summaryrefslogtreecommitdiff
path: root/util/nvmutil
diff options
context:
space:
mode:
Diffstat (limited to 'util/nvmutil')
-rw-r--r--util/nvmutil/.gitignore3
-rw-r--r--util/nvmutil/AUTHORS1
-rw-r--r--util/nvmutil/COPYING3
-rw-r--r--util/nvmutil/ChangeLog.md8
-rw-r--r--util/nvmutil/Makefile40
-rw-r--r--util/nvmutil/README.md4
-rw-r--r--util/nvmutil/nvmutil.c3086
7 files changed, 2918 insertions, 227 deletions
diff --git a/util/nvmutil/.gitignore b/util/nvmutil/.gitignore
new file mode 100644
index 00000000..802202a4
--- /dev/null
+++ b/util/nvmutil/.gitignore
@@ -0,0 +1,3 @@
+/nvm
+/nvmutil
+*.bin
diff --git a/util/nvmutil/AUTHORS b/util/nvmutil/AUTHORS
index f3c00385..f38ea210 100644
--- a/util/nvmutil/AUTHORS
+++ b/util/nvmutil/AUTHORS
@@ -1 +1,2 @@
Leah Rowe
+Riku Viitanen
diff --git a/util/nvmutil/COPYING b/util/nvmutil/COPYING
index 784581dd..47c35a86 100644
--- a/util/nvmutil/COPYING
+++ b/util/nvmutil/COPYING
@@ -1,4 +1,5 @@
-Copyright (C) 2022, 2023 Leah Rowe <leah@libreboot.org>
+Copyright (C) 2022-2026 Leah Rowe <leah@libreboot.org>
+Copyright (c) 2023 Riku Viitanen <riku.viitanen@protonmail.com>
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
diff --git a/util/nvmutil/ChangeLog.md b/util/nvmutil/ChangeLog.md
deleted file mode 100644
index e1ed5754..00000000
--- a/util/nvmutil/ChangeLog.md
+++ /dev/null
@@ -1,8 +0,0 @@
-This change log has moved. Please refer here for historical pre-osboot-merge
-changes:
-
-<https://libreboot.org/docs/install/nvmutilimport.html>
-
-Osboot merged with Libreboot on November 17th, 2022. For nvmutil changes after
-this date, please check regular Libreboot release announcements which shall
-now specify any such changes.
diff --git a/util/nvmutil/Makefile b/util/nvmutil/Makefile
index f25f6dd5..beca4f3a 100644
--- a/util/nvmutil/Makefile
+++ b/util/nvmutil/Makefile
@@ -1,16 +1,36 @@
# SPDX-License-Identifier: MIT
-# SPDX-FileCopyrightText: 2022 Leah Rowe <leah@libreboot.org>
-# SPDX-FileCopyrightText: 2023 Riku Viitanen <riku.viitanen@protonmail.com>
+# Copyright (c) 2022,2026 Leah Rowe <leah@libreboot.org>
+# Copyright (c) 2023 Riku Viitanen <riku.viitanen@protonmail.com>
-CC=cc
-CFLAGS=-Os -Wall -Wextra -Werror -pedantic
-PREFIX?=/usr/bin
+CC?=cc
+CSTD?=-std=c90
+WERROR?=
+CWARN?=-Wall -pedantic
+COPT?=-Os
+CFLAGS?=$(COPT) $(CWARN) $(CSTD)
+LDFLAGS?=
+DESTDIR?=
+PREFIX?=/usr/local
+INSTALL?=install
-nvm: nvmutil.c
- $(CC) $(CFLAGS) nvmutil.c -o nvm
+PROG=nvmutil
-install: nvm
- install nvm $(PREFIX)/nvm
+all: $(PROG)
+
+$(PROG): nvmutil.c
+ $(CC) $(CFLAGS) $(LDFLAGS) nvmutil.c -o $(PROG)
+
+install: $(PROG)
+ $(INSTALL) -d $(DESTDIR)$(PREFIX)/bin
+ $(INSTALL) $(PROG) $(DESTDIR)$(PREFIX)/bin/$(PROG)
+ chmod 755 $(DESTDIR)$(PREFIX)/bin/$(PROG)
+
+uninstall:
+ rm -f $(DESTDIR)$(PREFIX)/bin/$(PROG)
clean:
- rm -f nvm
+ rm -f $(PROG)
+
+distclean: clean
+
+.PHONY: all install uninstall clean distclean
diff --git a/util/nvmutil/README.md b/util/nvmutil/README.md
deleted file mode 100644
index 03a25bc4..00000000
--- a/util/nvmutil/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-
-This documentation has become part of lbwww. See:
-
-<https://libreboot.org/docs/install/nvmutil.html>
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 35abbfae..0b303fe3 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -1,281 +1,2959 @@
-/* SPDX-License-Identifier: MIT */
-/* SPDX-FileCopyrightText: 2022, 2023 Leah Rowe <leah@libreboot.org> */
-/* SPDX-FileCopyrightText: 2023 Riku Viitanen <riku.viitanen@protonmail.com> */
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2022-2026 Leah Rowe <leah@libreboot.org>
+ * Copyright (c) 2023 Riku Viitanen <riku.viitanen@protonmail.com>
+ *
+ * This tool lets you modify Intel GbE NVM (Gigabit Ethernet
+ * Non-Volatile Memory) images, e.g. change the MAC address.
+ * These images configure your Intel Gigabit Ethernet adapter.
+ *
+ * This code is designed to be portable, running on as many
+ * Unix and Unix-like systems as possible (mainly BSD/Linux).
+ *
+ * Recommended CFLAGS for Clang/GCC:
+ *
+ * -Os -Wall -Wextra -Werror -pedantic -std=c90
+ */
+/*
+ * In practise, most people
+ * aren't going to use very
+ * long names, so even on old
+ * systems with weaker limits,
+ * it's OK to set this higher.
+ *
+ * 4096 is a good, conservative
+ * default these days.
+ */
+#ifndef PATH_LEN
+#ifdef PATH_MAX
+#define PATH_LEN (PATH_MAX)
+#else
+#define PATH_LEN 4096
+#endif
+#endif
+
+#define OFF_ERR 0
+#ifndef OFF_RESET
+#define OFF_RESET 1
+#endif
+
+/*
+ * I/O config (build-time)
+ *
+ * Regarding:
+ * Retries on zero-return.
+ *
+ * 5 retries is generous,
+ * but also conservative.
+ * This is enough for e.g.
+ * slow USB flash drives,
+ * busy NFS servers, etc.
+ * Any more is too much
+ * and not of much benefit.
+ *
+ * 3-5 will tolerate buggy
+ * USB drives for example,
+ * but won't spin as long
+ * on really buggy and slow
+ * networks e.g. slow NFS.
+ *
+ * At least 3-5 recommended.
+ * Pass this at build time.
+ */
+#ifndef MAX_ZERO_RW_RETRY
+#define MAX_ZERO_RW_RETRY 5
+#endif
+/*
+ * 0: portable pread/pwrite
+ * 1: real pread/pwrite (thread-safe)
+ * Pass this at build-time
+ */
+#ifndef HAVE_REAL_PREAD_PWRITE
+#define HAVE_REAL_PREAD_PWRITE 0
+#endif
+/*
+ * Configure whether to wait on
+ * EINTR on files, or EAGAIN on
+ * cmd cat (stdout).
+ *
+ * Pass these at build time.
+ */
+#ifndef LOOP_EAGAIN
+#define LOOP_EAGAIN 1
+#endif
+#ifndef LOOP_EINTR
+#define LOOP_EINTR 1
+#endif
+
+/*
+ * Major TODO: split this into multiple files.
+ * This program has become quite large now, mostly
+ * due to all the extra sanity checks / portability.
+ * Make most of nvmutil a *library* for re-use
+ *
+ * TODO: gettimeofday not posible - use portable functions.
+ * TODO: ux fallback: modify the program instead
+ * to run on 16-bit systems: smaller buffers, and do
+ * operations byte-based instead of word-based.
+ *
+ * TODO: _XOPEN_SOURCE 500 probably not needed anymore.
+ * the portable fallbacks alone are likely enough.
+ * e.g. i don't need stdint, and i don't use pwrite/pread
+ * anymore.
+ *
+ * TODO: version detection of various BSDs to detect
+ * arc4random, use that if available. but also work on
+ * older versions of those BSDs (also MacOS) that lack it.
+ *
+ * TODO: portability/testing on non-Unix systems:
+ * old DOS. all windows versions (probably irrelevant
+ * because you can use cygwin/wsl, whatever), classic MacOS,
+ * also test really old unix e.g. sunos and irix. Be/Haiku too!
+ *
+ * TODO: reliance on global variables for status. make
+ * functions use structs passed as args instead, make
+ * functions re-useable (including libraries), etc.
+ *
+ * TODO: bound checks for files per-command, e.g. only
+ * first 6 bytes for CMD_SETMAC
+ *
+ * TODO: in command sanitizer: verify that each given
+ * entry corresponds to the correct function, in the
+ * pointer (this check is currently missing)
+ *
+ * TODO: general modularisierung of the entire codebase.
+ * TODO: better explain copy/swap read inversion trick
+ * by improving existing comments
+ * TODO: lots of overwritten comments in code. tidy it up.
+ *
+ * TODO: use getopt for nvmutil args, so that multiple
+ * operations can be performed, and also on many
+ * files at once (noting limitations with cat)
+ * BONUS: implement own getopt(), for portability
+ *
+ * TODO: document fuzzing / static analysis methods
+ * for the code, and:
+ * TODO: implement rigorous unit tests (separate util)
+ * NOTE: this would *include* known good test files
+ * in various configurations, also invalid files.
+ * the tests would likely be portable posix shell
+ * scripts rather than a new C program, but a modularisiert
+ * codebase would allow me to write a separate C
+ * program to test some finer intricacies
+ * TODO: the unit tests would basically test regressions
+ * TODO: after writing back a gbe to file, close() and
+ * open() it again, read it again, and check that
+ * the contents were written correctly, providing
+ * a warning if they were. do this in the main
+ * program.
+ * TODO: the unit tests would include an aggressive set
+ * of fuzz tests, under controlled conditions
+ *
+ * TODO: also document the layout of Intel GbE files, so
+ * that wily individuals can easily expand the
+ * featureset of nvmutil.
+ * TODO: write a manpage
+ * TODO: simplify the command sanitization, implement more
+ * of it as build time checks, e.g. static asserts.
+ * generally remove cleverness from the code, instead
+ * prefyerring readibility
+ * TODO: also document nvmutil's coding style, which is
+ * its own style at this point!
+ * TODO: when all the above (and possibly more) is done,
+ * submit this tool to coreboot with a further change
+ * to their build system that lets users modify
+ * GbE images, especially set MAC addresses, when
+ * including GbE files in coreboot configs.
+ */
+/*
+ BONUS TODO:
+ CI/CD. woodpecker is good enough, sourcehut also has one.
+ tie this in with other things mentioned here,
+ e.g. fuzzer / unit tests
+*/
+
+/* Major TODO: reproducible builds
+Test with and without these:
+
+CFLAGS += -fno-record-gcc-switches
+CFLAGS += -ffile-prefix-map=$(PWD)=.
+CFLAGS += -fdebug-prefix-map=$(PWD)=.
+
+I already avoid unique timestamps per-build,
+by not using them, e.g. not reporting build
+time in the program.
+
+When splitting the nvmutil.c file later, do e.g.:
+
+SRC = main.c io.c nvm.c cmd.c
+OBJ = $(SRC:.c=.o)
+
+^ explicitly declare the order in which to build
+*/
+
+/*
+TODO:
+further note when fuzzing is implemented:
+use deterministic randomisation, with a
+guaranteed seed - so e.g. don't use /dev/urandom
+in test builds. e.g. just use normal rand()
+but with a static seed e.g. 1234
+*/
+/*
+TODO: stricter build flags, e.g.
+CFLAGS += -fstack-protector-strong
+CFLAGS += -fno-common
+CFLAGS += -D_FORTIFY_SOURCE=2
+CFLAGS += -fPIE
+
+also consider:
+-fstack-clash-protection
+-Wl,-z,relro
+-Wl,-z,now
+*/
+
+#ifndef _FILE_OFFSET_BITS
+#define _FILE_OFFSET_BITS 64
+#endif
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/time.h>
#include <sys/stat.h>
-#include <dirent.h>
-#include <err.h>
#include <errno.h>
#include <fcntl.h>
-#include <stdint.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <time.h>
#include <unistd.h>
-void cmd_setchecksum(void), cmd_brick(void), cmd_copy(void), writeGbeFile(void),
- cmd_dump(void), cmd_setmac(void), readGbeFile(void), showmac(int partnum),
- hexdump(int partnum), handle_endianness(int partnum), openFiles(const char *path);
-int macAddress(const char *strMac, uint16_t *mac), validChecksum(int partnum);
-uint8_t hextonum(char chs), rhex(void);
-
-#define COMMAND argv[2]
-#define MAC_ADDRESS argv[3]
-#define PARTNUM argv[3]
-#define SIZE_4KB 0x1000
-
-uint16_t buf16[SIZE_4KB], mac[3] = {0, 0, 0};
-uint8_t *buf = (uint8_t *) &buf16;
-size_t nf = 128, gbe[2];
-uint8_t nvmPartModified[2] = {0, 0}, skipread[2] = {0, 0};
-int e = 1, flags = O_RDWR, rfd, fd, part, gbeFileModified = 0;
-
-const char *strMac = NULL, *strRMac = "??:??:??:??:??:??", *filename = NULL;
-
-typedef struct op {
- char *str;
- void (*cmd)(void);
- int args;
-} op_t;
-op_t op[] = {
-{ .str = "dump", .cmd = cmd_dump, .args = 3},
-{ .str = "setmac", .cmd = cmd_setmac, .args = 3},
-{ .str = "swap", .cmd = writeGbeFile, .args = 3},
-{ .str = "copy", .cmd = cmd_copy, .args = 4},
-{ .str = "brick", .cmd = cmd_brick, .args = 4},
-{ .str = "setchecksum", .cmd = cmd_setchecksum, .args = 4},
+typedef unsigned char u8;
+typedef unsigned short ushort;
+typedef unsigned int uint;
+typedef unsigned long ulong;
+
+/* type asserts */
+typedef char static_assert_char_is_8_bits[(CHAR_BIT == 8) ? 1 : -1];
+typedef char static_assert_char_is_1[(sizeof(char) == 1) ? 1 : -1];
+typedef char static_assert_u8_is_1[
+ (sizeof(u8) == 1) ? 1 : -1];
+typedef char static_assert_ushort_is_2[
+ (sizeof(ushort) >= 2) ? 1 : -1];
+typedef char static_assert_short_is_2[(sizeof(short) >= 2) ? 1 : -1];
+typedef char static_assert_uint_is_4[
+ (sizeof(uint) >= 4) ? 1 : -1];
+typedef char static_assert_ulong_is_4[
+ (sizeof(ulong) >= 4) ? 1 : -1];
+typedef char static_assert_int_ge_32[(sizeof(int) >= 4) ? 1 : -1];
+typedef char static_assert_twos_complement[
+ ((-1 & 3) == 3) ? 1 : -1
+];
+typedef char assert_ulong_ptr[
+ (sizeof(ulong) >= sizeof(void *)) ? 1 : -1
+];
+typedef char assert_size_t_ptr[
+ (sizeof(size_t) >= sizeof(void *)) ? 1 : -1
+];
+
+/*
+ * We set _FILE_OFFSET_BITS 64, but we only handle
+ * files that are 128KB in size at a maximum, so we
+ * realistically only need 32-bit at a minimum.
+ *
+ * We set 64 anyway, because there's no reason not
+ * to, but some systems may ignore _FILE_OFFSET_BITS
+ */
+typedef char static_assert_off_t_is_32[(sizeof(off_t) >= 4) ? 1 : -1];
+
+/*
+ * Older versions of BSD to the early 2000s
+ * could compile nvmutil, but pledge was
+ * added in the 2010s. Therefore, for extra
+ * portability, we will only pledge/unveil
+ * on OpenBSD versions that have it.
+ */
+#if defined(__OpenBSD__) && defined(OpenBSD)
+#if OpenBSD >= 604
+#ifndef NVMUTIL_UNVEIL
+#define NVMUTIL_UNVEIL 1
+#endif
+#endif
+#if OpenBSD >= 509
+#ifndef NVMUTIL_PLEDGE
+#define NVMUTIL_PLEDGE 1
+#endif
+#endif
+#endif
+
+#ifndef EXIT_FAILURE
+#define EXIT_FAILURE 1
+#endif
+
+#ifndef EXIT_SUCCESS
+#define EXIT_SUCCESS 0
+#endif
+
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
+#endif
+
+#ifndef FD_CLOEXEC
+#define FD_CLOEXEC 0
+#endif
+
+/*
+ * Sanitize command tables.
+ */
+static void sanitize_command_list(void);
+static void sanitize_command_index(size_t c);
+
+/*
+ * Argument handling (user input)
+ */
+static void set_cmd(int argc, char *argv[]);
+static void set_cmd_args(int argc, char *argv[]);
+static size_t conv_argv_part_num(const char *part_str);
+static int xstrxcmp(const char *a, const char *b, size_t maxlen);
+
+/*
+ * Prep files for reading
+ */
+static void open_gbe_file(void);
+static int lock_file(int fd);
+static void xopen(int *fd, const char *path, int flags, struct stat *st);
+
+/*
+ * Read GbE file and verify
+ * checksums.
+ *
+ * After this, we can run commands.
+ */
+static void copy_gbe(void);
+static void read_checksums(void);
+static int good_checksum(size_t partnum);
+
+/*
+ * Execute user command on GbE data.
+ * These are stubs that call helpers.
+ */
+static void run_cmd(size_t c);
+static void check_command_num(size_t c);
+static u8 valid_command(size_t c);
+
+/*
+ * Helper functions for command: setmac
+ */
+static void cmd_helper_setmac(void);
+static void parse_mac_string(void);
+static size_t xstrxlen(const char *scmp, size_t maxlen);
+static void set_mac_byte(size_t mac_byte_pos);
+static void set_mac_nib(size_t mac_str_pos,
+ size_t mac_byte_pos, size_t mac_nib_pos);
+static ushort hextonum(char ch_s);
+static ushort rhex(void);
+static ushort read_urandom(void);
+static ulong entropy_jitter(void);
+static void write_mac_part(size_t partnum);
+
+/*
+ * Helper functions for command: dump
+ */
+static void cmd_helper_dump(void);
+static void print_mac_from_nvm(size_t partnum);
+static void hexdump(size_t partnum);
+
+/*
+ * Helper functions for command: swap
+ */
+static void cmd_helper_swap(void);
+
+/*
+ * Helper functions for command: copy
+ */
+static void cmd_helper_copy(void);
+
+/*
+ * Helper functions for commands:
+ * cat, cat16 and cat128
+ */
+static void cmd_helper_cat(void);
+static void cat_buf(u8 *b);
+
+/*
+ * After command processing, write
+ * the modified GbE file back.
+ *
+ * These are stub functions: check
+ * below for the actual functions.
+ */
+static void write_gbe_file(void);
+static void set_checksum(size_t part);
+static ushort calculated_checksum(size_t p);
+
+/*
+ * Helper functions for accessing
+ * the NVM area during operation.
+ */
+static ushort nvm_word(size_t pos16, size_t part);
+static void set_nvm_word(size_t pos16, size_t part, ushort val16);
+static void set_part_modified(size_t p);
+static void check_nvm_bound(size_t pos16, size_t part);
+static void check_bin(size_t a, const char *a_name);
+
+/*
+ * Helper functions for stub functions
+ * that handle GbE file reads/writes.
+ */
+static void rw_gbe_file_part(size_t p, int rw_type,
+ const char *rw_type_str);
+static void write_to_gbe_bin(void);
+static int gbe_mv(void);
+static void check_written_part(size_t p);
+static void report_io_err_rw(void);
+static int fsync_dir(const char *path);
+static u8 *gbe_mem_offset(size_t part, const char *f_op);
+static off_t gbe_file_offset(size_t part, const char *f_op);
+static off_t gbe_x_offset(size_t part, const char *f_op,
+ const char *d_type, off_t nsize, off_t ncmp);
+static ssize_t rw_gbe_file_exact(int fd, u8 *mem, size_t nrw,
+ off_t off, int rw_type);
+static ssize_t rw_file_exact(int fd, u8 *mem, size_t len,
+ off_t off, int rw_type, int loop_eagain, int loop_eintr,
+ size_t max_retries, int off_reset);
+static ssize_t prw(int fd, void *mem, size_t nrw,
+ off_t off, int rw_type, int loop_eagain, int loop_eintr,
+ int off_reset);
+static int io_args(int fd, void *mem, size_t nrw,
+ off_t off, int rw_type);
+static int check_file(int fd, struct stat *st);
+static ssize_t rw_over_nrw(ssize_t r, size_t nrw);
+#if !defined(HAVE_REAL_PREAD_PWRITE) || \
+ HAVE_REAL_PREAD_PWRITE < 1
+static off_t lseek_loop(int fd, off_t off,
+ int whence, int loop_eagain, int loop_eintr);
+#endif
+static int try_err(int loop_err, int errval);
+
+/*
+ * Error handling and cleanup
+ */
+static void usage(void);
+static void err(int nvm_errval, const char *msg, ...);
+static int exit_cleanup(void);
+static const char *getnvmprogname(void);
+
+/*
+ * a special kind of hell
+ */
+static char *new_tmpfile(int *fd, int local, const char *path);
+
+/*
+ * Sizes in bytes:
+ */
+#define SIZE_1KB 1024
+#define SIZE_4KB (4 * SIZE_1KB)
+#define SIZE_8KB (8 * SIZE_1KB)
+#define SIZE_16KB (16 * SIZE_1KB)
+#define SIZE_128KB (128 * SIZE_1KB)
+
+#define GBE_BUF_SIZE (SIZE_128KB)
+
+/*
+ * First 128 bytes of a GbE part contains
+ * the regular NVM (Non-Volatile-Memory)
+ * area. All of these bytes must add up,
+ * truncated to 0xBABA.
+ *
+ * The full GbE region is 4KB, but only
+ * the first 128 bytes are used here.
+ *
+ * There is a second 4KB part with the same
+ * rules, and it *should* be identical.
+ */
+#define GBE_WORK_SIZE (SIZE_8KB)
+#define GBE_PART_SIZE (GBE_WORK_SIZE >> 1)
+#define NVM_CHECKSUM 0xBABA
+#define NVM_SIZE 128
+#define NVM_WORDS (NVM_SIZE >> 1)
+#define NVM_CHECKSUM_WORD (NVM_WORDS - 1)
+
+/*
+ * Portable macro based on BSD nitems.
+ * Used to count the number of commands (see below).
+ */
+#define items(x) (sizeof((x)) / sizeof((x)[0]))
+
+/*
+ * GbE files can be 8KB, 16KB or 128KB,
+ * but we only need the two 4KB parts
+ * from offset zero and offset 64KB in
+ * a 128KB file, or zero and 8KB in a 16KB
+ * file, or zero and 4KB in an 8KB file.
+ *
+ * The code will handle this properly.
+ */
+static u8 real_buf[GBE_BUF_SIZE];
+static u8 bufcmp[GBE_BUF_SIZE]; /* compare gbe/tmp/reads */
+static u8 pad[GBE_WORK_SIZE]; /* the file that wouldn't die */
+static u8 *buf = real_buf;
+
+static ushort mac_buf[3];
+static off_t gbe_file_size;
+static off_t gbe_tmp_size;
+
+static int gbe_fd = -1;
+static size_t part;
+static u8 part_modified[2];
+static u8 part_valid[2];
+
+static const char rmac[] = "xx:xx:xx:xx:xx:xx";
+static const char *mac_str = rmac;
+static const char *fname = NULL;
+static const char *argv0;
+
+#ifndef SSIZE_MAX
+#define SSIZE_MAX ((ssize_t)(~((size_t)1 << (sizeof(ssize_t)*CHAR_BIT-1))))
+#endif
+
+/*
+ * Use these for .argc in command[]:
+ */
+#define ARGC_3 3
+#define ARGC_4 4
+
+#define NO_LOOP_EAGAIN 0
+#define NO_LOOP_EINTR 0
+
+enum {
+ IO_READ,
+ IO_WRITE,
+ IO_PREAD,
+ IO_PWRITE
+};
+
+/*
+ * Used as indices for command[]
+ * MUST be in the same order as entries in command[]
+ */
+enum {
+ CMD_DUMP,
+ CMD_SETMAC,
+ CMD_SWAP,
+ CMD_COPY,
+ CMD_CAT,
+ CMD_CAT16,
+ CMD_CAT128
+};
+
+enum {
+ ARG_NOPART,
+ ARG_PART
+};
+
+enum {
+ SKIP_CHECKSUM_READ,
+ CHECKSUM_READ
+};
+
+enum {
+ SKIP_CHECKSUM_WRITE,
+ CHECKSUM_WRITE
+};
+
+struct commands {
+ size_t chk;
+ const char *str;
+ void (*run)(void);
+ int argc;
+ u8 arg_part;
+ u8 chksum_read;
+ u8 chksum_write;
+ size_t rw_size; /* within the 4KB GbE part */
+ int flags; /* e.g. O_RDWR or O_RDONLY */
+};
+
+/*
+ * Command table, for nvmutil commands
+ */
+static const struct commands command[] = {
+ { CMD_DUMP, "dump", cmd_helper_dump, ARGC_3,
+ ARG_NOPART,
+ SKIP_CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+ NVM_SIZE, O_RDONLY },
+
+ { CMD_SETMAC, "setmac", cmd_helper_setmac, ARGC_3,
+ ARG_NOPART,
+ CHECKSUM_READ, CHECKSUM_WRITE,
+ NVM_SIZE, O_RDWR },
+
+ { CMD_SWAP, "swap", cmd_helper_swap, ARGC_3,
+ ARG_NOPART,
+ CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+ GBE_PART_SIZE, O_RDWR },
+
+ { CMD_COPY, "copy", cmd_helper_copy, ARGC_4,
+ ARG_PART,
+ CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+ GBE_PART_SIZE, O_RDWR },
+
+ { CMD_CAT, "cat", cmd_helper_cat, ARGC_3,
+ ARG_NOPART,
+ CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+ GBE_PART_SIZE, O_RDONLY },
+
+ { CMD_CAT16, "cat16", cmd_helper_cat, ARGC_3,
+ ARG_NOPART,
+ CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+ GBE_PART_SIZE, O_RDONLY },
+
+ { CMD_CAT128, "cat128", cmd_helper_cat, ARGC_3,
+ ARG_NOPART,
+ CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+ GBE_PART_SIZE, O_RDONLY },
};
-void (*cmd)(void) = NULL;
-#define ERR() errno = errno ? errno : ECANCELED
-#define err_if(x) if (x) err(ERR(), "%s", filename)
+#define MAX_CMD_LEN 50
+#define N_COMMANDS items(command)
+#define CMD_NULL N_COMMANDS
+
+/*
+ * Index in command[], will be set later
+ */
+static size_t cmd_index = CMD_NULL;
+
+/*
+ * asserts (variables/defines sanity check)
+ */
+typedef char assert_argc3[(ARGC_3==3)?1:-1];
+typedef char assert_argc4[(ARGC_4==4)?1:-1];
+typedef char assert_read[(IO_READ==0)?1:-1];
+typedef char assert_write[(IO_WRITE==1)?1:-1];
+typedef char assert_pread[(IO_PREAD==2)?1:-1];
+typedef char assert_pwrite[(IO_PWRITE==3)?1:-1];
+typedef char assert_pathlen[(PATH_LEN>=256)?1:-1];
+/* commands */
+typedef char assert_cmd_dump[(CMD_DUMP==0)?1:-1];
+typedef char assert_cmd_setmac[(CMD_SETMAC==1)?1:-1];
+typedef char assert_cmd_swap[(CMD_SWAP==2)?1:-1];
+typedef char assert_cmd_copy[(CMD_COPY==3)?1:-1];
+typedef char assert_cmd_cat[(CMD_CAT==4)?1:-1];
+typedef char assert_cmd_cat16[(CMD_CAT16==5)?1:-1];
+typedef char assert_cmd_cat128[(CMD_CAT128==6)?1:-1];
+/* bool */
+typedef char bool_arg_nopart[(ARG_NOPART==0)?1:-1];
+typedef char bool_arg_part[(ARG_PART==1)?1:-1];
+typedef char bool_skip_checksum_read[(SKIP_CHECKSUM_READ==0)?1:-1];
+typedef char bool_checksum_read[(CHECKSUM_READ==1)?1:-1];
+typedef char bool_skip_checksum_write[(SKIP_CHECKSUM_WRITE==0)?1:-1];
+typedef char bool_checksum_write[(CHECKSUM_WRITE==1)?1:-1];
+typedef char bool_loop_eintr[(LOOP_EINTR==1||LOOP_EINTR==0)?1:-1];
+typedef char bool_loop_eagain[(LOOP_EAGAIN==1||LOOP_EAGAIN==0)?1:-1];
+typedef char bool_no_loop_eintr[(NO_LOOP_EINTR==0)?1:-1];
+typedef char bool_no_loop_eagain[(NO_LOOP_EAGAIN==0)?1:-1];
+typedef char bool_off_err[(OFF_ERR==0)?1:-1];
+typedef char bool_off_reset[(OFF_RESET==0||OFF_RESET==1)?1:-1];
+
+static int io_err_gbe = 0; /* intermediary write (verification) */
+static int io_err_gbe_bin = 0; /* final write (real file) */
+static int rw_check_err_read[] = {0, 0};
+static int rw_check_partial_read[] = {0, 0};
+static int rw_check_bad_part[] = {0, 0};
+
+static int post_rw_checksum[] = {0, 0};
+
+static dev_t gbe_dev;
+static ino_t gbe_ino;
-#define xopen(f,l,p) if (opendir(l) != NULL) err(errno = EISDIR, "%s", l); \
- if ((f = open(l, p)) == -1) err(ERR(), "%s", l); \
- if (fstat(f, &st) == -1) err(ERR(), "%s", l)
+static dev_t tmp_dev;
+static ino_t tmp_ino;
-#define word(pos16, partnum) buf16[pos16 + (partnum << 11)]
-#define setWord(pos16, p, val16) if ((gbeFileModified = 1) && \
- word(pos16, p) != val16) nvmPartModified[p] = 1 | (word(pos16, p) = val16)
+/*
+ * No need to declare feature
+ * macros. I jus declare the
+ * prototypes. Should be safe
+ * on most Unices and compilers
+ */
+int mkstemp(char *template);
+int fchmod(int fd, mode_t mode);
+
+static int tmp_fd = -1;
+static char *tname = NULL;
int
main(int argc, char *argv[])
{
- if (argc < 3) {
- fprintf(stderr, "USAGE:\n");
- fprintf(stderr, " %s FILE dump\n", argv[0]);
- fprintf(stderr, " %s FILE setmac [MAC]\n", argv[0]);
- fprintf(stderr, " %s FILE swap\n", argv[0]);
- fprintf(stderr, " %s FILE copy 0|1\n", argv[0]);
- fprintf(stderr, " %s FILE brick 0|1\n", argv[0]);
- fprintf(stderr, " %s FILE setchecksum 0|1\n", argv[0]);
- err(errno = ECANCELED, "Too few arguments");
- }
- flags = (strcmp(COMMAND, "dump") == 0) ? O_RDONLY : flags;
- filename = argv[1];
-#ifdef __OpenBSD__
- err_if(unveil("/dev/urandom", "r") == -1);
- err_if(unveil(filename, flags == O_RDONLY ? "r" : "rw") == -1);
- err_if(pledge(flags == O_RDONLY ? "stdio rpath" : "stdio rpath wpath",
- NULL) == -1);
+ argv0 = argv[0];
+ if (argc < 3)
+ usage();
+
+ fname = argv[1];
+
+ tname = new_tmpfile(&tmp_fd, 0, NULL);
+ if (tname == NULL)
+ err(errno, "Can't create tmpfile");
+
+#ifdef NVMUTIL_PLEDGE
+#ifdef NVMUTIL_UNVEIL
+ if (pledge("stdio flock rpath wpath cpath unveil", NULL) == -1)
+ err(errno, "pledge, unveil");
+ if (unveil("/dev/urandom", "r") == -1)
+ err(errno, "unveil: /dev/urandom");
+#else
+ if (pledge("stdio flock rpath wpath cpath", NULL) == -1)
+ err(errno, "pledge");
#endif
- openFiles(filename);
-#ifdef __OpenBSD__
- err_if(pledge("stdio", NULL) == -1);
#endif
- for (int i = 0; i < 6; i++)
- if (strcmp(COMMAND, op[i].str) == 0)
- if ((cmd = argc >= op[i].args ? op[i].cmd : NULL))
- break;
- if (cmd == cmd_setmac)
- strMac = (argc > 3) ? MAC_ADDRESS : strRMac;
- else if ((cmd != NULL) && (argc > 3))
- err_if((errno = (!((part = PARTNUM[0] - '0') == 0 || part == 1))
- || PARTNUM[1] ? EINVAL : errno));
- err_if((errno = (cmd == NULL) ? EINVAL : errno));
+ sanitize_command_list();
+
+ set_cmd(argc, argv);
+ set_cmd_args(argc, argv);
+
+#ifdef NVMUTIL_UNVEIL
+ if (command[cmd_index].flags == O_RDONLY) {
+ if (unveil(fname, "r") == -1)
+ err(errno, "%s: unveil r", fname);
+ } else {
+ if (unveil(fname, "rwc") == -1)
+ err(errno, "%s: unveil rw", fname);
+ }
+
+ if (unveil(tname, "rwc") == -1)
+ err(errno, "%s: unveil rwc", tname);
+
+ if (unveil(NULL, NULL) == -1)
+ err(errno, "unveil block (rw)");
+
+ if (pledge("stdio flock rpath wpath cpath", NULL) == -1)
+ err(errno, "pledge (kill unveil)");
+#endif
+
+ srand((uint)(time(NULL) ^ getpid()));
+
+ open_gbe_file();
+
+ memset(buf, 0, GBE_BUF_SIZE);
+ memset(bufcmp, 0, GBE_BUF_SIZE);
- readGbeFile();
- (*cmd)();
+ copy_gbe();
- if ((gbeFileModified) && (flags != O_RDONLY) && (cmd != writeGbeFile))
- writeGbeFile();
- err_if((errno != 0) && (cmd != cmd_dump));
- return errno;
+ read_checksums();
+
+ run_cmd(cmd_index);
+
+ if (command[cmd_index].flags == O_RDWR)
+ write_to_gbe_bin();
+
+ if (exit_cleanup() == -1)
+ err(EIO, "%s: close", fname);
+
+ if (io_err_gbe_bin)
+ err(EIO, "%s: error writing final file");
+
+ if (tname != NULL)
+ free(tname);
+
+ return EXIT_SUCCESS;
}
-void
-openFiles(const char *path)
+/*
+ * Guard against regressions by maintainers (command table)
+ */
+static void
+sanitize_command_list(void)
{
- struct stat st;
- xopen(fd, path, flags);
- if ((st.st_size != (SIZE_4KB << 1)))
- err(errno = ECANCELED, "File `%s` not 8KiB", path);
- xopen(rfd, "/dev/urandom", O_RDONLY);
- errno = errno != ENOTDIR ? errno : 0;
-}
-
-void
-readGbeFile(void)
-{
- nf = ((cmd == writeGbeFile) || (cmd == cmd_copy)) ? SIZE_4KB : nf;
- skipread[part ^ 1] = (cmd == cmd_copy) | (cmd == cmd_setchecksum)
- | (cmd == cmd_brick);
- gbe[1] = (gbe[0] = (size_t) buf) + SIZE_4KB;
- for (int p = 0; p < 2; p++) {
- if (skipread[p])
- continue;
- err_if(pread(fd, (uint8_t *) gbe[p], nf, p << 12) == -1);
- handle_endianness(p);
+ size_t c;
+
+ for (c = 0; c < N_COMMANDS; c++)
+ sanitize_command_index(c);
+}
+
+/*
+ * TODO: specific config checks per command
+ */
+static void
+sanitize_command_index(size_t c)
+{
+ size_t gbe_rw_size;
+
+ check_command_num(c);
+
+ if (command[c].argc < 3)
+ err(EINVAL, "cmd index %lu: argc below 3, %d",
+ (ulong)c, command[c].argc);
+
+ if (command[c].str == NULL)
+ err(EINVAL, "cmd index %lu: NULL str",
+ (ulong)c);
+ if (*command[c].str == '\0')
+ err(EINVAL, "cmd index %lu: empty str",
+ (ulong)c);
+
+ if (xstrxlen(command[c].str, MAX_CMD_LEN + 1) >
+ MAX_CMD_LEN) {
+ err(EINVAL, "cmd index %lu: str too long: %s",
+ (ulong)c, command[c].str);
}
+
+ if (command[c].run == NULL)
+ err(EINVAL, "cmd index %lu: cmd ptr null",
+ (ulong)c);
+
+ check_bin(command[c].arg_part, "cmd.arg_part");
+ check_bin(command[c].chksum_read, "cmd.chksum_read");
+ check_bin(command[c].chksum_write, "cmd.chksum_write");
+
+ gbe_rw_size = command[c].rw_size;
+
+ switch (gbe_rw_size) {
+ case GBE_PART_SIZE:
+ case NVM_SIZE:
+ break;
+ default:
+ err(EINVAL, "Unsupported rw_size: %lu",
+ (ulong)gbe_rw_size);
+ }
+
+ if (gbe_rw_size > GBE_PART_SIZE)
+ err(EINVAL, "rw_size larger than GbE part: %lu",
+ (ulong)gbe_rw_size);
+
+ if (command[c].flags != O_RDONLY &&
+ command[c].flags != O_RDWR)
+ err(EINVAL, "invalid cmd.flags setting");
}
-void
-cmd_setmac(void)
+static void
+set_cmd(int argc, char *argv[])
{
- if (macAddress(strMac, mac))
- err(errno = ECANCELED, "Bad MAC address");
- for (int partnum = 0; partnum < 2; partnum++) {
- if (!validChecksum(part = partnum))
+ const char *cmd_str;
+
+ for (cmd_index = 0; valid_command(cmd_index); cmd_index++) {
+ cmd_str = command[cmd_index].str;
+
+ if (xstrxcmp(argv[2], cmd_str, MAX_CMD_LEN) != 0)
continue;
- for (int w = 0; w < 3; w++)
- setWord(w, partnum, mac[w]);
- cmd_setchecksum();
+ else if (argc >= command[cmd_index].argc)
+ return;
+
+ err(EINVAL, "Too few args on command '%s'", cmd_str);
}
+
+ cmd_index = CMD_NULL;
}
-int
-macAddress(const char *strMac, uint16_t *mac)
-{
- uint64_t total = 0;
- if (strnlen(strMac, 20) == 17) {
- for (uint8_t h, i = 0; i < 16; i += 3) {
- if (i != 15)
- if (strMac[i + 2] != ':')
- return 1;
- int byte = i / 3;
- for (int nib = 0; nib < 2; nib++, total += h) {
- if ((h = hextonum(strMac[i + nib])) > 15)
- return 1;
- if ((byte == 0) && (nib == 1))
- if (strMac[i + nib] == '?')
- h = (h & 0xE) | 2; /* local, unicast */
- mac[byte >> 1] |= ((uint16_t ) h)
- << ((8 * (byte % 2)) + (4 * (nib ^ 1)));
+static void
+set_cmd_args(int argc, char *argv[])
+{
+ u8 arg_part;
+
+ if (!valid_command(cmd_index) || argc < 3)
+ usage();
+
+ arg_part = command[cmd_index].arg_part;
+
+ /* Maintainer bugs */
+ if (arg_part && argc < 4)
+ err(EINVAL,
+ "arg_part set for command that needs argc4");
+ if (arg_part && cmd_index == CMD_SETMAC)
+ err(EINVAL,
+ "arg_part set on CMD_SETMAC");
+
+ if (cmd_index == CMD_SETMAC)
+ mac_str = argc >= 4 ? argv[3] : rmac;
+ else if (arg_part)
+ part = conv_argv_part_num(argv[3]);
+}
+
+static size_t
+conv_argv_part_num(const char *part_str)
+{
+ u8 ch;
+
+ if (part_str[0] == '\0' || part_str[1] != '\0')
+ err(EINVAL, "Partnum string '%s' wrong length", part_str);
+
+ /* char signedness is implementation-defined */
+ ch = (u8)part_str[0];
+ if (ch < '0' || ch > '1')
+ err(EINVAL, "Bad part number (%c)", ch);
+
+ return (size_t)(ch - '0');
+}
+
+/*
+ * Portable strcmp() but blocks NULL/empty/unterminated
+ * strings. Even stricter than strncmp().
+ */
+static int
+xstrxcmp(const char *a, const char *b, size_t maxlen)
+{
+ size_t i;
+
+ if (a == NULL || b == NULL)
+ err(EINVAL, "NULL input to xstrxcmp");
+
+ if (*a == '\0' || *b == '\0')
+ err(EINVAL, "Empty string in xstrxcmp");
+
+ for (i = 0; i < maxlen; i++) {
+ u8 ac = (u8)a[i];
+ u8 bc = (u8)b[i];
+
+ if (ac == '\0' || bc == '\0') {
+ if (ac == bc)
+ return 0;
+ return ac - bc;
}
- }}
- return ((total == 0) | (mac[0] & 1)); /* multicast/all-zero banned */
+
+ if (ac != bc)
+ return ac - bc;
+ }
+
+ /*
+ * We reached maxlen, so assume unterminated string.
+ */
+ err(EINVAL, "Unterminated string in xstrxcmp");
+
+ /*
+ * Should never reach here. This keeps compilers happy.
+ */
+ errno = EINVAL;
+ return -1;
+}
+
+static void
+open_gbe_file(void)
+{
+ struct stat gbe_st;
+ int flags;
+
+ xopen(&gbe_fd, fname,
+ command[cmd_index].flags | O_BINARY |
+ O_NOFOLLOW | O_CLOEXEC, &gbe_st);
+
+ /* inode will be checked later on write */
+ gbe_dev = gbe_st.st_dev;
+ gbe_ino = gbe_st.st_ino;
+
+ if (gbe_st.st_nlink > 1)
+ fprintf(stderr,
+ "%s: warning: file has %lu hard links\n",
+ fname, (ulong)gbe_st.st_nlink);
+
+ if (gbe_st.st_nlink == 0)
+ err(EIO, "%s: file unlinked while open", fname);
+
+ flags = fcntl(gbe_fd, F_GETFL);
+ if (flags == -1)
+ err(errno, "%s: fcntl(F_GETFL)", fname);
+
+ /*
+ * O_APPEND must not be used, because this
+ * allows POSIX write() to ignore the
+ * current write offset and write at EOF,
+ * which would therefore break pread/pwrite
+ */
+ if (flags & O_APPEND)
+ err(EIO, "%s: O_APPEND flag", fname);
+
+ gbe_file_size = gbe_st.st_size;
+
+ switch (gbe_file_size) {
+ case SIZE_8KB:
+ case SIZE_16KB:
+ case SIZE_128KB:
+ break;
+ default:
+ err(EINVAL, "File size must be 8KB, 16KB or 128KB");
+ }
+
+ if (lock_file(gbe_fd) == -1)
+ err(errno, "%s: can't lock", fname);
}
-uint8_t
-hextonum(char ch)
+static int
+lock_file(int fd)
{
- if ((ch >= '0') && (ch <= '9'))
+ struct flock fl;
+
+ memset(&fl, 0, sizeof(fl));
+
+ if (command[cmd_index].flags == O_RDONLY)
+ fl.l_type = F_RDLCK;
+ else
+ fl.l_type = F_WRLCK;
+
+ fl.l_whence = SEEK_SET;
+
+ if (fcntl(fd, F_SETLK, &fl) == -1)
+ return -1;
+
+ return 0;
+}
+
+static void
+xopen(int *fd_ptr, const char *path, int flags, struct stat *st)
+{
+ if ((*fd_ptr = open(path, flags)) == -1)
+ err(errno, "%s", path);
+
+ if (fstat(*fd_ptr, st) == -1)
+ err(errno, "%s: stat", path);
+
+ if (!S_ISREG(st->st_mode))
+ err(errno, "%s: not a regular file", path);
+
+ if (lseek(*fd_ptr, 0, SEEK_CUR) == (off_t)-1)
+ err(errno, "%s: file not seekable", path);
+}
+
+/*
+ * We copy the entire gbe file
+ * to the tmpfile, and then we
+ * work on that. We copy back
+ * afterward. this is the copy.
+ *
+ * we copy to tmpfile even on
+ * read-only commands, for the
+ * double-read verification,
+ * which also benefits cmd_cat.
+ */
+static void
+copy_gbe(void)
+{
+ ssize_t r;
+ struct stat st;
+
+ /* read main file */
+ r = rw_file_exact(gbe_fd, buf, gbe_file_size,
+ 0, IO_PREAD, NO_LOOP_EAGAIN, LOOP_EINTR,
+ MAX_ZERO_RW_RETRY, OFF_ERR);
+
+ if (r < 0)
+ err(errno, "%s: read failed", fname);
+
+ /* copy to tmpfile */
+
+ r = rw_file_exact(tmp_fd, buf, gbe_file_size,
+ 0, IO_PWRITE, NO_LOOP_EAGAIN, LOOP_EINTR,
+ MAX_ZERO_RW_RETRY, OFF_ERR);
+
+ if (r < 0)
+ err(errno, "%s: %s: copy failed",
+ fname, tname);
+
+ /*
+ * file size comparison
+ */
+
+ if (fstat(tmp_fd, &st) == -1)
+ err(errno, "%s: stat", tname);
+
+ gbe_tmp_size = st.st_size;
+
+ if (gbe_tmp_size != gbe_file_size)
+ err(EIO, "%s: %s: not the same size", fname, tname);
+
+ /*
+ * fsync tmp gbe file, because we will compare
+ * its contents to what was read (for safety)
+ */
+ if (fsync(tmp_fd) == -1)
+ err(errno, "%s: fsync (tmpfile copy)", tname);
+
+ r = rw_file_exact(tmp_fd, bufcmp, gbe_file_size,
+ 0, IO_PREAD, NO_LOOP_EAGAIN, LOOP_EINTR,
+ MAX_ZERO_RW_RETRY, OFF_ERR);
+
+ if (r < 0)
+ err(errno, "%s: read failed (cmp)", tname);
+
+ if (memcmp(buf, bufcmp, gbe_file_size) != 0)
+ err(errno, "%s: %s: read contents differ (pre-test)",
+ fname, tname);
+
+ /*
+ regular operations post-read operate only on the first
+ 8KB, because each GbE part is the first 4KB of each
+ half of the file.
+
+ we no longer care about anything past 8KB, until we get
+ to writing, at which point we will flush the buffer
+ again
+ */
+
+ if (gbe_file_size == SIZE_8KB)
+ return;
+
+ memcpy(buf + (size_t)GBE_PART_SIZE,
+ buf + (size_t)(gbe_file_size >> 1),
+ (size_t)GBE_PART_SIZE);
+}
+
+static void
+read_checksums(void)
+{
+ size_t p;
+ size_t skip_part;
+ u8 arg_part;
+ u8 num_invalid;
+ u8 max_invalid;
+
+ part_valid[0] = 0;
+ part_valid[1] = 0;
+
+ if (!command[cmd_index].chksum_read)
+ return;
+
+ num_invalid = 0;
+ max_invalid = 2;
+
+ arg_part = command[cmd_index].arg_part;
+ if (arg_part)
+ max_invalid = 1;
+
+ /*
+ * Skip verification on this part,
+ * but only when arg_part is set.
+ */
+ skip_part = part ^ 1;
+
+ for (p = 0; p < 2; p++) {
+ /*
+ * Only verify a part if it was *read*
+ */
+ if (arg_part && (p == skip_part))
+ continue;
+
+ part_valid[p] = good_checksum(p);
+ if (!part_valid[p])
+ ++num_invalid;
+ }
+
+ if (num_invalid >= max_invalid) {
+ if (max_invalid == 1)
+ err(ECANCELED, "%s: part %lu has a bad checksum",
+ fname, (ulong)part);
+ err(ECANCELED, "%s: No valid checksum found in file",
+ fname);
+ }
+}
+
+static int
+good_checksum(size_t partnum)
+{
+ ushort expected_checksum = calculated_checksum(partnum);
+ ushort current_checksum = nvm_word(NVM_CHECKSUM_WORD, partnum);
+
+ if (current_checksum == expected_checksum)
+ return 1;
+
+ return 0;
+}
+
+static void
+run_cmd(size_t c)
+{
+ check_command_num(c);
+
+ if (command[c].run == NULL)
+ err(EINVAL, "Command %lu: null ptr", (ulong)c);
+
+ command[c].run();
+}
+
+static void
+check_command_num(size_t c)
+{
+ if (!valid_command(c))
+ err(EINVAL, "Invalid run_cmd arg: %lu",
+ (ulong)c);
+}
+
+static u8
+valid_command(size_t c)
+{
+ if (c >= N_COMMANDS)
+ return 0;
+
+ if (c != command[c].chk)
+ err(EINVAL, "Invalid cmd chk value (%lu) vs arg: %lu",
+ (ulong)command[c].chk, (ulong)c);
+
+ return 1;
+}
+
+static void
+cmd_helper_setmac(void)
+{
+ size_t partnum;
+
+ printf("MAC address to be written: %s\n", mac_str);
+ parse_mac_string();
+
+ for (partnum = 0; partnum < 2; partnum++)
+ write_mac_part(partnum);
+}
+
+static void
+parse_mac_string(void)
+{
+ size_t mac_byte;
+
+ if (xstrxlen(mac_str, 18) != 17)
+ err(EINVAL, "MAC address is the wrong length");
+
+ memset(mac_buf, 0, sizeof(mac_buf));
+
+ for (mac_byte = 0; mac_byte < 6; mac_byte++)
+ set_mac_byte(mac_byte);
+
+ if ((mac_buf[0] | mac_buf[1] | mac_buf[2]) == 0)
+ err(EINVAL, "Must not specify all-zeroes MAC address");
+
+ if (mac_buf[0] & 1)
+ err(EINVAL, "Must not specify multicast MAC address");
+}
+
+/*
+ * strnlen() but aborts on NULL input, and empty strings.
+ * Our version also prohibits unterminated strings.
+ * strnlen() was standardized in POSIX.1-2008 and is not
+ * available on some older systems, so we provide our own.
+ */
+static size_t
+xstrxlen(const char *scmp, size_t maxlen)
+{
+ size_t xstr_index;
+
+ if (scmp == NULL)
+ err(EINVAL, "NULL input to xstrxlen");
+
+ if (*scmp == '\0')
+ err(EINVAL, "Empty string in xstrxlen");
+
+ for (xstr_index = 0;
+ xstr_index < maxlen && scmp[xstr_index] != '\0';
+ xstr_index++);
+
+ if (xstr_index == maxlen)
+ err(EINVAL, "Unterminated string in xstrxlen");
+
+ return xstr_index;
+}
+
+static void
+set_mac_byte(size_t mac_byte_pos)
+{
+ size_t mac_str_pos = mac_byte_pos * 3;
+ size_t mac_nib_pos;
+ char separator;
+
+ if (mac_str_pos < 15) {
+ if ((separator = mac_str[mac_str_pos + 2]) != ':')
+ err(EINVAL, "Invalid MAC address separator '%c'",
+ separator);
+ }
+
+ for (mac_nib_pos = 0; mac_nib_pos < 2; mac_nib_pos++)
+ set_mac_nib(mac_str_pos, mac_byte_pos, mac_nib_pos);
+}
+
+static void
+set_mac_nib(size_t mac_str_pos,
+ size_t mac_byte_pos, size_t mac_nib_pos)
+{
+ char mac_ch;
+ ushort hex_num;
+
+ mac_ch = mac_str[mac_str_pos + mac_nib_pos];
+
+ if ((hex_num = hextonum(mac_ch)) > 15)
+ err(EINVAL, "Invalid character '%c'",
+ mac_str[mac_str_pos + mac_nib_pos]);
+
+ /*
+ * If random, ensure that local/unicast bits are set.
+ */
+ if ((mac_byte_pos == 0) && (mac_nib_pos == 1) &&
+ ((mac_ch | 0x20) == 'x' ||
+ (mac_ch == '?')))
+ hex_num = (hex_num & 0xE) | 2; /* local, unicast */
+
+ /*
+ * MAC words stored big endian in-file, little-endian
+ * logically, so we reverse the order.
+ */
+ mac_buf[mac_byte_pos >> 1] |= hex_num <<
+ (((mac_byte_pos & 1) << 3) /* left or right byte? */
+ | ((mac_nib_pos ^ 1) << 2)); /* left or right nib? */
+}
+
+static ushort
+hextonum(char ch_s)
+{
+ u8 ch = (u8)ch_s;
+
+ if ((uint)(ch - '0') <= 9)
return ch - '0';
- else if ((ch >= 'A') && (ch <= 'F'))
- return ch - 'A' + 10;
- else if ((ch >= 'a') && (ch <= 'f'))
+
+ ch |= 0x20;
+
+ if ((uint)(ch - 'a') <= 5)
return ch - 'a' + 10;
- return (ch == '?') ? rhex() : 16;
+
+ if (ch == '?' || ch == 'x')
+ return rhex(); /* random character */
+
+ return 16; /* invalid character */
}
-uint8_t
+static ushort
rhex(void)
{
- static uint8_t n = 0, rnum[16];
- if (!n)
- err_if(pread(rfd, (uint8_t *) &rnum, (n = 15) + 1, 0) == -1);
- return rnum[n--] & 0xf;
+ struct timeval tv;
+ ulong mix;
+ static ulong counter = 0;
+ ushort r;
+
+ /* Read /dev/urandom
+ * if possible */
+ r = read_urandom();
+ if (r < 16)
+ return r;
+
+ /* Fallback */
+
+ gettimeofday(&tv, NULL);
+
+ mix = (ulong)tv.tv_sec
+ ^ (ulong)tv.tv_usec
+ ^ (ulong)getpid()
+ ^ (ulong)&mix
+ ^ counter++
+ ^ entropy_jitter();
+
+ /*
+ * Stack addresses can vary between
+ * calls, thus increasing entropy.
+ */
+ mix ^= (ulong)&mix;
+ mix ^= (ulong)&tv;
+ mix ^= (ulong)&counter;
+
+ return (ushort)(mix & 0xf);
+}
+
+static ushort
+read_urandom(void)
+{
+ static int fd = -1;
+ static ssize_t n = -1;
+
+ static u8 r[256];
+
+ if (fd < 0) {
+
+ fd = open("/dev/urandom", O_RDONLY);
+
+ if (fd < 0)
+ return 16;
+ }
+
+ if (n < 0) {
+
+ n = rw_file_exact(fd, r, 256, 0, IO_READ,
+ LOOP_EAGAIN, LOOP_EINTR, 2, OFF_ERR);
+
+ if (n == 0)
+ n = -1;
+ if (n < 0)
+ return 16;
+
+ --n;
+ }
+
+ return r[n--] & 0xf;
+}
+
+static ulong
+entropy_jitter(void)
+{
+ struct timeval a, b;
+ ulong mix = 0;
+ long mix_diff;
+ int i;
+
+ for (i = 0; i < 8; i++) {
+ gettimeofday(&a, NULL);
+ getpid();
+ gettimeofday(&b, NULL);
+
+ /*
+ * prevent negative numbers to prevent overflow,
+ * which would bias rand to large numbers
+ */
+ mix_diff = (long)(b.tv_usec - a.tv_usec);
+ if (mix_diff < 0)
+ mix_diff = -mix_diff;
+
+ mix ^= (ulong)(mix_diff);
+ mix ^= (ulong)&mix;
+ }
+
+ return mix;
+}
+
+static void
+write_mac_part(size_t partnum)
+{
+ size_t w;
+
+ check_bin(partnum, "part number");
+ if (!part_valid[partnum])
+ return;
+
+ for (w = 0; w < 3; w++)
+ set_nvm_word(w, partnum, mac_buf[w]);
+
+ printf("Wrote MAC address to part %lu: ",
+ (ulong)partnum);
+ print_mac_from_nvm(partnum);
}
-void
-cmd_dump(void)
+static void
+cmd_helper_dump(void)
{
- for (int partnum = 0, numInvalid = 0; partnum < 2; partnum++) {
- if (!validChecksum(partnum))
- ++numInvalid;
- printf("MAC (part %d): ", partnum);
- showmac(partnum), hexdump(partnum);
- errno = ((numInvalid < 2) && (partnum)) ? 0 : errno;
+ size_t partnum;
+
+ part_valid[0] = good_checksum(0);
+ part_valid[1] = good_checksum(1);
+
+ for (partnum = 0; partnum < 2; partnum++) {
+ if (!part_valid[partnum])
+ fprintf(stderr,
+ "BAD checksum %04x in part %lu (expected %04x)\n",
+ nvm_word(NVM_CHECKSUM_WORD, partnum),
+ (ulong)partnum,
+ calculated_checksum(partnum));
+
+ printf("MAC (part %lu): ",
+ (ulong)partnum);
+ print_mac_from_nvm(partnum);
+ hexdump(partnum);
}
}
-void
-showmac(int partnum)
+static void
+print_mac_from_nvm(size_t partnum)
{
- for (int c = 0; c < 3; c++) {
- uint16_t val16 = word(c, partnum);
- printf("%02x:%02x", val16 & 0xff, val16 >> 8);
- printf(c == 2 ? "\n" : ":");
+ size_t c;
+ ushort val16;
+
+ for (c = 0; c < 3; c++) {
+ val16 = nvm_word(c, partnum);
+ printf("%02x:%02x",
+ (uint)(val16 & 0xff),
+ (uint)(val16 >> 8));
+ if (c == 2)
+ printf("\n");
+ else
+ printf(":");
}
}
-void
-hexdump(int partnum)
+static void
+hexdump(size_t partnum)
{
- for (int row = 0; row < 8; row++) {
- printf("%07x", row << 4);
- for (int c = 0; c < 8; c++) {
- uint16_t val16 = word((row << 3) + c, partnum);
- printf(" %02x%02x", val16 >> 8, val16 & 0xff);
- } printf("\n");
+ size_t c;
+ size_t row;
+ ushort val16;
+
+ for (row = 0; row < 8; row++) {
+ printf("%08lx ", (ulong)((size_t)row << 4));
+ for (c = 0; c < 8; c++) {
+ val16 = nvm_word((row << 3) + c, partnum);
+ if (c == 4)
+ printf(" ");
+ printf(" %02x %02x",
+ (uint)(val16 & 0xff),
+ (uint)(val16 >> 8));
+ }
+ printf("\n");
}
}
-void
-cmd_setchecksum(void)
+static void
+cmd_helper_swap(void)
{
- uint16_t val16 = 0;
- for (int c = 0; c < 0x3F; c++)
- val16 += word(c, part);
- setWord(0x3F, part, 0xBABA - val16);
+ memcpy(
+ buf + (size_t)GBE_WORK_SIZE,
+ buf,
+ GBE_PART_SIZE);
+
+ memcpy(
+ buf,
+ buf + (size_t)GBE_PART_SIZE,
+ GBE_PART_SIZE);
+
+ memcpy(
+ buf + (size_t)GBE_PART_SIZE,
+ buf + (size_t)GBE_WORK_SIZE,
+ GBE_PART_SIZE);
+
+ set_part_modified(0);
+ set_part_modified(1);
}
-void
-cmd_brick(void)
+static void
+cmd_helper_copy(void)
{
- if (validChecksum(part))
- setWord(0x3F, part, ((word(0x3F, part)) ^ 0xFF));
+ memcpy(
+ buf + (size_t)((part ^ 1) * GBE_PART_SIZE),
+ buf + (size_t)(part * GBE_PART_SIZE),
+ GBE_PART_SIZE);
+
+ set_part_modified(part ^ 1);
}
-void
-cmd_copy(void)
+static void
+cmd_helper_cat(void)
{
- if ((gbeFileModified = nvmPartModified[part ^ 1] = validChecksum(part)))
- gbe[part ^ 1] = gbe[part]; /* speedhack: copy ptr, not words */
+ size_t p = 0;
+ size_t ff = 0;
+ size_t nff = 0;
+
+ fflush(NULL);
+
+ memset(pad, 0xff, GBE_PART_SIZE);
+
+ switch (cmd_index) {
+ case CMD_CAT:
+ nff = 0;
+ break;
+ case CMD_CAT16:
+ nff = 1;
+ break;
+ case CMD_CAT128:
+ nff = 15;
+ break;
+ default:
+ err(EINVAL, "erroneous call to cat");
+ }
+
+ for (p = 0; p < 2; p++) {
+ cat_buf(bufcmp + (size_t)(p * (gbe_file_size >> 1)));
+
+ for (ff = 0; ff < nff; ff++)
+ cat_buf(pad);
+ }
}
-int
-validChecksum(int partnum)
+static void
+cat_buf(u8 *b)
{
- uint16_t total = 0;
- for(int w = 0; w <= 0x3F; w++)
- total += word(w, partnum);
- if (total == 0xBABA)
- return 1;
- fprintf(stderr, "WARNING: BAD checksum in part %d\n", partnum);
- return (errno = ECANCELED) & 0;
+ if (rw_file_exact(STDOUT_FILENO, b,
+ GBE_PART_SIZE, 0, IO_WRITE, LOOP_EAGAIN, LOOP_EINTR,
+ MAX_ZERO_RW_RETRY, OFF_ERR) < 0)
+ err(errno, "stdout: cat");
}
-void
-writeGbeFile(void)
+static void
+write_gbe_file(void)
{
- err_if((cmd == writeGbeFile) && !(validChecksum(0) || validChecksum(1)));
- for (int p = 0, x = (cmd == writeGbeFile) ? 1 : 0; p < 2; p++) {
- if ((!nvmPartModified[p]) && (cmd != writeGbeFile))
+ struct stat gbe_st;
+ struct stat tmp_st;
+
+ size_t p;
+ u8 update_checksum;
+
+ if (command[cmd_index].flags == O_RDONLY)
+ return;
+
+ if (fstat(gbe_fd, &gbe_st) == -1)
+ err(errno, "%s: re-check", fname);
+ if (gbe_st.st_dev != gbe_dev || gbe_st.st_ino != gbe_ino)
+ err(EIO, "%s: file replaced while open", fname);
+ if (gbe_st.st_size != gbe_file_size)
+ err(errno, "%s: file size changed before write", fname);
+ if (!S_ISREG(gbe_st.st_mode))
+ err(errno, "%s: file type changed before write", fname);
+
+ if (fstat(tmp_fd, &tmp_st) == -1)
+ err(errno, "%s: re-check", tname);
+ if (tmp_st.st_dev != tmp_dev || tmp_st.st_ino != tmp_ino)
+ err(EIO, "%s: file replaced while open", tname);
+ if (tmp_st.st_size != gbe_file_size)
+ err(errno, "%s: file size changed before write", tname);
+ if (!S_ISREG(tmp_st.st_mode))
+ err(errno, "%s: file type changed before write", tname);
+
+ update_checksum = command[cmd_index].chksum_write;
+
+ for (p = 0; p < 2; p++) {
+ if (!part_modified[p])
continue;
- handle_endianness(p^x);
- err_if(pwrite(fd, (uint8_t *) gbe[p^x], nf, p << 12) == -1);
+
+ if (update_checksum)
+ set_checksum(p);
+
+ rw_gbe_file_part(p, IO_PWRITE, "pwrite");
}
- errno = 0;
- err_if(close(fd) == -1);
}
-void
-handle_endianness(int partnum)
+static void
+set_checksum(size_t p)
+{
+ check_bin(p, "part number");
+ set_nvm_word(NVM_CHECKSUM_WORD, p, calculated_checksum(p));
+}
+
+static ushort
+calculated_checksum(size_t p)
{
- uint8_t *n = (uint8_t *) gbe[partnum];
- for (size_t w = nf * ((uint8_t *) &e)[0], x = 1; w < nf; w += 2, x += 2)
- n[w] ^= n[x], n[x] ^= n[w], n[w] ^= n[x];
+ size_t c;
+ uint val16 = 0;
+
+ for (c = 0; c < NVM_CHECKSUM_WORD; c++)
+ val16 += (uint)nvm_word(c, p);
+
+ return (ushort)((NVM_CHECKSUM - val16) & 0xffff);
+}
+
+/*
+ * GbE NVM files store 16-bit (2-byte) little-endian words.
+ * We must therefore swap the order when reading or writing.
+ *
+ * NOTE: The MAC address words are stored big-endian in the
+ * file, but we assume otherwise and adapt accordingly.
+ */
+
+static ushort
+nvm_word(size_t pos16, size_t p)
+{
+ size_t pos;
+
+ check_nvm_bound(pos16, p);
+ pos = (pos16 << 1) + (p * GBE_PART_SIZE);
+
+ return (ushort)buf[pos] |
+ ((ushort)buf[pos + 1] << 8);
+}
+
+static void
+set_nvm_word(size_t pos16, size_t p, ushort val16)
+{
+ size_t pos;
+
+ check_nvm_bound(pos16, p);
+ pos = (pos16 << 1) + (p * GBE_PART_SIZE);
+
+ buf[pos] = (u8)(val16 & 0xff);
+ buf[pos + 1] = (u8)(val16 >> 8);
+
+ set_part_modified(p);
+}
+
+static void
+set_part_modified(size_t p)
+{
+ check_bin(p, "part number");
+ part_modified[p] = 1;
+}
+
+static void
+check_nvm_bound(size_t c, size_t p)
+{
+ /*
+ * NVM_SIZE assumed as the limit, because this
+ * current design assumes that we will only
+ * ever modified the NVM area.
+ */
+
+ check_bin(p, "part number");
+
+ if (c >= NVM_WORDS)
+ err(ECANCELED, "check_nvm_bound: out of bounds %lu",
+ (ulong)c);
+}
+
+static void
+check_bin(size_t a, const char *a_name)
+{
+ if (a > 1)
+ err(EINVAL, "%s must be 0 or 1, but is %lu",
+ a_name, (ulong)a);
+}
+
+static void
+rw_gbe_file_part(size_t p, int rw_type,
+ const char *rw_type_str)
+{
+ ssize_t r;
+ size_t gbe_rw_size = command[cmd_index].rw_size;
+
+ u8 *mem_offset;
+ off_t file_offset;
+
+ if (rw_type < IO_PREAD || rw_type > IO_PWRITE)
+ err(errno, "%s: %s: part %lu: invalid rw_type, %d",
+ fname, rw_type_str, (ulong)p, rw_type);
+
+ mem_offset = gbe_mem_offset(p, rw_type_str);
+ file_offset = (off_t)gbe_file_offset(p, rw_type_str);
+
+ r = rw_gbe_file_exact(tmp_fd, mem_offset,
+ gbe_rw_size, file_offset, rw_type);
+
+ if (r == -1)
+ err(errno, "%s: %s: part %lu",
+ fname, rw_type_str, (ulong)p);
+
+ if ((size_t)r != gbe_rw_size)
+ err(EIO, "%s: partial %s: part %lu",
+ fname, rw_type_str, (ulong)p);
+}
+
+static void
+write_to_gbe_bin(void)
+{
+ int saved_errno;
+ int mv;
+
+ if (command[cmd_index].flags != O_RDWR)
+ return;
+
+ write_gbe_file();
+
+ /*
+ * We may otherwise read from
+ * cache, so we must sync.
+ */
+ if (fsync(tmp_fd) == -1)
+ err(errno, "%s: fsync (pre-verification)",
+ tname);
+
+ check_written_part(0);
+ check_written_part(1);
+
+ report_io_err_rw();
+
+ if (io_err_gbe)
+ err(EIO, "%s: bad write", fname);
+
+ /*
+ * success!
+ * now just rename the tmpfile
+ */
+
+ saved_errno = errno;
+
+ if (close(tmp_fd) == -1) {
+ fprintf(stderr, "FAIL: %s: close\n", tname);
+ io_err_gbe_bin = 1;
+ }
+
+ if (close(gbe_fd) == -1) {
+ fprintf(stderr, "FAIL: %s: close\n", fname);
+ io_err_gbe_bin = 1;
+ }
+
+ errno = saved_errno;
+
+ tmp_fd = -1;
+ gbe_fd = -1;
+
+ if (!io_err_gbe_bin) {
+
+ mv = gbe_mv();
+
+ if (mv < 0) {
+ io_err_gbe_bin = 1;
+ fprintf(stderr, "%s: %s\n",
+ fname, strerror(errno));
+ } else {
+ /*
+ * tmpfile removed
+ * by the rename
+ */
+
+ if (tname != NULL)
+ free(tname);
+
+ tname = NULL;
+ }
+ }
+
+ /*
+ * finally:
+ * must sync to disk!
+ * very nearly done
+ */
+
+ if (!io_err_gbe_bin)
+ return;
+
+ fprintf(stderr, "FAIL (rename): %s: skipping fsync\n",
+ fname);
+ if (errno)
+ fprintf(stderr,
+ "errno %d: %s\n", errno, strerror(errno));
+}
+
+static void
+check_written_part(size_t p)
+{
+ ssize_t r;
+ size_t gbe_rw_size;
+ u8 *mem_offset;
+ off_t file_offset;
+ u8 *buf_restore;
+ struct stat st;
+
+ if (!part_modified[p])
+ return;
+
+ gbe_rw_size = command[cmd_index].rw_size;
+
+ /* invert not needed for pwrite */
+ mem_offset = gbe_mem_offset(p, "pwrite");
+ file_offset = (off_t)gbe_file_offset(p, "pwrite");
+
+ memset(pad, 0xff, sizeof(pad));
+
+ if (fstat(gbe_fd, &st) == -1)
+ err(errno, "%s: fstat (post-write)", fname);
+ if (st.st_dev != gbe_dev || st.st_ino != gbe_ino)
+ err(EIO, "%s: file changed during write", fname);
+
+ if (fstat(tmp_fd, &st) == -1)
+ err(errno, "%s: fstat (post-write)", tname);
+ if (st.st_dev != tmp_dev || st.st_ino != tmp_ino)
+ err(EIO, "%s: file changed during write", tname);
+
+ r = rw_gbe_file_exact(tmp_fd, pad,
+ gbe_rw_size, file_offset, IO_PREAD);
+
+ if (r == -1)
+ rw_check_err_read[p] = io_err_gbe = 1;
+ else if ((size_t)r != gbe_rw_size)
+ rw_check_partial_read[p] = io_err_gbe = 1;
+ else if (memcmp(mem_offset, pad, gbe_rw_size) != 0)
+ rw_check_bad_part[p] = io_err_gbe = 1;
+
+ if (rw_check_err_read[p] ||
+ rw_check_partial_read[p])
+ return;
+
+ /*
+ * We only load one part on-file, into memory but
+ * always at offset zero, for post-write checks.
+ * That's why we hardcode good_checksum(0).
+ */
+ buf_restore = buf;
+ buf = pad;
+ post_rw_checksum[p] = good_checksum(0);
+ buf = buf_restore;
+}
+
+static void
+report_io_err_rw(void)
+{
+ size_t p;
+
+ if (!io_err_gbe)
+ return;
+
+ for (p = 0; p < 2; p++) {
+ if (!part_modified[p])
+ continue;
+
+ if (rw_check_err_read[p])
+ fprintf(stderr,
+ "%s: pread: p%lu (post-verification)\n",
+ fname, (ulong)p);
+ if (rw_check_partial_read[p])
+ fprintf(stderr,
+ "%s: partial pread: p%lu (post-verification)\n",
+ fname, (ulong)p);
+ if (rw_check_bad_part[p])
+ fprintf(stderr,
+ "%s: pwrite: corrupt write on p%lu\n",
+ fname, (ulong)p);
+
+ if (rw_check_err_read[p] ||
+ rw_check_partial_read[p]) {
+ fprintf(stderr,
+ "%s: p%lu: skipped checksum verification "
+ "(because read failed)\n",
+ fname, (ulong)p);
+
+ continue;
+ }
+
+ fprintf(stderr, "%s: ", fname);
+
+ if (post_rw_checksum[p])
+ fprintf(stderr, "GOOD");
+ else
+ fprintf(stderr, "BAD");
+
+ fprintf(stderr, " checksum in p%lu on-disk.\n",
+ (ulong)p);
+
+ if (post_rw_checksum[p]) {
+ fprintf(stderr,
+ " This does NOT mean it's safe. it may be\n"
+ " salvageable if you use the cat feature.\n");
+ }
+ }
+}
+
+static int
+gbe_mv(void)
+{
+ int r;
+ int saved_errno;
+ int tmp_gbe_bin_exists = 1;
+
+ char *dest_tmp = NULL;
+ int dest_fd = -1;
+
+ saved_errno = errno;
+
+ r = rename(tname, fname);
+
+ if (r > -1) {
+ /*
+ * same filesystem
+ */
+
+ tmp_gbe_bin_exists = 0;
+
+ if (fsync_dir(fname) < 0)
+ r = -1;
+
+ goto ret_gbe_mv;
+ }
+
+ if (errno != EXDEV)
+ goto ret_gbe_mv;
+
+ /* cross-filesystem rename */
+
+ if ((r = tmp_fd = open(tname,
+ O_RDONLY | O_BINARY)) == -1)
+ goto ret_gbe_mv;
+
+ /* create replacement temp in target directory */
+ dest_tmp = new_tmpfile(&dest_fd, 1, fname);
+ if (dest_tmp == NULL)
+ goto ret_gbe_mv;
+
+ /* copy data */
+
+ r = rw_file_exact(tmp_fd, bufcmp,
+ gbe_file_size, 0, IO_PREAD,
+ NO_LOOP_EAGAIN, LOOP_EINTR,
+ MAX_ZERO_RW_RETRY, OFF_ERR);
+
+ if (r < 0)
+ goto ret_gbe_mv;
+
+ r = rw_file_exact(dest_fd, bufcmp,
+ gbe_file_size, 0, IO_PWRITE,
+ NO_LOOP_EAGAIN, LOOP_EINTR,
+ MAX_ZERO_RW_RETRY, OFF_ERR);
+
+ if (r < 0)
+ goto ret_gbe_mv;
+
+ if (fsync(dest_fd) == -1)
+ goto ret_gbe_mv;
+
+ if (close(dest_fd) == -1)
+ goto ret_gbe_mv;
+
+ if (rename(dest_tmp, fname) == -1)
+ goto ret_gbe_mv;
+
+ if (fsync_dir(fname) < 0)
+ goto ret_gbe_mv;
+
+ free(dest_tmp);
+ dest_tmp = NULL;
+
+ret_gbe_mv:
+
+ if (gbe_fd > -1) {
+ if (close(gbe_fd) < 0)
+ r = -1;
+ if (fsync_dir(fname) < 0)
+ r = -1;
+ gbe_fd = -1;
+ }
+
+ if (tmp_fd > -1) {
+ if (close(tmp_fd) < 0)
+ r = -1;
+
+ tmp_fd = -1;
+ }
+
+ /*
+ * before this function is called,
+ * tmp_fd may have been moved
+ */
+ if (tmp_gbe_bin_exists) {
+ if (unlink(tname) < 0)
+ r = -1;
+ else
+ tmp_gbe_bin_exists = 0;
+ }
+
+ if (r < 0) {
+ /*
+ * if nothing set errno,
+ * we assume EIO, or we
+ * use what was set
+ */
+ if (errno == saved_errno)
+ errno = EIO;
+ } else {
+ errno = saved_errno;
+ }
+
+ return r;
+}
+
+/*
+ * Ensure rename() is durable by syncing the
+ * directory containing the target file.
+ */
+static int
+fsync_dir(const char *path)
+{
+#if defined(PATH_LEN) && \
+ (PATH_LEN) >= 256
+ size_t maxlen = PATH_LEN;
+#else
+ size_t maxlen = 4096;
+#endif
+ size_t pathlen;
+/* char dirbuf[maxlen]; */
+ char *dirbuf = NULL;
+ char *slash;
+ int dfd = -1;
+
+ struct stat st;
+
+ int saved_errno = errno;
+
+ pathlen = xstrxlen(path, maxlen);
+
+ if (pathlen >= maxlen) {
+ fprintf(stderr, "Path too long for fsync_parent_dir\n");
+ goto err_fsync_dir;
+ }
+
+ dirbuf = malloc(pathlen + 1);
+ if (dirbuf == NULL)
+ goto err_fsync_dir;
+
+ memcpy(dirbuf, path, pathlen + 1);
+ slash = strrchr(dirbuf, '/');
+
+ if (slash != NULL) {
+ *slash = '\0';
+ if (*dirbuf == '\0')
+ strcpy(dirbuf, "/");
+ } else {
+ strcpy(dirbuf, ".");
+ }
+
+ dfd = open(dirbuf, O_RDONLY);
+ if (dfd == -1)
+ goto err_fsync_dir;
+
+ if (fstat(dfd, &st) < 0)
+ goto err_fsync_dir;
+
+ if (!S_ISDIR(st.st_mode)) {
+ fprintf(stderr, "%s: not a directory\n", dirbuf);
+ goto err_fsync_dir;
+ }
+
+ /* sync file on disk */
+ if (fsync(dfd) == -1)
+ goto err_fsync_dir;
+
+ if (close(dfd) == -1)
+ goto err_fsync_dir;
+
+ if (dirbuf != NULL)
+ free(dirbuf);
+
+ errno = saved_errno;
+ return 0;
+
+err_fsync_dir:
+ if (!errno)
+ errno = EIO;
+
+ if (errno != saved_errno)
+ fprintf(stderr, "%s: %s\n", fname, strerror(errno));
+
+ if (dirbuf != NULL)
+ free(dirbuf);
+
+ if (dfd > -1)
+ close(dfd);
+
+ io_err_gbe_bin = 1;
+ errno = saved_errno;
+
+ return -1;
+}
+
+/*
+ * This one is similar to gbe_file_offset,
+ * but used to check Gbe bounds in memory,
+ * and it is *also* used during file I/O.
+ */
+static u8 *
+gbe_mem_offset(size_t p, const char *f_op)
+{
+ off_t gbe_off = gbe_x_offset(p, f_op, "mem",
+ GBE_PART_SIZE, GBE_WORK_SIZE);
+
+ return (u8 *)(buf + (size_t)gbe_off);
+}
+
+/*
+ * I/O operations filtered here. These operations must
+ * only write from the 0th position or the half position
+ * within the GbE file, and write 4KB of data.
+ *
+ * This check is called, to ensure just that.
+ */
+static off_t
+gbe_file_offset(size_t p, const char *f_op)
+{
+ off_t gbe_file_half_size = gbe_file_size >> 1;
+
+ return gbe_x_offset(p, f_op, "file",
+ gbe_file_half_size, gbe_file_size);
+}
+
+static off_t
+gbe_x_offset(size_t p, const char *f_op, const char *d_type,
+ off_t nsize, off_t ncmp)
+{
+ off_t off;
+
+ check_bin(p, "part number");
+
+ off = ((off_t)p) * (off_t)nsize;
+
+ if (off > ncmp - GBE_PART_SIZE)
+ err(ECANCELED, "%s: GbE %s %s out of bounds",
+ fname, d_type, f_op);
+
+ if (off != 0 && off != ncmp >> 1)
+ err(ECANCELED, "%s: GbE %s %s at bad offset",
+ fname, d_type, f_op);
+
+ return off;
+}
+
+static ssize_t
+rw_gbe_file_exact(int fd, u8 *mem, size_t nrw,
+ off_t off, int rw_type)
+{
+ size_t mem_addr;
+ size_t buf_addr;
+ ssize_t r;
+
+ if (io_args(fd, mem, nrw, off, rw_type) == -1)
+ return -1;
+
+ mem_addr = (size_t)(void *)mem;
+ buf_addr = (size_t)(void *)buf;
+
+ if (mem != (void *)pad) {
+ if (mem_addr < buf_addr)
+ goto err_rw_gbe_file_exact;
+
+ if ((mem_addr - buf_addr) >= (size_t)GBE_WORK_SIZE)
+ goto err_rw_gbe_file_exact;
+ }
+
+ if (off < 0 || off >= gbe_file_size)
+ goto err_rw_gbe_file_exact;
+
+ if (nrw > (size_t)(gbe_file_size - off))
+ goto err_rw_gbe_file_exact;
+
+ if (nrw > (size_t)GBE_PART_SIZE)
+ goto err_rw_gbe_file_exact;
+
+ r = rw_file_exact(fd, mem, nrw, off, rw_type,
+ NO_LOOP_EAGAIN, LOOP_EINTR, MAX_ZERO_RW_RETRY,
+ OFF_ERR);
+
+ return rw_over_nrw(r, nrw);
+
+err_rw_gbe_file_exact:
+ errno = EIO;
+ return -1;
+}
+
+/*
+ * Safe I/O functions wrapping around
+ * read(), write() and providing a portable
+ * analog of both pread() and pwrite().
+ * These functions are designed for maximum
+ * robustness, checking NULL inputs, overflowed
+ * outputs, and all kinds of errors that the
+ * standard libc functions don't.
+ *
+ * Looping on EINTR and EAGAIN is supported.
+ * EINTR/EAGAIN looping is done indefinitely.
+ */
+
+/*
+ * rw_file_exact() - Read perfectly or die
+ *
+ * Read/write, and absolutely insist on an
+ * absolute read; e.g. if 100 bytes are
+ * requested, this MUST return 100.
+ *
+ * This function will never return zero.
+ * It will only return below (error),
+ * or above (success). On error, -1 is
+ * returned and errno is set accordingly.
+ *
+ * Zero-byte returns are not allowed.
+ * It will re-spin a finite number of
+ * times upon zero-return, to recover,
+ * otherwise it will return an error.
+ */
+static ssize_t
+rw_file_exact(int fd, u8 *mem, size_t nrw,
+ off_t off, int rw_type, int loop_eagain,
+ int loop_eintr, size_t max_retries,
+ int off_reset)
+{
+ ssize_t rv = 0;
+ ssize_t rc = 0;
+ size_t retries_on_zero = 0;
+ off_t off_cur;
+ size_t nrw_cur;
+ void *mem_cur;
+
+ if (io_args(fd, mem, nrw, off, rw_type) == -1)
+ return -1;
+
+ while (1) {
+
+ /* Prevent theoretical overflow */
+ if (rv >= 0 && (size_t)rv > (nrw - rc))
+ goto err_rw_file_exact;
+
+ rc += rv;
+ if ((size_t)rc >= nrw)
+ break;
+
+ mem_cur = (void *)(mem + (size_t)rc);
+ nrw_cur = (size_t)(nrw - (size_t)rc);
+ if (off < 0)
+ goto err_rw_file_exact;
+ off_cur = off + (off_t)rc;
+
+ rv = prw(fd, mem_cur, nrw_cur, off_cur,
+ rw_type, loop_eagain, loop_eintr,
+ off_reset);
+
+ if (rv < 0)
+ return -1;
+
+ if (rv == 0) {
+ if (retries_on_zero++ < max_retries)
+ continue;
+ goto err_rw_file_exact;
+ }
+
+ retries_on_zero = 0;
+ }
+
+ if ((size_t)rc != nrw)
+ goto err_rw_file_exact;
+
+ return rw_over_nrw(rc, nrw);
+
+err_rw_file_exact:
+ errno = EIO;
+ return -1;
+}
+
+/*
+ * prw() - portable read-write
+ *
+ * This implements a portable analog of pwrite()
+ * and pread() - note that this version is not
+ * thread-safe (race conditions are possible on
+ * shared file descriptors).
+ *
+ * This limitation is acceptable, since nvmutil is
+ * single-threaded. Portability is the main goal.
+ *
+ * If you need real pwrite/pread, just compile
+ * with flag: HAVE_REAL_PREAD_PWRITE=1
+ *
+ * A fallback is provided for regular read/write.
+ * rw_type can be IO_READ, IO_WRITE, IO_PREAD
+ * or IO_PWRITE
+ *
+ * loop_eagain does a retry loop on EAGAIN if set
+ * loop_eintr does a retry loop on EINTR if set
+ *
+ * Unlike the bare syscalls, prw() does security
+ * checks e.g. checks NULL strings, checks bounds,
+ * also mitigates a few theoretical libc bugs.
+ * It is designed for extremely safe single-threaded
+ * I/O on applications that need it.
+ *
+ * NOTE: If you use loop_eagain (1), you enable wait
+ * loop on EAGAIN. Beware if using this on a non-blocking
+ * pipe (it could spin indefinitely).
+ *
+ * off_reset: if zero, and using fallback pwrite/pread
+ * analogs, we check if a file offset changed,
+ * which would indicate another thread changed
+ * it, and return error, without resetting the
+ * file - this would allow that thread to keep
+ * running, but we could then cause a whole
+ * program exit if we wanted to.
+ * if not zero:
+ * we reset and continue, and pray for the worst.
+ */
+
+static ssize_t
+prw(int fd, void *mem, size_t nrw,
+ off_t off, int rw_type,
+ int loop_eagain, int loop_eintr,
+ int off_reset)
+{
+ ssize_t r;
+ int positional_rw;
+ struct stat st;
+#if !defined(HAVE_REAL_PREAD_PWRITE) || \
+ HAVE_REAL_PREAD_PWRITE < 1
+ int saved_errno;
+ off_t verified;
+ off_t off_orig;
+ off_t off_last;
+#endif
+
+ if (io_args(fd, mem, nrw, off, rw_type) == -1)
+ return -1;
+
+ r = -1;
+
+ /* Programs like cat can use this,
+ so we only check if it's a normal
+ file if not looping EAGAIN */
+ if (!loop_eagain) {
+ /*
+ * Checking on every run of prw()
+ * is expensive if called many
+ * times, but is defensive in
+ * case the status changes.
+ */
+ if (check_file(fd, &st) == -1)
+ return -1;
+ }
+
+ if (rw_type >= IO_PREAD)
+ positional_rw = 1; /* pread/pwrite */
+ else
+ positional_rw = 0; /* read/write */
+
+try_rw_again:
+
+ if (!positional_rw) {
+#if defined(HAVE_REAL_PREAD_PWRITE) && \
+ HAVE_REAL_PREAD_PWRITE > 0
+real_pread_pwrite:
+#endif
+ if (rw_type == IO_WRITE)
+ r = write(fd, mem, nrw);
+ else if (rw_type == IO_READ)
+ r = read(fd, mem, nrw);
+#if defined(HAVE_REAL_PREAD_PWRITE) && \
+ HAVE_REAL_PREAD_PWRITE > 0
+ else if (rw_type == IO_PWRITE)
+ r = pwrite(fd, mem, nrw, off);
+ else if (rw_type == IO_PREAD)
+ r = pread(fd, mem, nrw, off);
+#endif
+
+ if (r == -1 && (errno == try_err(loop_eintr, EINTR)
+ || errno == try_err(loop_eagain, EAGAIN)))
+ goto try_rw_again;
+
+ return rw_over_nrw(r, nrw);
+ }
+
+#if defined(HAVE_REAL_PREAD_PWRITE) && \
+ HAVE_REAL_PREAD_PWRITE > 0
+ goto real_pread_pwrite;
+#else
+ if ((off_orig = lseek_loop(fd, (off_t)0, SEEK_CUR,
+ loop_eagain, loop_eintr)) == (off_t)-1) {
+ r = -1;
+ } else if (lseek_loop(fd, off, SEEK_SET,
+ loop_eagain, loop_eintr) == (off_t)-1) {
+ r = -1;
+ } else {
+ verified = lseek_loop(fd, (off_t)0, SEEK_CUR,
+ loop_eagain, loop_eintr);
+
+ /*
+ * Partial thread-safety: detect
+ * if the offset changed to what
+ * we previously got. If it did,
+ * then another thread may have
+ * changed it. Enabled if
+ * off_reset is OFF_RESET.
+ *
+ * We do this *once*, on the theory
+ * that nothing is touching it now.
+ */
+ if (off_reset && off != verified)
+ lseek_loop(fd, off, SEEK_SET,
+ loop_eagain, loop_eintr);
+
+ do {
+ /*
+ * Verify again before I/O
+ * (even with OFF_ERR)
+ *
+ * This implements the first check
+ * even with OFF_ERR, but without
+ * the recovery. On ERR_RESET, if
+ * the check fails again, then we
+ * know something else is touching
+ * the file, so it's best that we
+ * probably leave it alone and err.
+ *
+ * In other words, ERR_RESET only
+ * tolerates one change. Any more
+ * will cause an exit, including
+ * per EINTR/EAGAIN re-spin.
+ */
+ verified = lseek_loop(fd, (off_t)0, SEEK_CUR,
+ loop_eagain, loop_eintr);
+
+ if (off != verified)
+ goto err_prw;
+
+ if (rw_type == IO_PREAD)
+ r = read(fd, mem, nrw);
+ else if (rw_type == IO_PWRITE)
+ r = write(fd, mem, nrw);
+
+ if (rw_over_nrw(r, nrw) == -1) {
+ errno = EIO;
+ break;
+ }
+
+ } while (r == -1 &&
+ (errno == try_err(loop_eintr, EINTR)
+ || errno == try_err(loop_eagain, EAGAIN)));
+ }
+
+ saved_errno = errno;
+
+ off_last = lseek_loop(fd, off_orig, SEEK_SET,
+ loop_eagain, loop_eintr);
+
+ if (off_last != off_orig) {
+ errno = saved_errno;
+ goto err_prw;
+ }
+
+ errno = saved_errno;
+
+ return rw_over_nrw(r, nrw);
+#endif
+
+err_prw:
+ errno = EIO;
+ return -1;
+}
+
+static int
+io_args(int fd, void *mem, size_t nrw,
+ off_t off, int rw_type)
+{
+ /* obviously */
+ if (mem == NULL)
+ goto err_io_args;
+
+ /* uninitialised fd */
+ if (fd < 0)
+ goto err_io_args;
+
+ /* negative offset */
+ if (off < 0)
+ goto err_io_args;
+
+ /* prevent zero-byte rw */
+ if (!nrw)
+ goto err_io_args;
+
+ /* prevent overflow */
+ if (nrw > (size_t)SSIZE_MAX)
+ goto err_io_args;
+
+ /* prevent overflow */
+ if (((size_t)off + nrw) < (size_t)off)
+ goto err_io_args;
+
+ if (rw_type > IO_PWRITE)
+ goto err_io_args;
+
+ return 0;
+
+err_io_args:
+ errno = EIO;
+ return -1;
+}
+
+static int
+check_file(int fd, struct stat *st)
+{
+ if (fstat(fd, st) == -1)
+ goto err_is_file;
+
+ if (!S_ISREG(st->st_mode))
+ goto err_is_file;
+
+ return 0;
+
+err_is_file:
+ errno = EIO;
+ return -1;
+}
+
+/*
+ * Check overflows caused by buggy libc.
+ *
+ * POSIX can say whatever it wants.
+ * specification != implementation
+ */
+static ssize_t
+rw_over_nrw(ssize_t r, size_t nrw)
+{
+ /*
+ * If a byte length of zero
+ * was requested, that is
+ * clearly a bug. No way.
+ */
+ if (!nrw)
+ goto err_rw_over_nrw;
+
+ if (r == -1)
+ return r;
+
+ if ((size_t)r > SSIZE_MAX) {
+ /*
+ * Theoretical buggy libc
+ * check. Extremely academic.
+ *
+ * Specifications never
+ * allow this return value
+ * to exceed SSIZE_MAX, but
+ * spec != implementation
+ *
+ * Check this after using
+ * [p]read() or [p]write()
+ */
+ goto err_rw_over_nrw;
+ }
+
+ /*
+ * Theoretical buggy libc:
+ * Should never return a number of
+ * bytes above the requested length.
+ */
+ if ((size_t)r > nrw)
+ goto err_rw_over_nrw;
+
+ return r;
+
+err_rw_over_nrw:
+
+ errno = EIO;
+ return -1;
+}
+
+#if !defined(HAVE_REAL_PREAD_PWRITE) || \
+ HAVE_REAL_PREAD_PWRITE < 1
+/*
+ * lseek_loop() does lseek() but optionally
+ * on an EINTR/EAGAIN wait loop. Used by prw()
+ * for setting offsets for positional I/O.
+ */
+static off_t
+lseek_loop(int fd, off_t off, int whence,
+ int loop_eagain, int loop_eintr)
+{
+ off_t old = -1;
+
+ do {
+ old = lseek(fd, off, whence);
+ } while (old == (off_t)-1 && (
+ errno == try_err(loop_eintr, EINTR) ||
+ errno == try_err(loop_eagain, EAGAIN)));
+
+ return old;
+}
+#endif
+
+/*
+ * If a given error loop is enabled,
+ * e.g. EINTR or EAGAIN, an I/O operation
+ * will loop until errno isn't -1 and one
+ * of these, e.g. -1 and EINTR
+ */
+static int
+try_err(int loop_err, int errval)
+{
+ if (loop_err)
+ return errval;
+
+ /* errno is never negative,
+ so functions checking it
+ can use it accordingly */
+ return -1;
+}
+
+static void
+usage(void)
+{
+ const char *util = getnvmprogname();
+
+ fprintf(stderr,
+ "Modify Intel GbE NVM images e.g. set MAC\n"
+ "USAGE:\n"
+ "\t%s FILE dump\n"
+ "\t%s FILE setmac [MAC]\n"
+ "\t%s FILE swap\n"
+ "\t%s FILE copy 0|1\n"
+ "\t%s FILE cat\n"
+ "\t%s FILE cat16\n"
+ "\t%s FILE cat128\n",
+ util, util, util, util,
+ util, util, util);
+
+ err(EINVAL, "Too few arguments");
+}
+
+static void
+err(int nvm_errval, const char *msg, ...)
+{
+ va_list args;
+
+ if (errno == 0)
+ errno = nvm_errval;
+ if (!errno)
+ errno = ECANCELED;
+
+ (void)exit_cleanup();
+
+ fprintf(stderr, "%s: ", getnvmprogname());
+
+ va_start(args, msg);
+ vfprintf(stderr, msg, args);
+ va_end(args);
+
+ fprintf(stderr, ": %s", strerror(errno));
+
+ fprintf(stderr, "\n");
+
+ if (tname != NULL)
+ free(tname);
+
+ exit(EXIT_FAILURE);
+}
+
+static int
+exit_cleanup(void)
+{
+ int close_err = 0;
+ int saved_errno = errno;
+
+ if (gbe_fd > -1) {
+ if (close(gbe_fd) == -1)
+ close_err = 1;
+ gbe_fd = -1;
+ }
+
+ if (tmp_fd > -1) {
+ if (close(tmp_fd) == -1)
+ close_err = 1;
+ }
+
+ if (tname != NULL) {
+ if (unlink(tname) == -1)
+ close_err = 1;
+ }
+
+ tmp_fd = -1;
+
+ if (saved_errno)
+ errno = saved_errno;
+
+ if (close_err)
+ return -1;
+
+ return 0;
+}
+
+static const char *
+getnvmprogname(void)
+{
+ const char *p;
+
+ if (argv0 == NULL || *argv0 == '\0')
+ return "";
+
+ p = strrchr(argv0, '/');
+
+ if (p)
+ return p + 1;
+ else
+ return argv0;
+}
+
+/*
+ * create new tmpfile path
+ *
+ * ON SUCCESS:
+ *
+ * returns ptr to path string on success
+ * ALSO: the int at *fd will be set,
+ * indicating the file descriptor
+ *
+ * ON ERROR:
+ *
+ * return NULL (*fd not touched)
+ *
+ * malloc() may set errno, but you should
+ * not rely on errno from this function
+ *
+ * local: if non-zero, then only a file
+ * name will be given, relative to
+ * the current file name. for this,
+ * the 3rd argument (path) must be non-null
+ *
+ * if local is zero, then 3rd arg (path)
+ * is irrelevant and can be NULL
+ */
+static char *
+new_tmpfile(int *fd, int local, const char *path)
+{
+ size_t maxlen;
+ struct stat st;
+
+ /*
+ * please do not modify the
+ * strings or I will get mad
+ */
+ char tmp_none[] = "";
+ char tmp_default[] = "/tmp";
+ char default_tmpname[] = "tmpXXXXXX";
+ char *tmpname;
+
+ char *base = NULL;
+ char *dest = NULL;
+
+ size_t tmpdir_len = 0;
+ size_t tmpname_len = 0;
+ size_t tmppath_len = 0;
+
+ int fd_tmp = -1;
+ int flags;
+
+ /*
+ * 256 is the most
+ * conservative path
+ * size limit (posix),
+ * but 4096 is modern
+ *
+ * set PATH_LEN as you
+ * wish, at build time
+ */
+
+#if defined(PATH_LEN) && \
+ (PATH_LEN) >= 256
+ maxlen = PATH_LEN;
+#else
+ maxlen = 4096;
+#endif
+
+ tmpname = default_tmpname;
+ if (local) {
+ if (path == NULL)
+ goto err_new_tmpfile;
+ if (*path == '\0')
+ goto err_new_tmpfile;
+
+ if (stat(path, &st) == -1)
+ goto err_new_tmpfile;
+
+ if (!S_ISREG(st.st_mode))
+ goto err_new_tmpfile;
+
+ tmpname = (char *)path;
+ }
+
+ if (local) {
+ base = tmp_none;
+
+ /*
+ * appended to filename for tmp:
+ */
+ tmpdir_len = sizeof(default_tmpname);
+ } else {
+ base = getenv("TMPDIR");
+
+ if (base == NULL)
+ base = tmp_default;
+ if (*base == '\0')
+ base = tmp_default;
+
+ tmpdir_len = xstrxlen(base, maxlen);
+ }
+
+ tmpname_len = xstrxlen(tmpname, maxlen);
+
+ tmppath_len = tmpdir_len + tmpname_len;
+ ++tmppath_len; /* for '/' or '.' */
+
+ /*
+ * max length -1 of maxlen
+ * for termination
+ */
+ if (tmpdir_len > maxlen - tmpname_len - 1)
+ goto err_new_tmpfile;
+
+ /* +1 for NULL */
+ dest = malloc(tmppath_len + 1);
+ if (dest == NULL)
+ goto err_new_tmpfile;
+
+ if (local) {
+
+ *dest = '.'; /* hidden file */
+
+ memcpy(dest + (size_t)1, tmpname, tmpname_len);
+
+ memcpy(dest + (size_t)1 + tmpname_len,
+ default_tmpname, tmpdir_len);
+ } else {
+
+ memcpy(dest, base, tmpdir_len);
+
+ dest[tmpdir_len] = '/';
+
+ memcpy(dest + tmpdir_len + 1, tmpname, tmpname_len);
+ }
+
+ dest[tmppath_len] = '\0';
+
+ fd_tmp = mkstemp(dest);
+ if (fd_tmp == -1)
+ goto err_new_tmpfile;
+
+ if (fchmod(fd_tmp, 0600) == -1)
+ goto err_new_tmpfile;
+
+ if (lock_file(fd_tmp) == -1)
+ goto err_new_tmpfile;
+
+ if (fstat(fd_tmp, &st) == -1)
+ goto err_new_tmpfile;
+
+ /*
+ * Extremely defensive
+ * likely pointless checks
+ */
+
+ /* check if it's a file */
+ if (!S_ISREG(st.st_mode))
+ goto err_new_tmpfile;
+
+ /* check if it's seekable */
+ if (lseek(fd_tmp, 0, SEEK_CUR) == (off_t)-1)
+ goto err_new_tmpfile;
+
+ /* inode will be checked later on write */
+ tmp_dev = st.st_dev;
+ tmp_ino = st.st_ino;
+
+ /* tmpfile has >1 hardlinks */
+ if (st.st_nlink > 1)
+ goto err_new_tmpfile;
+
+ /* tmpfile unlinked while opened */
+ if (st.st_nlink == 0)
+ goto err_new_tmpfile;
+
+ flags = fcntl(fd_tmp, F_GETFL);
+
+ if (flags == -1)
+ goto err_new_tmpfile;
+
+ /*
+ * O_APPEND would permit offsets
+ * to be ignored, which breaks
+ * positional read/write
+ */
+ if (flags & O_APPEND)
+ goto err_new_tmpfile;
+
+ *fd = fd_tmp;
+
+ return dest;
+
+err_new_tmpfile:
+
+ if (dest != NULL)
+ free(dest);
+
+ if (fd_tmp > -1)
+ close(fd_tmp);
+
+ return NULL;
}
generated by cgit v1.2.1 (git 2.18.0) at 2026-03-16 10:52:54 +0000