author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2011-04-03 00:12:54 +0900
committer: James Morris <jmorris@namei.org> 2011-04-19 09:37:12 +1000
commit: c0fa797ae6cd02ff87c0bfe0d509368a3b45640e
tree: 4f484333268919be0487ff5fdf9dd380d8bf6ed2 /security
parent: e4f5f26d8336318a5aa0858223c81cf29fcf5f68
TOMOYO: Fix infinite loop bug when reading /sys/kernel/security/tomoyo/audit

In tomoyo_flush(), head->r.w[0] holds pointer to string data to be printed. But head->r.w[0] was updated only when the string data was partially printed (because head->r.w[0] will be updated by head->r.w[1] later if completely printed).

However, regarding /sys/kernel/security/tomoyo/query, an additional '\0' is printed after the string data was completely printed. But if free space for read buffer became 0 before printing the additional '\0', tomoyo_flush() was returning without updating head->r.w[0]. As a result, tomoyo_flush() forever reprints already printed string data.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

Diffstat (limited to 'security')
-rw-r--r-- security/tomoyo/common.c 5
1 files changed, 2 insertions, 3 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 2b7b1a123600..a0d09e56874b 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -108,10 +108,9 @@ static bool tomoyo_flush(struct tomoyo_io_buffer *head)
head->read_user_buf += len;
w += len;
}
- if (*w) {
- head->r.w[0] = w;
+ head->r.w[0] = w;
+ if (*w)
return false;
- }
/* Add '\0' for query. */
if (head->poll) {
if (!head->read_user_buf_avail ||
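Review bot: The new unconditional `head->r.w[0] = w;` placed right after the closing brace deserves a one-line comment explaining why the position is stored even when `*w` is 0. The reason is only visible a few lines further down: the `if (head->poll)` block tests `!head->read_user_buf_avail` before adding the '\0' for query, and per the description that path used to return with the old `head->r.w[0]` still in place. Without a comment, a later cleanup could fold the assignment back into the `if (*w)` branch and reintroduce the reprint loop. Something like `/* Save position even when fully printed; the '\0' for query may not fit yet. */` above the assignment would do. Separately, the subject line names /sys/kernel/security/tomoyo/audit while the description and the `/* Add '\0' for query. */` path concern the query interface, so the subject should be reconciled with the body.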