From a80c1890118ee07334fedc6567e6e229bf747970 Mon Sep 17 00:00:00 2001
From: Leah Rowe
Date: Sat, 14 Mar 2026 18:21:44 +0000
Subject: util/nvmutil: guard file replacement attacks
i already also guard other toctuo attacks :)
Signed-off-by: Leah Rowe
---
 util/nvmutil/nvmutil.c | 10 ++++++++++
 1 file changed, 10 insertions(+) (limited to 'util/nvmutil')
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 3a6128f9..ed5eef08 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -652,6 +652,9 @@ static int rw_check_bad_part[] = {0, 0};
 static int post_rw_checksum[] = {0, 0};
+static dev_t gbe_dev;
+static ino_t gbe_ino;
+
 int
 main(int argc, char *argv[])
 {
@@ -930,6 +933,10 @@ open_gbe_file(void)
 xopen(&gbe_fd, fname, command[cmd_index].flags | O_BINARY | O_NOFOLLOW, &gbe_st);
+ /* inode will be checked later on write */
+ gbe_dev = gbe_st.st_dev;
+ gbe_ino = gbe_st.st_ino;
+
 if (gbe_st.st_nlink == 0)
 err(EIO, "%s: file unlinked while open", fname);
@@ -1411,6 +1418,9 @@ write_gbe_file(void)
 if (fstat(gbe_fd, &gbe_st) == -1)
 err(errno, "%s: re-check", fname);
+ if (gbe_st.st_dev != gbe_dev || gbe_st.st_ino != gbe_ino)
+ err(EIO, "%s: file replaced while open", fname);
+
 if (gbe_st.st_size != gbe_file_size)
 err(errno, "%s: file size changed before write", fname);
-- 
cgit v1.2.1
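Review bot: The two file-scope variables added after `post_rw_checksum` in the first hunk have no comment, so their role is only discoverable by reading open_gbe_file and write_gbe_file. A one-line comment such as `/* device and inode of the GbE file, recorded at open and compared before write */` would document that the pair identifies one file and is only meaningful after open_gbe_file has run.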
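Review bot: The comparison added to write_gbe_file in the third hunk takes both sides from the same descriptor, so it is unlikely ever to fail. `gbe_dev`/`gbe_ino` are copied from `gbe_st` in open_gbe_file and the re-check uses `fstat(gbe_fd, &gbe_st)`, which describes the inode `gbe_fd` already refers to even after `fname` is renamed over or recreated; xopen is outside the hunk, so this assumes it fills `gbe_st` with fstat on the new descriptor. If the intent is to detect that the path now names a different file, the check needs a path-based lookup, e.g. `if (lstat(fname, &path_st) == -1) err(errno, "%s: re-check path", fname);` followed by comparing `path_st.st_dev` and `path_st.st_ino` with the saved pair. That narrows the window but is still a check followed by a use, and the write itself always goes through `gbe_fd` to the originally opened inode, so the comment in open_gbe_file should state which of the two properties is being guarded. Both functions continue outside their hunks.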