-
Notifications
You must be signed in to change notification settings - Fork 593
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
exFAT: volume label directory entry reading failure on drives formatted without a label by mkfs.exfat #2857
Comments
In addition to the change in L594,
I think L646 should also be fixed to avoid fsstat segmentation fault1 when going through all data area sectors but still can't find a volume label entry to retrieve the relevant info of interest: Line 646 in a14a5a8
Change it from: Footnotes
|
To reproduce the issue, simply format a drive as follows:
output
By default mkfs.exfat sets EntryType = 0x83 for volume label entry regardless of the entry's status (exfatprogs/exfatprogs#230). When formatting without a label, the CharacterCount field is set to 0 (i.e., dentry->volume_label_length_chars = 0) so it will fail the check at L128 of exfatfs_meta.c and unable to proceed:
sleuthkit/tsk/fs/exfatfs_meta.c
Line 128 in bb056c4
In addition, the primary reason that it got stuck at exfatfs_find_volume_label_dentry is because the current_sector was never incremented in (as mentioned in #2673):
sleuthkit/tsk/fs/exfatfs.c
Line 594 in 99f0b41
Changing it to:
for (current_sector = a_fatfs->rootsect; current_sector < last_sector_of_data_area; current_sector++) {
would suffice to address both this issue and #2673. However, with only this fix, TSK would have to walk through all sectors to exit the exfatfs_find_volume_label_dentry function before moving on to subsequent steps, resulting in a waste of time, especially when the drive being analyzed is large. To quickly complete this function call to address the incorrect InUse bit issue, one can for example expand L128-133 from:
to:
The text was updated successfully, but these errors were encountered: