Red Hat Bugzilla – Bug 306891
CVE-2006-5753 kernel listxattr syscall can corrupt user space programs
Last modified: 2012-07-16 19:03:34 EDT
The listxattr syscall can corrupt user space under certain circumstances. The
problem seems to be related to signed/unsigned conversion during size promotion.
The function return_EIO returns an int but it is used as a ssize_t with a
comparison to 0. This causes the range check to fail and copy_to_user copies way
This has been observed on iso9660 and squashfs on x86_64 machines.
Proposed upstream patch:
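
Added example, not the upstream patch and not code from this report: a user-space C model of the int/ssize_t mismatch described above, for a 64-bit target. It assumes the caller sees the 32-bit int result zero-extended into a 64-bit ssize_t; `promoted_wrong`, `promoted_right`, `bytes_to_copy` and `bytes_to_copy_bounded` are hypothetical names, and the bounded variant is only an illustrative defensive check.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for return_EIO as the report describes it: the result is an int. */
static int return_EIO(void) { return -EIO; }

/* ASSUMPTION: a 64-bit caller expecting ssize_t sees only the low 32 bits of
 * the int result, with the upper 32 bits zero (zero-extension). */
static ssize_t promoted_wrong(int r) { return (ssize_t)(uint32_t)r; }

/* What a function declared to return ssize_t would yield: sign-extension. */
static ssize_t promoted_right(int r) { return (ssize_t)r; }

/* Check in the style the report describes: compare with 0, then treat the
 * value as a byte count for copy_to_user. Returns the length to be copied. */
static size_t bytes_to_copy(ssize_t error)
{
    return error > 0 ? (size_t)error : 0;
}

/* Hypothetical defensive variant: never exceed the caller's buffer size. */
static size_t bytes_to_copy_bounded(ssize_t error, size_t size)
{
    if (error <= 0 || (size_t)error > size)
        return 0;
    return (size_t)error;
}

int main(void)
{
    int r = return_EIO();
    printf("sign-extended: %zd -> copy %zu bytes\n",
           promoted_right(r), bytes_to_copy(promoted_right(r)));
    printf("zero-extended: %zd -> copy %zu bytes\n",
           promoted_wrong(r), bytes_to_copy(promoted_wrong(r)));
    printf("bounded (size=256): copy %zu bytes\n",
           bytes_to_copy_bounded(promoted_wrong(r), 256));
    return 0;
}
```

With sign-extension the error stays negative and nothing is copied; with zero-extension the same -EIO passes the comparison with 0 as a length of nearly 4 GiB.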