All of lore.kernel.org
 help / color / mirror / Atom feed
From: Hongling Zeng <zhongling0719@126.com>
To: Namjae Jeon <linkinjeon@kernel.org>,
	 Hongling Zeng <zenghongling@kylinos.cn>
Cc: hyc.lee@gmail.com, charsyam@gmail.com,
	linux-fsdevel@vger.kernel.org,  linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH v2] ntfs: prevent write access to $MFT inode
Date: Fri, 03 Jul 2026 09:34:54 +0800	[thread overview]
Message-ID: <6A4711BE.8090101@126.com> (raw)
In-Reply-To: <CAKYAXd9018ondtRRa6mGexej-SDCm3-LeWV0W4TCUwBZ5hOXvg@mail.gmail.com>

   Hi Namjae,

   Excellent solution! Your S_IMMUTABLE flag approach is much better 
than my function-level checks.

   I've validated that your patch comprehensively blocks all attack 
vectors:
   - write(), truncate(), fallocate(), mmap() - All protected via VFS layer
   - Single modification vs. multiple function checks - Much more elegant
   - Zero runtime overhead - Performance efficient

   Your insights about the $Bitmap deadlock issue and directory handling 
show deep understanding of NTFS architecture.

   This solution would also make excellent patent material - the 
VFS-level protection mechanism is both innovative and effective.


   Best regards,
   Hongling Zeng

在 2026年07月02日 20:12, Namjae Jeon 写道:
> On Thu, Jul 2, 2026 at 6:06 PM Hongling Zeng <zenghongling@kylinos.cn> wrote:
>> Malicious NTFS images can expose $MFT to userspace and allow write
>> operations, leading to potential kernel NULL pointer dereference
>> since ntfs_mft_aops lacks write_begin support.
>>
>> The vulnerability affects both write_iter and mmap-based write paths:
>> 1. write_iter path: ntfs_file_write_iter()
>> 2. mmap write path: ntfs_filemap_page_mkwrite()
>>
>> Without protecting both paths, attackers can bypass single-path
>> protection by using the alternative write method.
>>
>> Fix by adding write protection in ntfs_file_write_iter() to prevent
>> any write operations to FILE_MFT.
>>
>> Fixes: 1e9ea7e04472d ("Revert \"fs: Remove NTFS classic\"")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
> Can you check if the attached file fixes this issue ?
> Thanks.


      reply	other threads:[~2026-07-03  1:35 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02  9:06 [PATCH v2] ntfs: prevent write access to $MFT inode Hongling Zeng
2026-07-02 12:12 ` Namjae Jeon
2026-07-03  1:34   ` Hongling Zeng [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6A4711BE.8090101@126.com \
    --to=zhongling0719@126.com \
    --cc=charsyam@gmail.com \
    --cc=hyc.lee@gmail.com \
    --cc=linkinjeon@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=zenghongling@kylinos.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.