diff options
Diffstat (limited to 'util/nvmutil')
| -rw-r--r-- | util/nvmutil/Makefile | 6 | ||||
| -rw-r--r-- | util/nvmutil/nvmutil.c | 1438 |
2 files changed, 1086 insertions, 358 deletions
diff --git a/util/nvmutil/Makefile b/util/nvmutil/Makefile index 719e1c1e..beca4f3a 100644 --- a/util/nvmutil/Makefile +++ b/util/nvmutil/Makefile @@ -3,7 +3,11 @@ # Copyright (c) 2023 Riku Viitanen <riku.viitanen@protonmail.com> CC?=cc -CFLAGS?=-Os -Wall -Wextra -Werror -pedantic -std=c90 +CSTD?=-std=c90 +WERROR?= +CWARN?=-Wall -pedantic +COPT?=-Os +CFLAGS?=$(COPT) $(CWARN) $(CSTD) LDFLAGS?= DESTDIR?= PREFIX?=/usr/local diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c index cd9fff88..0b303fe3 100644 --- a/util/nvmutil/nvmutil.c +++ b/util/nvmutil/nvmutil.c @@ -16,18 +16,28 @@ */ /* - * NOTE: older Linux lacked arc4random. - * added in glibc 2.36. Just pass HAVE_ARC4RANDOM_BUF=0 - * at build time if you need old Linux / other libc. + * In practise, most people + * aren't going to use very + * long names, so even on old + * systems with weaker limits, + * it's OK to set this higher. + * + * 4096 is a good, conservative + * default these days. */ -#if defined(__OpenBSD__) || defined(__FreeBSD__) || \ - defined(__NetBSD__) || defined(__APPLE__) || \ - defined(__linux__) -#ifndef HAVE_ARC4RANDOM_BUF -#define HAVE_ARC4RANDOM_BUF 1 +#ifndef PATH_LEN +#ifdef PATH_MAX +#define PATH_LEN (PATH_MAX) +#else +#define PATH_LEN 4096 #endif #endif +#define OFF_ERR 0 +#ifndef OFF_RESET +#define OFF_RESET 1 +#endif + /* * I/O config (build-time) * @@ -249,6 +259,9 @@ typedef char static_assert_twos_complement[ typedef char assert_ulong_ptr[ (sizeof(ulong) >= sizeof(void *)) ? 1 : -1 ]; +typedef char assert_size_t_ptr[ + (sizeof(size_t) >= sizeof(void *)) ? 1 : -1 +]; /* * We set _FILE_OFFSET_BITS 64, but we only handle @@ -292,10 +305,18 @@ typedef char static_assert_off_t_is_32[(sizeof(off_t) >= 4) ? 1 : -1]; #define O_BINARY 0 #endif +#ifndef O_CLOEXEC +#define O_CLOEXEC 0 +#endif + #ifndef O_NOFOLLOW #define O_NOFOLLOW 0 #endif +#ifndef FD_CLOEXEC +#define FD_CLOEXEC 0 +#endif + /* * Sanitize command tables. */ @@ -314,7 +335,7 @@ static int xstrxcmp(const char *a, const char *b, size_t maxlen); * Prep files for reading */ static void open_gbe_file(void); -static void lock_gbe_file(void); +static int lock_file(int fd); static void xopen(int *fd, const char *path, int flags, struct stat *st); /* @@ -323,7 +344,7 @@ static void xopen(int *fd, const char *path, int flags, struct stat *st); * * After this, we can run commands. */ -static void read_gbe_file(void); +static void copy_gbe(void); static void read_checksums(void); static int good_checksum(size_t partnum); @@ -346,10 +367,8 @@ static void set_mac_nib(size_t mac_str_pos, size_t mac_byte_pos, size_t mac_nib_pos); static ushort hextonum(char ch_s); static ushort rhex(void); -#if !defined(HAVE_ARC4RANDOM_BUF) || \ - (HAVE_ARC4RANDOM_BUF) < 1 +static ushort read_urandom(void); static ulong entropy_jitter(void); -#endif static void write_mac_part(size_t partnum); /* @@ -360,11 +379,21 @@ static void print_mac_from_nvm(size_t partnum); static void hexdump(size_t partnum); /* + * Helper functions for command: swap + */ +static void cmd_helper_swap(void); + +/* + * Helper functions for command: copy + */ +static void cmd_helper_copy(void); + +/* * Helper functions for commands: * cat, cat16 and cat128 */ static void cmd_helper_cat(void); -static void gbe_cat_buf(u8 *b); +static void cat_buf(u8 *b); /* * After command processing, write @@ -374,7 +403,6 @@ static void gbe_cat_buf(u8 *b); * below for the actual functions. */ static void write_gbe_file(void); -static void override_part_modified(void); static void set_checksum(size_t part); static ushort calculated_checksum(size_t p); @@ -394,8 +422,11 @@ static void check_bin(size_t a, const char *a_name); */ static void rw_gbe_file_part(size_t p, int rw_type, const char *rw_type_str); +static void write_to_gbe_bin(void); +static int gbe_mv(void); static void check_written_part(size_t p); static void report_io_err_rw(void); +static int fsync_dir(const char *path); static u8 *gbe_mem_offset(size_t part, const char *f_op); static off_t gbe_file_offset(size_t part, const char *f_op); static off_t gbe_x_offset(size_t part, const char *f_op, @@ -404,22 +435,33 @@ static ssize_t rw_gbe_file_exact(int fd, u8 *mem, size_t nrw, off_t off, int rw_type); static ssize_t rw_file_exact(int fd, u8 *mem, size_t len, off_t off, int rw_type, int loop_eagain, int loop_eintr, - size_t max_retries); + size_t max_retries, int off_reset); static ssize_t prw(int fd, void *mem, size_t nrw, - off_t off, int rw_type, int loop_eagain, int loop_eintr); + off_t off, int rw_type, int loop_eagain, int loop_eintr, + int off_reset); +static int io_args(int fd, void *mem, size_t nrw, + off_t off, int rw_type); static int check_file(int fd, struct stat *st); static ssize_t rw_over_nrw(ssize_t r, size_t nrw); +#if !defined(HAVE_REAL_PREAD_PWRITE) || \ + HAVE_REAL_PREAD_PWRITE < 1 static off_t lseek_loop(int fd, off_t off, int whence, int loop_eagain, int loop_eintr); +#endif static int try_err(int loop_err, int errval); /* * Error handling and cleanup */ -static int close_files(void); +static void usage(void); static void err(int nvm_errval, const char *msg, ...); +static int exit_cleanup(void); static const char *getnvmprogname(void); -static void usage(int usage_exit); + +/* + * a special kind of hell + */ +static char *new_tmpfile(int *fd, int local, const char *path); /* * Sizes in bytes: @@ -430,6 +472,8 @@ static void usage(int usage_exit); #define SIZE_16KB (16 * SIZE_1KB) #define SIZE_128KB (128 * SIZE_1KB) +#define GBE_BUF_SIZE (SIZE_128KB) + /* * First 128 bytes of a GbE part contains * the regular NVM (Non-Volatile-Memory) @@ -442,16 +486,13 @@ static void usage(int usage_exit); * There is a second 4KB part with the same * rules, and it *should* be identical. */ -#define GBE_FILE_SIZE SIZE_8KB /* for buf */ -#define GBE_PART_SIZE (GBE_FILE_SIZE >> 1) +#define GBE_WORK_SIZE (SIZE_8KB) +#define GBE_PART_SIZE (GBE_WORK_SIZE >> 1) #define NVM_CHECKSUM 0xBABA #define NVM_SIZE 128 #define NVM_WORDS (NVM_SIZE >> 1) #define NVM_CHECKSUM_WORD (NVM_WORDS - 1) -#define NUM_RANDOM_BYTES 12 -static u8 rnum[NUM_RANDOM_BYTES]; - /* * Portable macro based on BSD nitems. * Used to count the number of commands (see below). @@ -467,12 +508,14 @@ static u8 rnum[NUM_RANDOM_BYTES]; * * The code will handle this properly. */ -static u8 real_buf[GBE_FILE_SIZE]; -static u8 pad[GBE_FILE_SIZE]; /* the file that wouldn't die */ +static u8 real_buf[GBE_BUF_SIZE]; +static u8 bufcmp[GBE_BUF_SIZE]; /* compare gbe/tmp/reads */ +static u8 pad[GBE_WORK_SIZE]; /* the file that wouldn't die */ static u8 *buf = real_buf; static ushort mac_buf[3]; static off_t gbe_file_size; +static off_t gbe_tmp_size; static int gbe_fd = -1; static size_t part; @@ -480,8 +523,8 @@ static u8 part_modified[2]; static u8 part_valid[2]; static const char rmac[] = "xx:xx:xx:xx:xx:xx"; -static const char *mac_str; -static const char *fname; +static const char *mac_str = rmac; +static const char *fname = NULL; static const char *argv0; #ifndef SSIZE_MAX @@ -489,13 +532,6 @@ static const char *argv0; #endif /* - * Use these for .invert in command[]: - * If set to 1: read/write inverter (p0->p1, p1->p0) - */ -#define PART_INVERT 1 -#define NO_INVERT 0 - -/* * Use these for .argc in command[]: */ #define ARGC_3 3 @@ -525,18 +561,6 @@ enum { CMD_CAT128 }; -/* - * If set, a given part will always be written. - */ -enum { - SET_MOD_OFF, /* don't manually set part modified */ - SET_MOD_0, /* set part 0 modified */ - SET_MOD_1, /* set part 1 modified */ - SET_MOD_N, /* set user-specified part modified */ - /* affected by command[].invert */ - SET_MOD_BOTH /* set both parts modified */ -}; - enum { ARG_NOPART, ARG_PART @@ -557,8 +581,6 @@ struct commands { const char *str; void (*run)(void); int argc; - u8 invert; - u8 set_modified; u8 arg_part; u8 chksum_read; u8 chksum_write; @@ -571,50 +593,36 @@ struct commands { */ static const struct commands command[] = { { CMD_DUMP, "dump", cmd_helper_dump, ARGC_3, - NO_INVERT, SET_MOD_OFF, ARG_NOPART, SKIP_CHECKSUM_READ, SKIP_CHECKSUM_WRITE, NVM_SIZE, O_RDONLY }, { CMD_SETMAC, "setmac", cmd_helper_setmac, ARGC_3, - NO_INVERT, SET_MOD_OFF, ARG_NOPART, CHECKSUM_READ, CHECKSUM_WRITE, NVM_SIZE, O_RDWR }, - /* - * OPTIMISATION: Read inverted, so no copying is needed. - */ - { CMD_SWAP, "swap", NULL, ARGC_3, - PART_INVERT, SET_MOD_BOTH, + { CMD_SWAP, "swap", cmd_helper_swap, ARGC_3, ARG_NOPART, CHECKSUM_READ, SKIP_CHECKSUM_WRITE, GBE_PART_SIZE, O_RDWR }, - /* - * OPTIMISATION: Read inverted, so no copying is needed. - * The non-target part will not be read. - */ - { CMD_COPY, "copy", NULL, ARGC_4, - PART_INVERT, SET_MOD_N, + { CMD_COPY, "copy", cmd_helper_copy, ARGC_4, ARG_PART, CHECKSUM_READ, SKIP_CHECKSUM_WRITE, GBE_PART_SIZE, O_RDWR }, { CMD_CAT, "cat", cmd_helper_cat, ARGC_3, - NO_INVERT, SET_MOD_OFF, ARG_NOPART, CHECKSUM_READ, SKIP_CHECKSUM_WRITE, GBE_PART_SIZE, O_RDONLY }, { CMD_CAT16, "cat16", cmd_helper_cat, ARGC_3, - NO_INVERT, SET_MOD_OFF, ARG_NOPART, CHECKSUM_READ, SKIP_CHECKSUM_WRITE, GBE_PART_SIZE, O_RDONLY }, { CMD_CAT128, "cat128", cmd_helper_cat, ARGC_3, - NO_INVERT, SET_MOD_OFF, ARG_NOPART, CHECKSUM_READ, SKIP_CHECKSUM_WRITE, GBE_PART_SIZE, O_RDONLY }, @@ -638,8 +646,7 @@ typedef char assert_read[(IO_READ==0)?1:-1]; typedef char assert_write[(IO_WRITE==1)?1:-1]; typedef char assert_pread[(IO_PREAD==2)?1:-1]; typedef char assert_pwrite[(IO_PWRITE==3)?1:-1]; -typedef char assert_rand_byte[(NUM_RANDOM_BYTES>0)?1:-1]; -typedef char assert_rand_len[(NUM_RANDOM_BYTES<NVM_SIZE)?1:-1]; +typedef char assert_pathlen[(PATH_LEN>=256)?1:-1]; /* commands */ typedef char assert_cmd_dump[(CMD_DUMP==0)?1:-1]; typedef char assert_cmd_setmac[(CMD_SETMAC==1)?1:-1]; @@ -648,12 +655,6 @@ typedef char assert_cmd_copy[(CMD_COPY==3)?1:-1]; typedef char assert_cmd_cat[(CMD_CAT==4)?1:-1]; typedef char assert_cmd_cat16[(CMD_CAT16==5)?1:-1]; typedef char assert_cmd_cat128[(CMD_CAT128==6)?1:-1]; -/* mod_type */ -typedef char assert_mod_off[(SET_MOD_OFF==0)?1:-1]; -typedef char assert_mod_0[(SET_MOD_0==1)?1:-1]; -typedef char assert_mod_1[(SET_MOD_1==2)?1:-1]; -typedef char assert_mod_n[(SET_MOD_N==3)?1:-1]; -typedef char assert_mod_both[(SET_MOD_BOTH==4)?1:-1]; /* bool */ typedef char bool_arg_nopart[(ARG_NOPART==0)?1:-1]; typedef char bool_arg_part[(ARG_PART==1)?1:-1]; @@ -661,14 +662,15 @@ typedef char bool_skip_checksum_read[(SKIP_CHECKSUM_READ==0)?1:-1]; typedef char bool_checksum_read[(CHECKSUM_READ==1)?1:-1]; typedef char bool_skip_checksum_write[(SKIP_CHECKSUM_WRITE==0)?1:-1]; typedef char bool_checksum_write[(CHECKSUM_WRITE==1)?1:-1]; -typedef char bool_no_invert[(NO_INVERT==0)?1:-1]; -typedef char bool_part_invert[(PART_INVERT==1)?1:-1]; typedef char bool_loop_eintr[(LOOP_EINTR==1||LOOP_EINTR==0)?1:-1]; typedef char bool_loop_eagain[(LOOP_EAGAIN==1||LOOP_EAGAIN==0)?1:-1]; typedef char bool_no_loop_eintr[(NO_LOOP_EINTR==0)?1:-1]; typedef char bool_no_loop_eagain[(NO_LOOP_EAGAIN==0)?1:-1]; +typedef char bool_off_err[(OFF_ERR==0)?1:-1]; +typedef char bool_off_reset[(OFF_RESET==0||OFF_RESET==1)?1:-1]; -static int io_err_gbe = 0; +static int io_err_gbe = 0; /* intermediary write (verification) */ +static int io_err_gbe_bin = 0; /* final write (real file) */ static int rw_check_err_read[] = {0, 0}; static int rw_check_partial_read[] = {0, 0}; static int rw_check_bad_part[] = {0, 0}; @@ -678,28 +680,42 @@ static int post_rw_checksum[] = {0, 0}; static dev_t gbe_dev; static ino_t gbe_ino; -#if defined(HAVE_ARC4RANDOM_BUF) && \ - (HAVE_ARC4RANDOM_BUF) > 0 -void arc4random_buf(void *buf, size_t n); -#endif +static dev_t tmp_dev; +static ino_t tmp_ino; + +/* + * No need to declare feature + * macros. I jus declare the + * prototypes. Should be safe + * on most Unices and compilers + */ +int mkstemp(char *template); +int fchmod(int fd, mode_t mode); + +static int tmp_fd = -1; +static char *tname = NULL; int main(int argc, char *argv[]) { argv0 = argv[0]; if (argc < 3) - usage(1); + usage(); fname = argv[1]; + tname = new_tmpfile(&tmp_fd, 0, NULL); + if (tname == NULL) + err(errno, "Can't create tmpfile"); + #ifdef NVMUTIL_PLEDGE #ifdef NVMUTIL_UNVEIL - if (pledge("stdio rpath wpath unveil", NULL) == -1) - err(errno, "pledge"); - if (unveil("/dev/null", "r") == -1) - err(errno, "unveil /dev/null"); + if (pledge("stdio flock rpath wpath cpath unveil", NULL) == -1) + err(errno, "pledge, unveil"); + if (unveil("/dev/urandom", "r") == -1) + err(errno, "unveil: /dev/urandom"); #else - if (pledge("stdio rpath wpath", NULL) == -1) + if (pledge("stdio flock rpath wpath cpath", NULL) == -1) err(errno, "pledge"); #endif #endif @@ -709,74 +725,49 @@ main(int argc, char *argv[]) set_cmd(argc, argv); set_cmd_args(argc, argv); -#ifdef NVMUTIL_PLEDGE #ifdef NVMUTIL_UNVEIL if (command[cmd_index].flags == O_RDONLY) { if (unveil(fname, "r") == -1) - err(errno, "%s: unveil ro", fname); - if (unveil(NULL, NULL) == -1) - err(errno, "unveil block (ro)"); - if (pledge("stdio rpath", NULL) == -1) - err(errno, "pledge ro (kill unveil)"); + err(errno, "%s: unveil r", fname); } else { - if (unveil(fname, "rw") == -1) + if (unveil(fname, "rwc") == -1) err(errno, "%s: unveil rw", fname); - if (unveil(NULL, NULL) == -1) - err(errno, "unveil block (rw)"); - if (pledge("stdio rpath wpath", NULL) == -1) - err(errno, "pledge rw (kill unveil)"); - } -#else - if (command[cmd_index].flags == O_RDONLY) { - if (pledge("stdio rpath", NULL) == -1) - err(errno, "pledge ro"); } -#endif + + if (unveil(tname, "rwc") == -1) + err(errno, "%s: unveil rwc", tname); + + if (unveil(NULL, NULL) == -1) + err(errno, "unveil block (rw)"); + + if (pledge("stdio flock rpath wpath cpath", NULL) == -1) + err(errno, "pledge (kill unveil)"); #endif srand((uint)(time(NULL) ^ getpid())); open_gbe_file(); - lock_gbe_file(); -#ifdef NVMUTIL_PLEDGE - if (pledge("stdio", NULL) == -1) - err(errno, "pledge stdio (main)"); -#endif + memset(buf, 0, GBE_BUF_SIZE); + memset(bufcmp, 0, GBE_BUF_SIZE); - /* - * Used by CMD_CAT, for padding - */ - memset(pad, 0xff, sizeof(pad)); + copy_gbe(); - read_gbe_file(); read_checksums(); run_cmd(cmd_index); - if (command[cmd_index].flags == O_RDWR) { - - write_gbe_file(); + if (command[cmd_index].flags == O_RDWR) + write_to_gbe_bin(); - /* - * We may otherwise read from - * cache, so we must sync. - */ - if (fsync(gbe_fd) == -1) - err(errno, "%s: fsync (pre-verification)", - fname); - - check_written_part(0); - check_written_part(1); - - report_io_err_rw(); + if (exit_cleanup() == -1) + err(EIO, "%s: close", fname); - if (io_err_gbe) - err(EIO, "%s: bad write", fname); - } + if (io_err_gbe_bin) + err(EIO, "%s: error writing final file"); - if (close_files() == -1) - err(EIO, "%s: close", fname); + if (tname != NULL) + free(tname); return EXIT_SUCCESS; } @@ -799,7 +790,6 @@ sanitize_command_list(void) static void sanitize_command_index(size_t c) { - u8 mod_type; size_t gbe_rw_size; check_command_num(c); @@ -821,19 +811,10 @@ sanitize_command_index(size_t c) (ulong)c, command[c].str); } - mod_type = command[c].set_modified; - switch (mod_type) { - case SET_MOD_0: - case SET_MOD_1: - case SET_MOD_N: - case SET_MOD_BOTH: - case SET_MOD_OFF: - break; - default: - err(EINVAL, "Unsupported set_mod type: %u", mod_type); - } + if (command[c].run == NULL) + err(EINVAL, "cmd index %lu: cmd ptr null", + (ulong)c); - check_bin(command[c].invert, "cmd.invert"); check_bin(command[c].arg_part, "cmd.arg_part"); check_bin(command[c].chksum_read, "cmd.chksum_read"); check_bin(command[c].chksum_write, "cmd.chksum_write"); @@ -883,7 +864,7 @@ set_cmd_args(int argc, char *argv[]) u8 arg_part; if (!valid_command(cmd_index) || argc < 3) - usage(1); + usage(); arg_part = command[cmd_index].arg_part; @@ -933,11 +914,17 @@ xstrxcmp(const char *a, const char *b, size_t maxlen) err(EINVAL, "Empty string in xstrxcmp"); for (i = 0; i < maxlen; i++) { - if (a[i] != b[i]) - return (u8)a[i] - (u8)b[i]; + u8 ac = (u8)a[i]; + u8 bc = (u8)b[i]; + + if (ac == '\0' || bc == '\0') { + if (ac == bc) + return 0; + return ac - bc; + } - if (a[i] == '\0') - return 0; + if (ac != bc) + return ac - bc; } /* @@ -959,7 +946,8 @@ open_gbe_file(void) int flags; xopen(&gbe_fd, fname, - command[cmd_index].flags | O_BINARY | O_NOFOLLOW, &gbe_st); + command[cmd_index].flags | O_BINARY | + O_NOFOLLOW | O_CLOEXEC, &gbe_st); /* inode will be checked later on write */ gbe_dev = gbe_st.st_dev; @@ -984,7 +972,7 @@ open_gbe_file(void) * which would therefore break pread/pwrite */ if (flags & O_APPEND) - err(EIO, "%s: O_APPEND flag"); + err(EIO, "%s: O_APPEND flag", fname); gbe_file_size = gbe_st.st_size; @@ -996,10 +984,13 @@ open_gbe_file(void) default: err(EINVAL, "File size must be 8KB, 16KB or 128KB"); } + + if (lock_file(gbe_fd) == -1) + err(errno, "%s: can't lock", fname); } -static void -lock_gbe_file(void) +static int +lock_file(int fd) { struct flock fl; @@ -1012,8 +1003,10 @@ lock_gbe_file(void) fl.l_whence = SEEK_SET; - if (fcntl(gbe_fd, F_SETLK, &fl) == -1) - err(errno, "file is locked by another process"); + if (fcntl(fd, F_SETLK, &fl) == -1) + return -1; + + return 0; } static void @@ -1023,7 +1016,7 @@ xopen(int *fd_ptr, const char *path, int flags, struct stat *st) err(errno, "%s", path); if (fstat(*fd_ptr, st) == -1) - err(errno, "%s", path); + err(errno, "%s: stat", path); if (!S_ISREG(st->st_mode)) err(errno, "%s: not a regular file", path); @@ -1032,23 +1025,87 @@ xopen(int *fd_ptr, const char *path, int flags, struct stat *st) err(errno, "%s: file not seekable", path); } +/* + * We copy the entire gbe file + * to the tmpfile, and then we + * work on that. We copy back + * afterward. this is the copy. + * + * we copy to tmpfile even on + * read-only commands, for the + * double-read verification, + * which also benefits cmd_cat. + */ static void -read_gbe_file(void) +copy_gbe(void) { - size_t p; - u8 do_read[2] = {1, 1}; + ssize_t r; + struct stat st; + + /* read main file */ + r = rw_file_exact(gbe_fd, buf, gbe_file_size, + 0, IO_PREAD, NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (r < 0) + err(errno, "%s: read failed", fname); + + /* copy to tmpfile */ + + r = rw_file_exact(tmp_fd, buf, gbe_file_size, + 0, IO_PWRITE, NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (r < 0) + err(errno, "%s: %s: copy failed", + fname, tname); /* - * Commands specifying a partnum only - * need the given GbE part to be read. + * file size comparison */ - if (command[cmd_index].arg_part) - do_read[part ^ 1] = 0; - for (p = 0; p < 2; p++) { - if (do_read[p]) - rw_gbe_file_part(p, IO_PREAD, "pread"); - } + if (fstat(tmp_fd, &st) == -1) + err(errno, "%s: stat", tname); + + gbe_tmp_size = st.st_size; + + if (gbe_tmp_size != gbe_file_size) + err(EIO, "%s: %s: not the same size", fname, tname); + + /* + * fsync tmp gbe file, because we will compare + * its contents to what was read (for safety) + */ + if (fsync(tmp_fd) == -1) + err(errno, "%s: fsync (tmpfile copy)", tname); + + r = rw_file_exact(tmp_fd, bufcmp, gbe_file_size, + 0, IO_PREAD, NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (r < 0) + err(errno, "%s: read failed (cmp)", tname); + + if (memcmp(buf, bufcmp, gbe_file_size) != 0) + err(errno, "%s: %s: read contents differ (pre-test)", + fname, tname); + + /* + regular operations post-read operate only on the first + 8KB, because each GbE part is the first 4KB of each + half of the file. + + we no longer care about anything past 8KB, until we get + to writing, at which point we will flush the buffer + again + */ + + if (gbe_file_size == SIZE_8KB) + return; + + memcpy(buf + (size_t)GBE_PART_SIZE, + buf + (size_t)(gbe_file_size >> 1), + (size_t)GBE_PART_SIZE); } static void @@ -1056,7 +1113,6 @@ read_checksums(void) { size_t p; size_t skip_part; - u8 invert; u8 arg_part; u8 num_invalid; u8 max_invalid; @@ -1070,7 +1126,6 @@ read_checksums(void) num_invalid = 0; max_invalid = 2; - invert = command[cmd_index].invert; arg_part = command[cmd_index].arg_part; if (arg_part) max_invalid = 1; @@ -1079,7 +1134,7 @@ read_checksums(void) * Skip verification on this part, * but only when arg_part is set. */ - skip_part = part ^ 1 ^ invert; + skip_part = part ^ 1; for (p = 0; p < 2; p++) { /* @@ -1118,8 +1173,11 @@ static void run_cmd(size_t c) { check_command_num(c); - if (command[c].run != NULL) - command[c].run(); + + if (command[c].run == NULL) + err(EINVAL, "Command %lu: null ptr", (ulong)c); + + command[c].run(); } static void @@ -1268,28 +1326,21 @@ hextonum(char ch_s) return 16; /* invalid character */ } -#if defined(HAVE_ARC4RANDOM_BUF) && \ - (HAVE_ARC4RANDOM_BUF) > 0 -static ushort -rhex(void) -{ - static u8 num[12]; - static size_t n = 0; - - if (!n) { - n = 12; - arc4random_buf(num, 12); - } - - return num[--n] & 0xf; -} -#else static ushort rhex(void) { struct timeval tv; ulong mix; static ulong counter = 0; + ushort r; + + /* Read /dev/urandom + * if possible */ + r = read_urandom(); + if (r < 16) + return r; + + /* Fallback */ gettimeofday(&tv, NULL); @@ -1311,6 +1362,38 @@ rhex(void) return (ushort)(mix & 0xf); } +static ushort +read_urandom(void) +{ + static int fd = -1; + static ssize_t n = -1; + + static u8 r[256]; + + if (fd < 0) { + + fd = open("/dev/urandom", O_RDONLY); + + if (fd < 0) + return 16; + } + + if (n < 0) { + + n = rw_file_exact(fd, r, 256, 0, IO_READ, + LOOP_EAGAIN, LOOP_EINTR, 2, OFF_ERR); + + if (n == 0) + n = -1; + if (n < 0) + return 16; + + --n; + } + + return r[n--] & 0xf; +} + static ulong entropy_jitter(void) { @@ -1338,7 +1421,6 @@ entropy_jitter(void) return mix; } -#endif static void write_mac_part(size_t partnum) @@ -1420,35 +1502,77 @@ hexdump(size_t partnum) } static void -cmd_helper_cat(void) +cmd_helper_swap(void) { - size_t p; - size_t ff; - size_t n = 0; + memcpy( + buf + (size_t)GBE_WORK_SIZE, + buf, + GBE_PART_SIZE); + + memcpy( + buf, + buf + (size_t)GBE_PART_SIZE, + GBE_PART_SIZE); + + memcpy( + buf + (size_t)GBE_PART_SIZE, + buf + (size_t)GBE_WORK_SIZE, + GBE_PART_SIZE); + + set_part_modified(0); + set_part_modified(1); +} - if (cmd_index == CMD_CAT16) - n = 1; - else if (cmd_index == CMD_CAT128) - n = 15; - else if (cmd_index != CMD_CAT) - err(EINVAL, "cmd_helper_cat called erroneously"); +static void +cmd_helper_copy(void) +{ + memcpy( + buf + (size_t)((part ^ 1) * GBE_PART_SIZE), + buf + (size_t)(part * GBE_PART_SIZE), + GBE_PART_SIZE); + + set_part_modified(part ^ 1); +} + +static void +cmd_helper_cat(void) +{ + size_t p = 0; + size_t ff = 0; + size_t nff = 0; fflush(NULL); + memset(pad, 0xff, GBE_PART_SIZE); + + switch (cmd_index) { + case CMD_CAT: + nff = 0; + break; + case CMD_CAT16: + nff = 1; + break; + case CMD_CAT128: + nff = 15; + break; + default: + err(EINVAL, "erroneous call to cat"); + } + for (p = 0; p < 2; p++) { - gbe_cat_buf(buf + (ulong)(p * GBE_PART_SIZE)); + cat_buf(bufcmp + (size_t)(p * (gbe_file_size >> 1))); - for (ff = 0; ff < n; ff++) - gbe_cat_buf(pad); + for (ff = 0; ff < nff; ff++) + cat_buf(pad); } } static void -gbe_cat_buf(u8 *b) +cat_buf(u8 *b) { if (rw_file_exact(STDOUT_FILENO, b, GBE_PART_SIZE, 0, IO_WRITE, LOOP_EAGAIN, LOOP_EINTR, - MAX_ZERO_RW_RETRY) < 0) + MAX_ZERO_RW_RETRY, OFF_ERR) < 0) err(errno, "stdout: cat"); } @@ -1456,67 +1580,42 @@ static void write_gbe_file(void) { struct stat gbe_st; + struct stat tmp_st; size_t p; - size_t partnum; u8 update_checksum; if (command[cmd_index].flags == O_RDONLY) return; - update_checksum = command[cmd_index].chksum_write; - - override_part_modified(); - if (fstat(gbe_fd, &gbe_st) == -1) err(errno, "%s: re-check", fname); - if (gbe_st.st_dev != gbe_dev || gbe_st.st_ino != gbe_ino) err(EIO, "%s: file replaced while open", fname); - if (gbe_st.st_size != gbe_file_size) err(errno, "%s: file size changed before write", fname); - if (!S_ISREG(gbe_st.st_mode)) err(errno, "%s: file type changed before write", fname); - for (p = 0; p < 2; p++) { - partnum = p ^ command[cmd_index].invert; + if (fstat(tmp_fd, &tmp_st) == -1) + err(errno, "%s: re-check", tname); + if (tmp_st.st_dev != tmp_dev || tmp_st.st_ino != tmp_ino) + err(EIO, "%s: file replaced while open", tname); + if (tmp_st.st_size != gbe_file_size) + err(errno, "%s: file size changed before write", tname); + if (!S_ISREG(tmp_st.st_mode)) + err(errno, "%s: file type changed before write", tname); + + update_checksum = command[cmd_index].chksum_write; - if (!part_modified[partnum]) + for (p = 0; p < 2; p++) { + if (!part_modified[p]) continue; if (update_checksum) - set_checksum(partnum); + set_checksum(p); - rw_gbe_file_part(partnum, IO_PWRITE, "pwrite"); - } -} - -static void -override_part_modified(void) -{ - u8 mod_type = command[cmd_index].set_modified; - - switch (mod_type) { - case SET_MOD_0: - set_part_modified(0); - break; - case SET_MOD_1: - set_part_modified(1); - break; - case SET_MOD_N: - set_part_modified(part ^ command[cmd_index].invert); - break; - case SET_MOD_BOTH: - set_part_modified(0); - set_part_modified(1); - break; - case SET_MOD_OFF: - break; - default: - err(EINVAL, "Unsupported set_mod type: %u", - mod_type); + rw_gbe_file_part(p, IO_PWRITE, "pwrite"); } } @@ -1610,7 +1709,6 @@ rw_gbe_file_part(size_t p, int rw_type, { ssize_t r; size_t gbe_rw_size = command[cmd_index].rw_size; - u8 invert = command[cmd_index].invert; u8 *mem_offset; off_t file_offset; @@ -1619,17 +1717,10 @@ rw_gbe_file_part(size_t p, int rw_type, err(errno, "%s: %s: part %lu: invalid rw_type, %d", fname, rw_type_str, (ulong)p, rw_type); - if (rw_type == IO_PWRITE) - invert = 0; - - /* - * Inverted reads are used by copy/swap. - * E.g. read from p0 (file) to p1 (mem). - */ - mem_offset = gbe_mem_offset(p ^ invert, rw_type_str); + mem_offset = gbe_mem_offset(p, rw_type_str); file_offset = (off_t)gbe_file_offset(p, rw_type_str); - r = rw_gbe_file_exact(gbe_fd, mem_offset, + r = rw_gbe_file_exact(tmp_fd, mem_offset, gbe_rw_size, file_offset, rw_type); if (r == -1) @@ -1642,6 +1733,92 @@ rw_gbe_file_part(size_t p, int rw_type, } static void +write_to_gbe_bin(void) +{ + int saved_errno; + int mv; + + if (command[cmd_index].flags != O_RDWR) + return; + + write_gbe_file(); + + /* + * We may otherwise read from + * cache, so we must sync. + */ + if (fsync(tmp_fd) == -1) + err(errno, "%s: fsync (pre-verification)", + tname); + + check_written_part(0); + check_written_part(1); + + report_io_err_rw(); + + if (io_err_gbe) + err(EIO, "%s: bad write", fname); + + /* + * success! + * now just rename the tmpfile + */ + + saved_errno = errno; + + if (close(tmp_fd) == -1) { + fprintf(stderr, "FAIL: %s: close\n", tname); + io_err_gbe_bin = 1; + } + + if (close(gbe_fd) == -1) { + fprintf(stderr, "FAIL: %s: close\n", fname); + io_err_gbe_bin = 1; + } + + errno = saved_errno; + + tmp_fd = -1; + gbe_fd = -1; + + if (!io_err_gbe_bin) { + + mv = gbe_mv(); + + if (mv < 0) { + io_err_gbe_bin = 1; + fprintf(stderr, "%s: %s\n", + fname, strerror(errno)); + } else { + /* + * tmpfile removed + * by the rename + */ + + if (tname != NULL) + free(tname); + + tname = NULL; + } + } + + /* + * finally: + * must sync to disk! + * very nearly done + */ + + if (!io_err_gbe_bin) + return; + + fprintf(stderr, "FAIL (rename): %s: skipping fsync\n", + fname); + if (errno) + fprintf(stderr, + "errno %d: %s\n", errno, strerror(errno)); +} + +static void check_written_part(size_t p) { ssize_t r; @@ -1664,11 +1841,15 @@ check_written_part(size_t p) if (fstat(gbe_fd, &st) == -1) err(errno, "%s: fstat (post-write)", fname); - if (st.st_dev != gbe_dev || st.st_ino != gbe_ino) err(EIO, "%s: file changed during write", fname); - r = rw_gbe_file_exact(gbe_fd, pad, + if (fstat(tmp_fd, &st) == -1) + err(errno, "%s: fstat (post-write)", tname); + if (st.st_dev != tmp_dev || st.st_ino != tmp_ino) + err(EIO, "%s: file changed during write", tname); + + r = rw_gbe_file_exact(tmp_fd, pad, gbe_rw_size, file_offset, IO_PREAD); if (r == -1) @@ -1746,6 +1927,212 @@ report_io_err_rw(void) } } +static int +gbe_mv(void) +{ + int r; + int saved_errno; + int tmp_gbe_bin_exists = 1; + + char *dest_tmp = NULL; + int dest_fd = -1; + + saved_errno = errno; + + r = rename(tname, fname); + + if (r > -1) { + /* + * same filesystem + */ + + tmp_gbe_bin_exists = 0; + + if (fsync_dir(fname) < 0) + r = -1; + + goto ret_gbe_mv; + } + + if (errno != EXDEV) + goto ret_gbe_mv; + + /* cross-filesystem rename */ + + if ((r = tmp_fd = open(tname, + O_RDONLY | O_BINARY)) == -1) + goto ret_gbe_mv; + + /* create replacement temp in target directory */ + dest_tmp = new_tmpfile(&dest_fd, 1, fname); + if (dest_tmp == NULL) + goto ret_gbe_mv; + + /* copy data */ + + r = rw_file_exact(tmp_fd, bufcmp, + gbe_file_size, 0, IO_PREAD, + NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (r < 0) + goto ret_gbe_mv; + + r = rw_file_exact(dest_fd, bufcmp, + gbe_file_size, 0, IO_PWRITE, + NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (r < 0) + goto ret_gbe_mv; + + if (fsync(dest_fd) == -1) + goto ret_gbe_mv; + + if (close(dest_fd) == -1) + goto ret_gbe_mv; + + if (rename(dest_tmp, fname) == -1) + goto ret_gbe_mv; + + if (fsync_dir(fname) < 0) + goto ret_gbe_mv; + + free(dest_tmp); + dest_tmp = NULL; + +ret_gbe_mv: + + if (gbe_fd > -1) { + if (close(gbe_fd) < 0) + r = -1; + if (fsync_dir(fname) < 0) + r = -1; + gbe_fd = -1; + } + + if (tmp_fd > -1) { + if (close(tmp_fd) < 0) + r = -1; + + tmp_fd = -1; + } + + /* + * before this function is called, + * tmp_fd may have been moved + */ + if (tmp_gbe_bin_exists) { + if (unlink(tname) < 0) + r = -1; + else + tmp_gbe_bin_exists = 0; + } + + if (r < 0) { + /* + * if nothing set errno, + * we assume EIO, or we + * use what was set + */ + if (errno == saved_errno) + errno = EIO; + } else { + errno = saved_errno; + } + + return r; +} + +/* + * Ensure rename() is durable by syncing the + * directory containing the target file. + */ +static int +fsync_dir(const char *path) +{ +#if defined(PATH_LEN) && \ + (PATH_LEN) >= 256 + size_t maxlen = PATH_LEN; +#else + size_t maxlen = 4096; +#endif + size_t pathlen; +/* char dirbuf[maxlen]; */ + char *dirbuf = NULL; + char *slash; + int dfd = -1; + + struct stat st; + + int saved_errno = errno; + + pathlen = xstrxlen(path, maxlen); + + if (pathlen >= maxlen) { + fprintf(stderr, "Path too long for fsync_parent_dir\n"); + goto err_fsync_dir; + } + + dirbuf = malloc(pathlen + 1); + if (dirbuf == NULL) + goto err_fsync_dir; + + memcpy(dirbuf, path, pathlen + 1); + slash = strrchr(dirbuf, '/'); + + if (slash != NULL) { + *slash = '\0'; + if (*dirbuf == '\0') + strcpy(dirbuf, "/"); + } else { + strcpy(dirbuf, "."); + } + + dfd = open(dirbuf, O_RDONLY); + if (dfd == -1) + goto err_fsync_dir; + + if (fstat(dfd, &st) < 0) + goto err_fsync_dir; + + if (!S_ISDIR(st.st_mode)) { + fprintf(stderr, "%s: not a directory\n", dirbuf); + goto err_fsync_dir; + } + + /* sync file on disk */ + if (fsync(dfd) == -1) + goto err_fsync_dir; + + if (close(dfd) == -1) + goto err_fsync_dir; + + if (dirbuf != NULL) + free(dirbuf); + + errno = saved_errno; + return 0; + +err_fsync_dir: + if (!errno) + errno = EIO; + + if (errno != saved_errno) + fprintf(stderr, "%s: %s\n", fname, strerror(errno)); + + if (dirbuf != NULL) + free(dirbuf); + + if (dfd > -1) + close(dfd); + + io_err_gbe_bin = 1; + errno = saved_errno; + + return -1; +} + /* * This one is similar to gbe_file_offset, * but used to check Gbe bounds in memory, @@ -1755,9 +2142,9 @@ static u8 * gbe_mem_offset(size_t p, const char *f_op) { off_t gbe_off = gbe_x_offset(p, f_op, "mem", - GBE_PART_SIZE, GBE_FILE_SIZE); + GBE_PART_SIZE, GBE_WORK_SIZE); - return (u8 *)(buf + (ulong)gbe_off); + return (u8 *)(buf + (size_t)gbe_off); } /* @@ -1801,21 +2188,23 @@ static ssize_t rw_gbe_file_exact(int fd, u8 *mem, size_t nrw, off_t off, int rw_type) { - ulong mem_addr; - ulong buf_addr; - ulong buf_end; + size_t mem_addr; + size_t buf_addr; + ssize_t r; - if (mem == NULL) - goto err_rw_gbe_file_exact; + if (io_args(fd, mem, nrw, off, rw_type) == -1) + return -1; - mem_addr = (ulong)(void *)mem; - buf_addr = (ulong)(void *)buf; - buf_end = buf_addr + (ulong)GBE_FILE_SIZE; + mem_addr = (size_t)(void *)mem; + buf_addr = (size_t)(void *)buf; - if (mem != (void *)pad && - mem != (void *)rnum && - (mem_addr < buf_addr || mem_addr >= buf_end)) - goto err_rw_gbe_file_exact; + if (mem != (void *)pad) { + if (mem_addr < buf_addr) + goto err_rw_gbe_file_exact; + + if ((mem_addr - buf_addr) >= (size_t)GBE_WORK_SIZE) + goto err_rw_gbe_file_exact; + } if (off < 0 || off >= gbe_file_size) goto err_rw_gbe_file_exact; @@ -1823,11 +2212,14 @@ rw_gbe_file_exact(int fd, u8 *mem, size_t nrw, if (nrw > (size_t)(gbe_file_size - off)) goto err_rw_gbe_file_exact; - if (nrw > GBE_PART_SIZE) + if (nrw > (size_t)GBE_PART_SIZE) goto err_rw_gbe_file_exact; - return rw_file_exact(fd, mem, nrw, off, rw_type, - NO_LOOP_EAGAIN, LOOP_EINTR, MAX_ZERO_RW_RETRY); + r = rw_file_exact(fd, mem, nrw, off, rw_type, + NO_LOOP_EAGAIN, LOOP_EINTR, MAX_ZERO_RW_RETRY, + OFF_ERR); + + return rw_over_nrw(r, nrw); err_rw_gbe_file_exact: errno = EIO; @@ -1860,34 +2252,48 @@ err_rw_gbe_file_exact: * returned and errno is set accordingly. * * Zero-byte returns are not allowed. - * It calls rw_file_once(), which will - * re-try on zero-read a finite number - * of times, to prevent infinite loops - * while also having fault tolerance. + * It will re-spin a finite number of + * times upon zero-return, to recover, + * otherwise it will return an error. */ static ssize_t rw_file_exact(int fd, u8 *mem, size_t nrw, off_t off, int rw_type, int loop_eagain, - int loop_eintr, size_t max_retries) + int loop_eintr, size_t max_retries, + int off_reset) { ssize_t rv = 0; ssize_t rc = 0; size_t retries_on_zero = 0; + off_t off_cur; + size_t nrw_cur; + void *mem_cur; + + if (io_args(fd, mem, nrw, off, rw_type) == -1) + return -1; while (1) { + + /* Prevent theoretical overflow */ + if (rv >= 0 && (size_t)rv > (nrw - rc)) + goto err_rw_file_exact; rc += rv; if ((size_t)rc >= nrw) break; - if ((rv = prw(fd, - mem + (ulong)rc, nrw - rc, off + rc, rw_type, - loop_eagain, loop_eintr)) < 0) - return -1; - - /* Prevent theoretical overflow */ - if ((size_t)rv > (nrw - rc)) + mem_cur = (void *)(mem + (size_t)rc); + nrw_cur = (size_t)(nrw - (size_t)rc); + if (off < 0) goto err_rw_file_exact; + off_cur = off + (off_t)rc; + + rv = prw(fd, mem_cur, nrw_cur, off_cur, + rw_type, loop_eagain, loop_eintr, + off_reset); + + if (rv < 0) + return -1; if (rv == 0) { if (retries_on_zero++ < max_retries) @@ -1934,29 +2340,41 @@ err_rw_file_exact: * also mitigates a few theoretical libc bugs. * It is designed for extremely safe single-threaded * I/O on applications that need it. + * + * NOTE: If you use loop_eagain (1), you enable wait + * loop on EAGAIN. Beware if using this on a non-blocking + * pipe (it could spin indefinitely). + * + * off_reset: if zero, and using fallback pwrite/pread + * analogs, we check if a file offset changed, + * which would indicate another thread changed + * it, and return error, without resetting the + * file - this would allow that thread to keep + * running, but we could then cause a whole + * program exit if we wanted to. + * if not zero: + * we reset and continue, and pray for the worst. */ static ssize_t prw(int fd, void *mem, size_t nrw, off_t off, int rw_type, - int loop_eagain, int loop_eintr) + int loop_eagain, int loop_eintr, + int off_reset) { - off_t off_orig; - off_t off_last; ssize_t r; - int saved_errno; int positional_rw; struct stat st; +#if !defined(HAVE_REAL_PREAD_PWRITE) || \ + HAVE_REAL_PREAD_PWRITE < 1 + int saved_errno; + off_t verified; + off_t off_orig; + off_t off_last; +#endif - if (mem == NULL) - goto err_prw; - - if (fd < 0 - || off < 0 - || !nrw /* prevent zero read request */ - || nrw > (size_t)SSIZE_MAX /* prevent overflow */ - || (uint)rw_type > IO_PWRITE) - goto err_prw; + if (io_args(fd, mem, nrw, off, rw_type) == -1) + return -1; r = -1; @@ -2010,32 +2428,79 @@ real_pread_pwrite: goto real_pread_pwrite; #else if ((off_orig = lseek_loop(fd, (off_t)0, SEEK_CUR, - loop_eagain, loop_eintr)) == (off_t)-1) + loop_eagain, loop_eintr)) == (off_t)-1) { r = -1; - else if (lseek_loop(fd, off, SEEK_SET, - loop_eagain, loop_eintr) == (off_t)-1) + } else if (lseek_loop(fd, off, SEEK_SET, + loop_eagain, loop_eintr) == (off_t)-1) { r = -1; + } else { + verified = lseek_loop(fd, (off_t)0, SEEK_CUR, + loop_eagain, loop_eintr); - do { - if (rw_type == IO_PREAD) - r = read(fd, mem, nrw); - else if (rw_type == IO_PWRITE) - r = write(fd, mem, nrw); - - r = rw_over_nrw(r, nrw); - } while (r == -1 && - (errno == try_err(loop_eintr, EINTR) - || errno == try_err(loop_eagain, EAGAIN))); + /* + * Partial thread-safety: detect + * if the offset changed to what + * we previously got. If it did, + * then another thread may have + * changed it. Enabled if + * off_reset is OFF_RESET. + * + * We do this *once*, on the theory + * that nothing is touching it now. + */ + if (off_reset && off != verified) + lseek_loop(fd, off, SEEK_SET, + loop_eagain, loop_eintr); + + do { + /* + * Verify again before I/O + * (even with OFF_ERR) + * + * This implements the first check + * even with OFF_ERR, but without + * the recovery. On ERR_RESET, if + * the check fails again, then we + * know something else is touching + * the file, so it's best that we + * probably leave it alone and err. + * + * In other words, ERR_RESET only + * tolerates one change. Any more + * will cause an exit, including + * per EINTR/EAGAIN re-spin. + */ + verified = lseek_loop(fd, (off_t)0, SEEK_CUR, + loop_eagain, loop_eintr); + + if (off != verified) + goto err_prw; + + if (rw_type == IO_PREAD) + r = read(fd, mem, nrw); + else if (rw_type == IO_PWRITE) + r = write(fd, mem, nrw); + + if (rw_over_nrw(r, nrw) == -1) { + errno = EIO; + break; + } + + } while (r == -1 && + (errno == try_err(loop_eintr, EINTR) + || errno == try_err(loop_eagain, EAGAIN))); + } saved_errno = errno; + off_last = lseek_loop(fd, off_orig, SEEK_SET, loop_eagain, loop_eintr); - if (off_last == (off_t)-1) { + + if (off_last != off_orig) { errno = saved_errno; - return -1; - } - if (off_last != off_orig) goto err_prw; + } + errno = saved_errno; return rw_over_nrw(r, nrw); @@ -2047,6 +2512,44 @@ err_prw: } static int +io_args(int fd, void *mem, size_t nrw, + off_t off, int rw_type) +{ + /* obviously */ + if (mem == NULL) + goto err_io_args; + + /* uninitialised fd */ + if (fd < 0) + goto err_io_args; + + /* negative offset */ + if (off < 0) + goto err_io_args; + + /* prevent zero-byte rw */ + if (!nrw) + goto err_io_args; + + /* prevent overflow */ + if (nrw > (size_t)SSIZE_MAX) + goto err_io_args; + + /* prevent overflow */ + if (((size_t)off + nrw) < (size_t)off) + goto err_io_args; + + if (rw_type > IO_PWRITE) + goto err_io_args; + + return 0; + +err_io_args: + errno = EIO; + return -1; +} + +static int check_file(int fd, struct stat *st) { if (fstat(fd, st) == -1) @@ -2071,6 +2574,14 @@ err_is_file: static ssize_t rw_over_nrw(ssize_t r, size_t nrw) { + /* + * If a byte length of zero + * was requested, that is + * clearly a bug. No way. + */ + if (!nrw) + goto err_rw_over_nrw; + if (r == -1) return r; @@ -2147,25 +2658,25 @@ try_err(int loop_err, int errval) return -1; } -static int -close_files(void) +static void +usage(void) { - int close_err_gbe = 0; - int saved_errno = errno; - - if (gbe_fd > -1) { - if (close(gbe_fd) == -1) - close_err_gbe = errno; - gbe_fd = -1; - } - - if (saved_errno) - errno = saved_errno; + const char *util = getnvmprogname(); - if (close_err_gbe) - return -1; + fprintf(stderr, + "Modify Intel GbE NVM images e.g. set MAC\n" + "USAGE:\n" + "\t%s FILE dump\n" + "\t%s FILE setmac [MAC]\n" + "\t%s FILE swap\n" + "\t%s FILE copy 0|1\n" + "\t%s FILE cat\n" + "\t%s FILE cat16\n" + "\t%s FILE cat128\n", + util, util, util, util, + util, util, util); - return 0; + err(EINVAL, "Too few arguments"); } static void @@ -2173,12 +2684,12 @@ err(int nvm_errval, const char *msg, ...) { va_list args; - if (errno < 0) - errno = ECANCELED; - if (!errno) + if (errno == 0) errno = nvm_errval; + if (!errno) + errno = ECANCELED; - (void)close_files(); + (void)exit_cleanup(); fprintf(stderr, "%s: ", getnvmprogname()); @@ -2189,9 +2700,46 @@ err(int nvm_errval, const char *msg, ...) fprintf(stderr, ": %s", strerror(errno)); fprintf(stderr, "\n"); + + if (tname != NULL) + free(tname); + exit(EXIT_FAILURE); } +static int +exit_cleanup(void) +{ + int close_err = 0; + int saved_errno = errno; + + if (gbe_fd > -1) { + if (close(gbe_fd) == -1) + close_err = 1; + gbe_fd = -1; + } + + if (tmp_fd > -1) { + if (close(tmp_fd) == -1) + close_err = 1; + } + + if (tname != NULL) { + if (unlink(tname) == -1) + close_err = 1; + } + + tmp_fd = -1; + + if (saved_errno) + errno = saved_errno; + + if (close_err) + return -1; + + return 0; +} + static const char * getnvmprogname(void) { @@ -2208,28 +2756,204 @@ getnvmprogname(void) return argv0; } -static void -usage(int usage_exit) +/* + * create new tmpfile path + * + * ON SUCCESS: + * + * returns ptr to path string on success + * ALSO: the int at *fd will be set, + * indicating the file descriptor + * + * ON ERROR: + * + * return NULL (*fd not touched) + * + * malloc() may set errno, but you should + * not rely on errno from this function + * + * local: if non-zero, then only a file + * name will be given, relative to + * the current file name. for this, + * the 3rd argument (path) must be non-null + * + * if local is zero, then 3rd arg (path) + * is irrelevant and can be NULL + */ +static char * +new_tmpfile(int *fd, int local, const char *path) { - const char *util = getnvmprogname(); + size_t maxlen; + struct stat st; -#ifdef NVMUTIL_PLEDGE - if (pledge("stdio", NULL) == -1) - err(errno, "pledge"); + /* + * please do not modify the + * strings or I will get mad + */ + char tmp_none[] = ""; + char tmp_default[] = "/tmp"; + char default_tmpname[] = "tmpXXXXXX"; + char *tmpname; + + char *base = NULL; + char *dest = NULL; + + size_t tmpdir_len = 0; + size_t tmpname_len = 0; + size_t tmppath_len = 0; + + int fd_tmp = -1; + int flags; + + /* + * 256 is the most + * conservative path + * size limit (posix), + * but 4096 is modern + * + * set PATH_LEN as you + * wish, at build time + */ + +#if defined(PATH_LEN) && \ + (PATH_LEN) >= 256 + maxlen = PATH_LEN; +#else + maxlen = 4096; #endif - fprintf(stderr, - "Modify Intel GbE NVM images e.g. set MAC\n" - "USAGE:\n" - "\t%s FILE dump\n" - "\t%s FILE setmac [MAC]\n" - "\t%s FILE swap\n" - "\t%s FILE copy 0|1\n" - "\t%s FILE cat\n" - "\t%s FILE cat16\n" - "\t%s FILE cat128\n", - util, util, util, util, - util, util, util); - if (usage_exit) - err(EINVAL, "Too few arguments"); + tmpname = default_tmpname; + if (local) { + if (path == NULL) + goto err_new_tmpfile; + if (*path == '\0') + goto err_new_tmpfile; + + if (stat(path, &st) == -1) + goto err_new_tmpfile; + + if (!S_ISREG(st.st_mode)) + goto err_new_tmpfile; + + tmpname = (char *)path; + } + + if (local) { + base = tmp_none; + + /* + * appended to filename for tmp: + */ + tmpdir_len = sizeof(default_tmpname); + } else { + base = getenv("TMPDIR"); + + if (base == NULL) + base = tmp_default; + if (*base == '\0') + base = tmp_default; + + tmpdir_len = xstrxlen(base, maxlen); + } + + tmpname_len = xstrxlen(tmpname, maxlen); + + tmppath_len = tmpdir_len + tmpname_len; + ++tmppath_len; /* for '/' or '.' */ + + /* + * max length -1 of maxlen + * for termination + */ + if (tmpdir_len > maxlen - tmpname_len - 1) + goto err_new_tmpfile; + + /* +1 for NULL */ + dest = malloc(tmppath_len + 1); + if (dest == NULL) + goto err_new_tmpfile; + + if (local) { + + *dest = '.'; /* hidden file */ + + memcpy(dest + (size_t)1, tmpname, tmpname_len); + + memcpy(dest + (size_t)1 + tmpname_len, + default_tmpname, tmpdir_len); + } else { + + memcpy(dest, base, tmpdir_len); + + dest[tmpdir_len] = '/'; + + memcpy(dest + tmpdir_len + 1, tmpname, tmpname_len); + } + + dest[tmppath_len] = '\0'; + + fd_tmp = mkstemp(dest); + if (fd_tmp == -1) + goto err_new_tmpfile; + + if (fchmod(fd_tmp, 0600) == -1) + goto err_new_tmpfile; + + if (lock_file(fd_tmp) == -1) + goto err_new_tmpfile; + + if (fstat(fd_tmp, &st) == -1) + goto err_new_tmpfile; + + /* + * Extremely defensive + * likely pointless checks + */ + + /* check if it's a file */ + if (!S_ISREG(st.st_mode)) + goto err_new_tmpfile; + + /* check if it's seekable */ + if (lseek(fd_tmp, 0, SEEK_CUR) == (off_t)-1) + goto err_new_tmpfile; + + /* inode will be checked later on write */ + tmp_dev = st.st_dev; + tmp_ino = st.st_ino; + + /* tmpfile has >1 hardlinks */ + if (st.st_nlink > 1) + goto err_new_tmpfile; + + /* tmpfile unlinked while opened */ + if (st.st_nlink == 0) + goto err_new_tmpfile; + + flags = fcntl(fd_tmp, F_GETFL); + + if (flags == -1) + goto err_new_tmpfile; + + /* + * O_APPEND would permit offsets + * to be ignored, which breaks + * positional read/write + */ + if (flags & O_APPEND) + goto err_new_tmpfile; + + *fd = fd_tmp; + + return dest; + +err_new_tmpfile: + + if (dest != NULL) + free(dest); + + if (fd_tmp > -1) + close(fd_tmp); + + return NULL; } |