sepinf-inc / IPED

IPED Digital Forensic Tool. It is open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Infinite loop while decoding a segmented AD1 v4 image #2200

Closed lfcnassif closed 1 month ago

lfcnassif commented 1 month ago

A colleague reported this to me and sent the thread dump after I asked for it. The important piece is:

"Thread-19" #103 prio=5 os_prio=0 cpu=104492031.25ms elapsed=161838.79s tid=0x000001b2658ab000 nid=0x498c runnable  [0x0000007b352fe000]
   java.lang.Thread.State: RUNNABLE
    at iped.engine.datasource.ad1.AD1Extractor.seekAndRead(AD1Extractor.java:325)
    - locked <0x0000000239f55830> (a java.lang.Object)
    at iped.engine.datasource.ad1.AD1Extractor.readBytesFromRelativeFilePos(AD1Extractor.java:373)
    at iped.engine.datasource.ad1.AD1Extractor.readObject(AD1Extractor.java:164)
    at iped.engine.datasource.ad1.FileHeader.getNextHeader(FileHeader.java:65)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:122)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:123)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:120)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:123)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:123)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:123)
    at iped.engine.datasource.AD1DataSourceReader.read(AD1DataSourceReader.java:49)
    at iped.engine.datasource.ItemProducer.run(ItemProducer.java:123)

   Locked ownable synchronizers:
    - None

"Thread-20" #104 prio=5 os_prio=0 cpu=104255078.13ms elapsed=161838.79s tid=0x000001b2658ac000 nid=0x6488 runnable  [0x0000007b353fd000]
   java.lang.Thread.State: RUNNABLE
    at iped.engine.datasource.ad1.AD1Extractor.readBytesFromRelativeFilePos(AD1Extractor.java:373)
    at iped.engine.datasource.ad1.AD1Extractor.readObject(AD1Extractor.java:164)
    at iped.engine.datasource.ad1.FileHeader.getNextHeader(FileHeader.java:65)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:122)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:123)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:120)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:123)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:123)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItem(AD1DataSourceReader.java:113)
    at iped.engine.datasource.AD1DataSourceReader.createAndAddItemRecursive(AD1DataSourceReader.java:123)
    at iped.engine.datasource.AD1DataSourceReader.read(AD1DataSourceReader.java:49)
    at iped.engine.datasource.ItemProducer.run(ItemProducer.java:123)

   Locked ownable synchronizers:
    - None

I think the lock shown above is not the cause; I don't see a deadlock. I think some conditions are causing an infinite loop.

lfcnassif commented 1 month ago

@gfd2020 do you have any thoughts about this?

lfcnassif commented 1 month ago

PS: It happens with 4.1.6 and master.

gfd2020 commented 1 month ago

@gfd2020 do you have any thoughts about this?

I've never seen this case. Could you give me the version number of the FTK Imager that created the AD1? It must be in the log file. How big is the AD1 in GB? I think that within the AD1 there should also be the version of the AD1 itself.

lfcnassif commented 1 month ago

Could you give me the version number of the ftk imager that created ad1?

I'll ask the user, I didn't find it in the log, but the AD1 is version 4.

How big is ad1 in GB?

It is just 20 segments of 1.5GB each = 30GB

lfcnassif commented 1 month ago

The user sent the AD1 to me and I reproduced the issue. I tried some simple code changes, with no success. But, I converted the segmented AD1 to a single segment AD1 and the issue is gone, hopefully for him. Anyway, ideally it should work for segmented AD1 too.

gfd2020 commented 1 month ago

I will try to reproduce with an AD1 of the same size.

@lfcnassif , what is the file name and the segments?

lfcnassif commented 1 month ago

Hi @gfd2020,

@lfcnassif , what is the file name and the segments?

26/04/2024  20:40     1.572.864.000 Apple_SSD.ad1
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad10
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad11
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad12
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad13
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad14
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad15
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad16
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad17
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad18
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad19
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad2
26/04/2024  20:45     1.456.171.054 Apple_SSD.ad20
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad3
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad4
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad5
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad6
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad7
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad8
26/04/2024  20:40     1.572.864.000 Apple_SSD.ad9
20 File(s) 31.340.587.054 bytes

lfcnassif commented 1 month ago

I just converted the image using an old FTKImager-4.3.1.1 again to a multi-part AD1 image, segmented at 1.5GB boundaries, and decoding finished ok. I'll check with the user what his FTKImager version is and try to reproduce with a newly segmented image; maybe his AD1 segmented image is corrupted and the conversion fixed the image...

gfd2020 commented 1 month ago

Look at this line:

file.getAbsolutePath().substring(0, file.getAbsolutePath().lastIndexOf(".") + 3) + ad1Ord);
FileChannel fc = FileChannel.open(newAd1.toPath(), StandardOpenOption.READ);

I suspect the error is here because the segment extensions have more than 4 chars (.ad12, for example). I don't have a PC to test now; I'm just raising this hypothesis.

PS: I think this part is ok. The first file is .ad1. Perhaps printing in this part could expose which file is corrupt...

lfcnassif commented 1 month ago

That code works. I tested it with a 46-segment AD1 in the past when it was written, and it just worked with the newly created 15-segment AD1.

gfd2020 commented 1 month ago

Was this AD1 generated by the Mac version of FTK Imager?

lfcnassif commented 1 month ago

Maybe... Anyway, I just executed the image integrity check of FTKImager and it failed on the user's image. And it passed on the single-segment and multi-segment AD1 I generated here from his image; both processed fine. So, the user's AD1 is corrupted. I'm closing this as invalid. Sorry @gfd2020 for taking your time.

gfd2020 commented 1 month ago

No problem. I think we have learned that a corrupted AD1 can cause an infinite loop, and we can now adopt the suggestion of passing the FTK integrity test in cases of errors in the processing of an AD1. What we can improve is the error handling of AD1, because the code considers that the AD1 is 100% intact.
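The closing comment names the real weakness: the reader trusts the image, so a damaged next-header pointer can send getNextHeader around in circles. The following is an added example, not IPED's code, of a header walk that fails fast instead of spinning; the record layout (a little-endian 8-byte "next record" offset at the start of each record, 0 meaning end of chain) and the 64-byte sample buffers are constructed for the demo and are not the AD1 format.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.HashSet;
import java.util.Set;

/** Added example, not IPED code: a next-header walk that fails fast on a corrupted image. */
public class BoundedHeaderWalk {
    /** Raised instead of looping forever when the chain is inconsistent. */
    public static class CorruptImageException extends RuntimeException {
        public CorruptImageException(String msg) { super(msg); }
    }

    /**
     * Assumed demo layout (not the real AD1 format): each record starts with a little-endian
     * 8-byte offset of the next record, 0 meaning end of chain. Returns how many records were
     * visited; throws on out-of-range offsets, a revisited offset (cycle) or too many records.
     */
    public static int walk(ByteBuffer image, long start, int maxRecords) {
        Set<Long> seen = new HashSet<>();
        long off = start;
        int count = 0;
        while (off != 0) {
            if (off < 0 || off + 8 > image.limit()) {
                throw new CorruptImageException("offset " + off + " lies outside the image");
            }
            if (!seen.add(off)) {
                throw new CorruptImageException("offset " + off + " visited twice: pointer cycle");
            }
            if (++count > maxRecords) {
                throw new CorruptImageException("more than " + maxRecords + " headers, giving up");
            }
            off = image.getLong((int) off);   // safe: bounds were checked above
        }
        return count;
    }

    public static void main(String[] args) {
        // Constructed 64-byte image: records at 0, 16 and 32, chained in order, then end of chain.
        ByteBuffer intact = ByteBuffer.allocate(64).order(ByteOrder.LITTLE_ENDIAN);
        intact.putLong(0, 16).putLong(16, 32).putLong(32, 0);
        System.out.println("intact chain: " + walk(intact, 0, 1000) + " headers");
        // Same image with one damaged pointer: the record at 32 points back to 16.
        ByteBuffer damaged = ByteBuffer.allocate(64).order(ByteOrder.LITTLE_ENDIAN);
        damaged.putLong(0, 16).putLong(16, 32).putLong(32, 16);
        try {
            walk(damaged, 0, 1000);
        } catch (CorruptImageException e) {
            System.out.println("corrupted chain rejected: " + e.getMessage());
        }
    }
}
```

The same three guards (bounds, visited set, record cap) apply when the pointer targets a different segment file, which is exactly the case this issue started from.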