Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2MB clusters lead to "The cluster size is 124928 bytes, but the maximum supported one is 2097152" #12

Closed
leofidus opened this issue Mar 9, 2022 · 3 comments
Closed

2MB clusters lead to "The cluster size is 124928 bytes, but the maximum supported one is 2097152" #12

leofidus opened this issue Mar 9, 2022 · 3 comments

Comments

@leofidus
Copy link
Contributor

leofidus commented Mar 9, 2022
edited
Loading

I have an image of an empty 8GB USB drive formatted with 2MB clusters (because I'm evil, not because it's useful :D ):
image

Trying to read that results in the above error thrown by boot_sector.rs#L50 because supposedly the cluster size isn't a power of two.

Not sure how that happens, but the surrounding code claims that sector_size is always 512, sectors_per_cluster is u8, but sector_size*sectors_per_cluster can reach 2097152. That obviously doesn't work out, sectors_per_cluster would have to be 4096, which doesn't fit an u8.

When the error is thrown, self looks like this:

self = BiosParameterBlock {
    sector_size: 512,
    sectors_per_cluster: 244,
    zeros_1: [
        0,
        0,
        0,
        0,
        0,
        0,
        0,
    ],
    media: 248,
    zeros_2: [
        0,
        0,
    ],
    dummy_sectors_per_track: 63,
    dummy_heads: 255,
    hidden_sectors: 0,
    zeros_3: 0,
    physical_drive_number: 128,
    flags: 0,
    extended_boot_signature: 0,
    reserved: 0,
    total_sectors: 15728639,
    mft_lcn: Lcn(
        1536,
    ),
    mft_mirror_lcn: Lcn(
        1,
    ),
    file_record_size_info: -10,
    zeros_4: [
        0,
        0,
        0,
    ],
    index_record_size_info: -12,
    zeros_5: [
        0,
        0,
        0,
    ],
    serial_number: 11734322338205781691,
    checksum: 0,
}

For convenience here's an image that triggers it:

gitntfs-2MBblocks-8GB.img.gz
leofidus added a commit to leofidus/ntfs that referenced this issue Mar 10, 2022
@leofidus
handle large sectors_per_cluster (closes ColinFinck#12)
685e63b
leofidus added a commit to leofidus/ntfs that referenced this issue Mar 10, 2022
@leofidus
handle large sectors_per_cluster (closes ColinFinck#12)
7b30085
leofidus added a commit to leofidus/ntfs that referenced this issue Mar 10, 2022
@leofidus
handle large sectors_per_cluster (closes ColinFinck#12)
9c76781
leofidus added a commit to leofidus/ntfs that referenced this issue Mar 10, 2022
@leofidus
handle large sectors_per_cluster (closes ColinFinck#12)
520bf15
leofidus added a commit to leofidus/ntfs that referenced this issue Mar 10, 2022
@leofidus
handle large sectors_per_cluster (closes ColinFinck#12)
b000503
@ColinFinck
Copy link
Owner

ColinFinck commented Mar 10, 2022
edited
Loading

Thanks for the report! I confirm that this is a bug in the current code.
While tightening record and sector sizes for #2, I also looked into cluster sizes again and found https://dfir.ru/2019/04/23/ntfs-large-clusters/. That basically confirms your analysis and your PR #13.
Back then, I lacked a test image with 2 MiB clusters and Windows didn't want to format my VHD image with 2 MiB clusters. Perhaps my VHD was simply too small. Anyway, thanks for also attaching a test image so I can reproduce.
I also just stumbled upon https://github.com/msuhanov/ntfs-samples. More images for testing :)

I currently have some local changes in my code for #2 and #10 and want to finish them before I can deal with #13.

I'm also looking for NTFS filesystems with non-standard sector sizes. Windows always creates NTFS filesystems with 512-byte sectors for me. NTFS-3G has code to support other sector sizes, but Windows does not accept my NTFS-3G formatted images with non-standard sector sizes.
If you manage to create an NTFS image with an unusual sector size that is accepted by Windows, I would be highly interested :)

@leofidus
Copy link
Contributor Author

The ntfs-samples repository looks really useful, that's a great find. I was thinking of doing basically the same thing for the test images I now have lying around (mine are far more harmless, just cluster sizes, a couple hardlinks, softlinks etc).

I'm also looking for NTFS filesystems with non-standard sector sizes

I just went down the rabbit hole of other-than-512-byte sector sizes. I also failed creating a file system that is recognized by Windows. Diving a bit deeper, it seems Windows imposes three limits on the sector size: it has to be at most the page size of the system (not sure how this interacts with large pages), be a multiple of 256, and it must match the sector size of the device.

The last requirement is the crux of the matter: every device emulates a 512 byte sector size, so that's the only value that works. Seemingly the only exception from this century are 4k native/512e drives that expose a 4096 byte sector size. It's mostly an enterprise thing, but apparently some consumer NVMe SSDs can be configured to run that way. I expect if one sets an SSD to a 4096 byte sector size and formats it with NTFS one would get a 4096 byte sector size in the BiosParameterBlock, and that would also be the only value that allows Windows to mount that file system from that disk.

I don't have any modern spare NVMe SSD lying around, so I can't readily test it in the real world.

@msuhanov
Copy link

You can use Arsenal Image Mounter to emulate a 4Kn device for a given disk image.

@leofidus leofidus mentioned this issue Mar 14, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@leofidus @msuhanov @ColinFinck