From: Greg KH <gregkh@linuxfoundation.org>
To: sdj asj <sdjasjbuaa@gmail.com>
Cc: stable@vger.kernel.org, ntfs3@lists.linux.dev,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Subject: Re: [stable] Please backport ntfs3: reject direct userspace writes to reserved $LX* xattrs
Date: Wed, 1 Jul 2026 15:36:00 +0200 [thread overview]
Message-ID: <2026070140-segment-schematic-0a38@gregkh> (raw)
In-Reply-To: <CAFTRC0=hdHvug9=JyiZ=XYowdpqp9TAgXbq0YpDOEnzmQUWxzQ@mail.gmail.com>
On Wed, Jul 01, 2026 at 08:27:36PM +0800, sdj asj wrote:
> Hello stable team,
>
> Please consider picking up the following upstream commit for supported
> stable trees where it applies:
>
> 5b08dccecf825cbf905f348bc6ccb497507e28e2
> ntfs3: reject direct userspace writes to reserved $LX* xattrs
>
> Reason for stable:
>
> This fixes a user-visible security issue in ntfs3. Before this change,
> the empty-prefix xattr handler allowed an unprivileged file owner on a
> writable ntfs3 mount to set the reserved $LXUID, $LXGID and $LXMOD
> extended attributes directly. These attributes are later trusted by
> ntfs_get_wsl_perm() during inode reload and used to populate i_uid,
> i_gid and i_mode.
>
> As a result, an unprivileged user can create a file that becomes
> root-owned and SUID after inode reload. The issue is reproducible
> using normal syscalls only and does not require a malformed filesystem
> image.
>
> The upstream fix prevents non-privileged users from directly writing
> these reserved $LX* attributes, while keeping internal ntfs3 metadata
> updates working.
>
> The original issue no longer reproduces with the upstream fix applied.
>
> Please apply this to supported stable branches that contain the
> vulnerable ntfs3 code.
What branches are that? I've applied this to 5.15.y and newer, but it
didn't apply to 5.10.y.
thanks,
greg k-h
next prev parent reply other threads:[~2026-07-01 13:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-01 12:27 [stable] Please backport ntfs3: reject direct userspace writes to reserved $LX* xattrs sdj asj
2026-07-01 13:36 ` Greg KH [this message]
2026-07-01 23:34 ` sdj asj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026070140-segment-schematic-0a38@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=ntfs3@lists.linux.dev \
--cc=sdjasjbuaa@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.