| Age | Commit message (Collapse) | Author |
|---|
|
and with that, now the code compiles on gcc
with -std=c90 -pedantic
with -Werror and -Wall -Wextra
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This reverts commit bdb43afac6edef21a15f99b8c3beac01be8b86f7.
|
|
have A-Z too, for more randomness
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i no longer use -Werror
these can actually conflict on some weird
systems, so better just remove them
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
close may set errno to EINTR, which could
cause weird edge case behaviour in our
prw() functtion
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
use stat instead of access (race conditions)
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
try a few more times until success
explicitly return EEXIST when needed
we try multiple times and check more
thoroughly if a file exists, thus
reducing the risk of race conditions
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
more portable
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
not portable. some old systems don't have it,
or handle it very poorly
unsigned long is a reasonable way to refer
to indexes inside pointters
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
some old systems don't have ssize_t or size_t
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
older unix needed lower
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
very old libc doesn't have it
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
if the global file is created on a different file
system than the gbe file, unveil would trigger an
abort trap, since we rely on created a second
temporary file, whose path we can't know ahead
of time.
i could get rid of unveil, or unveil a directory,
but neither is acceptable. just use localtmp on
openbsd. a temporary file is created next to
the gbe file, in the same directory.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
now the custom fallback code is very unlikely
to ever actually be used, on any system,
except really old systems.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i need these. can always turn them off
when running make if you need to
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
-Werror removed, for older compilers
actual warnings still there
-std is configurable now
e.g.
make CSTD=-c90
make CSTD=-c99
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i have urandom again. it's enough
the fallback rand implementation
is used if needed
now i don't have to worry about any
weird version of unix from 1992 and
deal with weird hacks. in fact, with
this change, my code will probably
compile on irix now
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i had to loosen the pledges for the new i/o
framework, which needs more permissions
as a result, i can now open urandom in
this function statically, rather than
in nvmutil's control logic
and because of that, it's less buggy now
arc4random is disabled on linux by default,
because it's not universally available
on all libc, and only since about 2022
in some glibc versions
better for portability to let linux users
justt use urandom
the new logic is different. now it falls
back to rand per-byte, but in practise
it almost never will.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
linux only had it since 2022.
lots of people will complain if i leave this enabled.
not all libc have it either
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i simplified it in the last commits, but i sttill
need this loop to properly handle parts
otherwise yeah, all it's doing is copying a file
verbatim. duh.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
we now read twice, verify the two, to make sure
one read isn't faulty
we operate on a tmp file, then rename back. this
reduces the risk of power cuts corrupting data
we properly verify the contents that we wrote
back
inspired largely by flashprog. i wanted to have
an insanely over-engineered and extremely safe
tool that edits intel gbe nvm files
and now i have one. the only one in existence.
i'm basically writing my own libc code at this
point, to be honest. i'll probably start puttting
these functions in libraries
e.g. that tmpfile generator
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
yes, because otherwise if the offset is still
wrong, we allow junk to be written. bad!
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
we were returning if verified is not off, but we
were not doing the check soon enough.
now it's clearer: just after either a reset,
or we found out offset doesn't match, we
return sooner.
otherwise, we read, and we verify again right
after. in the old code, we verified twice in
a row.
this is just more optimal, for error handling.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
in the last patch, i return, which then avoids
resetting the offset.
prw is very careful not to return early.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
otherwise, if it's -1 and errno happens to be
EINTR or EAGAIN, we might loop on what is a
real error. this bug fixes that edge case.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
do it per read, in the fallback pread/pwrite
per read/write that is
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i already guard offsets in io_args, but it's best
to be thorough here.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
we already check before that rv is not negative,
and it starts at zero, but it's good to guard
it here just in case (for future re-factoring).
if rv is negative, it could convert (casted to
size_t) to a huge number (we don't want that).
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
even with OFF_RESET, we still want some error checking.
if the check fails again immediately after, then it
suggests that another program really is modifying the
file, so we should stop.
the first check is done on the theory that another
program *was* working on it, but now isn't.
once again, this isn't perfect. use read pread/pwrite
if you need thread safety (and even then, you still
need to actually check your code)
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
if a points to a buffer shorter than maxlen,
and the string is not null-terminated early,
the loop may read may overflow
e.g.
char buf[3] = {'a', 'b', 'c'};
xstrxcmp(buf, "abc", 50);
this is undefined behaviour, and a bug. C allows
reading past arrays only if the memory exists,
but we can't guarantee that
to fix it, we check the condition for return,
namely NULL character, before using the character
again. This avoids reading further from a multiple
times so we exit as soon as we encounter NULL
this also avoids multiple reads from memory, though
a compiler would optimise that anyway
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
we repeat these stteps later, but it's still good
to be exact here. these lower functions can
change.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
