Uninitialized memory use in unix/memquery_library_bounds_by_iterator
Created by: Carrotman42
While writing a unit test for memquery_library_bounds_by_iterator, I discovered a bug related to uninitialized memory. Specifically, we are not correctly zero-terminating a string after using strncpy. (This is different than the problem that i#3387 references.)
The strncpy in question is on L146: https://github.com/DynamoRIO/dynamorio/blob/c8d5db27d4c28b33b63f5176bf52eb7f89ae0aaf/core/unix/memquery.c#L138-L157
Assuming that dstsz
is greater than slash - src
, this will cause the first slash - src
bytes to be copied into dst
; given that we know slash
is a pointer to the inside of src
, we can be sure that strncpy writes up to that number of bytes and correctly avoids writing a 0 byte to terminate the string. Later the code attempts to fix the issue by saying dst[dstsz - 1] = '\0'
, but that leaves the middle part of the string still completely uninitialized.
This causes problems later in the algorithm, since (in some cases) the dst
is stored into name_cmp
and used to compare consecutive mappings' comment fields, causing them to be mismatched in cases where the uninitialized memory was not 0 already.
I have a simple fix locally which simply null-terminates this 'dst' string more proactively.