Message-ID: <1690728.35imogO4tp@mintaka.ncbr.muni.cz>
Date:	Thu, 30 Jun 2016 13:35:18 +0200
From:	Tomáš Trnka <ttrnka@...l.muni.cz>
To:	linux-ext4@...r.kernel.org
Subject: Corrupted inode timestamps on v4.4+?

Hello,

I have noticed some files on my workstation home FS (ext4) having very 
suspicious timestamp values. This has probably started happening in April when 
the machine was running v4.4.3, but the last occurrence is from a week ago on 
v4.5.6.

The corruption looks like nonsensical atime and/or mtime seconds values (see 
below). At the same time, the nanosecond portion of a corrupted time is always 
zero. In fact, the nanoseconds for mtime are all zeros for all of the affected 
files, even if the seconds part of mtime looks OK.

I can't confidently claim this is an ext4 bug, but it seems likely (there were 
no HW failures, power cuts, oopses etc. and fsck found no errors). I would be 
glad to debug this further, but currently I have no idea how to reproduce the 
corruption. Any hints are welcome.

Best regards,
Tomáš Trnka

debugfs:  stat Administrace/pip/pip-krb5-storage.pcap  
Inode: 38933641   Type: regular    Mode:  0644   Flags: 0x80000 
Generation: 2251791665    Version: 0x00000000:00000001 
User: 395845   Group:  2001   Size: 802806 
File ACL: 0    Directory ACL: 0 
Links: 1   Blockcount: 1568 
Fragment:  Address: 0    Number: 0    Size: 0 
ctime: 0x572335f2:32d79df0 -- Fri Apr 29 12:22:42 2016 
atime: 0xf9b65000:00000000 -- Thu Oct  5 09:00:16 2102 
mtime: 0x57233597:00000000 -- Fri Apr 29 12:21:11 2016 
crtime: 0x572335f2:1d9f6f84 -- Fri Apr 29 12:22:42 2016 
Size of extra inode fields: 32 
Extended attributes stored in inode body:  
 selinux = "unconfined_u:object_r:user_home_t:s0\000" (37) 
EXTENTS: 
(0-195):155943077-155943272 

debugfs:  inode_dump Administrace/pip/pip-krb5-storage.pcap 
0000  a481 450a f63f 0c00 0050 b6f9 f235 2357  ..E..?...P...5#W 
0020  9735 2357 0000 0000 d107 0100 2006 0000  .5#W........ ... 
0040  0000 0800 0100 0000 0af3 0100 0400 0000  ................ 
0060  0000 0000 0000 0000 c400 0000 a580 4b09  ..............K. 
0100  0000 0000 0000 0000 0000 0000 0000 0000  ................ 
* 
0140  0000 0000 319d 3786 0000 0000 0000 0000  ....1.7......... 
0160  0000 0000 0000 0000 0600 0000 0000 0000  ................ 
0200  2000 0000 f09d d732 0000 0000 0000 0000   ......2........ 
0220  f235 2357 846f 9f1d 0000 0000 0000 0000  .5#W.o.......... 
0240  0000 02ea 0706 3400 0000 0000 2500 0000  ......4.....%... 
0260  0000 0000 7365 6c69 6e75 7800 0000 0000  ....selinux..... 
0300  0000 0000 0000 0000 0000 0000 0000 0000  ................ 
0320  0000 0000 0000 0000 756e 636f 6e66 696e  ........unconfin 
0340  6564 5f75 3a6f 626a 6563 745f 723a 7573  ed_u:object_r:us 
0360  6572 5f68 6f6d 655f 743a 7330 0000 0000  er_home_t:s0.... 

debugfs:  stat tmp/RDP-log.csv  
Inode: 39191637   Type: regular    Mode:  0755   Flags: 0x80000 
Generation: 2606527817    Version: 0x00000000:00000001 
User: 395845   Group:  2001   Size: 749186 
File ACL: 166150131    Directory ACL: 0 
Links: 1   Blockcount: 1472 
Fragment:  Address: 0    Number: 0    Size: 0 
ctime: 0x53c77ea3:78c876a4 -- Thu Jul 17 09:43:31 2014 
atime: 0x5773d316:494a0854 -- Wed Jun 29 15:54:30 2016 
mtime: 0x987df1f8:00000000 -- Fri Jan 27 01:06:16 2051 
crtime: 0x53c77ea0:4e193034 -- Thu Jul 17 09:43:28 2014 
Size of extra inode fields: 32 
EXTENTS: 
(0-182):11657216-11657398 

debugfs:  inode_dump tmp/RDP-log.csv 
0000  ed81 450a 826e 0b00 16d3 7357 a37e c753  ..E..n....sW.~.S 
0020  f8f1 7d98 0000 0000 d107 0100 c005 0000  ..}............. 
0040  0000 0800 0100 0000 0af3 0100 0400 0000  ................ 
0060  0000 0000 0000 0000 b700 0000 00e0 b100  ................ 
0100  0000 0000 0000 0000 0000 0000 0000 0000  ................ 
* 
0140  0000 0000 4975 5c9b f33f e709 0000 0000  ....Iu\..?...... 
0160  0000 0000 0000 0000 0600 0000 0000 0000  ................ 
0200  2000 0000 a476 c878 0000 0000 5408 4a49   ....v.x....T.JI 
0220  a07e c753 3430 194e 0000 0000 0000 0000  .~.S40.N........ 
0240  0000 0000 0000 0000 0000 0000 0000 0000  ................ 
* 

debugfs:  stat openmpi/kraken16.xml  
Inode: 48117428   Type: regular    Mode:  0640   Flags: 0x80000 
Generation: 3888286010    Version: 0x00000000:00000001 
User: 395845   Group:  2001   Size: 32693 
File ACL: 0    Directory ACL: 0 
Links: 1   Blockcount: 64 
Fragment:  Address: 0    Number: 0    Size: 0 
ctime: 0x5763eb3c:45901c0c -- Fri Jun 17 14:21:16 2016 
atime: 0x82779900:00000000 -- Fri May 13 07:07:12 2039 
mtime: 0x5763eb07:00000000 -- Fri Jun 17 14:20:23 2016 
crtime: 0x5763eb3c:42b3ae24 -- Fri Jun 17 14:21:16 2016 
Size of extra inode fields: 32 
Extended attributes stored in inode body:  
 selinux = "unconfined_u:object_r:user_home_t:s0\000" (37) 
EXTENTS: 
(0-7):192521632-192521639

debugfs:  inode_dump openmpi/kraken16.xml  
0000  a081 450a b57f 0000 0099 7782 3ceb 6357  ..E.......w.<.cW 
0020  07eb 6357 0000 0000 d107 0100 4000 0000  ..cW........@... 
0040  0000 0800 0100 0000 0af3 0100 0400 0000  ................ 
0060  0000 0000 0000 0000 0800 0000 a0a5 790b  ..............y. 
0100  0000 0000 0000 0000 0000 0000 0000 0000  ................ 
* 
0140  0000 0000 3a89 c2e7 0000 0000 0000 0000  ....:........... 
0160  0000 0000 0000 0000 0600 0000 0000 0000  ................ 
0200  2000 0000 0c1c 9045 0000 0000 0000 0000   ......E........ 
0220  3ceb 6357 24ae b342 0000 0000 0000 0000  <.cW$..B........ 
0240  0000 02ea 0706 3400 0000 0000 2500 0000  ......4.....%... 
0260  0000 0000 7365 6c69 6e75 7800 0000 0000  ....selinux..... 
0300  0000 0000 0000 0000 0000 0000 0000 0000  ................ 
0320  0000 0000 0000 0000 756e 636f 6e66 696e  ........unconfin 
0340  6564 5f75 3a6f 626a 6563 745f 723a 7573  ed_u:object_r:us 
0360  6572 5f68 6f6d 655f 743a 7330 0000 0000  er_home_t:s0....
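
Added example, not part of the original post: a Python sketch that rebuilds the raw inode from the first `inode_dump` above and splits each timestamp into raw 32-bit seconds, epoch bits and nanoseconds, to check the pattern the report describes (zero nanoseconds on the affected fields). The field offsets follow the ext4 on-disk inode layout; the `suspicious` heuristic and its ten-year threshold are assumptions made for illustration.

```python
import struct

# First inode_dump from the post (pip-krb5-storage.pcap), rows 0000-0220 (octal).
DUMP = r"""
0000  a481 450a f63f 0c00 0050 b6f9 f235 2357  ..E..?...P...5#W
0020  9735 2357 0000 0000 d107 0100 2006 0000  .5#W........ ...
0040  0000 0800 0100 0000 0af3 0100 0400 0000  ................
0060  0000 0000 0000 0000 c400 0000 a580 4b09  ..............K.
0100  0000 0000 0000 0000 0000 0000 0000 0000  ................
*
0140  0000 0000 319d 3786 0000 0000 0000 0000  ....1.7.........
0160  0000 0000 0000 0000 0600 0000 0000 0000  ................
0200  2000 0000 f09d d732 0000 0000 0000 0000   ......2........
0220  f235 2357 846f 9f1d 0000 0000 0000 0000  .5#W.o..........
"""

# name -> (offset of 32-bit seconds, offset of 32-bit "extra" word), little-endian.
FIELDS = {"atime": (0x08, 0x8C), "ctime": (0x0C, 0x84),
          "mtime": (0x10, 0x88), "crtime": (0x90, 0x94)}

def parse_inode_dump(text):
    """Rebuild inode bytes; offsets are octal, '*' stands for repeated rows."""
    buf, last, star = bytearray(), b"", False
    for line in text.strip().splitlines():
        tok = line.split()
        if tok == ["*"]:
            star = True
            continue
        if star:                       # fill the elided rows up to this offset
            while len(buf) < int(tok[0], 8):
                buf += last
            star = False
        last = bytes.fromhex("".join(tok[1:9]))  # 8 groups; ASCII column ignored
        buf += last
    return bytes(buf)

def decode_times(inode):
    """Raw seconds (as debugfs prints them in hex), epoch bits, nanoseconds."""
    out = {}
    for name, (s_off, x_off) in FIELDS.items():
        sec, = struct.unpack_from("<I", inode, s_off)
        extra, = struct.unpack_from("<I", inode, x_off)
        out[name] = {"sec": sec, "epoch": extra & 3, "nsec": extra >> 2}
    return out

def suspicious(times, max_skew=10 * 365 * 86400):
    """Assumed heuristic: zero nanoseconds AND seconds far away from ctime."""
    ref = times["ctime"]["sec"]
    return sorted(n for n, t in times.items()
                  if t["nsec"] == 0 and abs(t["sec"] - ref) > max_skew)
```

On this dump only `atime` is flagged; `mtime` also has zero nanoseconds but its seconds value sits 91 seconds before `ctime`, matching the report's observation.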

