From 55b27a68d5918abdba557db3aa0dcf02b4b2eae9 Mon Sep 17 00:00:00 2001 From: Andrew Case Date: Fri, 31 Jan 2025 18:10:12 +0000 Subject: [PATCH 1/2] Add mnt_parent check to kernel version validation --- volatility3/framework/symbols/linux/extensions/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py index 8893e6e52f..232e905b8e 100644 --- a/volatility3/framework/symbols/linux/extensions/__init__.py +++ b/volatility3/framework/symbols/linux/extensions/__init__.py @@ -1574,7 +1574,7 @@ def _is_kernel_prior_to_struct_mount(self) -> bool: 'True' if the kernel lacks the 'mount' struct, typically indicating kernel < 3.3. """ - return not self._context.symbol_space.has_type("mount") + return (not self._context.symbol_space.has_type("mount")) and self.has_member("mnt_parent") def is_equal(self, vfsmount_ptr) -> bool: """Helper to make sure it is comparing two pointers to 'vfsmount'. From 1132bd98304abf87b5ce1812309344047f5a907c Mon Sep 17 00:00:00 2001 From: Andrew Case Date: Fri, 31 Jan 2025 18:11:22 +0000 Subject: [PATCH 2/2] Add mnt_parent check to kernel version validation --- volatility3/framework/symbols/linux/extensions/__init__.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py index 232e905b8e..7103a2068e 100644 --- a/volatility3/framework/symbols/linux/extensions/__init__.py +++ b/volatility3/framework/symbols/linux/extensions/__init__.py @@ -1574,7 +1574,9 @@ def _is_kernel_prior_to_struct_mount(self) -> bool: 'True' if the kernel lacks the 'mount' struct, typically indicating kernel < 3.3. """ - return (not self._context.symbol_space.has_type("mount")) and self.has_member("mnt_parent") + return (not self._context.symbol_space.has_type("mount")) and self.has_member( + "mnt_parent" + ) def is_equal(self, vfsmount_ptr) -> bool: """Helper to make sure it is comparing two pointers to 'vfsmount'.