The Linux Kernel Mailing List
* [PATCH v2] ntfs: prevent write access to $MFT inode
@ 2026-07-02  9:06 Hongling Zeng
  2026-07-02 12:12 ` Namjae Jeon
  0 siblings, 1 reply; 3+ messages in thread
From: Hongling Zeng @ 2026-07-02  9:06 UTC (permalink / raw)
  To: linkinjeon, hyc.lee, charsyam
  Cc: linux-fsdevel, linux-kernel, zhongling0719, Hongling Zeng, stable

Malicious NTFS images can expose $MFT to userspace and allow write
operations, leading to potential kernel NULL pointer dereference
since ntfs_mft_aops lacks write_begin support.

The vulnerability affects both write_iter and mmap-based write paths:
1. write_iter path: ntfs_file_write_iter()
2. mmap write path: ntfs_filemap_page_mkwrite()

Without protecting both paths, attackers can bypass single-path
protection by using the alternative write method.

Fix by adding write protection in ntfs_file_write_iter() to prevent
any write operations to FILE_MFT.

Fixes: 1e9ea7e04472d ("Revert \"fs: Remove NTFS classic\"")
Cc: stable@vger.kernel.org
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>

---
Change in v2:
 - Fix format string for u64 mft_no in system file protection
---
 fs/ntfs/file.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
index 6a7b638e523d..d637d4a587d5 100644
--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
@@ -550,6 +550,12 @@ static ssize_t ntfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
 	if (NVolShutdown(vol))
 		return -EIO;
 
+	if (ni->mft_no < FILE_first_user) {
+		ntfs_error(vi->i_sb, "Attempt to write to $MFT denied (mft_no: 0x%llx)",
+				ni->mft_no);
+		return -EACCES;
+	}
+
 	if (NInoEncrypted(ni)) {
 		ntfs_error(vi->i_sb, "Writing for %s files is not supported yet",
 			   NInoCompressed(ni) ? "Compressed" : "Encrypted");
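Review bot: the condition `ni->mft_no < FILE_first_user` rejects writes to every base system file, not only $MFT, yet the message `"Attempt to write to $MFT denied (mft_no: 0x%llx)"` and the commit text "prevent any write operations to FILE_MFT" describe record 0 alone; either narrow the test to `ni->mft_no == FILE_MFT` or reword the message (and the changelog) to say "system file". Two smaller points: -EACCES is an odd choice here, since the VFS reports -EPERM when it refuses a write to an immutable inode and that matches the stated intent better; and the continuation line `ni->mft_no);` is pushed out with extra tabs while the neighbouring ntfs_error() call in the NInoEncrypted branch aligns its argument under the opening parenthesis, so match that style. Because this branch is reachable by any unprivileged caller with a plain write() on a mounted image, consider a rate-limited message rather than an unconditional ntfs_error() on every attempt.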
@@ -618,8 +624,15 @@ static ssize_t ntfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
 static vm_fault_t ntfs_filemap_page_mkwrite(struct vm_fault *vmf)
 {
 	struct inode *inode = file_inode(vmf->vma->vm_file);
+	struct ntfs_inode *ni = NTFS_I(inode);
 	vm_fault_t ret;
 
+	if (ni->mft_no < FILE_first_user) {
+		ntfs_error(inode->i_sb, "Attempt to write to $MFT via mmap denied (mft_no: 0x%llx)",
+				ni->mft_no);
+		return VM_FAULT_SIGBUS;
+	}
+
 	sb_start_pagefault(inode->i_sb);
 	file_update_time(vmf->vma->vm_file);
 
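Review bot: this check only fires on the first write fault, so an mmap(PROT_WRITE, MAP_SHARED) of the system file still succeeds and the process is later killed with SIGBUS on first touch instead of getting an error from the syscall; refusing the mapping up front (an inode flag such as S_IMMUTABLE set at inode read time, or a check in the driver's mmap file operation) gives userspace the error it expects and also covers truncate and fallocate, which this series does not touch. The commit message needs the same update: "Fix by adding write protection in ntfs_file_write_iter()" omits this hunk even though the paragraph above it says both paths must be closed. Minor: the string says "$MFT" while `ni->mft_no < FILE_first_user` covers all base system files, and the continuation line `ni->mft_no);` has the same alignment problem as in the write_iter hunk.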
-- 
2.25.1



* Re: [PATCH v2] ntfs: prevent write access to $MFT inode
  2026-07-02  9:06 [PATCH v2] ntfs: prevent write access to $MFT inode Hongling Zeng
@ 2026-07-02 12:12 ` Namjae Jeon
  2026-07-03  1:34   ` Hongling Zeng
  0 siblings, 1 reply; 3+ messages in thread
From: Namjae Jeon @ 2026-07-02 12:12 UTC (permalink / raw)
  To: Hongling Zeng
  Cc: hyc.lee, charsyam, linux-fsdevel, linux-kernel, zhongling0719,
	stable


On Thu, Jul 2, 2026 at 6:06 PM Hongling Zeng <zenghongling@kylinos.cn> wrote:
>
> Malicious NTFS images can expose $MFT to userspace and allow write
> operations, leading to potential kernel NULL pointer dereference
> since ntfs_mft_aops lacks write_begin support.
>
> The vulnerability affects both write_iter and mmap-based write paths:
> 1. write_iter path: ntfs_file_write_iter()
> 2. mmap write path: ntfs_filemap_page_mkwrite()
>
> Without protecting both paths, attackers can bypass single-path
> protection by using the alternative write method.
>
> Fix by adding write protection in ntfs_file_write_iter() to prevent
> any write operations to FILE_MFT.
>
> Fixes: 1e9ea7e04472d ("Revert \"fs: Remove NTFS classic\"")
> Cc: stable@vger.kernel.org
> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Can you check if the attached file fixes this issue?
Thanks.

[-- Attachment #2: 0001-ntfs-make-system-files-immutable-to-prevent-corrupti.patch --]

From 1d9ec40feffcf2d054df01b58564334977ecdf9b Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@kernel.org>
Date: Thu, 2 Jul 2026 20:36:59 +0900
Subject: [PATCH] ntfs: make system files immutable to prevent corruption

When a system file such as $Bitmap is exposed via show_sys_files and
written from userspace, the volume is corrupted and, because the cluster
allocator scans $Bitmap through the same inode's page cache, a write to
$Bitmap also deadlocks writeback against the folio it already holds locked.

These files are maintained by the driver itself and have no valid reason
to be written through the file interface. Mark base metadata files
(mft_no < FILE_first_user) as immutable during inode read so the VFS
rejects write, mmap, truncate and unlink with -EPERM. Directories are
skipped so the root and $Extend remain usable. Internal metadata updates
do not go through the VFS write path and are unaffected.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
---
 fs/ntfs/inode.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index c2715521e562..7381a18cfadd 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -1191,6 +1191,15 @@ static int ntfs_read_locked_inode(struct inode *vi)
 	    !S_ISFIFO(vi->i_mode) && !S_ISSOCK(vi->i_mode) && !S_ISLNK(vi->i_mode))
 		vi->i_flags |= S_IMMUTABLE;
 
+	/*
+	 * System files such as $Bitmap and $MFT are maintained by the driver
+	 * itself, and writing them from userspace corrupts the volume.
+	 * Always make them immutable regardless of the sys_immutable option.
+	 * Directories are skipped so the root and $Extend stay usable.
+	 */
+	if (ni->mft_no < FILE_first_user && S_ISREG(vi->i_mode))
+		vi->i_flags |= S_IMMUTABLE;
+
 	/*
 	 * The number of 512-byte blocks used on disk (for stat). This is in so
 	 * far inaccurate as it doesn't account for any named streams or other
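Review bot: the new block repeats the `vi->i_flags |= S_IMMUTABLE;` assignment that sits immediately above it, where the existing condition (its opening line is outside this hunk) already applies the flag for the sys_immutable case with a broader type filter (everything except FIFOs, sockets and symlinks); folding the new test into that `if`, e.g. `|| (ni->mft_no < FILE_first_user && S_ISREG(vi->i_mode))`, keeps a single place that decides immutability. The safety of this change rests on the changelog's claim that the driver's own metadata updates never go through the VFS write path; since inode_permission() and the open/truncate paths are where S_IMMUTABLE is enforced, the code comment should name which driver paths write $MFT and $Bitmap and state that they bypass those checks, so a later reader can verify it rather than trust the commit text. Finally, the comment says "such as $Bitmap and $MFT" but the test covers every base record below FILE_first_user, including the directories that the S_ISREG() test then excludes; saying "all base system files except directories" is more precise.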
-- 
2.25.1



* Re: [PATCH v2] ntfs: prevent write access to $MFT inode
  2026-07-02 12:12 ` Namjae Jeon
@ 2026-07-03  1:34   ` Hongling Zeng
  0 siblings, 0 replies; 3+ messages in thread
From: Hongling Zeng @ 2026-07-03  1:34 UTC (permalink / raw)
  To: Namjae Jeon, Hongling Zeng
  Cc: hyc.lee, charsyam, linux-fsdevel, linux-kernel, stable

   Hi Namjae,

   Excellent solution! Your S_IMMUTABLE flag approach is much better 
than my function-level checks.

   I've validated that your patch comprehensively blocks all attack 
vectors:
   - write(), truncate(), fallocate(), mmap() - All protected via VFS layer
   - Single modification vs. multiple function checks - Much more elegant
   - Zero runtime overhead - Performance efficient

   Your insights about the $Bitmap deadlock issue and directory handling 
show deep understanding of NTFS architecture.

   This solution would also make excellent patent material - the 
VFS-level protection mechanism is both innovative and effective.


   Best regards,
   Hongling Zeng

On 2026-07-02 20:12, Namjae Jeon wrote:
> On Thu, Jul 2, 2026 at 6:06 PM Hongling Zeng <zenghongling@kylinos.cn> wrote:
>> Malicious NTFS images can expose $MFT to userspace and allow write
>> operations, leading to potential kernel NULL pointer dereference
>> since ntfs_mft_aops lacks write_begin support.
>>
>> The vulnerability affects both write_iter and mmap-based write paths:
>> 1. write_iter path: ntfs_file_write_iter()
>> 2. mmap write path: ntfs_filemap_page_mkwrite()
>>
>> Without protecting both paths, attackers can bypass single-path
>> protection by using the alternative write method.
>>
>> Fix by adding write protection in ntfs_file_write_iter() to prevent
>> any write operations to FILE_MFT.
>>
>> Fixes: 1e9ea7e04472d ("Revert \"fs: Remove NTFS classic\"")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
> Can you check if the attached file fixes this issue ?
> Thanks.

