cahirwpz/mimiker

strntoul's implementation shouldn't read more than n bytes

Closed this issue · 0 comments

Currently our strntoul function has the following prototype:

unsigned long strntoul(const char *nptr, size_t len, char **endptr, int base);

It copies nptr (source string) into a local buffer using the strlcpy function. However, strlcpy expects the string to be NULL-terminated:

[...] for strlcpy() src must be NUL-terminated

as it reads the whole string until it finds '\0'.

In the initrd.c file we apply the strntoul function to non-NULL-terminated strings and the function reads more memory than it should (despite specifying the len parameter). Probably strntoul's implementation should be fixed.
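As an added example (not mimiker's code), a bounded variant of strntoul that never touches nptr[len] or beyond, so a field that is not NUL-terminated, such as a cpio header field parsed with base 8 and len 6, is safe to pass. The names bounded_strntoul and strntoul_consumed are assumed here; only bases 0 and 2..36 are handled and no overflow detection is done.

```c
#include <ctype.h>
#include <stddef.h>

/* Value of one digit character, or -1 if it is not a digit in any base. */
static int digit_value(int c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'z') return c - 'a' + 10;
  if (c >= 'A' && c <= 'Z') return c - 'A' + 10;
  return -1;
}

/* Parses at most len bytes of nptr; every access is guarded by i < len,
 * so the input does not need a terminating '\0' (unlike strlcpy). */
unsigned long bounded_strntoul(const char *nptr, size_t len, char **endptr,
                               int base) {
  size_t i = 0, ndigits = 0;
  unsigned long val = 0;
  while (i < len && isspace((unsigned char)nptr[i]))
    i++;
  /* Optional 0x prefix: accepted only if a hex digit follows it within len. */
  if ((base == 0 || base == 16) && i + 2 < len && nptr[i] == '0' &&
      (nptr[i + 1] == 'x' || nptr[i + 1] == 'X') &&
      (unsigned)digit_value((unsigned char)nptr[i + 2]) < 16) {
    base = 16;
    i += 2;
  } else if (base == 0) {
    base = (i < len && nptr[i] == '0') ? 8 : 10;
  }
  while (i < len) {
    int d = digit_value((unsigned char)nptr[i]);
    if (d < 0 || d >= base)
      break;
    val = val * (unsigned long)base + (unsigned long)d;
    i++;
    ndigits++;
  }
  /* As with strtoul: if no digits were consumed, endptr points at nptr. */
  if (endptr)
    *endptr = (char *)(ndigits ? nptr + i : nptr);
  return val;
}

/* Number of bytes consumed by a parse, handy for stepping through fields. */
size_t strntoul_consumed(const char *nptr, size_t len, int base) {
  char *end;
  bounded_strntoul(nptr, len, &end, base);
  return (size_t)(end - nptr);
}
```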

The bug was found by KASAN:

(gdb) bt
#0  panic_fail () at /home/jpszczolowski/mimiker/sys/kern/assert.c:6
#1  0xc012fcdc in kasan_shadow_check (read=0x1, size=0x1, addr=addr@entry=0xc0186d1e) at /home/jpszczolowski/mimiker/sys/kern/kasan.c:134
#2  __asan_load1_noabort (addr=addr@entry=0xc0186d1e) at /home/jpszczolowski/mimiker/sys/kern/kasan.c:210
#3  0xc013e4e4 in strlcpy (dst=dst@entry=0xc0186c18 <_stack0+3096> "070702", src=src@entry=0xc0186cb0 <_stack0+3248> "07070200020009000041ED000003EB000003E8000000085E2E0E2E", '0' <repeats 15 times>, "900000001", '0' <repeats 23 times>, "200000000\030\300\002", siz=siz@entry=0x7) at /home/jpszczolowski/mimiker/lib/libc/string/strlcpy.c:53
#4  0xc013f588 in strntoul (nptr=nptr@entry=0xc0186cb0 <_stack0+3248> "07070200020009000041ED000003EB000003E8000000085E2E0E2E", '0' <repeats 15 times>, "900000001", '0' <repeats 23 times>, "200000000\030\300\002", len=len@entry=0x6, endptr=endptr@entry=0x0, base=base@entry=0x8) at /home/jpszczolowski/mimiker/sys/libkern/stdlib/strtoul.c:103
#5  0xc0133238 in read_cpio_header (tape=tape@entry=0xc0186dc0 <_stack0+3520>, cpio=cpio@entry=0xc0002028) at /home/jpszczolowski/mimiker/sys/kern/initrd.c:81
#6  0xc01336e4 in read_cpio_archive () at /home/jpszczolowski/mimiker/sys/kern/initrd.c:130
#7  0xc0133a28 in initrd_init (vfc=<optimized out>) at /home/jpszczolowski/mimiker/sys/kern/initrd.c:327
#8  0xc011822c in vfs_register (vfc=0xc0174960 <initrd_conf>) at /home/jpszczolowski/mimiker/sys/kern/vfs.c:104
#9  0xc011833c in vfs_init () at /home/jpszczolowski/mimiker/sys/kern/vfs.c:65
#10 0xc011ee20 in sysinit () at /home/jpszczolowski/mimiker/sys/kern/sysinit.c:89
#11 0xc0122880 in kernel_init () at /home/jpszczolowski/mimiker/sys/kern/startup.c:33
#12 0xc0106654 in platform_init () at /home/jpszczolowski/mimiker/sys/mips/malta.c:170
#13 0x8010104c in _start () at /home/jpszczolowski/mimiker/sys/mips/start.S:48