Date: Fri, 12 Jul 2019 21:47:13 +0000
From: Geoffrey Thomas <Geoffrey.Thomas@...sigma.com>
To: 'Theodore Ts'o' <tytso@....edu>, Thomas Walker <Thomas.Walker@...sigma.com>
CC: 'Jan Kara' <jack@...e.cz>, "'linux-ext4@...r.kernel.org'" <linux-ext4@...r.kernel.org>, "Darrick J. Wong" <darrick.wong@...cle.com>
Subject: RE: Phantom full ext4 root filesystems on 4.1 through 4.14 kernels

On Friday, July 12, 2019 4:28 PM, Theodore Ts'o <tytso@....edu> wrote:
> To: Thomas Walker <Thomas.Walker@...sigma.com>
> Cc: Geoffrey Thomas <Geoffrey.Thomas@...sigma.com>; 'Jan Kara'
> <jack@...e.cz>; 'linux-ext4@...r.kernel.org' <linux-ext4@...r.kernel.org>;
> Darrick J. Wong <darrick.wong@...cle.com>
> Subject: Re: Phantom full ext4 root filesystems on 4.1 through 4.14
> kernels
>
> On Fri, Jul 12, 2019 at 03:19:03PM -0400, Thomas Walker wrote:
> > Clearing orphaned inode 1048838 (uid=0, gid=4, mode=0100640, size=39006841856)
>
> > Of particular note, ino 1048838 matches the size of the space that we "lost".
>
> Hmmm... what's gid 4? Is that a hint of where the inode might have come
> from?

Good call, gid 4 is `adm`. And now that we have an inode number we can see the file's contents, it's from /var/log/account. I bet that this is acct(2) holding onto a reference in some weird way (possibly involving logrotate?), which also explains why we couldn't find a userspace process holding onto the inode. We'll investigate a bit....

Thanks,
--
Geoffrey Thomas
geofft@...sigma.com