Skip to content

Prevent backtraces when kthread full name is smeared #1592

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ikelos merged 1 commit into from
Feb 1, 2025
Merged

Prevent backtraces when kthread full name is smeared #1592

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 16 additions & 9 deletions volatility3/framework/plugins/linux/kthreads.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,28 +72,35 @@ def _generator(self):

if task.has_member("worker_private"):
# kernels >= 5.17 e32cf5dfbe227b355776948b2c9b5691b84d1cbd
ktread_base_pointer = task.worker_private
kthread_base_pointer = task.worker_private
else:
# 5.8 <= kernels < 5.17 in 52782c92ac85c4e393eb4a903a62e6c24afa633f threadfn
# was added to struct kthread. task.set_child_tid is safe on those versions.
ktread_base_pointer = task.set_child_tid
kthread_base_pointer = task.set_child_tid

if not ktread_base_pointer.is_readable():
if not kthread_base_pointer.is_readable():
continue

kthread = ktread_base_pointer.dereference().cast("kthread")
kthread = kthread_base_pointer.dereference().cast("kthread")
threadfn = kthread.threadfn
if not (threadfn and threadfn.is_readable()):
continue

task_name = utility.array_to_string(task.comm)

thread_name = task_name

# kernels >= 5.17 in d6986ce24fc00b0638bd29efe8fb7ba7619ed2aa full_name was added to kthread
thread_name = (
utility.pointer_to_string(kthread.full_name, count=255)
if kthread.has_member("full_name")
else task_name
)
if kthread.has_member("full_name"):
try:
thread_name = utility.pointer_to_string(
kthread.full_name, count=255
)
except exceptions.InvalidAddressException:
vollog.debug(
f"full_name pointer for thread at {kthread.vol.offset:#x} is paged out."
)

module_name, symbol_name = (
linux_utilities_modules.Modules.lookup_module_address(
self.context, vmlinux.name, handlers, threadfn
Expand Down
Loading