diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-04-02 11:09:26 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-04-18 19:37:06 -0400 |
commit | 2a086e5d3a23570735f75b784d29b93068070833 (patch) | |
tree | 43949632ba2e1c8ed4a8169d64c406d66ce36f23 /security/tomoyo | |
parent | a3232d2fa2e3cbab3e76d91cdae5890fee8a4034 (diff) |
TOMOYO: Fix race on updating profile's comment line.
In tomoyo_write_profile() since 2.6.34, a lock was by error missing when
replacing profile's comment line. If multiple threads attempted
echo '0-COMMENT=comment' > /sys/kernel/security/tomoyo/profile
in parallel, garbage collector will fail to kfree() the old value.
Protect the replacement using a lock. Also, keep the old value rather than
replace with empty string when out of memory error has occurred.
Signed-off-by: Xiaochen Wang <wangxiaochen0@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo')
-rw-r--r-- | security/tomoyo/common.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 7556315c1978..2b7b1a123600 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
@@ -459,8 +459,16 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head) | |||
459 | if (profile == &tomoyo_default_profile) | 459 | if (profile == &tomoyo_default_profile) |
460 | return -EINVAL; | 460 | return -EINVAL; |
461 | if (!strcmp(data, "COMMENT")) { | 461 | if (!strcmp(data, "COMMENT")) { |
462 | const struct tomoyo_path_info *old_comment = profile->comment; | 462 | static DEFINE_SPINLOCK(lock); |
463 | profile->comment = tomoyo_get_name(cp); | 463 | const struct tomoyo_path_info *new_comment |
464 | = tomoyo_get_name(cp); | ||
465 | const struct tomoyo_path_info *old_comment; | ||
466 | if (!new_comment) | ||
467 | return -ENOMEM; | ||
468 | spin_lock(&lock); | ||
469 | old_comment = profile->comment; | ||
470 | profile->comment = new_comment; | ||
471 | spin_unlock(&lock); | ||
464 | tomoyo_put_name(old_comment); | 472 | tomoyo_put_name(old_comment); |
465 | return 0; | 473 | return 0; |
466 | } | 474 | } |