The listxattr syscall can corrupt user space under certain circumstances. The root cause is a return-type mismatch rather than a signed/unsigned conversion: the bad-inode stub return_EIO() is declared to return int, but it is installed in the inode operations table for operations such as listxattr, whose return type is ssize_t. When the stub is called through the ssize_t-typed pointer on x86_64, the 32-bit -EIO is read back as a 64-bit value whose upper half is not sign-extended, so the caller can see a large positive number instead of -5. The `error > 0` range check in sys_listxattr then accepts that number as a byte count and copy_to_user copies far more than the caller's buffer holds. This has been observed on iso9660 and squashfs on x86_64 machines.
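User-space model of the failure, added here as an example (not kernel code and not from the upstream patch). It reproduces the shape of the sys_listxattr tail and the bad-inode stub; the widening of the mistyped int return is emulated deterministically through `mistyped_return_as_seen()` instead of invoking undefined behaviour, and the `listxattr_tail_clamped` variant is an illustrative extra check, not the upstream fix, which retyped the stubs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define XATTR_LIST_MAX 65536          /* cap the kernel applies to `size` */

/* Fixed stub, typed as the listxattr operation actually is. */
static ssize_t bad_inode_listxattr(char *list, size_t size)
{
    (void)list;
    (void)size;
    return -EIO;
}

/* Models what the caller saw from the original `int return_EIO(void)` when
 * it was invoked through a ssize_t-returning pointer on x86_64: the low
 * 32 bits hold (uint32_t)-EIO, the high 32 bits hold whatever the callee
 * left in the upper half of rax. Deterministic stand-in for that UB;
 * `leftover_high` is an assumed value, not something the kernel exposes. */
static ssize_t mistyped_return_as_seen(uint32_t leftover_high)
{
    uint64_t raw = ((uint64_t)leftover_high << 32) | (uint32_t)-EIO;
    return (ssize_t)raw;
}

/* Shape of the original sys_listxattr() tail: `error` is trusted as a byte
 * count as soon as it is positive. Instead of copying, record the count
 * that copy_to_user() would have been handed in *copied. */
static ssize_t listxattr_tail_original(ssize_t error, size_t size,
                                       size_t *copied)
{
    *copied = 0;
    if (error > 0) {
        if (size)
            *copied = (size_t)error;  /* copy_to_user(list, klist, error) */
    } else if (error == -ERANGE && size >= XATTR_LIST_MAX) {
        error = -E2BIG;
    }
    return error;
}

/* Same tail with a defensive clamp (added for illustration, not upstream's
 * fix): a list longer than the buffer it was built for is a kernel bug. */
static ssize_t listxattr_tail_clamped(ssize_t error, size_t size,
                                      size_t *copied)
{
    *copied = 0;
    if (error > 0 && (size_t)error > size)
        return -EIO;
    return listxattr_tail_original(error, size, copied);
}

/* Helpers exposing only the would-be copy length for each variant. */
static size_t copy_len_original(ssize_t error, size_t size)
{
    size_t c;
    listxattr_tail_original(error, size, &c);
    return c;
}

static size_t copy_len_clamped(ssize_t error, size_t size)
{
    size_t c;
    listxattr_tail_clamped(error, size, &c);
    return c;
}

int main(void)
{
    char user_buf[64];
    size_t n = sizeof user_buf;

    /* 1. Mistyped stub: -EIO is no longer negative once widened wrongly. */
    ssize_t seen = mistyped_return_as_seen(0x00000001u);
    printf("mistyped: rc=%zd copy_len=%zu (buffer is %zu bytes)\n",
           seen, copy_len_original(seen, n), n);

    /* 2. Correctly typed stub: -EIO survives and nothing is copied. */
    seen = bad_inode_listxattr(user_buf, n);
    printf("fixed stub: rc=%zd copy_len=%zu\n", seen, copy_len_original(seen, n));

    /* 3. Clamp refuses the bogus length even with the mistyped stub. */
    printf("clamped: copy_len=%zu\n",
           copy_len_clamped(mistyped_return_as_seen(1u), n));
    return 0;
}
```

Only when the leftover upper half happens to be all ones does the mistyped value equal -EIO; any other content turns the error into a multi-gigabyte copy length that the original check waves through.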
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8
Reference: http://lkml.org/lkml/2007/1/3/150