
DoS vulnerability in sys_tputs through unbounded NOSCHED blocking #65

@HeatCrab

Description

The sys_tputs system call in kernel/syscall.c disables task switching during character output to prevent output interleaving between concurrent user tasks. However, the output loop has no length constraint, allowing a malicious task to freeze the entire system by passing an arbitrarily long string.

```c
NOSCHED_ENTER();
for (const char *p = str; *p; p++)
    _putchar(*p);
NOSCHED_LEAVE();
```

A user task can exploit this by invoking sys_tputs with a multi-megabyte string, causing all other tasks (including kernel tasks) to become unresponsive for an extended period.

This may introduce the following impacts and risks:

  • Complete system freeze while processing malicious input
  • No upper bound on blocking duration
  • Affects all tasks regardless of priority
  • Trivial to exploit from user mode

A defensive mitigation has been implemented in PR #62 by adding a 256-character limit to the output loop, preventing unbounded blocking:

 NOSCHED_ENTER();
-for (const char *p = str; *p; p++)
+for (const char *p = str; *p && (p - str) < 256; p++)
     _putchar(*p);
 NOSCHED_LEAVE();
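Review bot: the bound in `for (const char *p = str; *p && (p - str) < 256; p++)` truncates silently, so a task whose string is longer than 256 characters gets no indication that its output was cut; consider returning the number of characters emitted (`p - str` after the loop) or at least documenting the limit where umode_printf's buffer size is defined so the two values stay in sync. Two smaller points on the same line: `*p` is evaluated before the length test, so when the string has no terminator within the first 256 bytes the byte at `str[256]` is still read once before the loop stops, and swapping the operands to `(p - str) < 256 && *p` avoids that read; and `256` deserves a named constant shared with umode_printf rather than a literal in the syscall.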

This limit matches the buffer size used by umode_printf and addresses the immediate DoS risk. However, it does not resolve the underlying architectural issue.

The root cause is that sys_tputs bypasses the asynchronous logger queue and performs direct UART output under scheduler lock. This design was adopted to ensure FIFO ordering for test output, but it creates a DoS attack surface. The logger itself, implemented in kernel/logger.c, uses unprotected direct output, requiring NOSCHED protection at the syscall level.

Resolving this issue fundamentally would require redesigning the logger architecture with proper synchronization primitives. This work is beyond the scope of PR #62 and would be better addressed as a separate effort.
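As an added illustration (not code from this issue or the project), the original loop and the PR #62 loop side by side, with NOSCHED_ENTER/NOSCHED_LEAVE and _putchar replaced by constructed stand-ins that only measure the longest critical section, so the effect of the bound can be observed in a plain host build. TPUTS_MAX, the stand-in macros, and worst_case_blocking are this example's own names.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the kernel's NOSCHED_ENTER/NOSCHED_LEAVE and
 * _putchar: they do not disable the scheduler or touch the UART, they just
 * measure how many characters go out inside one critical section, which is
 * what bounds how long every other task stays frozen. */
static size_t chars_in_section; /* emitted since the last NOSCHED_ENTER */
static size_t worst_section;    /* longest critical section seen so far */

#define NOSCHED_ENTER() (chars_in_section = 0)
#define NOSCHED_LEAVE() \
    do { if (chars_in_section > worst_section) worst_section = chars_in_section; } while (0)

static void _putchar(char c) { (void)c; chars_in_section++; }

#define TPUTS_MAX 256 /* the umode_printf buffer size cited in the issue */

/* Original loop: the critical section lasts as long as the string. */
int sys_tputs_unbounded(const char *str)
{
    NOSCHED_ENTER();
    for (const char *p = str; *p; p++)
        _putchar(*p);
    NOSCHED_LEAVE();
    return 0;
}

/* PR #62 loop, plus a return value so the caller can detect that its
 * output was truncated (the return value is this example's addition). */
int sys_tputs_bounded(const char *str)
{
    const char *p;
    NOSCHED_ENTER();
    for (p = str; *p && (p - str) < TPUTS_MAX; p++)
        _putchar(*p);
    NOSCHED_LEAVE();
    return (int)(p - str);
}

/* Feed one variant an n-byte string and return its longest critical section. */
size_t worst_case_blocking(int (*tputs)(const char *), size_t n)
{
    static char buf[8192]; /* constructed oversized input, all 'A' */
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    worst_section = 0;
    tputs(buf);
    return worst_section;
}
```

With a 5000-byte string the unbounded variant keeps the scheduler disabled for 5000 character writes, while the bounded variant stops at 256.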
