lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 7 May 2011 10:38:38 +0300
From:	"Amir G." <amir73il@...rs.sourceforge.net>
To:	Christoph Anton Mitterer <calestyo@...entia.net>
Cc:	Ext4 Developers List <linux-ext4@...r.kernel.org>,
	Mike Swanson <mikeonthecomputer@...il.com>
Subject: Re: mounting ext3 with another superblock doesn't work?

Hi Christoph,

First, sending this question to linux-ext4 is your best bet.
Second, I have this email from Mike, who had the exact same problem.
I gave him some advice (off the list for some reason).

So you can do one 2 things:
1. take comfort that you are not alone
2. ask Mike if my advice helped him or if he found other ways to
overcome the problem. I think he used an LVM snapshot to make
some experiments before actually making changing to the fs.

Your situation may be even better off than Mike's.
If you really hit ctrl-C after overwriting only super block and inode block #0,
then you haven't really lost much 'information'
the super block and inode block #0 from a new formatted fs, should contain
roughly the exact same 'information', the only exception is files (not
directories) created
at the root dir. those file inodes information would have been been lost.

Again, if you have a way to make a full backup of your drive,
before doing any experiments, that would be wise...
Also, when you attempt to mount the fs, better try readonly mount.
If there are lost files or your drive, you don't want to overwrite their data.

Good luck,
Amir.

---------- Forwarded message ----------
From: Amir Goldstein <amir73il@...il.com>
Date: Sun, Dec 19, 2010 at 11:01 PM
Subject: Re: Accidental mkfs.ext4 on wrong volume already formatted with ext4...
To: Mike Swanson <mikeonthecomputer@...il.com>


On Sat, Dec 18, 2010 at 12:12 PM, Mike Swanson
<mikeonthecomputer@...il.com> wrote:
> Hey,
>
> In some stupid late night adventures, I accidentally ran mke2fs on my
> normal /home volume (1.3TB, about 600GB used....) rather than a new
> volume I had intended... I quickly realized my mistake and did ^C
> though I'm not sure what my options are now for possible recovery....
>
> # mkfs.ext4 /dev/freedom/home
> mke2fs 1.41.12 (17-May-2010)
> Filesystem label=
> OS type: Linux
> Block size=4096 (log=2)
> Fragment size=4096 (log=2)
> Stride=0 blocks, Stripe width=0 blocks
> 85196800 inodes, 340787200 blocks
> 17039360 blocks (5.00%) reserved for the super user
> First data block=0
> Maximum filesystem blocks=0
> 10400 block groups
> 32768 blocks per group, 32768 fragments per group
> 8192 inodes per group
> Superblock backups stored on blocks:
>        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
>        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
>        102400000, 214990848
>
> Writing inode tables: ^C 41/10400
> #
>
> "dumpe2fs -o superblock=20480000" seems to give the old superblock
> metadata still... filesystem create time, last write, etc, though
> running e2fsck results in this:
> # e2fsck -n -b 20480000 /dev/freedom/home
> e2fsck 1.41.12 (17-May-2010)
> Superblock has an invalid journal (inode 8).
> Clear? no
>
> e2fsck: Illegal inode number while checking ext3 journal for /dev/freedom/home
>
>
> I'm in a panic and I don't know what to do.. if anyone can help
> recover data from this accident it would be much appreciated

Oh, what a mess...

I cannot offer you much, but I will try to assess your situation and
offer some tips I would try.
I do not offer fixing tools nor have those tips ever been tested by myself.
I do hope that I am not mumbling nonsense and planting fake hopes...

It appear from the logs, that you have wiped the super block and all
of it's backups
and the first 41 block groups inode tables.

Maybe you have a working copy of your super block and maybe you don't,
but assuming you know the parameters you used to format the partition
in the first place, recovering a sane super block shouldn't be too hard.
I think Fsck can fix the most of the fields later (???)
The real problem is the lost inodes.

What you know for sure is that you have wiped the root inode (2)
resize inode (7), journal inode (8) and every file
which was ever created in the root directory.

So suppose you have the ability to format a file system , which looks the same
as your file system when it was created (using same mkfs parameters and
preferably the same mkfs version), you can use that to copy a sane version
of root, resize, and journal inodes.

The journal inode should be identical to the one you wiped (it never
changes after mkfs).
The resize inode also never changes unless you did online resize, but
it can be fixed by fsck.
The root inode (containing the root directory) will now contain just
one block, but
hopefully that is the same block as in your file system, so if you may
be able to recover some
files or more importantly, the directories under root, which lead to
the entire un-wiped file system.

I would even try to manually allocate the next 11 adjacent blocks to
the root inode,
which may contain more root directory entries.

If all that fails and you still want to manually fix your file system,
the directories under root, should be the first inode in some block
group inode table,
and it's parent directory  is the root inode.
There may be a utility that can use that info to recover a file
system, but I don't know it.

I hope any of this helps.
Good luck,
Amir.



On Sat, May 7, 2011 at 3:09 AM, Christoph Anton Mitterer
<calestyo@...entia.net> wrote:
> Hi.
>
> Few minutes ago, being too tired, I unfortunately did a mkfs.ext3 on an
> already existing ext3 fs (instead of fsck.ext3).
> It unfortunately didn't warn me that there's already an fs on it but
> started right away with it's evil work[0] until I ^C-ed it[0] in panic.
>
> I know this list is about devel, but unfortunately I don't know a better
> place to ask experts (sorry).
>
>
> When I scan the fs with testdisk it seems to find some superblocks, having
> the old fs label:
> superblock 32768, blocksize=4096 [data1]
> superblock 98304, blocksize=4096 [data1]
> superblock 163840, blocksize=4096 [data1]
> superblock 229376, blocksize=4096 [data1]
> superblock 294912, blocksize=4096 [data1]
> superblock 819200, blocksize=4096 [data1]
> superblock 884736, blocksize=4096 [data1]
> superblock 1605632, blocksize=4096 [data1]
> superblock 2654208, blocksize=4096 [data1]
> superblock 4096000, blocksize=4096 [data1]
>
> Could it be that these are still valid ones?
>
> When I try to mount e.g.:
> # mount -t ext3 -o sb=$((32768*4)) /dev/sdc1 /mnt/
> mount: wrong fs type, bad option, bad superblock on /dev/sdc1,
>       missing codepage or helper program, or other error
>       In some cases useful info is found in syslog - try
>       dmesg | tail  or so
>
> ...it doesn't work however.
>
> Any ideas?
>
> Thanks,
> Chris.
>
> btw: Please CC me as I'm off list.
>
>
> [0]mke2fs 1.41.12 (17-May-2010)
> Filesystem label=
> OS type: Linux
> Block size=4096 (log=2)
> Fragment size=4096 (log=2)
> Stride=0 blocks, Stripe width=0 blocks
> 45793280 inodes, 183143000 blocks
> 9157150 blocks (5.00%) reserved for the super user
> First data block=0
> Maximum filesystem blocks=4294967296
> 5590 block groups
> 32768 blocks per group, 32768 fragments per group
> 8192 inodes per group
> Superblock backups stored on blocks:
>        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
>        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
>        102400000
>
> Writing inode tables: ^C00/5590
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ