| Age | Commit message | Author |
|
remove close_warn and close_no_err
make close_on_eintr a void, and abort
on error instead of returning -1.
a failed file closure is a world-ending
event. burn accordingly.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
on error state, i was resetting errno
unconditionally, which would then mask
the real error.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i now use a singleton hook function per program:
nvmutil, mkhtemp and lottery
call this at the startup of your program:
(void) errhook(exit_cleanup);
then provide that function. make it static,
so that each program has its own version.
if you're writing a program that handles lots
of files for example, and you want to do certain
cleanup on exit (including error exit), this can
be quite useful.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i no longer care about openbsd 5.9. we assume unveil
is available, as has been the case for the past 12
years.
i use wrappers for unveil and pledge, which means that
i call them on every os. on OSes that don't have these,
i just return. it's somewhat inelegant, but also means
that i see errors more easily, e.g. misnamed variables
inside previous ifdef OpenBSD blocks.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
yes, a common thing in C programs is one or all
of the following:
* use after frees
* double free (on non-NULL pointer)
* over-writing currently used pointer (mem leak)
i try to reduce the chance of this in my software,
by running free() through a filter function,
free_if_not_null, that returns if a function
is being freed twice - because it sets NULL
after freeing, but will only free if it's not
null already.
this patch adds two functions: smalloc and vmalloc,
for strings and voids. using these makes the program
abort if:
* non-null pointer given for initialisation
* pointer to pointer is null (of course)
* size of zero given, for malloc (zero bytes)
i myself was caught out by this change, prompting
me to make the following fix in fs_dirname_basename()
inside lib/file.c:
- char *buf;
+ char *buf = NULL;
Yes.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
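The errhook pattern and the smalloc/vmalloc/free_if_not_null filters described in the two commits above, as an added example in C. This is not libreboot-utils code: the function names follow the commit messages, but the bodies are a reconstruction, and `die()` and `alloc_check()` are my own helpers.

```c
/* Added example (not libreboot-utils code): a per-program cleanup hook plus
 * allocation/free wrappers that refuse the classic C misuses named in the
 * commits: double free, overwriting a live pointer, zero-byte malloc. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static void (*cleanup_hook)(void) = NULL;

/* Called once at program startup: (void) errhook(exit_cleanup); */
void errhook(void (*fn)(void)) { cleanup_hook = fn; }

/* Fatal path: run the program's cleanup (if registered), then abort. */
static void die(const char *why)
{
    fprintf(stderr, "fatal: %s\n", why);
    if (cleanup_hook != NULL) cleanup_hook();
    abort();
}

/* 0 if sane; 1 = NULL pointer-to-pointer, 2 = *pp already set, 3 = n == 0 */
int alloc_check(void **pp, size_t n)
{
    if (pp == NULL) return 1;
    if (*pp != NULL) return 2;  /* would leak or alias live memory */
    if (n == 0) return 3;
    return 0;
}

/* Allocate n bytes into *pp, which the caller must have set to NULL. */
void vmalloc(void **pp, size_t n)
{
    if (alloc_check(pp, n) != 0) die("bad vmalloc request");
    if ((*pp = malloc(n)) == NULL) die("malloc");
}

/* String variant: room for n characters plus the NUL, zero-filled. */
void smalloc(char **sp, size_t n)
{
    void *p = NULL;
    if (sp == NULL || *sp != NULL || n == SIZE_MAX) die("bad smalloc request");
    vmalloc(&p, n + 1);
    *sp = memset(p, 0, n + 1);
}

/* Free only if non-NULL, then clear the pointer; returns 1 if it freed. */
int free_if_not_null(void **pp)
{
    if (pp == NULL || *pp == NULL) return 0;
    free(*pp); *pp = NULL;
    return 1;
}
```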
|
clamp rand to eliminate modulo sampling; high
values on the randomisation will bias the result.
not really critical for mac addresses, but there's
no reason not to have this. this patch reduces
the chance that two libreboot users will generate
the same mac addresses!
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i had a bunch of hacks in here because i was
previously using very buggy rand. now it's ok.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
should be null on bad return
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
and the modulo bias handling is fully correct
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
extremely theoretical, with a T. T for theoretical.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
not really a thing. bufsiz would never be zero,
unless the demon takes over linux
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
concatenate an arbitrary number of strings,
pointed to by char **
i'll use this and the next function, dcatn,
in an upcoming feature planned for mkhtemp.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
to test the effectiveness of the rand function
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
similar to the logic about other failure states
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
make it more efficient. much lower rejection
rate now, about 2-5%. deal with bias, but also
get numbers in bulk. not too many.
i'd say this is about right in terms of performance
balance. 64 bytes == 8 large integers.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
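The two rand commits above (clamping to remove modulo bias, and fetching 64 bytes, i.e. 8 large integers, per refill) as one added example in C. This is the standard rejection-sampling technique rather than the project's exact scheme, so the rejection rate differs from the 2-5% quoted; `rand_fill()` is a constructed deterministic stand-in for getrandom/arc4random_buf so the block runs offline, and all names are my own.

```c
/* Added example (not libreboot-utils code): rejection sampling to remove
 * modulo bias, drawing 64-bit values in batches of 8 (64 bytes) from a
 * fill function. rand_fill() is a constructed deterministic stand-in for
 * getrandom/arc4random_buf so the block runs offline; names are my own. */
#include <stdint.h>
#define BATCH 8 /* 64 bytes == 8 uint64_t per refill */

/* Constructed stand-in for the CSPRNG: splitmix64 over a counter. */
static uint64_t state = 0x9E3779B97F4A7C15ULL;
static void rand_fill(uint64_t *out, int count)
{
    while (count-- > 0) {
        uint64_t z = (state += 0x9E3779B97F4A7C15ULL);
        z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
        *out++ = z ^ (z >> 31);
    }
}

/* One raw 64-bit value from the pool, refilling in bulk when it runs dry. */
static uint64_t rlong(void)
{
    static uint64_t pool[BATCH];
    static int left = 0;
    if (left == 0) { rand_fill(pool, BATCH); left = BATCH; }
    return pool[--left];
}

/* Smallest raw value that keeps r % bound unbiased: raw values below
 * 2^64 mod bound fall in the incomplete last bucket and must be rejected. */
uint64_t uniform_min(uint64_t bound)
{
    return bound ? (0 - bound) % bound : 0; /* 2^64 mod bound in 64 bits */
}

/* Uniform integer in [0, bound). A bound below 2 has only one answer. */
uint64_t rlong_uniform(uint64_t bound)
{
    uint64_t min, r;
    if (bound < 2) return 0;
    min = uniform_min(bound);
    do { r = rlong(); } while (r < min); /* clamp: reject and redraw */
    return r % bound;
}

/* Self-check: draw n values and confirm every one is below bound. */
int all_below(uint64_t bound, int n)
{
    while (n-- > 0)
        if (rlong_uniform(bound) >= bound) return 0;
    return 1;
}
```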
|
now you can send an arbitrary number of bytes
with random numbers
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
also re-add /dev/urandom support, as a config option
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
build-time option. do not allow fallback; on
a system where getrandom is used, it should
be used exclusively.
on some systems, getrandom may not be available,
even if they have a newer kernel.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This will also be used in lbmk itself at some point,
which currently just uses regular mktemp, for tmpdir
handling during the build process.
Renamed util/nvmutil to util/libreboot-utils, which
now contains two tools. The new tool, mkhtemp, is a
hardened implementation of mktemp, which nvmutil
also uses now. Still experimental, but good enough
for nvmutil.
Mkhtemp attempts to provide TOCTOU resistance on
Linux, by using modern features in Linux such as
Openat2 (syscall) with O_EXCL and O_TMPFILE,
and many various security checks e.g.
inode/dev during creation. Checks are done constantly,
to try to detect race conditions. The code is very
strict about things like sticky bits in world writeable
directories, also ownership (it can be made to bar even
root access on files and directories it doesn't own).
It's a security-first implementation of mktemp, likely
even more secure than the OpenBSD mkstemp, but more
auditing and testing is needed - more features are
also planned, including a compatibility mode to make
it also work like traditional mktemp/mkstemp. The
intention, once this becomes stable, is that it will
become a modern drop-in replacement for mkstemp on
Linux and BSD systems.
Some legacy code has been removed, and in general
cleaned up. I wrote mkhtemp for nvmutil, as part of
its atomic write behaviour, but mktemp was the last
remaining liability, so I rewrote that too!
Docs/manpage/website will be made for mkhtemp once
the code is mature.
Other changes have also been made. This is from another
experimental branch of Libreboot, that I'm pushing
early. For example, nvmutil's state machine has been
tidied up, moving more logic back into main.
Mktemp is historically prone to race conditions,
e.g. symlink attacks, directory replacement, remounting
during operation, all sorts of things. Mkhtemp has
been written to solve, or otherwise mitigate, that
problem. Mkhtemp is currently experimental and will
require a major cleanup at some point, but it
already works well enough, and you can in fact use
it; at this time, the -d, -p and -q flags are
supported, and you can add a custom template at
the end, e.g.
mkhtemp -p test -d
Eventually, I will make this have complete parity
with the GNU and BSD implementations, so that it is
fully usable on existing setups, while optionally
providing the hardening as well.
A lot of code has also been tidied up. I didn't
track the changes I made with this one, because
it was a major re-write of nvmutil; it is now
libreboot-utils, and I will continue to write
more programs in here over time. It's basically
now a bunch of hardened wrappers around various
libc functions, e.g. there is also a secure I/O
wrapper for read/write.
There is a custom randomisation function, rlong,
which simply uses arc4random or getrandom, on
BSD and Linux respectively. Efforts are made to
make it as reliable as possible, to the extent
that it never returns with failure; in the unlikely
event that it fails, it aborts. It also sleeps
between failure, to mitigate certain DoS attacks.
You can just go in util/libreboot-utils and
type make, then you will have the nvmutil and
mkhtemp binaries, which you can just use. It
all works. Everything was massively rewritten.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|