From: Greg Kroah-Hartman Date: Wed, 1 Jul 2026 13:35:11 +0000 (+0200) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05a05194f3e4e04a737a3c04c663b095e5e528df;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
---
diff --git a/queue-6.18/ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch b/queue-6.18/ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
new file mode 100644
index 0000000000..a0e06b49e2
--- /dev/null
+++ b/queue-6.18/ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
@@ -0,0 +1,58 @@
+From 5b08dccecf825cbf905f348bc6ccb497507e28e2 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov
+Date: Wed, 10 Jun 2026 12:31:01 +0200
+Subject: ntfs3: reject direct userspace writes to reserved $LX* xattrs
+
+From: Konstantin Komarov
+
+commit 5b08dccecf825cbf905f348bc6ccb497507e28e2 upstream.
+
+NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
+permission metadata and reloads them into i_uid, i_gid and i_mode
+from ntfs_get_wsl_perm().
+
+Because the empty-prefix xattr handler also lets file owners call
+setxattr() on these names directly, an unprivileged writer on a
+writable ntfs3 mount can plant root ownership and S_ISUID on their own
+file and gain euid 0 after inode reload.
+
+Reject direct userspace writes to the reserved $LX* names. Internal
+ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
+writes them via ntfs_set_ea() directly.
+
+Signed-off-by: Zhen Yan
+[almaz.alexandrovich@paragon-software.com: added an additional check for non privileged users]
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/xattr.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -845,6 +845,12 @@ out:
+ return err;
+ }
+
++static bool ntfs_is_reserved_lxattr(const char *name)
++{
++ return !strcmp(name, "$LXUID") || !strcmp(name, "$LXGID") ||
++ !strcmp(name, "$LXMOD") || !strcmp(name, "$LXDEV");
++}
++
+ /*
+ * ntfs_setxattr - inode_operations::setxattr
+ */
+@@ -949,6 +955,12 @@ set_new_fa:
+ goto out;
+ }
+
++ /* Do not allow non privileged users to change $LXUID/$LXGID... */
++ if (ntfs_is_reserved_lxattr(name) && !capable(CAP_SYS_ADMIN)) {
++ err = -EPERM;
++ goto out;
++ }
++
+ /* Deal with NTFS extended attribute. */
+ err = ntfs_set_ea(inode, name, strlen(name), value, size, flags, 0,
+ NULL);
diff --git a/queue-6.18/series b/queue-6.18/series
index 5e6eeaf60c..d8c82c42d7 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
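Review bot: `ntfs_is_reserved_lxattr()` matches four exact names, while the subject and description speak of reserved `$LX*` names, and nothing in the helper ties its list to the names that ntfs_get_wsl_perm() and ntfs_save_wsl_perm() handle; if another name is added there later, this gate will silently not cover it. I would add a comment above the helper, e.g. `/* EA names ntfs_get_wsl_perm() loads into i_uid/i_gid/i_mode; keep in sync with ntfs_save_wsl_perm(). */`. The in-function comment could also state that holders of CAP_SYS_ADMIN are still allowed to write these names, since the description reads as if every direct write were rejected. The check guards only the write path in ntfs_setxattr(), whose body starts and ends outside both inner hunks, so values already present on a volume are presumably still loaded on inode read; that is worth confirming separately.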
@@ -31,3 +31,4 @@ batman-adv-tvlv-enforce-2-byte-alignment.patch
 batman-adv-tvlv-avoid-race-of-cifsnotfound-handler-s.patch
 ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
 ipv4-account-for-fraggap-on-the-paged-allocation-pat.patch
+ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch