Unable to read memory on x86-64 Ubuntu #92

Closed
mike-myers-tob opened this issue Jun 1, 2022 · 7 comments · Fixed by #102
@mike-myers-tob

I was testing this out on an Ubuntu 22.04 (64-bit) virtual machine under VMware Fusion, and having some issues. Same results when I install version 0.6.1 from cargo or when I build and run from the current HEAD of main, which is:

mmyers@ubuntu-22-04-vm:~/Desktop/avml$ /home/mmyers/.cargo/bin/avml --version
avml 0.6.1
mmyers@ubuntu-22-04-vm:~/Desktop/avml$ sudo /home/mmyers/.cargo/bin/avml ~/Desktop/quick_test_0.6.1.lime
Error: error: unable to read memory
caused by:
    0: unable to create memory snapshot:     
        error: unable to create memory snapshot from source: /dev/crash
        caused by:
            0: unable to create memory snapshot
            1: unable to read memory
            2: No such file or directory (os error 2)
        
        error: unable to create memory snapshot from source: /proc/kcore
        caused by:
            0: unable to find memory range: 175116312..175124567
        
        error: unable to create memory snapshot from source: /dev/mem
        caused by:
            0: unable to create memory snapshot
            1: write block failed: 1048576..175116311

The filesystem should have ~55 GB free, and the RAM to capture should be ~12GB uncompressed. But this seems more of a failure to read memory than to dump it? I understand that AVML will iterate over the memory sources to find a functional source, so I suppose all three methods failed here.

This looks like #73 but I will try to be responsive here to figure out what this is.

@ghost ghost added the Needs: triage label Jun 1, 2022
@bmc-msft bmc-msft self-assigned this Jun 6, 2022
@msam123

msam123 commented Jun 9, 2022

Having the same issue. Any updates?

@bmc-msft
Contributor

bmc-msft commented Jun 9, 2022

You're correct that unless AVML is writing output in a streaming fashion, it will iteratively try each source until one succeeds.

I'm not able to reproduce this issue locally. I've tested on Ubuntu 22.04 VMs in Azure with 1GB, 16GB, and 32GB of RAM respectively. I will try to put together a PR that will provide more information to help debug this issue.

@marshrayms

Perhaps the VM is booting in 'secure' mode which disables raw memory access?

@mike-myers-tob
Author

This is what @bmc-msft determined from additional info I sent him:

AVML coalesced sequential ranges, but the pseudo-headers that /proc/kcore creates don't do that.
AVML should be more inclusive of which pseudo section headers it uses to refer to physical memory.

So he's going to remove the coalescence of sequential ranges. I'll re-test when there's a new branch and see if it fixes it.
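
A simplified model of the mismatch described in the comment above, as an added Rust example that is not AVML's code and not part of the original thread. It assumes each /proc/kcore pseudo-header covers one physical range and that a requested range must fit inside a single header; the function names, that containment rule, and all addresses are constructed for illustration.

```rust
// Simplified model (assumption): each segment stands in for one
// /proc/kcore pseudo-header describing a span of physical memory,
// and a requested range is readable only if ONE segment contains it.
// All addresses below are constructed sample values.
use std::ops::Range;

/// Merge ranges whose end touches the next range's start.
fn coalesce(mut ranges: Vec<Range<u64>>) -> Vec<Range<u64>> {
    ranges.sort_by_key(|r| r.start);
    let mut out: Vec<Range<u64>> = Vec::new();
    for r in ranges {
        if let Some(prev) = out.last_mut() {
            if prev.end == r.start {
                prev.end = r.end; // extend the previous range in place
                continue;
            }
        }
        out.push(r);
    }
    out
}

/// Index of the single segment that fully contains `want`, if any.
fn find_segment(segments: &[Range<u64>], want: &Range<u64>) -> Option<usize> {
    segments
        .iter()
        .position(|s| s.start <= want.start && want.end <= s.end)
}

/// Requested ranges that no single segment can serve.
fn unmapped(segments: &[Range<u64>], wanted: &[Range<u64>]) -> Vec<Range<u64>> {
    wanted
        .iter()
        .filter(|w| find_segment(segments, w).is_none())
        .cloned()
        .collect()
}

/// Constructed physical ranges; the last two are adjacent.
fn sample_ram() -> Vec<Range<u64>> {
    vec![0x1000..0x9_f000, 0x10_0000..0x4000_0000, 0x4000_0000..0x8000_0000]
}

fn main() {
    let ram = sample_ram();
    let segments = ram.clone(); // one pseudo-header per range, never merged
    println!("per-range lookup misses: {:?}", unmapped(&segments, &ram));
    println!("coalesced lookup misses: {:?}", unmapped(&segments, &coalesce(ram)));
}
```

In this model the per-range lookup finds a segment for every range, while the coalesced range that spans the two adjacent segments matches none of them.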

@deepakdc01

deepakdc01 commented Jun 13, 2022

Can someone confirm if secure boot is the cause of this error? Basically, is the tool deprived of direct memory access?

@bmc-msft
Contributor

I do not believe the issue to be secure boot related.

@bmc-msft bmc-msft linked a pull request Jun 16, 2022 that will close this issue
@bmc-msft
Contributor

A fix that addresses this issue has been released as part of 0.7.0

@ghost ghost locked as resolved and limited conversation to collaborators Jul 18, 2022