Malicious NTFS images can expose $MFT to userspace and allow write operations, leading to potential kernel NULL pointer dereference since ntfs_mft_aops lacks write_begin support. The vulnerability affects both write_iter and mmap-based write paths: 1. write_iter path: ntfs_file_write_iter() 2. mmap write path: ntfs_filemap_page_mkwrite() Without protecting both paths, attackers can bypass single-path protection by using the alternative write method. Fix by adding write protection in ntfs_file_write_iter() to prevent any write operations to FILE_MFT.

Fixes: 1e9ea7e04472d ("Revert \"fs: Remove NTFS classic\"")
Cc: stable@vger.kernel.org
Signed-off-by: Hongling Zeng
---
 fs/ntfs/file.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
index 6a7b638e523d..0d8f11e5ccb7 100644
--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
@@ -550,6 +550,12 @@ static ssize_t ntfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
 	if (NVolShutdown(vol))
 		return -EIO;
 
+	if (ni->mft_no == FILE_MFT) {
+		ntfs_error(vi->i_sb, "Attempt to write to $MFT denied (mft_no: 0x%lx)",
+			   ni->mft_no);
+		return -EACCES;
+	}
+
 	if (NInoEncrypted(ni)) {
 		ntfs_error(vi->i_sb, "Writing for %s files is not supported yet",
 				NInoCompressed(ni) ? "Compressed" : "Encrypted");
@@ -618,8 +624,15 @@ static ssize_t ntfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
 static vm_fault_t ntfs_filemap_page_mkwrite(struct vm_fault *vmf)
 {
 	struct inode *inode = file_inode(vmf->vma->vm_file);
+	struct ntfs_inode *ni = NTFS_I(inode);
 	vm_fault_t ret;
 
+	if (ni->mft_no == FILE_MFT) {
+		ntfs_error(inode->i_sb, "Attempt to write to $MFT via mmap denied (mft_no: 0x%lx)",
+			   ni->mft_no);
+		return VM_FAULT_SIGBUS;
+	}
+
 	sb_start_pagefault(inode->i_sb);
 	file_update_time(vmf->vma->vm_file);
 
-- 
2.25.1
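Review bot: The new guard in ntfs_file_write_iter() calls ntfs_error() on every rejected write, and the page_mkwrite hunk below does the same on every write fault; an unprivileged process holding a writable descriptor on the exposed $MFT inode can repeat either operation in a tight loop, which turns this into a kernel-log flood unless ntfs_error() is rate-limited (it does not look like it is in this driver — worth confirming). Since the return code already conveys the refusal, demote the message or rate-limit it, e.g. `ntfs_debug("Attempt to write to $MFT denied (mft_no: 0x%lx)", ni->mft_no);` or the same text through `pr_err_ratelimited()`, in both hunks. Separately, the checks guard two entry points individually; a single check that refuses to open the FILE_MFT inode for writing in the open path (the driver's file open callback, outside this hunk) would close every write route at once and let these two remain as defence in depth. The commit description names only the ntfs_file_write_iter() change although the patch also guards ntfs_filemap_page_mkwrite(). ntfs_file_write_iter() starts and ends outside the hunk.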
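Review bot: The mmap guard fires only at write-fault time in ntfs_filemap_page_mkwrite(), so a PROT_WRITE/MAP_SHARED mapping of the $MFT inode is still created successfully and the process only learns of the refusal as a SIGBUS on first touch; if this driver installs these vm_ops from its own .mmap handler (outside the hunk), a reader would expect the denial there too, e.g. `if (NTFS_I(file_inode(file))->mft_no == FILE_MFT) return -EACCES;` so the mapping is never established. Placing the check before sb_start_pagefault() is correct, since nothing has to be undone on the early return. The body of ntfs_filemap_page_mkwrite() continues past the end of the hunk.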