author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-10-20 23:37:13 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-10-22 15:55:26 -0400 |
commit | e0b057b406a33501a656dc8d67ea945d7bcdad61 (patch) | |
tree | 16132a7c59322cb1d406a07b875518a3bbd3db39 /security | |
parent | 6afcb3b7393f5aa388a0d077c490ed411ab3cd27 (diff) |
TOMOYO: Fix incomplete read after seek.
Commit f23571e8 "TOMOYO: Copy directly to userspace buffer." introduced
tomoyo_flush() that flushes data to be read as soon as possible.
tomoyo_select_domain() (which is called by write()) enqueues data which is meant
to be read by the next read(), but the previous read()'s read buffer size was not
cleared. As a result, since 2.6.36, a sequence like
char *cp = "select global-pid=1\n";
read(fd, buf1, sizeof(buf1));
write(fd, cp, strlen(cp));
read(fd, buf2, sizeof(buf2));
causes enqueued data to be flushed to buf1 rather than buf2.
Fix this bug by clearing read buffer's size upon write() request.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/tomoyo/common.c | 1 |
1 files changed, 1 insertions, 0 deletions
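--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2591,6 +2591,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
 return -EFAULT;
 if (mutex_lock_interruptible(&head->io_sem))
 return -EINTR;
+head->read_user_buf_avail = 0;
 idx = tomoyo_read_lock();
 /* Read a line and dispatch it to the policy handler. */
 while (avail_len > 0) {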
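Review bot: The added `head->read_user_buf_avail = 0;` has no comment, and without the commit message it is not obvious why the write path resets read-side state. I would put `/* Invalidate the previous read()'s user buffer so data enqueued by this write is not flushed into it. */` directly above it. Only the size is cleared here; the user-buffer pointer saved by the earlier read() presumably stays set, which is safe only while every flush is gated on a non-zero size. It is worth confirming that, or clearing the stale state at the end of the read path so that no other entry point can write into a buffer the caller has already stopped using. The body of tomoyo_write_control starts and ends outside the hunk.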