util/nvmutil: guard file replacement attacks

i already also guard other toctuo attacks :) Signed-off-by: Leah Rowe <leah@libreboot.org>
author: Leah Rowe <leah@libreboot.org> 2026-03-14 18:21:44 +0000
committer: Leah Rowe <leah@libreboot.org> 2026-03-14 18:21:44 +0000
commit: a80c1890118ee07334fedc6567e6e229bf747970 (patch)
tree: c85d542b6d5a6b933bfea394b46d009f240fddc1 /util/nvmutil/nvmutil.c
parent: ebffecf04b4a77b83e763651957db5e4a9c488a4 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 3a6128f9..ed5eef08 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -652,6 +652,9 @@ static int rw_check_bad_part[] = {0, 0};
 
 static int post_rw_checksum[] = {0, 0};
 
+static dev_t gbe_dev;
+static ino_t gbe_ino;
+
 int
 main(int argc, char *argv[])
 {
@@ -930,6 +933,10 @@ open_gbe_file(void)
 	xopen(&gbe_fd, fname,
 	    command[cmd_index].flags | O_BINARY | O_NOFOLLOW, &gbe_st);
 
+	/* inode will be checked later on write */
+	gbe_dev = gbe_st.st_dev;
+	gbe_ino = gbe_st.st_ino;
+
 	if (gbe_st.st_nlink == 0)
 		err(EIO, "%s: file unlinked while open", fname);
 
@@ -1411,6 +1418,9 @@ write_gbe_file(void)
 	if (fstat(gbe_fd, &gbe_st) == -1)
 		err(errno, "%s: re-check", fname);
 
+	if (gbe_st.st_dev != gbe_dev || gbe_st.st_ino != gbe_ino)
+		err(EIO, "%s: file replaced while open", fname);
+
 	if (gbe_st.st_size != gbe_file_size)
 		err(errno, "%s: file size changed before write", fname);
author	Leah Rowe <leah@libreboot.org>	2026-03-14 18:21:44 +0000
committer	Leah Rowe <leah@libreboot.org>	2026-03-14 18:21:44 +0000
commit	a80c1890118ee07334fedc6567e6e229bf747970 (patch)
tree	c85d542b6d5a6b933bfea394b46d009f240fddc1 /util/nvmutil/nvmutil.c
parent	ebffecf04b4a77b83e763651957db5e4a9c488a4 (diff)