lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 18 Apr 2019 12:54:01 +0200
From:   Andrea Lo Pumo <alopumo@...ia.biz>
To:     unlisted-recipients:; (no To-header on input)
Cc:     linux-ext4@...r.kernel.org
Subject: Re: Run mkfs.ext4 on an already existing ext4 filesystem. [Solved]

I have been able to recover the files. It seems that they unmounted
the filesystem shortly after having mounted it. So ext4lazyinit did
not overwrite all the inode tables.

Here I write a more detailed report, in the hope it will be useful for
others. If you would like to review it, it will be appreciated and I
will write a tutorial somewhere.

Also, could the modified do_dump() command  be usefully integrated in debugfs?

---- Report ---

On /dev/sda1 there was an ext4 file system with a lot of large files.
Now, by mistake, mkfs.ext4 has been run on /dev/sda1. The result is
that now /dev/sda1 is "empty": mounting it shows no files.
Luckily, /dev/sda1 was immediately umounted and the majority of files
were recovered.

I have modified the debugfs / libext2fs code to ignore the checksums
of the files and the directories (see Note 1), and run debugfs -c
(catastrophic mode).
Then, with the ls -l and rdump commands of debugfs, the recovery was done.

Since we were not interested in recovering all files, but only certain
directories, I proceeded as follow:

   - modified do_dump() of debugfs/dump.c, to dump all directories
("directory" intended as the special file that contains the list of
sub-files and sub-directories). This is accomplished by doing this:

        for (inode = 1; inode < (ext2_ino_t)0xffffffff; inode++) {
           ....
           sprintf(outFilename, "%u", inode);
           out_fn = outFilename;

           if (inode % 1000000 == 0) {
              printf("%u\n", inode); // print the current inode as a
progress report. There are a total of 2**32-1 inodes.
           }

           unsigned int blocks = inode_blocks(inode);
           if (blocks == 0)
              continue;

           ....

           dump_file(argv[0], inode, fd, preserve, out_fn);

           ....

         }

   inode_blocks() is a custom function, which is attached at the end
of this email, and is used to consider only inodes with a block count
> 0, a link count > 0, a deletion time = 0 and of type directory.

Compiling the modified debugfs, and issuing the dump <1> 111 command
(arguments are irrelevant), one gets all the directory-files of the
filesystem:
  mkdir recover
  cd recover
  sudo path/to/debugfs/debugfs -c /dev/loop12
  debugfs>   dump <1> 111

Then, do "grep NAME recover/ -r", where NAME is the name of a
sub-directory or a sub-file of the directory you are looking for.
If the inode you are looking for was not destroyed, grep will print
something like:
   Binary file recover/7452143 matched.
If you get more than one match. Use the command "strings", e.g.
strings recover/7452143, an you will get a (somewhat garbled) list of
files and directories inside the directory recover/7452143. So you can
choose the appropriate match.

Now, assuming that you settled on a match, that number, e.g. 7452143,
is the inode number of the directory.

Open debugfs -c, and do

  debugfs > ls -l <7452143>

    ... list of files of <7452143> ...

  debugfs > rdump <7452143> .

rdump will recursively dump the content of the directory.

Note 1: I am seeing that debugfs has a -n option to disable checksum
verification. Perhaps, it is the same to what I have done? In details,
I have disabled the following errors: EXT2_ET_DIR_CSUM_INVALID,
EXT2_ET_EXTENT_CSUM_INVALID, disabled "Verify the inode checksum."  in
 ext2fs_read_inode_full().

Final note, debugfs is a powerful tool, by hacking its code you can do
a lot. For example, using inode->i_mtime and modifying do_rdump(), you
can dump only files with a modification time greater than some date.

------

unsigned int inode_blocks(ext2_ino_t  inode)
{
    struct ext2_inode *inode_buf = (struct ext2_inode *)
malloc(EXT2_INODE_SIZE(current_fs->super));

    if (!inode_buf) {
        fprintf(stderr, "%u do_stat: can't allocate buffer\n", inode);
        return 0;
    }

    if (debugfs_read_inode_full(inode, inode_buf, "inode_blocks",
                    EXT2_INODE_SIZE(current_fs->super))) {
        free(inode_buf);
        return 0;
    }

    char ok = inode_buf->i_blocks != 0 && inode_buf->i_links_count != 0 &&
            inode_buf->i_dtime == 0 &&
            LINUX_S_ISDIR(inode_buf->i_mode);

    unsigned int ret  = ok ? inode_buf->i_blocks : 0;

    free(inode_buf);

    return ret;
}

--------

Il giorno gio 11 apr 2019 alle ore 23:23 Theodore Ts'o <tytso@....edu>
ha scritto:
>
> On Thu, Apr 11, 2019 at 11:37:55AM +0200, Andrea Lo Pumo wrote:
> > - The inode map has been overwritten too.
> > - However, the data is still there in the disk, and also the related
> > inode structures. (Just the inode map is missing right?). So, if one
> > is able to locate these inode structures, the relative files could be
> > recovered. We know the name of important directories and files to be
> > recovered. Could this help?
>
> Unfortunately, what gets overwritten is the inode table, which
> contains the inode structures.  So all of the information which says,
> "logical block N of inode M is located on physical block P" is gone.
>
> So your only hope is going to be to use a program which looks at
> individual data blocks, and assumes that (for the most part) files
> tend to be allocated contiguously on the storage device.  Fortunately,
> such a tool has already been written, and it is an open source tool
> called PhotoRec[1].  I see however, you've already tried PhotoRec.
>
> > I could also invest some programming efforts to solve this issue, by
> > hacking some available tools, if this could help and is not too
> > complex. In this regard, I have this question: given that I know the
> > name of some important directories and files to be recovered,
> > theoretically I could write a program that "greps" the name of the
> > file in /dev/sda1 and, around that point, I should locate the inode
> > structure, and with the inode recover the whole file? Any hint toward
> > this direction? I don't have experience with ext programming, but I am
> > willing to hack.
>
> Yeah, unfortunately, no.  You'll be able to find the directory data
> block, sure.  And that will contain the inode number.  But mke2fs
> overwrites the entire inode table, so there's nothing that you can
> find.
>
> > Final question: are there tools to handle this situation? testdisk and
> > ext4magic do not seem to give good results. Photorec is useless to
> > recover large .tar.gz and .ogg files, and more importantly the name of
> > the file, which we also need.
>
> You've listed the primary tools that are available already.  It is
> possible to configure mke2fs to create an undo file, and then when
> something screws up they can use the e2undo file to unwind the
> modifications made by mke2fs (or e2fsck, if the undo file generation
> is enabled by e2fsck).
>
> This feature is not enabled by default, mainly because (a) it slows
> down the mke2fs and e2fsck operations, and that tends to make system
> administrators cranky, and (b) you have to put the e2undo file
> somewhere, and you need to have some kind of scheme to delete old
> e2undo files.  So there is a lot of distribution integration changes
> that has never been done.
>
> Telling you this now isn't particularly helpful, since it's basically
> suggesting that you close the barn door after the horse has escaped.
> However, along with other changes you might want to make to your
> procedures (such as doing regular backups) to avoid future mistakes of
> this ilk, it might be something to consider.
>
> Good luck, and sorry there's not much else help we can offer you,
>
>                                         - Ted

Powered by blists - more mailing lists