From e0b057b406a33501a656dc8d67ea945d7bcdad61 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Fri, 21 Oct 2011 12:37:13 +0900 Subject: TOMOYO: Fix incomplete read after seek. Commit f23571e8 "TOMOYO: Copy directly to userspace buffer." introduced tomoyo_flush() that flushes data to be read as soon as possible. tomoyo_select_domain() (which is called by write()) enqueues data which meant to be read by next read(), but previous read()'s read buffer's size was not cleared. As a result, since 2.6.36, sequence like char *cp = "select global-pid=1\n"; read(fd, buf1, sizeof(buf1)); write(fd, cp, strlen(cp)); read(fd, buf2, sizeof(buf2)); causes enqueued data to be flushed to buf1 rather than buf2. Fix this bug by clearing read buffer's size upon write() request. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/common.c | 1 + 1 file changed, 1 insertion(+) (limited to 'security') diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 96b7233..d41900d 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2591,6 +2591,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, return -EFAULT; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */ while (avail_len > 0) { -- cgit v1.1