| Age | Commit message | Author |

we repeat these steps later, but it's still good
to be exact here. these lower functions can
change.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

we currently reset just fine, but a partial success
where the previous offset is not the same as the
original should also be considered failure.
this patch therefore makes the return much stricter,
making the code return an error if this occurs,
which in nvmutil would then cause a program exit.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

accidentally removed this in a rebase
Signed-off-by: Leah Rowe <leah@libreboot.org>

otherwise, gbe.bin locking won't work!
Signed-off-by: Leah Rowe <leah@libreboot.org>

i don't like it grouped together. do it
all separate, for clarity.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

unified arg check for prw and rw_file_exact
Signed-off-by: Leah Rowe <leah@libreboot.org>

we check them in prw, but we used to rely
on prw because we called that first. no more.
it's correct to also check them here anyway,
in case i ever call another function here.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

avoid pointer-range overflow arithmetic. this
patch doesn't change behaviour, but makes an
overflow impossible.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

don't do it inside functions. some compilers may
be inconsistent, ditto several auditing tools.
Signed-off-by: Leah Rowe <leah@libreboot.org>

off is signed, so converting that to unsigned
is better than converting rc (unsigned)
to signed. i had the right idea, but got
it wrong in the earlier version. this
should fix potential overflow issues.
Signed-off-by: Leah Rowe <leah@libreboot.org>

otherwise, it could still overflow
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

some unused variables if enabled. hide them.
Signed-off-by: Leah Rowe <leah@libreboot.org>

our fallback pwrite/pread behaviour still does not
properly replicate the safety of real pwrite/pread.
i intend to put this i/o code into a library for use
in other programs; nvmutil is single-threaded so
this change is largely redundant (but can't hurt).
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

remove ptr casts to ulong. size_t is better.
Signed-off-by: Leah Rowe <leah@libreboot.org>

despite my cast, size_t is better for mem index
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

we don't need it anymore.
Signed-off-by: Leah Rowe <leah@libreboot.org>

rw_file_once was doing what rw_file_exact should be
doing.
_once does what it says: once.
we were passing an offset (rc) to it that it was not
meaningfully using.
this makes the code now more robust, especially if
we later swap out or break _once - then we don't
get weird behaviour (if there is a regression).
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

we already check not-zero in the next if
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

we assert now that ulong is the size of a pointer,
therefore we know that it can fit a pointer reliably.
this code is written for c90 spec so lacks uintptr
Signed-off-by: Leah Rowe <leah@libreboot.org>

technically we're never supposed to do arithmetic on
pointers (there's uintptr for that)
very anal fix
Signed-off-by: Leah Rowe <leah@libreboot.org>

not available on older systems. can just pass
the relevant flag in the compiler:
HAVE_ARC4RANDOM_BUF=0 at build time if you need
the fallback.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

i already also guard other toctou attacks :)
Signed-off-by: Leah Rowe <leah@libreboot.org>

if someone deletes gbe.bin while operating, nvmutil
will now abort
Signed-off-by: Leah Rowe <leah@libreboot.org>

too over-engineered and cumbersome.
the new security in prw() makes it brittle,
and i'd rather not move checks outside of it.
the fallback rand is random enough.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

slow, per call. prw should be generic.
do it just for gbe files, once
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>