Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NTFS: Error in metadata structure (fs_attr_idx->nrd.allocsize value out of bounds) #2840

Open
joachimmetz opened this issue Jul 5, 2023 · 0 comments
Open

NTFS: Error in metadata structure (fs_attr_idx->nrd.allocsize value out of bounds) #2840

joachimmetz opened this issue Jul 5, 2023 · 0 comments

Comments

@joachimmetz
Copy link
Contributor

joachimmetz commented Jul 5, 2023
edited

Test file generated with https://github.com/dfirlabs/ntfs-specimens/blob/main/generate-specimens-unicode-windows.bat

Tested with 820b185

fls -o 128 fuse/vhdi1 39-144-11 
Error in metadata structure (fs_attr_idx->nrd.allocsize value out of bounds)

This is caused by a limit to prevent excessive memory allocation

fs_attr_idx->nrd.allocsize is 305659904 maybe the limit should be increased to 512 MiB or an alternative approach to loading the entire $INDEX_ALLOCATION into memory?

isstat -o 128 fuse/vhdi1 39-144-11 
MFT Entry Header Values:
Entry: 39        Sequence: 1
$LogFile Sequence Number: 327427853
Allocated Directory
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: 
Owner ID: 0
Security ID: 264  (S-1-5-32-544)
Created:        2023-07-03 11:03:50.192576900 (CEST)
File Modified:  2023-07-03 15:09:30.477646300 (CEST)
MFT Modified:   2023-07-03 15:09:30.477646300 (CEST)
Accessed:       2023-07-03 16:57:55.928274700 (CEST)

$FILE_NAME Attribute Values:
Flags: Directory
Name: testdir1
Parent MFT Entry: 5     Sequence: 5
Allocated Size: 0       Actual Size: 0
Created:        2023-07-03 11:03:50.192576900 (CEST)
File Modified:  2023-07-03 11:03:50.192576900 (CEST)
MFT Modified:   2023-07-03 11:03:50.192576900 (CEST)
Accessed:       2023-07-03 11:03:50.192576900 (CEST)

$ATTRIBUTE_LIST Attribute Values:
Type: 16-0      MFT Entry: 39   VCN: 0
Type: 48-2      MFT Entry: 39   VCN: 0
Type: 144-11    MFT Entry: 39   VCN: 0
Type: 160-1     MFT Entry: 17292        VCN: 0
Type: 176-10    MFT Entry: 39   VCN: 0

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $ATTRIBUTE_LIST (32-8)   Name: N/A   Resident   size: 184
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 82
Type: $INDEX_ROOT (144-11)   Name: $I30   Resident   size: 56
Type: $BITMAP (176-10)   Name: $I30   Non-Resident   size: 13128  init_size: 13128
8777 8842 41625 453186 
Type: $INDEX_ALLOCATION (160-12)   Name: $I30   Non-Resident   size: 305659904  init_size: 305659904
2118 2119 2120 2121 2122 2123 2124 2125 
...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@joachimmetz