libelf: introduce macros for memory access and pointer handling

We introduce a collection of macros which abstract away all the
pointer arithmetic and dereferences used for accessing the input ELF
and the output area(s).  We use the new macros everywhere.

For now, these macros are semantically identical to the code they
replace, so this patch has no functional change.

elf_is_elfbinary is an exception: since it doesn't take an elf*, we
need to handle it differently.  In a future patch we will change it to
take, and check, a length parameter.  For now we just mark it with a
fixme.

Nontrivial differences in the 4.1 backport:
 * We need to provide our own elf_uintptr_t since Xen doesn't.
 * We see some additional differences in our verification diff.
 * The "function-filter" needs to massage additional symbol names.
Conflicts:
 * In xc_dom_load_elf_symtab the old code used
     *(Elf64_Word*)(&shdr->e64.sh_name) and the new Elf32_Word
   but in fact the type in the struct has changed too so the
   new code using elf_store_field is still correct.
 * loadelfimage, elf_load_image etc. don't exist and are done
   directly with memcpy/memset; patch adjusted appropriately.
 * elf_note_numeric_array doesn't exist in 4.1.

That this patch has no functional change can be verified as follows:

  0. Copy the scripts "comparison-generate" and "function-filter"
     out of this commit message.
  1. Check out the tree before this patch.
  2. Run the script ../comparison-generate .... ../before
  3. Check out the tree after this patch.
  4. Run the script ../comparison-generate .... ../after
  5. diff --exclude=\*.[soi] -ruN before/ after/ |less

Expect these differences:
  * stubdom/zlib-x86_64/ztest*.s2
      The filename of this test file apparently contains the pid.
  * stubdom/grub/kexec.s2:
      Large differences following ".section .debug_info" (which
      the 4.1 build system erroneously fails to suppress).
  * tools/libxc/xc_domain_restore.s2 (64-bit build):
      One trivial code gen difference with no semantic import.
  * xen/common/version.s2
      The xen build timestamp appears in two diff hunks.

Verification that this is all that's needed:
  In a completely built xen.git,
     find * -name .*.d -type f | xargs grep -l libelf\.h
  Expect results in:
     xen/arch/x86:            Checked above.
     tools/libxc:             Checked above.
     tools/xcutils/readnotes: Checked above.
     tools/xenstore:          Checked above.
     xen/common/libelf:
       This is the build for the hypervisor; checked in B above.
     stubdom:
       We have one stubdom which reads ELFs using our libelf,
       pvgrub, which is checked above.

I have not done this verification for ARM.

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

-8<- comparison-generate -8<-
 #!/bin/bash
 # usage:
 #  cd xen.git
 #  .../comparison-generate OUR-CONFIG BUILD-RUNE-PREFIX ../before|../after
 # eg:
 #  .../comparison-generate ~/work/.config 'schroot -pc64 --' ../before
 set -ex

 test $# = 3 || need-exactly-three-arguments

 our_config=$1
 build_rune_prefix=$2
 result_dir=$3

 git clean -x -d -f

 cp "$our_config" .

 cat <<END >>.config
         debug_symbols=n
         CFLAGS += -save-temps
 END

 perl -i~ -pe 's/ -g / -g0 / if m/^CFLAGS/' xen/Rules.mk

 if [ -f ./configure ]; then
         $build_rune_prefix ./configure
 fi

 $build_rune_prefix make -C xen
 $build_rune_prefix make -C tools/include
 $build_rune_prefix make -C stubdom grub
 $build_rune_prefix make -C tools/libxc
 $build_rune_prefix make -C tools/xenstore
 $build_rune_prefix make -C tools/xcutils

 rm -rf "$result_dir"
 mkdir "$result_dir"

 set +x
 for f in `find xen tools stubdom -name \*.[soi]`; do
         mkdir -p "$result_dir"/`dirname $f`
         cp $f "$result_dir"/${f}
         case $f in
         *.s)
                 ../function-filter <$f >"$result_dir"/${f}2
                 ;;
         esac
 done

 echo ok.
-8<-

-8<- function-filter -8<-
 #!/usr/bin/perl -w
 # function-filter
 # script for massaging gcc-generated labels to be consistent
 use strict;
 our @lines;
 my $sedderybody = "sub seddery () {\n";
 while (<>) {
     push @lines, $_;
     if (m/^(__FUNCTION__|__func__|_ctx|note_desc|types|last_order|memflags|mutex|d\d_cpu_last|write_count|wall_last|__PRETTY_FUNCTION__)\.(\d+)\:/ ||
         m/^\s+\.local\s+(_ctx|write_count|d\d_cpu_last|wall_last|mutex)\.(\d+)\s*$/) {
         $sedderybody .= "    s/\\b$1\\.$2\\b/__XSA55MANGLED__$1.$./g;\n";
     }
 }
 $sedderybody .= "}\n1;\n";
 eval $sedderybody or die $@;
 foreach (@lines) {
     seddery();
     print or die $!;
 }
-8<-

2 files changed, 28 insertions, 28 deletions

diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
index 0fc35e3448..0fd8c42326 100644
--- a/tools/libxc/xc_dom_elfloader.c
+++ b/tools/libxc/xc_dom_elfloader.c
@@ -115,9 +115,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
                                   struct elf_binary *elf, int load)
 {
     struct elf_binary syms;
-    const elf_shdr *shdr, *shdr2;
+    ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
     xen_vaddr_t symtab, maxaddr;
-    char *hdr;
+    ELF_PTRVAL_CHAR hdr;
     size_t size;
     int h, count, type, i, tables = 0;
 
@@ -147,11 +147,11 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
         dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
     }
 
-    memcpy(hdr + sizeof(int),
-           elf->image,
+    elf_memcpy_safe(elf, hdr + sizeof(int),
+           ELF_IMAGE_BASE(elf),
            elf_size(elf, elf->ehdr));
-    memcpy(hdr + sizeof(int) + elf_size(elf, elf->ehdr),
-           elf->image + elf_uval(elf, elf->ehdr, e_shoff),
+    elf_memcpy_safe(elf, hdr + sizeof(int) + elf_size(elf, elf->ehdr),
+           ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
            elf_shdr_count(elf) * elf_size(elf, shdr));
     if ( elf_64bit(elf) )
     {
@@ -189,7 +189,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
     count = elf_shdr_count(&syms);
     for ( h = 0; h < count; h++ )
     {
-        shdr = elf_shdr_by_index(&syms, h);
+        shdr = ELF_OBSOLETE_VOIDP_CAST elf_shdr_by_index(&syms, h);
         type = elf_uval(&syms, shdr, sh_type);
         if ( type == SHT_STRTAB )
         {
@@ -205,9 +205,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
             if ( i == count )
             {
                 if ( elf_64bit(&syms) )
-                    *(Elf64_Off*)(&shdr->e64.sh_offset) = 0;
+                    elf_store_field(elf, shdr, e64.sh_offset, 0);
                 else
-                    *(Elf32_Off*)(&shdr->e32.sh_offset) = 0;
+                    elf_store_field(elf, shdr, e32.sh_offset, 0);
                 continue;
             }
         }
@@ -216,9 +216,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
         {
             /* Mangled to be based on ELF header location. */
             if ( elf_64bit(&syms) )
-                *(Elf64_Off*)(&shdr->e64.sh_offset) = maxaddr - symtab;
+                elf_store_field(elf, shdr, e64.sh_offset, maxaddr - symtab);
             else
-                *(Elf32_Off*)(&shdr->e32.sh_offset) = maxaddr - symtab;
+                elf_store_field(elf, shdr, e32.sh_offset, maxaddr - symtab);
             size = elf_uval(&syms, shdr, sh_size);
             maxaddr = elf_round_up(&syms, maxaddr + size);
             tables++;
@@ -230,7 +230,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
             if ( load )
             {
                 shdr2 = elf_shdr_by_index(elf, h);
-                memcpy((void*)elf_section_start(&syms, shdr),
+                elf_memcpy_safe(elf, ELF_OBSOLETE_VOIDP_CAST elf_section_start(&syms, shdr),
                        elf_section_start(elf, shdr2),
                        size);
             }
@@ -238,9 +238,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
 
         /* Name is NULL. */
         if ( elf_64bit(&syms) )
-            *(Elf64_Half*)(&shdr->e64.sh_name) = 0;
+            elf_store_field(elf, shdr, e64.sh_name, 0);
         else
-            *(Elf32_Word*)(&shdr->e32.sh_name) = 0;
+            elf_store_field(elf, shdr, e32.sh_name, 0);
     }
 
     if ( tables == 0 )
@@ -275,7 +275,7 @@ static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
     }
 
     /* Find the section-header strings table. */
-    if ( elf->sec_strtab == NULL )
+    if ( ELF_PTRVAL_INVALID(elf->sec_strtab) )
     {
         xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: ELF image"
                      " has no shstrtab", __FUNCTION__);
diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
index 26376854b2..15e5514a12 100644
--- a/tools/xcutils/readnotes.c
+++ b/tools/xcutils/readnotes.c
@@ -19,13 +19,13 @@
 static xc_interface *xch;
 
 static void print_string_note(const char *prefix, struct elf_binary *elf,
-			      const elf_note *note)
+			      ELF_HANDLE_DECL(elf_note) note)
 {
 	printf("%s: %s\n", prefix, (char*)elf_note_desc(elf, note));
 }
 
 static void print_numeric_note(const char *prefix, struct elf_binary *elf,
-			       const elf_note *note)
+			       ELF_HANDLE_DECL(elf_note) note)
 {
 	uint64_t value = elf_note_numeric(elf, note);
 	int descsz = elf_uval(elf, note, descsz);
@@ -56,12 +56,12 @@ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
 
 }
 
-static int print_notes(struct elf_binary *elf, const elf_note *start, const elf_note *end)
+static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start, ELF_HANDLE_DECL(elf_note) end)
 {
-	const elf_note *note;
+	ELF_HANDLE_DECL(elf_note) note;
 	int notes_found = 0;
 
-	for ( note = start; note < end; note = elf_note_next(elf, note) )
+	for ( note = start; ELF_HANDLE_PTRVAL(note) < ELF_HANDLE_PTRVAL(end); note = elf_note_next(elf, note) )
 	{
 		if (0 != strcmp(elf_note_name(elf, note), "Xen"))
 			continue;
@@ -128,7 +128,7 @@ int main(int argc, char **argv)
 	void *image,*tmp;
 	struct stat st;
 	struct elf_binary elf;
-	const elf_shdr *shdr;
+	ELF_HANDLE_DECL(elf_shdr) shdr;
 	int notes_found = 0;
 
 	if (argc != 2)
@@ -180,7 +180,7 @@ int main(int argc, char **argv)
 	count = elf_phdr_count(&elf);
 	for ( h=0; h < count; h++)
 	{
-		const elf_phdr *phdr;
+		ELF_HANDLE_DECL(elf_phdr) phdr;
 		phdr = elf_phdr_by_index(&elf, h);
 		if (elf_uval(&elf, phdr, p_type) != PT_NOTE)
 			continue;
@@ -192,8 +192,8 @@ int main(int argc, char **argv)
 			continue;
 
 		notes_found = print_notes(&elf,
-					  elf_segment_start(&elf, phdr),
-					  elf_segment_end(&elf, phdr));
+					  ELF_MAKE_HANDLE(elf_note, elf_segment_start(&elf, phdr)),
+					  ELF_MAKE_HANDLE(elf_note, elf_segment_end(&elf, phdr)));
 	}
 
 	if ( notes_found == 0 )
@@ -201,13 +201,13 @@ int main(int argc, char **argv)
 		count = elf_shdr_count(&elf);
 		for ( h=0; h < count; h++)
 		{
-			const elf_shdr *shdr;
+			ELF_HANDLE_DECL(elf_shdr) shdr;
 			shdr = elf_shdr_by_index(&elf, h);
 			if (elf_uval(&elf, shdr, sh_type) != SHT_NOTE)
 				continue;
 			notes_found = print_notes(&elf,
-						  elf_section_start(&elf, shdr),
-						  elf_section_end(&elf, shdr));
+						  ELF_MAKE_HANDLE(elf_note, elf_section_start(&elf, shdr)),
+						  ELF_MAKE_HANDLE(elf_note, elf_section_end(&elf, shdr)));
 			if ( notes_found )
 				fprintf(stderr, "using notes from SHT_NOTE section\n");
 
@@ -215,7 +215,7 @@ int main(int argc, char **argv)
 	}
 
 	shdr = elf_shdr_by_name(&elf, "__xen_guest");
-	if (shdr)
+	if (ELF_HANDLE_VALID(shdr))
 		printf("__xen_guest: %s\n", (char*)elf_section_start(&elf, shdr));
 
 	return 0;