306891 – (CVE-2006-5753) CVE-2006-5753 kernel listxattr syscall can corrupt user space programs

Bug 306891 (CVE-2006-5753) - CVE-2006-5753 kernel listxattr syscall can corrupt user space programs

Summary: CVE-2006-5753 kernel listxattr syscall can corrupt user space programs

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2006-5753
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	220119 220677 247600
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-26 13:14 UTC by Mark J. Cox
Modified:	2021-11-12 19:35 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-03-20 02:45:36 UTC
Embargoed:

Attachments	(Terms of Use)

Description Mark J. Cox 2007-09-26 13:14:44 UTC

The listxattr syscall can corrupt user space under certain circumstances. The
problem seems to be related to signed/unsigned conversion during size promotion.
The function return_EIO returns an int but its used as a ssize_t with a
comparison to 0. This causes the range check to fail and copy_to_user copies way
too much.

This has been observed on iso9660 and squashfs on x86_64 machines.

Comment 4 Eugene Teo (Security Response) 2008-09-16 03:17:34 UTC

Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8

Reference:
http://lkml.org/lkml/2007/1/3/150

Note You need to log in before you can comment on or make changes to this bug.