Bug#802089: ext4magic: recover or examine on ext4 file system is impossible

Roberto Maar robi6 at users.sf.net
Sat Oct 17 13:45:11 UTC 2015 

Package: ext4magic
Version: 0.3.2-2
Severity: normal

Dear Maintainer,

ext4magic has a misinterpretation of the physical block addresses and block lengths of ext4 inode.
With each call by ext4magic be other random and too large values dertermined.
Thus, a recover from ext4 file system is not possible.
The error is permanent and 100% reproducible (also on i386)  
Often with the additional warning: "error-NR 22 can not found file"


Example:

# ext4magic -T -I2 -x /dev/sdb1  #debian 8.2 (amd64)
....
Dump Inode 2 from journal transaction 0
Inode: 2   Type: directory    Mode:  0755   Flags: 0x80000 
Generation: 0    Version: 0x00000000:00000004
User:     0   Group:     0   Size: 4096
File ACL: 0    Directory ACL: 0
Links: 5   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 1444944845:3712000000 -- Thu Oct 15 23:34:05 2015
 atime: 1444944255:1968000000 -- Thu Oct 15 23:24:15 2015
 mtime: 1444944845:3712000000 -- Thu Oct 15 23:34:05 2015
crtime: 1444943306:0000000000 -- Thu Oct 15 23:08:26 2015
Size of extra inode fields: 28
Level Entries                   Logical                  Physical Length Flags
 0/ 0   1/  1           0 -       25855 89219572695840 - 89219572721695  25856 
......
The block length 25855 and the start block 89219572695840 are random values 
and the false block data would also be used while trying a recover.



The correct output should be:  #OpenSuse 13.1 (x86-64)
......
Dump Inode 2 from journal transaction 0
Inode: 2   Type: directory    Mode:  0755   Flags: 0x80000
Generation: 0    Version: 0x00000000:00000004
User:     0   Group:     0   Size: 4096
File ACL: 0    Directory ACL: 0
Links: 5   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 1444944845:3712000000 -- Thu Oct 15 23:34:05 2015
 atime: 1444944255:1968000000 -- Thu Oct 15 23:24:15 2015
 mtime: 1444944845:3712000000 -- Thu Oct 15 23:34:05 2015
crtime: 1444943306:0000000000 -- Thu Oct 15 23:08:26 2015
Size of extra inode fields: 28
Level Entries                   Logical                  Physical Length Flags
 0/ 0   1/  1           0 -           0        8865 -        8865      1
        2  d  755 (2)      0      0           4096 15-Oct-2015 23:08 .
        2  d  755 (2)      0      0           4096 15-Oct-2015 23:08 ..
       11  d  700 (2)      0      0          16384 15-Oct-2015 23:08 lost+found
   393217  d  755 (2)      0      0          12288 15-Oct-2015 23:04 etc
<  131073> d  755 (2)      0      0          65536 15-Oct-2015 23:20 doc
   524289  d  755 (2)      0      0           4096 15-Oct-2015 22:51 help
.......

See also Ticket #3 on ext4magic sf.net site.


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ext4magic depends on:
ii  e2fslibs    1.42.12-1.1
ii  libblkid1   2.25.2-6
ii  libbz2-1.0  1.0.6-7+b3
ii  libc6       2.19-18+deb8u1
ii  libmagic1   1:5.22+15-2
ii  libuuid1    2.25.2-6
ii  zlib1g      1:1.2.8.dfsg-2+b1

ext4magic recommends no packages.

ext4magic suggests no packages.

-- no debconf information

More information about the forensics-devel mailing list