ocfs2: fix listxattr handling when the buffer is full

Summary

CVE: CVE-2026-53041
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-24 17:17:15 UTC
Updated: 2026-06-24 17:17:15 UTC

Description:

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix listxattr handling when the buffer is full

[BUG]
If an OCFS2 inode has both inline and block-based xattrs, listxattr() can return a size larger than the caller's buffer when the inline names consume that buffer exactly.

    kernel BUG at mm/usercopy.c:102!
    Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
    RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102
    Call Trace:
     __check_heap_object+0xe3/0x120 mm/slub.c:8243
     check_heap_object mm/usercopy.c:196 [inline]
     __check_object_size mm/usercopy.c:250 [inline]
     __check_object_size+0x5c5/0x780 mm/usercopy.c:215
     check_object_size include/linux/ucopysize.h:22 [inline]
     check_copy_size include/linux/ucopysize.h:59 [inline]
     copy_to_user include/linux/uaccess.h:219 [inline]
     listxattr+0xb0/0x170 fs/xattr.c:926
     filename_listxattr fs/xattr.c:958 [inline]
     path_listxattrat+0x137/0x320 fs/xattr.c:988
     __do_sys_listxattr fs/xattr.c:1001 [inline]
     __se_sys_listxattr fs/xattr.c:998 [inline]
     __x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998
     ...

[CAUSE]
Commit 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().") replaced the old per-handler list accounting with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect probe mode. That assumption stops being true once ocfs2_listxattr() finishes the inline-xattr pass. If the inline names fill the caller buffer exactly, the block-xattr pass runs with a non-NULL buffer and a remaining size of zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps counting block names, and returns a positive size larger than the supplied buffer.

[FIX]
Detect probe mode by testing whether the destination buffer pointer is NULL instead of whether the remaining size is zero. That restores the pre-refactor behavior and matches the OCFS2 getxattr helpers.

Once the remaining buffer reaches zero while more names are left, the block-xattr pass now returns -ERANGE instead of reporting a size larger than the allocated list buffer.
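As an added example, not the kernel's own code: a simplified C model of the two-pass accounting described above, with the buggy probe-mode test (size == 0) beside the fixed one (buffer == NULL). The names, buffer sizes and function names are constructed; xattr prefix handling and the on-disk structures are left out.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

static char sample_buf[32];  /* constructed caller buffer for the model */

/* Model of ocfs2_xattr_list_entry(): count one name (with its NUL) and, unless
 * in probe mode, copy it to buffer[*result]. probe_by_null selects the fix. */
static int list_entry(char *buffer, size_t size, size_t *result,
                      const char *name, bool probe_by_null)
{
    size_t len = strlen(name) + 1;
    char *p = buffer ? buffer + *result : NULL;
    *result += len;                       /* names are always counted */
    /* Buggy: size == 0 is read as "caller only wants the total size".
     * Fixed: only a NULL destination means probe mode. */
    if (probe_by_null ? (buffer == NULL) : (size == 0))
        return 0;
    if (*result > size)                   /* would overrun the caller's buffer */
        return -ERANGE;
    memcpy(p, name, len);
    return 0;
}

/* One pass over a name set, like ocfs2_xattr_ibody_list()/_block_list(). */
static int list_pass(char *buffer, size_t size, const char *const *names,
                     size_t n, bool probe_by_null)
{
    size_t result = 0;
    for (size_t i = 0; i < n; i++) {
        int ret = list_entry(buffer, size, &result, names[i], probe_by_null);
        if (ret)
            return ret;
    }
    return (int)result;
}

/* Model of ocfs2_listxattr(): inline pass, then block pass on the leftover
 * space. The constructed inline pair takes exactly 15 bytes, the block name 9. */
static int listxattr_model(char *buffer, size_t size, bool probe_by_null)
{
    static const char *const inline_names[] = { "user.a", "user.bb" };
    static const char *const block_names[] = { "user.ccc" };
    int i_ret = list_pass(buffer, size, inline_names, 2, probe_by_null);
    if (i_ret < 0)
        return i_ret;
    if (buffer) {                         /* advance past the inline names */
        buffer += i_ret;
        size -= i_ret;                    /* 0 when they filled the buffer exactly */
    }
    int b_ret = list_pass(buffer, size, block_names, 1, probe_by_null);
    return b_ret < 0 ? b_ret : i_ret + b_ret;
}
```

With a 15-byte buffer the buggy variant reports 24 bytes, which is what fs/xattr.c then hands to copy_to_user(); the fixed variant returns -ERANGE, and both still report 24 in true probe mode (NULL buffer, size 0).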

Vendor Declared Affected Products

Source | Vendor | Product | Status | Version | Range / fix commit | Version type | Platforms
CNA | Linux | Linux | affected | 936b8834366ec05f2a6993f73afd8348cac9718e | a35a1c2b170b5b578b1b3fecb95694796552af9a | git | Not specified
CNA | Linux | Linux | affected | 936b8834366ec05f2a6993f73afd8348cac9718e | 2323084c17370304f49c84b354fe7b3edbb264fe | git | Not specified
CNA | Linux | Linux | affected | 936b8834366ec05f2a6993f73afd8348cac9718e | 6f702b00b8124c5d3525f19172934544826a114d | git | Not specified
CNA | Linux | Linux | affected | 936b8834366ec05f2a6993f73afd8348cac9718e | d919b905939eda93393e3572900ff70dbad2b47f | git | Not specified
CNA | Linux | Linux | affected | 936b8834366ec05f2a6993f73afd8348cac9718e | 46e66fefb83811958127bc9ad736983ec629d82b | git | Not specified
CNA | Linux | Linux | affected | 936b8834366ec05f2a6993f73afd8348cac9718e | 2685df8577a38d83b367c8cf52eda9dc286959ff | git | Not specified
CNA | Linux | Linux | affected | 936b8834366ec05f2a6993f73afd8348cac9718e | 50033ec1350fe68abdc63b950ced7ae57364b77a | git | Not specified
CNA | Linux | Linux | affected | 936b8834366ec05f2a6993f73afd8348cac9718e | d12f558e6200b3f47dbef9331ed6d115d2410e59 | git | Not specified
CNA | Linux | Linux | affected | 2.6.28 | | | Not specified
CNA | Linux | Linux | unaffected | 2.6.28 | | semver | Not specified
CNA | Linux | Linux | unaffected | 5.10.258 | 5.10.* | semver | Not specified
CNA | Linux | Linux | unaffected | 5.15.209 | 5.15.* | semver | Not specified
CNA | Linux | Linux | unaffected | 6.1.175 | 6.1.* | semver | Not specified
CNA | Linux | Linux | unaffected | 6.6.141 | 6.6.* | semver | Not specified
CNA | Linux | Linux | unaffected | 6.12.91 | 6.12.* | semver | Not specified
CNA | Linux | Linux | unaffected | 6.18.33 | 6.18.* | semver | Not specified
CNA | Linux | Linux | unaffected | 7.0.10 | 7.0.* | semver | Not specified
CNA | Linux | Linux | unaffected | 7.1 | * | original_commit_for_fix | Not specified

References

Reference | Source | Link | Tags
git.kernel.org/stable/c/2685df8577a38d83b367c8cf52eda9dc286959ff | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/2323084c17370304f49c84b354fe7b3edbb264fe | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/a35a1c2b170b5b578b1b3fecb95694796552af9a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/46e66fefb83811958127bc9ad736983ec629d82b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/d12f558e6200b3f47dbef9331ed6d115d2410e59 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/50033ec1350fe68abdc63b950ced7ae57364b77a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/d919b905939eda93393e3572900ff70dbad2b47f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/6f702b00b8124c5d3525f19172934544826a114d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis
© CVE.report 2026