volatilityfoundation · Abyss-W4tcher · Apr 15, 2025 · Apr 15, 2025 · Apr 15, 2025 · Apr 15, 2025
diff --git a/volatility3/framework/constants/linux/__init__.py b/volatility3/framework/constants/linux/__init__.py
@@ -432,6 +432,17 @@ def flags(self) -> str:
 VMCOREINFO_MAGIC_ALIGNED = VMCOREINFO_MAGIC + b"\x00"
 OSRELEASE_TAG = b"OSRELEASE="
 
+ATTRIBUTE_NAME_MAX_SIZE = 255
+"""
+In 5.9-rc1+, the Linux kernel limits the READ size of a section bin_attribute name to MODULE_SECT_READ_SIZE:
+
+- https://elixir.bootlin.com/linux/v6.15-rc4/source/kernel/module/sysfs.c#L106
+- https://github.com/torvalds/linux/commit/11990a5bd7e558e9203c1070fc52fb6f0488e75b
+
+However, the raw section name loaded from the .ko ELF can in theory be thousands of characters,
+and unless we do a NULL terminated search we can't set a perfect value.
+"""
+
 
 @dataclass
 class TaintFlag:

diff --git a/volatility3/framework/objects/utility.py b/volatility3/framework/objects/utility.py
@@ -3,11 +3,13 @@
 #
 
 import re
-
+import logging
 from typing import Optional, Union
 
 from volatility3.framework import interfaces, objects, constants, exceptions
 
+vollog = logging.getLogger(__name__)
+
 
 def rol(value: int, count: int, max_bits: int = 64) -> int:
     """A rotate-left instruction in Python"""
@@ -250,3 +252,50 @@ def array_of_pointers(
     ).clone()
     subtype_pointer.update_vol(subtype=subtype)
     return array.cast("array", count=count, subtype=subtype_pointer)
+
+
+def dynamically_sized_array_of_pointers(
+    context: interfaces.context.ContextInterface,
+    array: interfaces.objects.ObjectInterface,
+    iterator_guard_value: int,
+    subtype: Union[str, interfaces.objects.Template],
+    stop_value: int = 0,
+    stop_on_invalid_pointers: bool = True,
+) -> interfaces.objects.ObjectInterface:
+    """Iterates over a dynamically sized array of pointers (e.g. NULL-terminated).
+    Array iteration should always be performed with an arbitrary guard value as maximum size,
+    to prevent running forever in case something unexpected happens.
+
+        Args:
+            context: The context on which to operate.
+            array: The object to cast to an array.
+            iterator_guard_value: Stop iterating when the iterator index is greater than this value. This is an extra-safety against smearing.
+            subtype: The subtype of the array's pointers.
+            stop_value: Stop value used to determine when to terminate iteration once it is encountered. Defaults to 0 (NULL-terminated arrays).
+            stop_on_invalid_pointers: Determines whether to stop iterating or not when an invalid pointer is encountered. This can be useful for arrays
+    that are known to have smeared entries before the end.
+
+        Returns:
+            An array of pointer objects
+    """
+    new_count = 0
+    for entry in array_of_pointers(
 object_info = interfaces.objects.ObjectInformation( 
     layer_name=self.vol.layer_name, 
     offset=mask & (self.vol.offset + (self.vol.subtype.size * index)), 
     parent=self, 
     native_layer_name=self.vol.native_layer_name or self.vol.layer_name, 
     size=self.vol.subtype.size, 
 ) 
 result += [self.vol.subtype(context=self._context, object_info=object_info)] 
 object_info = interfaces.objects.ObjectInformation( 
     layer_name=self.vol.layer_name, 
     offset=mask & (self.vol.offset + (self.vol.subtype.size * index)), 
     parent=self, 
     native_layer_name=self.vol.native_layer_name or self.vol.layer_name, 
     size=self.vol.subtype.size, 
 ) 
 result += [self.vol.subtype(context=self._context, object_info=object_info)] 
+        array=array, count=iterator_guard_value, subtype=subtype, context=context
+    ):
+        # "entry" is naturally represented by the address that the pointer refers to
+        if (entry == stop_value) or (
+            not entry.is_readable() and stop_on_invalid_pointers
+        ):
+            break
+        new_count += 1
+    else:
+        vollog.log(
+            constants.LOGLEVEL_V,
+            f"""Iterator guard value {iterator_guard_value} reached while iterating over array at offset {array.vol.offset:#x}.\
+ This means that there is a bug (e.g. smearing) with this array, or that it may contain valid entries past the iterator guard value.""",
+        )
+
+    # Leverage the "Array" object instead of returning a Python list
+    return array_of_pointers(
+        array=array, count=new_count, subtype=subtype, context=context
+    )
diff --git a/volatility3/framework/plugins/linux/module_extract.py b/volatility3/framework/plugins/linux/module_extract.py
@@ -4,8 +4,8 @@
 import logging
 from typing import List
 
+import volatility3.framework.symbols.linux.utilities.modules as linux_utilities_modules
 from volatility3 import framework
-import volatility3.framework.symbols.linux.utilities.module_extract as linux_utilities_module_extract
 from volatility3.framework import interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
@@ -17,7 +17,7 @@
 class ModuleExtract(interfaces.plugins.PluginInterface):
     """Recreates an ELF file from a specific address in the kernel"""
 
-    _version = (1, 0, 0)
+    _version = (1, 0, 1)
     _required_framework_version = (2, 25, 0)
 
     framework.require_interface_version(*_required_framework_version)
@@ -37,9 +37,9 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
                 optional=False,
             ),
             requirements.VersionRequirement(
-                name="linux_utilities_module_extract",
-                version=(1, 0, 0),
-                component=linux_utilities_module_extract.ModuleExtract,
+                name="linux_utilities_modules_module_extract",
+                version=(1, 0, 2),
+                component=linux_utilities_modules.ModuleExtract,
             ),
         ]
 
@@ -58,7 +58,7 @@ def _generator(self):
 
         module = kernel.object(object_type="module", offset=base_address, absolute=True)
 
-        elf_data = linux_utilities_module_extract.ModuleExtract.extract_module(
+        elf_data = linux_utilities_modules.ModuleExtract.extract_module(
             self.context, self.config["kernel"], module
         )
         if not elf_data:

diff --git a/volatility3/framework/symbols/linux/__init__.py b/volatility3/framework/symbols/linux/__init__.py
@@ -52,7 +52,6 @@ def __init__(self, *args, **kwargs) -> None:
         self.set_type_class("idr", extensions.IDR)
         self.set_type_class("address_space", extensions.address_space)
         self.set_type_class("page", extensions.page)
-        self.set_type_class("module_sect_attr", extensions.module_sect_attr)
 
         # Might not exist in the current symbols
         self.optional_set_type_class("module", extensions.module)
@@ -61,6 +60,8 @@ def __init__(self, *args, **kwargs) -> None:
         self.optional_set_type_class("kernel_cap_struct", extensions.kernel_cap_struct)
         self.optional_set_type_class("kernel_cap_t", extensions.kernel_cap_t)
         self.optional_set_type_class("scatterlist", extensions.scatterlist)
+        self.optional_set_type_class("module_sect_attr", extensions.module_sect_attr)
+        self.optional_set_type_class("bin_attribute", extensions.bin_attribute)
 
         # kernels >= 4.18
         self.optional_set_type_class("timespec64", extensions.timespec64)

diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -179,41 +179,64 @@ def get_name(self) -> Optional[str]:
             return None
 
     def _get_sect_count(self, grp: interfaces.objects.ObjectInterface) -> int:
-        """Try to determine the number of valid sections"""
-        symbol_table_name = self.get_symbol_table_name()
-        arr = self._context.object(
-            symbol_table_name + constants.BANG + "array",
-            layer_name=self.vol.layer_name,
-            offset=grp.attrs,
-            subtype=self._context.symbol_space.get_type(
-                symbol_table_name + constants.BANG + "pointer"
-            ),
-            count=25,
-        )
+        """Try to determine the number of valid sections. Support for kernels > 6.14-rc1.
+
+        Resources:
+            - https://github.com/torvalds/linux/commit/d8959b947a8dfab1047c6fd5e982808f65717bfe
+            - https://github.com/torvalds/linux/commit/e0349c46cb4fbbb507fa34476bd70f9c82bad359
+        """
+
+        if grp.has_member("bin_attrs"):
+            arr_offset_ptr = grp.bin_attrs
+            arr_subtype = "bin_attribute"
+        else:
+            arr_offset_ptr = grp.attrs
+            arr_subtype = "attribute"
+
+        if not arr_offset_ptr.is_readable():
+            vollog.log(
+                constants.LOGLEVEL_V,
+                f"Cannot dereference the pointer to the NULL-terminated list of binary attributes for module at offset {self.vol.offset:#x}",
+            )
+            return 0
 
-        idx = 0
-        while arr[idx] and arr[idx].is_readable():
-            idx = idx + 1
-        return idx
+        # We chose 100 as an arbitrary guard value to prevent
+        # looping forever in extreme cases, and because 100 is not expected
+        # to be a valid number of sections. If that still happens,
+        # Vol3 module processing will indicate that it is missing information
+        # with the following message:
+        # "Unable to reconstruct the ELF for module struct at"
+        # See PR #1773 for more information.
+        bin_attrs_list = utility.dynamically_sized_array_of_pointers(
+            context=self._context,
+            array=arr_offset_ptr.dereference(),
+            iterator_guard_value=100,
+            subtype=self.get_symbol_table_name() + constants.BANG + arr_subtype,
+        )
+        return len(bin_attrs_list)
 
     @functools.cached_property
     def number_of_sections(self) -> int:
+        # Dropped in 6.14-rc1: d8959b947a8dfab1047c6fd5e982808f65717bfe
         if self.sect_attrs.has_member("nsections"):
             return self.sect_attrs.nsections
 
         return self._get_sect_count(self.sect_attrs.grp)
 
     def get_sections(self) -> Iterable[interfaces.objects.ObjectInterface]:
         """Get a list of section attributes for the given module."""
+        if self.number_of_sections == 0:
+            vollog.debug(
+                f"Invalid number of sections ({self.number_of_sections}) for module at offset {self.vol.offset:#x}"
+            )
+            return []
 
         symbol_table_name = self.get_symbol_table_name()
         arr = self._context.object(
             symbol_table_name + constants.BANG + "array",
             layer_name=self.vol.layer_name,
             offset=self.sect_attrs.attrs.vol.offset,
-            subtype=self._context.symbol_space.get_type(
-                symbol_table_name + constants.BANG + "module_sect_attr"
-            ),
+            subtype=self.sect_attrs.attrs.vol.subtype,
             count=self.number_of_sections,
         )
 
@@ -3157,22 +3180,28 @@ def get_name(self) -> Optional[str]:
         """
         if hasattr(self, "battr"):
             try:
-                return utility.pointer_to_string(self.battr.attr.name, count=32)
+                return utility.pointer_to_string(
+                    self.battr.attr.name, count=linux_constants.ATTRIBUTE_NAME_MAX_SIZE
+                )
             except exceptions.InvalidAddressException:
                 # if battr is present then its name attribute needs to be valid
                 vollog.debug(f"Invalid battr name for section at {self.vol.offset:#x}")
                 return None
 
         elif self.name.vol.type_name == "array":
             try:
-                return utility.array_to_string(self.name, count=32)
+                return utility.array_to_string(
+                    self.name, count=linux_constants.ATTRIBUTE_NAME_MAX_SIZE
+                )
             except exceptions.InvalidAddressException:
                 # specifically do not return here to give `mattr` a chance
                 vollog.debug(f"Invalid direct name for section at {self.vol.offset:#x}")
 
         elif self.name.vol.type_name == "pointer":
             try:
-                return utility.pointer_to_string(self.name, count=32)
+                return utility.pointer_to_string(
+                    self.name, count=linux_constants.ATTRIBUTE_NAME_MAX_SIZE
+                )
             except exceptions.InvalidAddressException:
                 # specifically do not return here to give `mattr` a chance
                 vollog.debug(
@@ -3182,10 +3211,33 @@ def get_name(self) -> Optional[str]:
         # if everything else failed...
         if hasattr(self, "mattr"):
             try:
-                return utility.pointer_to_string(self.mattr.attr.name, count=32)
+                return utility.pointer_to_string(
+                    self.mattr.attr.name, count=linux_constants.ATTRIBUTE_NAME_MAX_SIZE
+                )
             except exceptions.InvalidAddressException:
                 vollog.debug(
                     f"Unresolvable name for for section at {self.vol.offset:#x}"
                 )
 
         return None
+
+
+class bin_attribute(objects.StructType):
+    def get_name(self) -> Optional[str]:
+        """
+        Performs extraction of the bin_attribute name
+        """
+        try:
+            return utility.pointer_to_string(
+                self.attr.name, count=linux_constants.ATTRIBUTE_NAME_MAX_SIZE
+            )
+        except exceptions.InvalidAddressException:
+            vollog.debug(f"Invalid attr name for bin_attribute at {self.vol.offset:#x}")
+            return None
+
+    @property
+    def address(self) -> int:
+        """Equivalent to module_sect_attr.address:
+        - https://github.com/torvalds/linux/commit/4b2c11e4aaf7e3d7fd9ce8e5995a32ff5e27d74f
+        """
+        return self.private