* [PATCH] ntfs: avoid leaking uninitialised bytes in new security descriptors
@ 2026-05-07 15:48 DaeMyung Kang
2026-05-08 0:30 ` Hyunchul Lee
2026-05-08 14:21 ` Namjae Jeon
0 siblings, 2 replies; 3+ messages in thread
From: DaeMyung Kang @ 2026-05-07 15:48 UTC (permalink / raw)
To: Namjae Jeon, Hyunchul Lee; +Cc: linux-fsdevel, linux-kernel, DaeMyung Kang
ntfs_sd_add_everyone() builds the on-disk security descriptor for a
newly created file by kmalloc()'ing a buffer and then partially
filling it in:
sd = kmalloc(sd_len, GFP_NOFS);
...
sd->revision = 1;
sd->control = SE_DACL_PRESENT | SE_SELF_RELATIVE;
...
The buffer is then handed to ntfs_attr_add() and persisted as the
SECURITY_DESCRIPTOR attribute of the new MFT record. The descriptor
covers a relative security descriptor header, two SIDs (owner and
group), an ACL header, and a single ACE, but several fields inside
those structures are never written before the buffer is committed
to disk:
- struct security_descriptor_relative
@alignment (1 byte)
@sacl (4 bytes; SE_SACL_PRESENT is not set
but the offset still reaches disk)
- struct ntfs_sid (3 instances: owner, group, ACE.sid)
identifier_authority.value[0..4] (5 bytes per SID, 15 total
- only value[5] is set)
- struct ntfs_acl
@alignment1 (1 byte)
@alignment2 (2 bytes)
That is 23 bytes of uninitialised slab memory persisted to disk for
every new file or directory the legacy ntfs driver creates. The
"+ 4" trailing accounting in sd_len holds ace->sid.sub_authority[0],
which the existing code does explicitly write to zero, so it is
not part of the leak.
Anything later able to read the SECURITY_DESCRIPTOR attribute - the
same NTFS volume mounted on Windows or by another NTFS reader, an
offline forensics tool, an unprivileged user that ends up with read
access to the volume - can recover those bytes. The leak persists
for the lifetime of the file on disk, not just the lifetime of the
kernel that wrote it.
Switch the allocation to kzalloc() so every byte the on-disk
descriptor covers is zero before the explicit initialisations run.
While there, replace the bare "return -1" allocation-failure path
with a proper -ENOMEM so the error reaches userspace as a meaningful
errno instead of an unrelated -EPERM.
Found by inspection while auditing fs/ntfs new-inode paths.
Fixes: af0db57d4293 ("ntfs: update inode operations")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
---
fs/ntfs/namei.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ntfs/namei.c b/fs/ntfs/namei.c
index dc786270afe5..aad928ebb7bd 100644
--- a/fs/ntfs/namei.c
+++ b/fs/ntfs/namei.c
@@ -355,9 +355,9 @@ static int ntfs_sd_add_everyone(struct ntfs_inode *ni)
sd_len = sizeof(struct security_descriptor_relative) + 2 *
(sizeof(struct ntfs_sid) + 8) + sizeof(struct ntfs_acl) +
sizeof(struct ntfs_ace) + 4;
- sd = kmalloc(sd_len, GFP_NOFS);
+ sd = kzalloc(sd_len, GFP_NOFS);
if (!sd)
- return -1;
+ return -ENOMEM;
sd->revision = 1;
sd->control = SE_DACL_PRESENT | SE_SELF_RELATIVE;
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] ntfs: avoid leaking uninitialised bytes in new security descriptors
2026-05-07 15:48 [PATCH] ntfs: avoid leaking uninitialised bytes in new security descriptors DaeMyung Kang
@ 2026-05-08 0:30 ` Hyunchul Lee
2026-05-08 14:21 ` Namjae Jeon
1 sibling, 0 replies; 3+ messages in thread
From: Hyunchul Lee @ 2026-05-08 0:30 UTC (permalink / raw)
To: DaeMyung Kang; +Cc: Namjae Jeon, linux-fsdevel, linux-kernel
2026년 5월 8일 (금) 오전 12:48, DaeMyung Kang <charsyam@gmail.com>님이 작성:
>
> ntfs_sd_add_everyone() builds the on-disk security descriptor for a
> newly created file by kmalloc()'ing a buffer and then partially
> filling it in:
>
> sd = kmalloc(sd_len, GFP_NOFS);
> ...
> sd->revision = 1;
> sd->control = SE_DACL_PRESENT | SE_SELF_RELATIVE;
> ...
>
> The buffer is then handed to ntfs_attr_add() and persisted as the
> SECURITY_DESCRIPTOR attribute of the new MFT record. The descriptor
> covers a relative security descriptor header, two SIDs (owner and
> group), an ACL header, and a single ACE, but several fields inside
> those structures are never written before the buffer is committed
> to disk:
>
> - struct security_descriptor_relative
> @alignment (1 byte)
> @sacl (4 bytes; SE_SACL_PRESENT is not set
> but the offset still reaches disk)
>
> - struct ntfs_sid (3 instances: owner, group, ACE.sid)
> identifier_authority.value[0..4] (5 bytes per SID, 15 total
> - only value[5] is set)
>
> - struct ntfs_acl
> @alignment1 (1 byte)
> @alignment2 (2 bytes)
>
> That is 23 bytes of uninitialised slab memory persisted to disk for
> every new file or directory the legacy ntfs driver creates. The
> "+ 4" trailing accounting in sd_len holds ace->sid.sub_authority[0],
> which the existing code does explicitly write to zero, so it is
> not part of the leak.
>
> Anything later able to read the SECURITY_DESCRIPTOR attribute - the
> same NTFS volume mounted on Windows or by another NTFS reader, an
> offline forensics tool, an unprivileged user that ends up with read
> access to the volume - can recover those bytes. The leak persists
> for the lifetime of the file on disk, not just the lifetime of the
> kernel that wrote it.
>
> Switch the allocation to kzalloc() so every byte the on-disk
> descriptor covers is zero before the explicit initialisations run.
> While there, replace the bare "return -1" allocation-failure path
> with a proper -ENOMEM so the error reaches userspace as a meaningful
> errno instead of an unrelated -EPERM.
>
> Found by inspection while auditing fs/ntfs new-inode paths.
>
> Fixes: af0db57d4293 ("ntfs: update inode operations")
> Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Looks good to me.
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
> ---
> fs/ntfs/namei.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ntfs/namei.c b/fs/ntfs/namei.c
> index dc786270afe5..aad928ebb7bd 100644
> --- a/fs/ntfs/namei.c
> +++ b/fs/ntfs/namei.c
> @@ -355,9 +355,9 @@ static int ntfs_sd_add_everyone(struct ntfs_inode *ni)
> sd_len = sizeof(struct security_descriptor_relative) + 2 *
> (sizeof(struct ntfs_sid) + 8) + sizeof(struct ntfs_acl) +
> sizeof(struct ntfs_ace) + 4;
> - sd = kmalloc(sd_len, GFP_NOFS);
> + sd = kzalloc(sd_len, GFP_NOFS);
> if (!sd)
> - return -1;
> + return -ENOMEM;
>
> sd->revision = 1;
> sd->control = SE_DACL_PRESENT | SE_SELF_RELATIVE;
> --
> 2.43.0
>
--
Thanks,
Hyunchul
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] ntfs: avoid leaking uninitialised bytes in new security descriptors
2026-05-07 15:48 [PATCH] ntfs: avoid leaking uninitialised bytes in new security descriptors DaeMyung Kang
2026-05-08 0:30 ` Hyunchul Lee
@ 2026-05-08 14:21 ` Namjae Jeon
1 sibling, 0 replies; 3+ messages in thread
From: Namjae Jeon @ 2026-05-08 14:21 UTC (permalink / raw)
To: DaeMyung Kang; +Cc: Hyunchul Lee, linux-fsdevel, linux-kernel
On Fri, May 8, 2026 at 12:49 AM DaeMyung Kang <charsyam@gmail.com> wrote:
>
> ntfs_sd_add_everyone() builds the on-disk security descriptor for a
> newly created file by kmalloc()'ing a buffer and then partially
> filling it in:
>
> sd = kmalloc(sd_len, GFP_NOFS);
> ...
> sd->revision = 1;
> sd->control = SE_DACL_PRESENT | SE_SELF_RELATIVE;
> ...
>
> The buffer is then handed to ntfs_attr_add() and persisted as the
> SECURITY_DESCRIPTOR attribute of the new MFT record. The descriptor
> covers a relative security descriptor header, two SIDs (owner and
> group), an ACL header, and a single ACE, but several fields inside
> those structures are never written before the buffer is committed
> to disk:
>
> - struct security_descriptor_relative
> @alignment (1 byte)
> @sacl (4 bytes; SE_SACL_PRESENT is not set
> but the offset still reaches disk)
>
> - struct ntfs_sid (3 instances: owner, group, ACE.sid)
> identifier_authority.value[0..4] (5 bytes per SID, 15 total
> - only value[5] is set)
>
> - struct ntfs_acl
> @alignment1 (1 byte)
> @alignment2 (2 bytes)
>
> That is 23 bytes of uninitialised slab memory persisted to disk for
> every new file or directory the legacy ntfs driver creates. The
> "+ 4" trailing accounting in sd_len holds ace->sid.sub_authority[0],
> which the existing code does explicitly write to zero, so it is
> not part of the leak.
>
> Anything later able to read the SECURITY_DESCRIPTOR attribute - the
> same NTFS volume mounted on Windows or by another NTFS reader, an
> offline forensics tool, an unprivileged user that ends up with read
> access to the volume - can recover those bytes. The leak persists
> for the lifetime of the file on disk, not just the lifetime of the
> kernel that wrote it.
>
> Switch the allocation to kzalloc() so every byte the on-disk
> descriptor covers is zero before the explicit initialisations run.
> While there, replace the bare "return -1" allocation-failure path
> with a proper -ENOMEM so the error reaches userspace as a meaningful
> errno instead of an unrelated -EPERM.
>
> Found by inspection while auditing fs/ntfs new-inode paths.
>
> Fixes: af0db57d4293 ("ntfs: update inode operations")
> Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Applied it to #ntfs-next.
Thanks!
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-08 14:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-07 15:48 [PATCH] ntfs: avoid leaking uninitialised bytes in new security descriptors DaeMyung Kang
2026-05-08 0:30 ` Hyunchul Lee
2026-05-08 14:21 ` Namjae Jeon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox