Hi everybody,
My apologies if this has been addressed in a previous patch, but I had
a Volatility crash today. The system died because a module created a
BufferAddressSpace of n bytes and then attempted to read more than
n bytes from it. The problem appears to be that the FileAddressSpace
class does not check that the requested read address exists in the
file (or buffer). Here's a patch to fix it:
$ svn diff forensics/addrspace.py
Index: forensics/addrspace.py
===================================================================
--- forensics/addrspace.py (revision 16)
+++ forensics/addrspace.py (working copy)
@@ -1,6 +1,6 @@
# Volatility
# Copyright (C) 2007,2008 Volatile Systems
-#
+
# Original Source:
# Copyright (C) 2004,2005,2006 4tphi Research
# Author: {npetroni,awalters}(a)4tphi.net (Nick Petroni and AAron Walters)
@@ -51,15 +51,28 @@
return self.fast_fhandle.read(len)
def read(self, addr, len):
+ '''
+ Read and return len bytes from the address addr.
+ If any of those bytes are not available, return None.
+ '''
+ if not self.is_valid_address(addr):
+ return None
self.fhandle.seek(addr)
return self.fhandle.read(len)
def zread(self, addr, len):
- return self.read(addr, len)
+ '''
+ Read and return len bytes from the address addr.
+ If any of those bytes are not available, return len bytes of
zeros.
+ '''
+ tmp = self.read(addr, len)
+ if tmp is None:
+ return '\x00' * len
+ return tmp
def read_long(self, addr):
string = self.read(addr, 4)
- (longval, ) = struct.unpack('=L', string)
+ (longval, ) = struct.unpack('<L', string)
return longval
def get_address_range(self):
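Review bot: The new guard in `read` validates only the starting `addr`, so a read that begins inside the file or buffer and runs past its end still returns a short string rather than `None`, which contradicts the added docstring and appears to be the case the report describes (reading more than n bytes from an n-byte buffer). Assuming `is_valid_address` (defined outside this hunk) tests a single address, the last byte should be checked as well, e.g. `if not self.is_valid_address(addr) or not self.is_valid_address(addr + len - 1): return None`. `read_long` also passes the result straight to `struct.unpack`, so a `None` or short return from `read` still raises there on a truncated or corrupted image; add `if string is None: return None` before the unpack, or use `zread` if zero-fill is acceptable to callers. For the same reason `zread` can still return fewer than `len` bytes on a short read. The enclosing class and the body of `get_address_range` lie outside the hunk.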
--
Jesse Kornblum