diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-04-02 11:12:54 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-04-18 19:37:12 -0400 |
| commit | c0fa797ae6cd02ff87c0bfe0d509368a3b45640e (patch) | |
| tree | 4f484333268919be0487ff5fdf9dd380d8bf6ed2 /security | |
| parent | e4f5f26d8336318a5aa0858223c81cf29fcf5f68 (diff) | |
TOMOYO: Fix infinite loop bug when reading /sys/kernel/security/tomoyo/audit
In tomoyo_flush(), head->r.w[0] holds pointer to string data to be printed.
But head->r.w[0] was updated only when the string data was partially
printed (because head->r.w[0] will be updated by head->r.w[1] later if
completely printed). However, regarding /sys/kernel/security/tomoyo/query ,
an additional '\0' is printed after the string data was completely printed.
But if free space for read buffer became 0 before printing the additional '\0',
tomoyo_flush() was returning without updating head->r.w[0]. As a result,
tomoyo_flush() forever reprints already printed string data.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/tomoyo/common.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 2b7b1a123600..a0d09e56874b 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
| @@ -108,10 +108,9 @@ static bool tomoyo_flush(struct tomoyo_io_buffer *head) | |||
| 108 | head->read_user_buf += len; | 108 | head->read_user_buf += len; |
| 109 | w += len; | 109 | w += len; |
| 110 | } | 110 | } |
| 111 | if (*w) { | 111 | head->r.w[0] = w; |
| 112 | head->r.w[0] = w; | 112 | if (*w) |
| 113 | return false; | 113 | return false; |
| 114 | } | ||
| 115 | /* Add '\0' for query. */ | 114 | /* Add '\0' for query. */ |
| 116 | if (head->poll) { | 115 | if (head->poll) { |
| 117 | if (!head->read_user_buf_avail || | 116 | if (!head->read_user_buf_avail || |