Xiaochen Wang wrote:
> Although tomoyo_read_profile will check this value (see below),
> we should not ignore the out-of-memory error.
Thank you.

I rechecked the code and noticed that we need to use a lock for protecting the
replacement. TOMOYO 1.7/1.8 and AKARI also need to use a lock and I've just
fixed them. Below is an updated patch based on your suggestion.

Regards.
----------------------------------------
From 8dd2f256c3ab48851660822a8c67dfa76991b908 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp>
Date: Wed, 30 Mar 2011 23:11:11 +0900
Subject: [PATCH] TOMOYO: Fix race on updating profile's comment line.

tomoyo_write_profile() since 2.6.34 was not using a lock when replacing
profile's comment line. If multiple threads attempted

  echo '0-COMMENT=comment' > /sys/kernel/security/tomoyo/profile

in parallel, the garbage collector will fail to kfree() the old value.
Protect the replacement using a lock. Also, keep the old value rather than
replacing it with an empty string when an out-of-memory error has occurred.

Signed-off-by: Xiaochen Wang <wangxiaoch...@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp>
---
 security/tomoyo/common.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 7556315..2b7b1a1 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -459,8 +459,16 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer 
*head)
        if (profile == &tomoyo_default_profile)
                return -EINVAL;
        if (!strcmp(data, "COMMENT")) {
-               const struct tomoyo_path_info *old_comment = profile->comment;
-               profile->comment = tomoyo_get_name(cp);
+               static DEFINE_SPINLOCK(lock);
+               const struct tomoyo_path_info *new_comment
+                       = tomoyo_get_name(cp);
+               const struct tomoyo_path_info *old_comment;
+               if (!new_comment)
+                       return -ENOMEM;
+               spin_lock(&lock);
+               old_comment = profile->comment;
+               profile->comment = new_comment;
+               spin_unlock(&lock);
                tomoyo_put_name(old_comment);
                return 0;
        }
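Review bot: the block-scoped `static DEFINE_SPINLOCK(lock);` carries no comment saying what it guards, and the generic name `lock` tells a reader (or a lockdep report) nothing; give it a descriptive name and a one-line comment stating that it only serializes the read-then-store of profile->comment. The ordering around it looks right: tomoyo_get_name(cp) runs before spin_lock() and tomoyo_put_name(old_comment) after spin_unlock(), so neither allocation nor release happens with the spinlock held, and the `return -ENOMEM;` precedes spin_lock(), so there is no unlock to miss on that path. Worth confirming whether writers to this file are already serialized by an existing policy lock, in which case the new function-local spinlock is redundant and a comment pointing at that lock would be the better fix.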
-- 
1.6.1
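The interleaving the commit message describes, replayed deterministically as an added example written for this thread (it is not TOMOYO or kernel code). A small refcounted `struct name` with get_name()/put_name() stands in for struct tomoyo_path_info and tomoyo_get_name()/tomoyo_put_name(), a `freed` flag replaces the garbage collector's kfree(), and the writers A/B with schedule strings such as "ABABAB" are assumed interleavings. Unlocked, the schedule in which both writers read profile->comment before either stores releases the old value twice and leaves one new value unreachable while still holding a reference; with the read-then-store made one atomic step, as the spinlock in the patch does, the same schedule balances out.

```c
/* Added example for this thread, not TOMOYO code: "struct name" stands in for
 * struct tomoyo_path_info, get_name()/put_name() for tomoyo_get_name() and
 * tomoyo_put_name(), the freed flag for the GC's kfree(). Writers A/B and the
 * schedule strings are assumed interleavings. */
#include <stdio.h>

struct name {
	int users;       /* references held by the profile and by writers */
	int freed;       /* set when users reaches 0: the GC's kfree() point */
	int double_put;  /* put_name() calls on an already released object */
};

struct profile { struct name *comment; };   /* the field the COMMENT branch swaps */

struct outcome { int double_puts, leaked; };  /* double frees; unreachable live objects */

/* Like tomoyo_get_name(): hand back an object holding one reference. */
static struct name *get_name(struct name *n)
{
	*n = (struct name){ .users = 1 };
	return n;
}

/* Like tomoyo_put_name(): drop one reference; a drop on a released object is
 * a kfree() of memory that was already freed. */
static void put_name(struct name *n)
{
	if (n->freed) {
		n->double_put++;
		return;
	}
	if (--n->users == 0)
		n->freed = 1;
}

struct writer {
	struct name *new_comment;  /* taken before any lock, as in the patch */
	struct name *old_comment;  /* snapshot of profile->comment */
	int step;                  /* 0 read old, 1 store new, 2 put old, 3 done */
};

/* One step of the COMMENT branch. With locked set, read and store are one
 * step, which is exactly what the spinlock around them buys. */
static void advance(struct writer *w, struct profile *p, int locked)
{
	switch (w->step) {
	case 0:
		w->old_comment = p->comment;
		if (locked)
			p->comment = w->new_comment;
		w->step = locked ? 2 : 1;
		break;
	case 1:
		p->comment = w->new_comment;   /* another writer may have run meanwhile */
		w->step = 2;
		break;
	case 2:
		put_name(w->old_comment);      /* after unlock, as in the patch */
		w->step = 3;
		break;
	}
}

/* Count double releases, and objects that still hold a reference but are no
 * longer the profile's comment: nothing will ever put them. */
static struct outcome audit(const struct profile *p, struct name *objs[], int n)
{
	struct outcome o = { 0, 0 };

	for (int i = 0; i < n; i++) {
		o.double_puts += objs[i]->double_put;
		if (!objs[i]->freed && objs[i] != p->comment)
			o.leaked++;
	}
	return o;
}

/* Run writers A and B in the given interleaving ("ABABAB" alternates one
 * step at a time), then let both finish, and audit the three objects. */
struct outcome run_schedule(const char *schedule, int locked)
{
	struct name old, a, b;
	struct profile p = { get_name(&old) };
	struct writer wa = { get_name(&a), NULL, 0 };
	struct writer wb = { get_name(&b), NULL, 0 };
	struct name *objs[] = { &old, &a, &b };

	for (const char *c = schedule; *c; c++)
		advance(*c == 'A' ? &wa : &wb, &p, locked);
	while (wa.step < 3)
		advance(&wa, &p, locked);
	while (wb.step < 3)
		advance(&wb, &p, locked);
	return audit(&p, objs, 3);
}

int main(void)
{
	struct outcome o = run_schedule("ABABAB", 0);

	printf("unlocked ABABAB: double puts=%d leaked=%d\n", o.double_puts, o.leaked);
	o = run_schedule("ABABAB", 1);
	printf("locked ABABAB:   double puts=%d leaked=%d\n", o.double_puts, o.leaked);
	return 0;
}
```

The unlocked "AAABBB" schedule (writers not overlapping) also comes out clean, which is why the bug only shows up under parallel writes; the lock does not change what each writer does, it only forbids the schedule in which a second writer reads profile->comment between another writer's read and store.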

_______________________________________________
tomoyo-dev-en mailing list
tomoyo-dev-en@lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en
