Re: [SECURITY] ntfs3: direct $LX* xattr writes can create a root SUID file

From: Willy Tarreau

Date: Sat Jun 06 2026 - 07:05:21 EST


Hello,

[moved the security list to bcc since the message was sent to public lists]

Comments below anyway.

On Sat, Jun 06, 2026 at 06:57:01PM +0800, sdj asj wrote:
> PoC
>
> The core userspace trigger is just direct setxattr() on $LXUID/$LXGID/$LXMOD
> followed by inode reload. The following is copy/paste runnable on a vulnerable
> kernel if /mnt/ntfs3 is a writable NTFS3 mount:
(...)

It's usually not a good idea to send proofs of concept to public lists
as it tends to add pressure to maintainers who feel like they need to
apply an urgent fix.

> Proposed fix:

Was this tested?

> [PATCH] ntfs3: reject direct userspace writes to reserved $LX* xattrs
>
> diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
> index 9eeac0ab2..0bc633025 100644
> --- a/fs/ntfs3/xattr.c
> +++ b/fs/ntfs3/xattr.c
> @@ -851,6 +851,14 @@ static int ntfs_getxattr(const struct
> xattr_handler *handler, struct dentry *de,
> return err;
> }
>
> +static bool ntfs_is_reserved_lxattr(const char *name)
> +{
> + return !strcmp(name, "$LXUID") ||
> + !strcmp(name, "$LXGID") ||
> + !strcmp(name, "$LXMOD") ||
> + !strcmp(name, "$LXDEV");
> +}
> +
> /*
> * ntfs_setxattr - inode_operations::setxattr
> */
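Review bot: the new ntfs_is_reserved_lxattr() hard-codes four names, one more ($LXDEV) than the three the subject line and the report describe; the commit message should say why $LXDEV belongs in the blocked set, and if the file already spells these names elsewhere (the code that reads them back into uid/gid/mode on inode load), share one definition so the two lists cannot drift apart. The helper is also only reachable from the set path, which is fine for the fix, but note that strcmp() is an exact, case-sensitive match, so the commit message should state that this is the intended scope rather than prefix or case-insensitive matching.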
> @@ -955,6 +963,11 @@ static noinline int ntfs_setxattr(const struct
> xattr_handler *handler,
> goto out;
> }
>
> + if (ntfs_is_reserved_lxattr(name)) {
> + err = -EPERM;
> + goto out;
> + }
> +
> /* Deal with NTFS extended attribute. */
> err = ntfs_set_ea(inode, name, strlen(name), value, size, flags, 0,
> NULL);
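Review bot: the unconditional "err = -EPERM; goto out;" sits in front of ntfs_set_ea() with no capability check, so it also rejects removexattr() (which reaches this handler's set path with a NULL value) and privileged callers alike; that may be the intent, but it should be stated in the commit message, and the change only closes the userspace write path: values already present on disk, however they got there, are still trusted on inode reload, which is the second half of the trigger the report describes, so the message should make clear that this patch addresses only direct writes. A quick regression test (setxattr on each listed name returning EPERM, other user.* names still working) would answer the "was this tested?" question.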

Please see Documentation/process/submitting-patches.rst to see how to
turn this into a real patch that can be applied, which if accepted, will
get you credit for finding and fixing this bug.

Also please check Documentation/process/email-clients.rst to find how to
fix your mailer which mangled spaces and tabs as you can see above.

> This report was prepared with AI assistance, so I am treating it as public
> per Documentation/process/security-bugs.rst.

Thanks! Please note that the doc asks not to share PoCs with public
lists, and suggests not to Cc security@ in this case either. It also
asks to provide a tested patch.

Thanks,
Willy