Commit Graph

3794 Commits

Author SHA1 Message Date
Leah Rowe 7f14693e6c util/nvmutil: more portable Makefile
-Werror removed, for older compilers

actual warnings still there

-std is configurable now

e.g.

make CSTD=-c90
make CSTD=-c99

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 824fade5e9 util/nvmuttil: don't use arc4random
i have urandom again. it's enough

the fallback rand implementation
is used if needed

now i don't have to worry about any
weird version of unix from 1992 and
deal with weird hacks. in fact, with
this change, my code will probably
compile on irix now

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 04b215dd6d util/nvmutil: re-enable urandom reads
i had to loosen the pledges for the new i/o
framework, which needs more permissions

as a result, i can now open urandom in
this function statically, rather than
in nvmutil's control logic

and because of that, it's less buggy now

arc4random is disabled on linux by default,
because it's not universally available
on all libc, and only since about 2022
in some glibc versions

better for portability to let linux users
justt use urandom

the new logic is different. now it falls
back to rand per-byte, but in practise
it almost never will.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe b4b194f94c util/nvmutil: remove arc4random on linux
linux only had it since 2022.

lots of people will complain if i leave this enabled.

not all libc have it either

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 5d8b19fb75 util/nvmutil: fix cat
i simplified it in the last commits, but i sttill
need this loop to properly handle parts

otherwise yeah, all it's doing is copying a file
verbatim. duh.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe af7ab6f786 util/nvmutil: double-verify r/w using tmp files
we now read twice, verify the two, to make sure
one read isn't faulty

we operate on a tmp file, then rename back. this
reduces the risk of power cuts corrupting data

we properly verify the contents that we wrote
back

inspired largely by flashprog. i wanted to have
an insanely over-engineered and extremely safe
tool that edits intel gbe nvm files

and now i have one. the only one in existence.

i'm basically writing my own libc code at this
point, to be honest. i'll probably start puttting
these functions in libraries

e.g. that tmpfile generator

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 1556ca7173 nvmutil: use O_CLOEXEC on gbe files
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 0d6bb8d747 util/nvmutil: fix verified first, in prw loop
yes, because otherwise if the offset is still
wrong, we allow junk to be written. bad!

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 31835eb8e3 set errno
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 4b667f0d19 util/nvmutil: stricter return in pread
we were returning if verified is not off, but we
were not doing the check soon enough.

now it's clearer: just after either a reset,
or we found out offset doesn't match, we
return sooner.

otherwise, we read, and we verify again right
after. in the old code, we verified twice in
a row.

this is just more optimal, for error handling.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 572f00e7b7 no, break instead
in the last patch, i return, which then avoids
resetting the offset.

prw is very careful not to return early.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe d890a6b138 util/nvmutil pread: rw_over_nrw exit, not set
otherwise, if it's -1 and errno happens to be
EINTR or EAGAIN, we might loop on what is a
real error. this bug fixes that edge case.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 7f192b4344 nvmutil: stronger race-condition check on prw
do it per read, in the fallback pread/pwrite

per read/write that is

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe a050e5a563 util/nvmutil: fix theoretical buffer overflow
i already guard offsets in io_args, but it's best
to be thorough here.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 8d81e8f68b util/nvmutil: prevent underflow in comparison
we already check before that rv is not negative,
and it starts at zero, but it's good to guard
it here just in case (for future re-factoring).

if rv is negative, it could convert (casted to
size_t) to a huge number (we don't want that).

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe d148985e61 comment
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe b09f52547f util/nvmutil: extra race-condition check in prw
even with OFF_RESET, we still want some error checking.
if the check fails again immediately after, then it
suggests that another program really is modifying the
file, so we should stop.

the first check is done on the theory that another
program *was* working on it, but now isn't.

once again, this isn't perfect. use read pread/pwrite
if you need thread safety (and even then, you still
need to actually check your code)

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 8c0946e9ba util/nvmutil: safer xstrxcmp() - overflow fix
if a points to a buffer shorter than maxlen,
and the string is not null-terminated early,
the loop may read may overflow

e.g.

char buf[3] = {'a', 'b', 'c'};
xstrxcmp(buf, "abc", 50);

this is undefined behaviour, and a bug. C allows
reading past arrays only if the memory exists,
but we can't guarantee that

to fix it, we check the condition for return,
namely NULL character, before using the character
again. This avoids reading further from a multiple
times so we exit as soon as we encounter NULL

this also avoids multiple reads from memory, though
a compiler would optimise that anyway

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 02dcee0bf7 phrasing
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 66a9166004 util/nvmutil: stricter rw_gbe_file_exact
we repeat these stteps later, but it's still good
to be exact here. these lower functions can
change.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 210f17b9d7 cast
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 7530881adc comment
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 2c66b813ef util/nvmutil: stricter lseep_loop return offset
we currently reset just fine, but a partial success
where the previous offset is not the same as the
original should also be considered failure.

this patch therefore makes the return much stricter,
making the code return an error if this occurs,
which in nvmutil would then cause a program exit.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 00f92b33e1 util/nvmutil: only use srand on fallback rand
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 0ff1cac40c nvmutil: add missing check to io_args
accidentally removed this in a rebase

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 4b69645c88 util/nvmutil: add flock to pledge promises
otherwise, gbe.bin locking won't work!

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 46bbb4d8e4 util/nvmutil: tidy up io_args
i don't like it grouped together. do it
all separate, for clarity.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 402f5cacbd util/nvmutil: tidy up err()
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 2d46837475 util/nvmutil: re-add io_args()
unified arg check for prw and rw_file_exact

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 7263125d60 util/nvmutil: rw_file_exact: check inputs also
we check them in prw, but we used to rely
on prw because we called that first. no more.

it's correct to also check them here anyway,
in case i ever call another function here.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe a89747a5c8 util/nvmutil: rw_over_nrw: err if nrw is zero
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 13006f2516 util/nvmutil: rw: safer bound check
avoid pointer-range overflow arithmetic. this
patch doesn't change behaviour, but makes an
overflow impossible.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe f0f2e03476 util/nvmutil rw: make off_reset a toggle
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe d62780948f util/nvmutil: rw_file_exact: explicit casts
don't do it inside functions. some compilers may
be inconsistent, ditto several auditing tools.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 1583947625 util/nvmutil: fix potential overflow in rw
off is signed, so converting that to unsigned
is better than converting rc (unsigned)
to signed. i had the right idea, but got
it wrong in the earlier version. this
should fix potential overflow issues.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe e4802d4013 util/nvmutil: rw file: guard rc before addition
otherwise, it could still overflow

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 37526fc1c1 nvmutil: toggle for fd thread-safety err state
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 1d4a57ab26 util/nvmutil: clean up pwrite/pread case
some unused variables if enabled. hide them.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 6d338e1fa4 util/nvmutil: partially mitigate fd offset race
our fallback pwrite/pread behaviour still does not
properly replicate the safety of real pwrite/pread

i intend to put this i/o code into a library for use
in other programs; nvmutil is single-threaded so
this change is largely redundant (but can't hurt)

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 291c8a9a8b util/nvmutil: tidy up rw_file_exact
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe fe9900e7a1 comment
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe a78e156346 util/nvmutil: cleanup
remove ptr casts to ulong. size_t is better.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 4558993df4 nope, use size_t
despite my cast, size_t is better for mem index

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe ddd300493b util/nvmutil: use ulong on ptr casts
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 2de5c6332e util/nvmutil: remove rw_file_once
we don't need it anymore.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 3b9761fbed util/nvmutil: move looping logic to rw_file_exact
rw_file_once was doing what rw_file_exact should be
doing

_once does what it says: once

we were passing an offset (rc) to it that it was not
meaningfully using.

this makes the code now more robust, especially if
we later swap out or break _once - then we don't
get weird behaviour (if there is a regression).

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe c825d80198 nvmutil: move increment logic to rw_file_exact
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 4a3951a4d9 nvmutil: fix redundant check
we already check not-zero in the next if

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe a3354d2598 util/nvmutil: cast gbe file size on ptr cmp
Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00
Leah Rowe 1606f79c74 util/nvmutil: even safer pointer comparison
we assert now that ulong is the size of a pointer,
therefore we know that it can fit a pointer reliably.

this code is written for c90 spec so lacks uintptr

Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-26 06:59:41 +00:00