Update fbdev plugin to gracefully handle old/broken symbol tables #1686

Open
wants to merge 2 commits into
base: develop
20 changes: 13 additions & 7 deletions volatility3/framework/plugins/linux/graphics/fbdev.py
Expand Up @@ -255,22 +255,28 @@ def _generator(self):
vollog.error(
"PIL (pillow) module is required to use this plugin. Please install it manually or through pyproject.toml."
)
return None
return

kernel_name = self.config["kernel"]
kernel = self.context.modules[kernel_name]

if not kernel.has_symbol("num_registered_fb"):
raise exceptions.SymbolError(
"num_registered_fb",
kernel.symbol_table_name,
"The provided symbol does not exist in the symbol table. This means you are either analyzing an unsupported kernel version or that your symbol table is corrupt.",
vollog.error(
'"num_registered_fb" symbol does not exist in the symbol table. This means you are either analyzing an unsupported kernel version, your symbol table is corrupt, or the fbdev driver is compiled as a kernel module.'
)
return

try:
num_registered_fb = kernel.object_from_symbol("num_registered_fb")
except exceptions.SymbolError:
vollog.error(
Member

Do we know the exact lowest required version number of dwarf2json? I think we've got code that can check and warn on such things? (see here)

Contributor Author

Hmm, the thing there is that, if the fbdev driver is compiled into the kernel, then the plugin will work with the old symbol tables. The object_from_symbol call only fails when both conditions are met (compiled as module + old symbol table).

Member

Ok, so then the check belongs in here? The point is we should be able to tell whether their symbol table is too old or if that's not the problem?

'Creating an object from "num_registered_fb" caused a symbol error. This is a sign that the symbol table is outdated. Please re-generate your symbol table using the latest dwarf2json'
)
return

num_registered_fb = kernel.object_from_symbol("num_registered_fb")
if num_registered_fb < 1:
vollog.info("No registered framebuffer in the fbdev API.")
return None
return

registered_fb = kernel.object_from_symbol("registered_fb")
fb_info_list = utility.array_of_pointers(
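Review bot: the new try/except covers only the `num_registered_fb` lookup, while the unchanged `registered_fb = kernel.object_from_symbol("registered_fb")` near the end of the hunk has neither a `has_symbol` check nor a `SymbolError` handler. If that lookup can fail for the same reason, the plugin would still raise there instead of logging and returning, so consider putting both `object_from_symbol` calls in the same try block or adding the equivalent guard for `registered_fb`. The except branch's message also names an outdated symbol table as the cause of any `SymbolError`, whereas the `has_symbol` message just above lists three possible causes; wording it as one likely cause, or including the caught exception's text in the log line, would keep the two messages consistent.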