Fixed the mechanism to detect XEN Paravirtualization being enabled. T…

…he previous check would activate XEN when running a paravirtualized kernel on bare hardware, where it's actually not enabled. Now we check the effects xen_setup_pv_ops() has on pv_info. BUG= R=scudette@gmail.com Review URL: https://codereview.appspot.com/247990043
google · Jun 15, 2015 · 2bf9117 · 2bf9117
1 parent 4c3b721
commit 2bf9117
Showing 1 changed file with 13 additions and 10 deletions.
diff --git a/rekall/plugins/linux/common.py b/rekall/plugins/linux/common.py
@@ -191,16 +191,19 @@ def GetAddressSpaceImplementation(self):
 
             # XEN PV guests have a mapping in p2m_top. We verify this symbol
             # is not NULL.
-            p2m_top_phys = self.profile.phys_addr(
-                self.profile.get_constant("p2m_top", True))
-            p2m_top = struct.unpack("<Q",
-                                    self.physical_address_space.read(
-                                        p2m_top_phys, 8))[0]
-            if p2m_top:
-                self.session.logging.debug("Detected paravirtualized XEN guest")
-                impl = "XenParaVirtAMD64PagedMemory"
-                as_class = addrspace.BaseAddressSpace.classes[impl]
-                return as_class
+            pv_info_virt = self.profile.get_constant("pv_info")
+            if pv_info_virt:
+                pv_info_phys = self.profile.phys_addr(pv_info_virt)
+                paravirt_enabled = self.session.profile.pv_info(
+                    offset=pv_info_phys,
+                    vm=self.physical_address_space).paravirt_enabled
+                if paravirt_enabled:
+                    self.session.logging.debug(
+                        "Detected paravirtualized XEN guest")
+                    impl = "XenParaVirtAMD64PagedMemory"
+                    as_class = addrspace.BaseAddressSpace.classes[impl]
+                    return as_class
+
 
         elif self.profile.get_constant("arm_syscall"):
             # An ARM address space.