ValueError: negative shift count for volshell.py dt( ps()[0] ) #1065

Open
phillip-at-work opened this issue Dec 18, 2023 · 2 comments

Describe the bug
Attempting to display_type for ps() layer returns ValueError: negative shift count.

Context
Volatility Version: Volshell (Volatility 3 Framework) 2.5.2
Operating System: MacOS 13.6
Python Version: 3.8.18
Suspected Operating System: Alpine Linux 3.17.3 (v5.15.105-virt kernel)
Command: dt( ps()[0] )

To Reproduce
Steps to reproduce the behavior:

  1. Create a type=padded memory image on the target machine
  2. On the MacOS host, navigate to volatility3 directory
  3. $ python volshell.py -f /Users/indigo/Projects/alpine-mem-dump/alpine-memory-dump-padded.lime -l
  4. In the resulting interactive shell, run >>> dt( ps()[0] )

Expected behavior
Expected a table of memory offsets, symbols and types to print to the terminal for the given layer.

Example output
```
(layer_name) >>> dt( ps()[0] )
symbol_table_name1!task_struct (11072 bytes)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/indigo/Projects/volatility3/volatility3/cli/volshell/linux.py", line 70, in display_type
    return super().display_type(object, offset)
  File "/Users/indigo/Projects/volatility3/volatility3/cli/volshell/generic.py", line 387, in display_type
    self._display_value(getattr(volobject, member)),
  File "/Users/indigo/Projects/volatility3/volatility3/framework/objects/__init__.py", line 964, in __getattr__
    member = template(context=self._context, object_info=object_info)
  File "/Users/indigo/Projects/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
  File "/Users/indigo/Projects/volatility3/volatility3/framework/objects/__init__.py", line 525, in __new__
    return int.__new__(cls, ((value & ((1 << end_bit) - 1)) >> start_bit))  # type: ignore
ValueError: negative shift count
```

Additional information
When testing an Ubuntu 16 memory dump, I see the expected behavior I describe above. I can fix the issue for the Alpine memory image by revising this module: /Users/indigo/Projects/volatility3/volatility3/framework/objects/__init__.py

To include the indicated lines:

```python
def __new__(
    cls,
    context: interfaces.context.ContextInterface,
    type_name: str,
    object_info: interfaces.objects.ObjectInformation,
    base_type: interfaces.objects.Template,
    start_bit: int = 0,
    end_bit: int = 0,
    **kwargs,
) -> "BitField":
    value = base_type(context=context, object_info=object_info)
    if start_bit < 0:  # ADD THIS
        start_bit = 0  # ADD THIS
    if end_bit < 0:  # ADD THIS
        end_bit = 0  # ADD THIS
    return int.__new__(cls, ((value & ((1 << end_bit) - 1)) >> start_bit))  # type: ignore
```

But I suspect this is a hacky workaround. Perhaps worthy of further scrutiny.
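
Added example, not part of the original post and not Volatility 3 code: it reproduces the bitfield expression from the traceback, shows that clamping negative bounds to 0 replaces the error with a silent, wrong value, and scans a symbol table for the bitfield definitions that would trigger it. The function names and the sample table are constructed; the `user_types` / `fields` / `bit_position` / `bit_length` layout is an assumption based on the ISF JSON format.

```python
# Added example: hypothetical helper names, constructed sample data.

def extract_bits(value: int, start_bit: int, end_bit: int) -> int:
    """The expression from the traceback: keep bits [start_bit, end_bit)."""
    return (value & ((1 << end_bit) - 1)) >> start_bit


def extract_bits_clamped(value: int, start_bit: int, end_bit: int) -> int:
    """The workaround from the post: negative bounds are forced to 0."""
    return extract_bits(value, max(start_bit, 0), max(end_bit, 0))


def find_bad_bitfields(isf: dict) -> list:
    """Return (type, field, bit_position, bit_length) for negative bounds."""
    bad = []
    for type_name, type_def in isf.get("user_types", {}).items():
        for field_name, field in type_def.get("fields", {}).items():
            ftype = field.get("type", {})
            if ftype.get("kind") != "bitfield":
                continue
            pos = ftype.get("bit_position", 0)
            length = ftype.get("bit_length", 0)
            if pos < 0 or length < 0:
                bad.append((type_name, field_name, pos, length))
    return bad


# Constructed sample: one sane bitfield, one with a negative position.
SAMPLE_ISF = {
    "user_types": {
        "task_struct": {
            "size": 16,
            "fields": {
                "good_flag": {"offset": 0, "type": {
                    "kind": "bitfield", "bit_position": 3, "bit_length": 2,
                    "type": {"kind": "base", "name": "unsigned int"}}},
                "bad_flag": {"offset": 4, "type": {
                    "kind": "bitfield", "bit_position": -24, "bit_length": 1,
                    "type": {"kind": "base", "name": "unsigned int"}}},
                "pid": {"offset": 8, "type": {"kind": "base", "name": "int"}},
            },
        }
    }
}

if __name__ == "__main__":
    for hit in find_bad_bitfields(SAMPLE_ISF):
        print("suspicious bitfield:", hit)
```

With a negative `end_bit` the clamped mask is `(1 << 0) - 1 == 0`, so the field always reads as 0 whatever the memory holds; listing the offending fields in the symbol file shows which members of a structure cannot be trusted in an analysis.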

eve-mem (Contributor) commented Dec 18, 2023

Hello @indigo-pc - I'm quite sure that is related to this dwarf2json issue - volatilityfoundation/dwarf2json#49

I'm not sure there is a full fix for it yet unfortunately.

@martinclauss

Hey all!

I encountered the same issue:

```
root@f2cf2fc13a15:/opt/vol/volatility3# ./volshell.py -f /io/dumps/bpfvol3-archlinux-6.6.7-arch1-1_1703148059.dump -l
Volshell (Volatility 3 Framework) 2.5.2
Readline imported successfully  Stacking attempts finished

    Call help() to see available functions

    Volshell mode        : Linux
    Current Layer        : layer_name
    Current Symbol Table : symbol_table_name1
    Current Kernel Name  : kernel

(layer_name) >>> dt(ps()[0])
symbol_table_name1!task_struct (11584 bytes)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/opt/vol/volatility3/volatility3/cli/volshell/linux.py", line 70, in display_type
    return super().display_type(object, offset)
  File "/opt/vol/volatility3/volatility3/cli/volshell/generic.py", line 387, in display_type
    self._display_value(getattr(volobject, member)),
  File "/opt/vol/volatility3/volatility3/framework/objects/__init__.py", line 955, in __getattr__
    member = template(context=self._context, object_info=object_info)
  File "/opt/vol/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
  File "/opt/vol/volatility3/volatility3/framework/objects/__init__.py", line 521, in __new__
    return int.__new__(cls, ((value & ((1 << end_bit) - 1)) >> start_bit))  # type: ignore
ValueError: negative shift count
```

I've uploaded some files that could be helpful for debugging on your side (or the dwarf2json devs):
https://uni-bonn.sciebo.de/s/zUVwXoctEaEg48u

Thanks a lot!
