From 7fb0b2f69293f0fb0e83e9b125fbd658503147f0 Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Sun, 29 Mar 2026 22:15:27 +0100
Subject: libreboot-utils: safe memcmp

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 util/libreboot-utils/lib/io.c      |  4 ++--
 util/libreboot-utils/lib/mkhtemp.c |  2 +-
 util/libreboot-utils/lib/string.c  | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 3 deletions(-)

(limited to 'util/libreboot-utils/lib')

diff --git a/util/libreboot-utils/lib/io.c b/util/libreboot-utils/lib/io.c
index eac6073e..4938cdc8 100644
--- a/util/libreboot-utils/lib/io.c
+++ b/util/libreboot-utils/lib/io.c
@@ -143,7 +143,7 @@ read_file(void)
 	if (_r < 0)
 		err_exit(errno, "%s: read failed (cmp)", f->tname);
 
-	if (memcmp(f->buf, f->bufcmp, f->gbe_file_size) != 0)
+	if (vcmp(f->buf, f->bufcmp, f->gbe_file_size) != 0)
 		err_exit(errno, "%s: %s: read contents differ (pre-test)",
 		    f->fname, f->tname);
 }
@@ -329,7 +329,7 @@ check_written_part(size_t p)
 		f->rw_check_err_read[p] = f->io_err_gbe = 1;
 	else if ((size_t)rval != gbe_rw_size)
 		f->rw_check_partial_read[p] = f->io_err_gbe = 1;
-	else if (memcmp(mem_offset, f->pad, gbe_rw_size) != 0)
+	else if (vcmp(mem_offset, f->pad, gbe_rw_size) != 0)
 		f->rw_check_bad_part[p] = f->io_err_gbe = 1;
 
 	if (f->rw_check_err_read[p] ||
diff --git a/util/libreboot-utils/lib/mkhtemp.c b/util/libreboot-utils/lib/mkhtemp.c
index bba8a7ca..2ef26d67 100644
--- a/util/libreboot-utils/lib/mkhtemp.c
+++ b/util/libreboot-utils/lib/mkhtemp.c
@@ -567,7 +567,7 @@ mkhtemp(int *fd,
 	    if_err(fname_len > template_len, EOVERFLOW))
 		return -1;
 
-	if (if_err(memcmp(fname, template + template_len - fname_len,
+	if (if_err(vcmp(fname, template + template_len - fname_len,
 	      fname_len) != 0, EINVAL))
 		return -1;
 
diff --git a/util/libreboot-utils/lib/string.c b/util/libreboot-utils/lib/string.c
index 39b31cb0..49c23663 100644
--- a/util/libreboot-utils/lib/string.c
+++ b/util/libreboot-utils/lib/string.c
@@ -292,6 +292,39 @@ err:
 	return -1;
 }
 
+/* because no libc reimagination is complete
+ * without a reimplementation of memcmp. and
+ * no safe one is complete without null checks.
+ */
+int
+vcmp(const void *s1, const void *s2, size_t n)
+{
+	size_t i = 0;
+	size_t a;
+	size_t b;
+
+	if (if_err(s1 == NULL || s2 == NULL, EFAULT))
+		err_exit(EFAULT, "vcmp: null input");
+
+	const unsigned char *x = s1;
+	const unsigned char *y = s2;
+
+	for ( ; i + sizeof(size_t) <= n; i += sizeof(size_t)) {
+
+		memcpy(&a, x + i, sizeof(size_t));
+		memcpy(&b, y + i, sizeof(size_t));
+
+		if (a != b)
+			break;
+	}
+
+	for ( ; i < n; i++)
+		if (x[i] != y[i])
+			return (int)x[i] - (int)y[i];
+
+	return 0;
+}
+
 /* on functions that return with errno,
  * i sometimes have a default fallback,
  * which is set if errno wasn't changed,
-- 
cgit v1.2.1