lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 17 Oct 2017 12:48:04 -0400
From:   Theodore Ts'o <tytso@....edu>
To:     Kilian Cavalotti <kilian.cavalotti.work@...il.com>
Cc:     Andreas Dilger <adilger@...ger.ca>, linux-ext4@...r.kernel.org
Subject: Re: Recover from a "deleted inode referenced" situation

On Tue, Oct 17, 2017 at 08:32:52AM -0700, Kilian Cavalotti wrote:
> On Sun, Oct 15, 2017 at 6:28 PM, Theodore Ts'o <tytso@....edu> wrote:
> >> Is there any possibility that the filesystem could appear to be
> >> resized (extended) with the actual inode table still referencing the
> >> pre-resize one?
> >
> > It's possible, I suppose.  If the vendor script unmounted the file
> > system and then attempted to run e2fsck -fy to fix the file system,
> > perhaps.  In which case the damage could also have been done by the
> > e2fsck -fy run, depending on how badly the file system was corrupted
> > before this whole procedure was started.
> 
> In that case, is there any way to re-shrink the filesystem to its
> pre-expansion size, and try to read the pre-expansion inode table from
> another superblock? Or did the r/w remount over-write all the existing
> superblocks with the same new, corrupted information?

Unfortunately, if this is what happened, then the true damage was done
when the file system was remounted read/write, and because the
allocation bitmaps were incorrect, portions of the inode table were
overwritten with file data.  (As I mentioned, with modern file systems
there is a safety check which is now enabled by default which will
notice when there is an attempt to allocate blocks that are part of
the inode table, and stop this Very Bad Thing from happening.  It does
take a tiny bit of extra CPU overhead, but we ultimately decided It
Was Worth It.  Unfortunately, it was not enabled by default in the
3.10 kernel.)

There's not really any recovery possible in that case, unfortunately.  :-(

	    	       			    - Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ