Fixed a bug where Linux task address spaces wouldn't inherit the profile.

parkisan · parkisan · commit 4cdeec0bb7c0 · 2015-09-09T08:38:41.000-07:00
Fixed a bug where get_available_addresses in the XEN AS would return MFNs, breaking plugins that depend on it, like memdump. Fixed an issue where phys_addr in Linux profiles would return negative values. BUG= R=scudette@gmail.com Review URL: https://codereview.appspot.com/264190043
diff --git a/rekall-core/rekall/plugins/addrspaces/amd64.py b/rekall-core/rekall/plugins/addrspaces/amd64.py
@@ -325,7 +325,6 @@ class XenParaVirtAMD64PagedMemory(AMD64PagedMemory):
     def __init__(self, **kwargs):
         super(XenParaVirtAMD64PagedMemory, self).__init__(**kwargs)
         self.page_offset = self.session.GetParameter("page_offset")
-        self.m2p_mapping = {}
         self._xen_features = None
         self.rebuilding_map = False
         if self.page_offset:
@@ -386,13 +385,17 @@ def _RebuildM2PMapping(self):
         reference.
         """
 
-        self.session.logging.debug(
-            "Rebuilding the machine to physical mapping...")
+        if self.session.GetParameter("m2p_mapping"):
+          return
 
         if self.rebuilding_map:
             raise RuntimeError("RebuildM2PMapping recursed... aborting.")
 
         self.rebuilding_map = True
+
+        self.session.logging.debug(
+            "Rebuilding the machine to physical mapping...")
+
         try:
             p2m_top_location = self.session.profile.get_constant_object(
                 "p2m_top", "Pointer", vm=self)
@@ -507,9 +510,9 @@ def _RebuildM2PMapping(self):
                             continue
 
                         new_mapping[mfn] = pfn
-
-            self.m2p_mapping = new_mapping
-            self.session.SetCache("mapping", self.m2p_mapping)
+            self.session.logging.debug("Caching m2p_mapping (%d entries)...",
+                                       len(new_mapping))
+            self.session.SetCache("m2p_mapping", new_mapping)
         finally:
             self.rebuilding_map = False
 
@@ -529,13 +532,14 @@ def m2p(self, machine_address):
         This translates host physical addresses to guest physical.
         Requires a machine to physical mapping to have been calculated.
         """
-        if not self.m2p_mapping:
+        m2p_mapping = self.session.GetParameter("m2p_mapping", cached=True)
+        if not m2p_mapping:
           self._RebuildM2PMapping()
         machine_address = obj.Pointer.integer_to_address(machine_address)
         mfn = machine_address / 0x1000
-        pfn = self.m2p_mapping.get(mfn)
+        pfn = m2p_mapping.get(mfn)
         if pfn is None:
-            return 0
+            return obj.NoneObject("No PFN mapping found for MFN %d" % mfn)
         return (pfn * 0x1000) | (0xFFF & machine_address)
 
     def read_pte(self, vaddr, collection=None):
@@ -551,7 +555,7 @@ def read_pte(self, vaddr, collection=None):
     def vtop(self, vaddr):
         vaddr = obj.Pointer.integer_to_address(vaddr)
 
-        if not self.session.GetParameter("mapping"):
+        if not self.session.GetParameter("m2p_mapping"):
             # Simple shortcut for linux. This is required for the first set
             # of virtual to physical resolutions while we're building the
             # mapping.
@@ -565,3 +569,28 @@ def vtop(self, vaddr):
                 self._RebuildM2PMapping()
 
         return super(XenParaVirtAMD64PagedMemory, self).vtop(vaddr)
+
+    def _get_available_PTEs(self, pte_table, vaddr, start=0):
+        """Returns PFNs for each PTE entry."""
+        tmp3 = vaddr
+        for i, pte_value in enumerate(pte_table):
+            # Each of the PTE values has to be translated back to a PFN, since
+            # they are MFNs.
+            pte_value = self.m2p(pte_value)
+
+            # When no translation was found, we skip the PTE, since we don't
+            # know where it's pointing to.
+            if pte_value == None:
+                continue
+
+            if not pte_value & self.valid_mask:
+                continue
+
+            vaddr = tmp3 | i << 12
+            next_vaddr = tmp3 | ((i + 1) << 12)
+            if start >= next_vaddr:
+                continue
+
+            yield (vaddr,
+                   (pte_value & 0xffffffffff000) | (vaddr & 0xfff),
+                   0x1000)
diff --git a/rekall-core/rekall/plugins/overlays/linux/linux.py b/rekall-core/rekall/plugins/overlays/linux/linux.py
@@ -734,7 +734,7 @@ def get_process_address_space(self):
         try:
             process_as = self.obj_vm.__class__(
                 base=self.obj_vm.base, session=self.obj_vm.session,
-                dtb=directory_table_base)
+                dtb=directory_table_base, profile=self.obj_profile)
 
         except AssertionError:
             return obj.NoneObject("Unable to get process AS")
@@ -1099,9 +1099,14 @@ def phys_addr(self, va):
         phys_addr detects the relocation and returns the correct physical
         address.
         """
-        return (obj.Pointer.integer_to_address(va)
-                - obj.Pointer.integer_to_address(self.GetPageOffset())
-                + self.GetRelocationDelta())
+        va_addr = obj.Pointer.integer_to_address(va)
+        page_offset_addr = obj.Pointer.integer_to_address(
+            self.GetPageOffset())
+
+        if va_addr >= page_offset_addr:
+            return (va_addr - page_offset_addr + self.GetRelocationDelta())
+        else:
+            return obj.NoneObject("Unable to translate VA 0x%x", va)
 
     def GetRelocationDelta(self):
         """Returns the number of bytes the kernel base is shifted."""
