https://bugzilla.kernel.org/show_bug.cgi?id=200933

--- Comment #3 from Theodore Tso (tytso@xxxxxxx) ---

Patch to fix this: http://patchwork.ozlabs.org/patch/962516/

Note: I will probably be retitling and rewriting the patch description, because on further reflection, it's not possible for this to become a buffer overrun attack. That's because we are checking to make sure the inline directory does not exceed the bounds of the inline data xattr. The size == 0 is coming from the "end of xattr list" marker in the xattr data structure. That has to be there, or we would have declared the xattr data structure to be corrupt before we even tried to parse the inline directory.

So the only way the attacker can manifest a problem is by causing the divide by zero in __ext4_check_dir_entry(). So for CVE scoring purposes, this is just a denial of service attack (triggering a kernel divide by zero trap, which doesn't kill the kernel per se, but which leaves various locks and refcounts held, which will eventually cause the system to become wedged). It is not a buffer overrun.
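Added illustration, not Ts'o's patch and not the kernel's code: a simplified C model of the inline-directory walk and the entry check the comment refers to, showing why a size == 0 region reached by trusting the inode's claimed size must be rejected before the error report can compute anything modulo size. The type and function names, the two sample entries and the 4096-byte claimed i_size are constructed for this example; the order of the sanity checks loosely follows __ext4_check_dir_entry().

```c
#include <stdint.h>
#include <stdio.h>

struct dir_entry { uint32_t inode; uint16_t rec_len; uint8_t name_len, file_type; }; /* cut-down ext4_dir_entry_2 */
#define DIR_REC_LEN(n) (((n) + 8 + 3) & ~3u)   /* 8-byte header + name, rounded to 4 */

/* Hardened check: 0 if the entry is sane, -1 if corrupt. A region of size 0 (the walk
 * ran past the real inline data) is rejected first; an unconditional "offset % size"
 * in the error report is the divide-by-zero trap the comment describes. */
static int check_dir_entry(const struct dir_entry *de, const char *buf,
                           unsigned int size, unsigned int offset)
{
    const char *msg;
    if (size == 0)
        msg = "entry beyond end of inline data";
    else if (de->rec_len < DIR_REC_LEN(de->name_len) || de->rec_len % 4)
        msg = "rec_len too small or unaligned";
    else if ((unsigned int)((const char *)de - buf) + de->rec_len > size)
        msg = "directory entry across range";
    else
        return 0;
    fprintf(stderr, "bad entry: %s - offset=%u(%u)\n", msg,
            size ? offset % size : 0, offset);         /* modulo now guarded */
    return -1;
}

/* Walk an inline directory whose real length is inline_len. `limit` is the loop
 * bound the caller trusts; bounding by the inode's claimed i_size instead of
 * inline_len lets a corrupt image drive the walk past the data (size becomes 0). */
static int walk_inline_dir(const char *area, unsigned int inline_len,
                           unsigned int limit)
{
    unsigned int offset = 0; int n = 0;
    while (offset < limit) {
        const struct dir_entry *de = (const struct dir_entry *)(area + offset);
        unsigned int size = offset < inline_len ? inline_len : 0;
        if (check_dir_entry(de, area, size, offset))
            return -1;                       /* corrupt: refuse, no trap */
        offset += de->rec_len;
        n++;
    }
    return n;                                /* number of entries seen */
}

/* Constructed sample: entries "a" and "bb", 12 bytes each, 24 bytes in total. */
static struct { struct dir_entry e1; char n1[4]; struct dir_entry e2; char n2[4]; } sample =
    { { 12, 12, 1, 1 }, "a", { 13, 12, 2, 1 }, "bb" };
/* Bounded by the real length: 2 entries. Bounded by a lying i_size: -1, no divide by zero. */
int demo_true_length(void)  { return walk_inline_dir((const char *)&sample, 24, 24); }
int demo_lying_i_size(void) { return walk_inline_dir((const char *)&sample, 24, 4096); }
```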