diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-04-03 00:09:26 +0900 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-04-19 09:37:06 +1000 |
commit | 2a086e5d3a23570735f75b784d29b93068070833 (patch) | |
tree | 43949632ba2e1c8ed4a8169d64c406d66ce36f23 | |
parent | a3232d2fa2e3cbab3e76d91cdae5890fee8a4034 (diff) |
TOMOYO: Fix race on updating profile's comment line.
In tomoyo_write_profile() since 2.6.34, a lock was by error missing when
replacing profile's comment line. If multiple threads attempted
echo '0-COMMENT=comment' > /sys/kernel/security/tomoyo/profile
in parallel, garbage collector will fail to kfree() the old value.
Protect the replacement using a lock. Also, keep the old value rather than
replace with empty string when out of memory error has occurred.
Signed-off-by: Xiaochen Wang <wangxiaochen0@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/tomoyo/common.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 7556315c197..2b7b1a12360 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -459,8 +459,16 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head) if (profile == &tomoyo_default_profile) return -EINVAL; if (!strcmp(data, "COMMENT")) { - const struct tomoyo_path_info *old_comment = profile->comment; - profile->comment = tomoyo_get_name(cp); + static DEFINE_SPINLOCK(lock); + const struct tomoyo_path_info *new_comment + = tomoyo_get_name(cp); + const struct tomoyo_path_info *old_comment; + if (!new_comment) + return -ENOMEM; + spin_lock(&lock); + old_comment = profile->comment; + profile->comment = new_comment; + spin_unlock(&lock); tomoyo_put_name(old_comment); return 0; } |