The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: Hongling Zeng <zhongling0719@126.com>
To: Namjae Jeon <linkinjeon@kernel.org>,
	 Hongling Zeng <zenghongling@kylinos.cn>
Cc: hyc.lee@gmail.com, charsyam@gmail.com,
	linux-fsdevel@vger.kernel.org,  linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH v2] ntfs: prevent write access to $MFT inode
Date: Fri, 03 Jul 2026 09:34:54 +0800	[thread overview]
Message-ID: <6A4711BE.8090101@126.com> (raw)
In-Reply-To: <CAKYAXd9018ondtRRa6mGexej-SDCm3-LeWV0W4TCUwBZ5hOXvg@mail.gmail.com>

   Hi Namjae,

   Excellent solution! Your S_IMMUTABLE flag approach is much better 
than my function-level checks.

   I've validated that your patch comprehensively blocks all attack 
vectors:
   - write(), truncate(), fallocate(), mmap() - All protected via VFS layer
   - Single modification vs. multiple function checks - Much more elegant
   - Zero runtime overhead - Performance efficient

   Your insights about the $Bitmap deadlock issue and directory handling 
show deep understanding of NTFS architecture.

   This solution would also make excellent patent material - the 
VFS-level protection mechanism is both innovative and effective.


   Best regards,
   Hongling Zeng

在 2026年07月02日 20:12, Namjae Jeon 写道:
> On Thu, Jul 2, 2026 at 6:06 PM Hongling Zeng <zenghongling@kylinos.cn> wrote:
>> Malicious NTFS images can expose $MFT to userspace and allow write
>> operations, leading to potential kernel NULL pointer dereference
>> since ntfs_mft_aops lacks write_begin support.
>>
>> The vulnerability affects both write_iter and mmap-based write paths:
>> 1. write_iter path: ntfs_file_write_iter()
>> 2. mmap write path: ntfs_filemap_page_mkwrite()
>>
>> Without protecting both paths, attackers can bypass single-path
>> protection by using the alternative write method.
>>
>> Fix by adding write protection in ntfs_file_write_iter() to prevent
>> any write operations to FILE_MFT.
>>
>> Fixes: 1e9ea7e04472d ("Revert \"fs: Remove NTFS classic\"")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
> Can you check if the attached file fixes this issue ?
> Thanks.


      reply	other threads:[~2026-07-03  1:35 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02  9:06 [PATCH v2] ntfs: prevent write access to $MFT inode Hongling Zeng
2026-07-02 12:12 ` Namjae Jeon
2026-07-03  1:34   ` Hongling Zeng [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6A4711BE.8090101@126.com \
    --to=zhongling0719@126.com \
    --cc=charsyam@gmail.com \
    --cc=hyc.lee@gmail.com \
    --cc=linkinjeon@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=zenghongling@kylinos.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox