summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2011-10-21 12:37:13 +0900
committerJames Morris <jmorris@namei.org>2011-10-22 21:55:26 +0200
commite0b057b406a33501a656dc8d67ea945d7bcdad61 (patch)
tree16132a7c59322cb1d406a07b875518a3bbd3db39 /security
parent6afcb3b7393f5aa388a0d077c490ed411ab3cd27 (diff)
downloadlinux-stable-e0b057b406a33501a656dc8d67ea945d7bcdad61.tar.gz
linux-stable-e0b057b406a33501a656dc8d67ea945d7bcdad61.tar.bz2
linux-stable-e0b057b406a33501a656dc8d67ea945d7bcdad61.zip
TOMOYO: Fix incomplete read after seek.
Commit f23571e8 "TOMOYO: Copy directly to userspace buffer." introduced tomoyo_flush() that flushes data to be read as soon as possible. tomoyo_select_domain() (which is called by write()) enqueues data which meant to be read by next read(), but previous read()'s read buffer's size was not cleared. As a result, since 2.6.36, sequence like char *cp = "select global-pid=1\n"; read(fd, buf1, sizeof(buf1)); write(fd, cp, strlen(cp)); read(fd, buf2, sizeof(buf2)); causes enqueued data to be flushed to buf1 rather than buf2. Fix this bug by clearing read buffer's size upon write() request. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/tomoyo/common.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 96b7233a0df6..d41900de8a69 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2591,6 +2591,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
return -EFAULT;
if (mutex_lock_interruptible(&head->io_sem))
return -EINTR;
+ head->read_user_buf_avail = 0;
idx = tomoyo_read_lock();
/* Read a line and dispatch it to the policy handler. */
while (avail_len > 0) {