Merge pull request volatilityfoundation#1034 from eve-mem/linux_maple…

…_tree_seen_parameter_fix Linux: update maple tree extension to fix issue volatilityfoundation#1032
eve-mem · Dec 1, 2023 · 21af01d · 21af01d
2 parents 292bef9 + 276e695
commit 21af01d
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -350,11 +350,21 @@ def _parse_maple_tree_node(
         maple_tree_entry,
         parent,
         expected_maple_tree_depth,
-        seen=set(),
+        seen=None,
         current_depth=1,
     ):
         """Recursively parse Maple Tree Nodes and yield all non empty slots"""
 
+        # Create seen set if it does not exist, e.g. on the first call into this recursive function. This
+        # must be None or an existing set of addresses for MTEs that have already been processed or that
+        # should otherwise be ignored. If parsing from the root node for example this should be None on the
+        # first call. If you needed to parse all nodes downwards from part of the tree this should still be
+        # None. If however you wanted to parse from a node, but ignore some parts of the tree below it then
+        # this could be populated with the addresses of the nodes you wish to ignore.
+
+        if seen == None:
+            seen = set()
+
         # protect against unlikely loop
         if maple_tree_entry in seen:
             vollog.warning(
@@ -363,6 +373,7 @@ def _parse_maple_tree_node(
             return None
         else:
             seen.add(maple_tree_entry)
+
         # check if we have exceeded the expected depth of this maple tree.
         # e.g. when current_depth is larger than expected_maple_tree_depth there may be an issue.
         # it is normal that expected_maple_tree_depth is equal to current_depth.
@@ -371,6 +382,7 @@ def _parse_maple_tree_node(
                 f"The depth for the maple tree at {hex(self.vol.offset)} is {expected_maple_tree_depth}, however when parsing the nodes "
                 f"a depth of {current_depth} was reached. This is unexpected and may lead to incorrect results."
             )
+
         # parse the mte to extract the pointer value, node type, and leaf status
         pointer = maple_tree_entry & ~(self.MAPLE_NODE_POINTER_MASK)
         node_type = (