Linux.pstree bug

[tuttimann]

Describe the bug
I wanted to investigate the following memory image:
13cubed Linux Memory Forensics Challenge

I downloaded the right symbols for the memory image and afterwards ran linux.pslist without any problems, but when I am running linux.pstree I get an error message, which I will paste below.

Context
Volatility Version: 2.11.0
Operating System: Ubuntu 24.04.1 LTS
Python Version: Python 3.12.3
Suspected Operating System: Ubuntu 22.04 6.5.0-41
Command: vol3 -f memory.vmem linux.pstree

To Reproduce
Steps to reproduce the behavior:

1. Use command on the given memory image
2. See error

Expected behavior
Output of pstree

Example output

Progress:  100.00		Stacking attempts finished                   
OFFSET (V)	PID	TID	PPID	COMM
Traceback (most recent call last):
  File "/home/fabian/Tools/volatility3/vol.py", line 11, in <module>
    volatility3.cli.main()
  File "/home/fabian/Tools/volatility3/volatility3/cli/__init__.py", line 917, in main
    CommandLine().run()
  File "/home/fabian/Tools/volatility3/volatility3/cli/__init__.py", line 505, in run
    renderer.render(grid)
  File "/home/fabian/Tools/volatility3/volatility3/cli/text_renderer.py", line 230, in render
    grid.populate(visitor, outfd)
  File "/home/fabian/Tools/volatility3/volatility3/framework/renderers/__init__.py", line 248, in populate
    treenode = self._append(parent, item)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/fabian/Tools/volatility3/volatility3/framework/renderers/__init__.py", line 312, in _append
    return self._insert(parent, None, values)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/fabian/Tools/volatility3/volatility3/framework/renderers/__init__.py", line 334, in _insert
    tree_item = TreeNode(newpath, self, parent, values)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/fabian/Tools/volatility3/volatility3/framework/renderers/__init__.py", line 64, in __init__
    self._validate_values(values)
  File "/home/fabian/Tools/volatility3/volatility3/framework/renderers/__init__.py", line 83, in _validate_values
    raise TypeError(
TypeError: Values must be a list of objects made up of simple types and number the same as the columns

[ikelos]

Thanks, the offending commit is here: 69512dc
It should've warranted a major bump rather than a minor bump, but it slipped through.

The fix will be to give pslist the MAJOR bump to its version, and then to fix pstree to match it. @gcmoreira would you mind doing the honours? Otherwise I can do it once I'm home from work...

[gcmoreira]

Sure, I've already assigned this to myself. It also impacts pidhashtable, so no worries. I'll take care of all the necessary fixes. And testcases for each of them.
Also, I would like to get_task_fields() returns a dataclass instead of a tuple.. that way each plugin can pick the fields they want. How do you see that?

[ikelos]

Errr, as long as the version bumps happen properly when they're supposed to, there's not much different between returning a tuple/namedtuple/dataclass. That would put the major version up to 4 if you did though...