syscall: return EINVAL when string arguments have NUL characters

Since NUL usually terminates strings in underlying syscalls, allowing it when converting string arguments is a security risk, especially when dealing with filenames. For example, a program might reason that filename like "/root/..\x00/" is a subdirectory or "/root/" and allow access to it, while underlying syscall will treat "\x00" as an end of that string and the actual filename will be "/root/..", which might be unexpected. Returning EINVAL when string arguments have NUL in them makes sure this attack vector is unusable. R=golang-dev, r, bradfitz, fullung, rsc, minux.ma CC=golang-dev https://golang.org/cl/6458050
2025-12-08 06:10:04 +00:00 · 2012-08-05 17:24:32 -04:00 · 2012-08-05 17:24:32 -04:00 · a108369c83
commit a108369c83
parent 8efb70f92e
39 changed files with 2837 additions and 502 deletions
--- a/src/pkg/syscall/syscall_linux_386.go
+++ b/src/pkg/syscall/syscall_linux_386.go
@ -306,7 +306,11 @@ func Fstatfs(fd int, buf *Statfs_t) (err error) {
 }

 func Statfs(path string, buf *Statfs_t) (err error) {
-	_, _, e := Syscall(SYS_STATFS64, uintptr(unsafe.Pointer(StringBytePtr(path))), unsafe.Sizeof(*buf), uintptr(unsafe.Pointer(buf)))
+	pathp, err := BytePtrFromString(path)
+	if err != nil {
+		return err
+	}
+	_, _, e := Syscall(SYS_STATFS64, uintptr(unsafe.Pointer(pathp)), unsafe.Sizeof(*buf), uintptr(unsafe.Pointer(buf)))
 	if e != 0 {
 		err = e
 	}