From: Hongling Zeng <zhongling0719@126.com>
To: Namjae Jeon <linkinjeon@kernel.org>,
Hongling Zeng <zenghongling@kylinos.cn>
Cc: hyc.lee@gmail.com, charsyam@gmail.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v2] ntfs: prevent write access to $MFT inode
Date: Fri, 03 Jul 2026 09:34:54 +0800 [thread overview]
Message-ID: <6A4711BE.8090101@126.com> (raw)
In-Reply-To: <CAKYAXd9018ondtRRa6mGexej-SDCm3-LeWV0W4TCUwBZ5hOXvg@mail.gmail.com>
Hi Namjae,
Excellent solution! Your S_IMMUTABLE flag approach is much better
than my function-level checks.
I've validated that your patch comprehensively blocks all attack
vectors:
- write(), truncate(), fallocate(), mmap() - All protected via VFS layer
- Single modification vs. multiple function checks - Much more elegant
- Zero runtime overhead - Performance efficient
Your insights about the $Bitmap deadlock issue and directory handling
show deep understanding of NTFS architecture.
This solution would also make excellent patent material - the
VFS-level protection mechanism is both innovative and effective.
Best regards,
Hongling Zeng
在 2026年07月02日 20:12, Namjae Jeon 写道:
> On Thu, Jul 2, 2026 at 6:06 PM Hongling Zeng <zenghongling@kylinos.cn> wrote:
>> Malicious NTFS images can expose $MFT to userspace and allow write
>> operations, leading to potential kernel NULL pointer dereference
>> since ntfs_mft_aops lacks write_begin support.
>>
>> The vulnerability affects both write_iter and mmap-based write paths:
>> 1. write_iter path: ntfs_file_write_iter()
>> 2. mmap write path: ntfs_filemap_page_mkwrite()
>>
>> Without protecting both paths, attackers can bypass single-path
>> protection by using the alternative write method.
>>
>> Fix by adding write protection in ntfs_file_write_iter() to prevent
>> any write operations to FILE_MFT.
>>
>> Fixes: 1e9ea7e04472d ("Revert \"fs: Remove NTFS classic\"")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
> Can you check if the attached file fixes this issue ?
> Thanks.
prev parent reply other threads:[~2026-07-03 1:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 9:06 [PATCH v2] ntfs: prevent write access to $MFT inode Hongling Zeng
2026-07-02 12:12 ` Namjae Jeon
2026-07-03 1:34 ` Hongling Zeng [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6A4711BE.8090101@126.com \
--to=zhongling0719@126.com \
--cc=charsyam@gmail.com \
--cc=hyc.lee@gmail.com \
--cc=linkinjeon@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zenghongling@kylinos.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.