77,6 +77,17 @@ def valid(
     input: Dict[str, Any], schema: Dict[str, Any], use_cache: bool = True
 ) -> bool:
     """Validates a json schema."""
+    producer = input.get("metadata", {}).get("producer", {})
+    if producer and producer.get("name") == "dwarf2json":
+        dwarf2json_version = parse_producer_version(producer.get("version", ""))
+        # No warnings if version couldn't be parsed, as it's not our role here
+        # to validate the schema.
+        if dwarf2json_version:
+            if dwarf2json_check_rust_type_confusion(input, dwarf2json_version):
+                vollog.warning(
+                    "This ISF was generated by dwarf2json < 0.9.0, which is known to produce inaccurate results (see dwarf2json GitHub issue #63)."
+                )
+
     input_hash = create_json_hash(input, schema)
     if input_hash in cached_validations and use_cache:
         return True
@@ -98,3 +109,42 @@ def valid(
 
     record_cached_validations(cached_validations)
     return True
+
+
+def parse_producer_version(version_string: str) -> Optional[Tuple[int]]:
+    """Parses a producer version and returns a tuple of identifiers.
+
+    Args:
+        version_string: string containing dot-separated integers,
+    expected to follow the Volatility3 versioning schema
+
+    Returns:
+        A tuple containing each version identifier
+    """
+    identifiers = re.search("^(\\d+)[.](\\d+)[.](\\d+)$", version_string)
+    if not identifiers:
+        return None
+
+    return tuple(int(d) for d in identifiers.groups())
+
+
+# dwarf2json sanity checks #
+def dwarf2json_check_rust_type_confusion(
+    input: Dict[str, Any], dwarf2json_version: Tuple[int]
+) -> bool:
+    """dwarf2json sanity check for Rust and C types confusion:
+     - dwarf2json #63
+     - volatility3 #1305
+
+    Args:
+        dwarf2json_version: a tuple containing each version identifier
+
+    Returns:
+        True if the issue was detected
+    """
+
+    return "rust_helper_BUG" in input.get("symbols", {}) and dwarf2json_version < (
+        0,
+        9,
+        0,
+    )
