libelf: introduce macros for memory access and pointer handling

We introduce a collection of macros which abstract away all the
pointer arithmetic and dereferences used for accessing the input ELF
and the output area(s).  We use the new macros everywhere.

For now, these macros are semantically identical to the code they
replace, so this patch has no functional change.

elf_is_elfbinary is an exception: since it doesn't take an elf*, we
need to handle it differently.  In a future patch we will change it to
take, and check, a length parameter.  For now we just mark it with a
fixme.

That this patch has no functional change can be verified as follows:

  0. Copy the scripts "comparison-generate" and "function-filter"
     out of this commit message.
  1. Check out the tree before this patch.
  2. Run the script ../comparison-generate .... ../before
  3. Check out the tree after this patch.
  4. Run the script ../comparison-generate .... ../after
  5. diff --exclude=\*.[soi] -ruN before/ after/ |less

Expect these differences:
  * stubdom/zlib-x86_64/ztest*.s2
      The filename of this test file apparently contains the pid.
  * xen/common/version.s2
      The xen build timestamp appears in two diff hunks.

Verification that this is all that's needed:
  In a completely built xen.git,
     find * -name .*.d -type f | xargs grep -l libelf\.h
  Expect results in:
     xen/arch/x86:            Checked above.
     tools/libxc:             Checked above.
     tools/xcutils/readnotes: Checked above.
     tools/xenstore:          Checked above.
     xen/common/libelf:
       This is the build for the hypervisor; checked in B above.
     stubdom:
       We have one stubdom which reads ELFs using our libelf,
       pvgrub, which is checked above.

I have not done this verification for ARM.

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

-8<- comparison-generate -8<-
 #!/bin/bash
 # usage:
 #  cd xen.git
 #  .../comparison-generate OUR-CONFIG BUILD-RUNE-PREFIX ../before|../after
 # eg:
 #  .../comparison-generate ~/work/.config 'schroot -pc64 --' ../before
 set -ex

 test $# = 3 || need-exactly-three-arguments

 our_config=$1
 build_rune_prefix=$2
 result_dir=$3

 git clean -x -d -f

 cp "$our_config" .

 cat <<END >>.config
         debug_symbols=n
         CFLAGS += -save-temps
 END

 perl -i~ -pe 's/ -g / -g0 / if m/^CFLAGS/' xen/Rules.mk

 if [ -f ./configure ]; then
         $build_rune_prefix ./configure
 fi

 $build_rune_prefix make -C xen
 $build_rune_prefix make -C tools/include
 $build_rune_prefix make -C stubdom grub
 $build_rune_prefix make -C tools/libxc
 $build_rune_prefix make -C tools/xenstore
 $build_rune_prefix make -C tools/xcutils

 rm -rf "$result_dir"
 mkdir "$result_dir"

 set +x
 for f in `find xen tools stubdom -name \*.[soi]`; do
         mkdir -p "$result_dir"/`dirname $f`
         cp $f "$result_dir"/${f}
         case $f in
         *.s)
                 ../function-filter <$f >"$result_dir"/${f}2
                 ;;
         esac
 done

 echo ok.
-8<-

-8<- function-filter -8<-
 #!/usr/bin/perl -w
 # function-filter
 # script for massaging gcc-generated labels to be consistent
 use strict;
 our @lines;
 my $sedderybody = "sub seddery () {\n";
 while (<>) {
     push @lines, $_;
     if (m/^(__FUNCTION__|__func__)\.(\d+)\:/) {
         $sedderybody .= "    s/\\b$1\\.$2\\b/__XSA55MANGLED__$1.$./g;\n";
     }
 }
 $sedderybody .= "}\n1;\n";
 eval $sedderybody or die $@;
 foreach (@lines) {
     seddery();
     print or die $!;
 }
-8<-

3 files changed, 29 insertions, 29 deletions

diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
index e82f6e9593..cc0f206011 100644
--- a/tools/libxc/xc_dom_elfloader.c
+++ b/tools/libxc/xc_dom_elfloader.c
@@ -115,9 +115,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
                                   struct elf_binary *elf, int load)
 {
     struct elf_binary syms;
-    const elf_shdr *shdr, *shdr2;
+    ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
     xen_vaddr_t symtab, maxaddr;
-    char *hdr;
+    ELF_PTRVAL_CHAR hdr;
     size_t size;
     int h, count, type, i, tables = 0;
 
@@ -147,11 +147,11 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
         dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
     }
 
-    memcpy(hdr + sizeof(int),
-           elf->image,
+    elf_memcpy_safe(elf, hdr + sizeof(int),
+           ELF_IMAGE_BASE(elf),
            elf_size(elf, elf->ehdr));
-    memcpy(hdr + sizeof(int) + elf_size(elf, elf->ehdr),
-           elf->image + elf_uval(elf, elf->ehdr, e_shoff),
+    elf_memcpy_safe(elf, hdr + sizeof(int) + elf_size(elf, elf->ehdr),
+           ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
            elf_shdr_count(elf) * elf_size(elf, shdr));
     if ( elf_64bit(elf) )
     {
@@ -189,7 +189,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
     count = elf_shdr_count(&syms);
     for ( h = 0; h < count; h++ )
     {
-        shdr = elf_shdr_by_index(&syms, h);
+        shdr = ELF_OBSOLETE_VOIDP_CAST elf_shdr_by_index(&syms, h);
         type = elf_uval(&syms, shdr, sh_type);
         if ( type == SHT_STRTAB )
         {
@@ -205,9 +205,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
             if ( i == count )
             {
                 if ( elf_64bit(&syms) )
-                    *(Elf64_Off*)(&shdr->e64.sh_offset) = 0;
+                    elf_store_field(elf, shdr, e64.sh_offset, 0);
                 else
-                    *(Elf32_Off*)(&shdr->e32.sh_offset) = 0;
+                    elf_store_field(elf, shdr, e32.sh_offset, 0);
                 continue;
             }
         }
@@ -216,9 +216,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
         {
             /* Mangled to be based on ELF header location. */
             if ( elf_64bit(&syms) )
-                *(Elf64_Off*)(&shdr->e64.sh_offset) = maxaddr - symtab;
+                elf_store_field(elf, shdr, e64.sh_offset, maxaddr - symtab);
             else
-                *(Elf32_Off*)(&shdr->e32.sh_offset) = maxaddr - symtab;
+                elf_store_field(elf, shdr, e32.sh_offset, maxaddr - symtab);
             size = elf_uval(&syms, shdr, sh_size);
             maxaddr = elf_round_up(&syms, maxaddr + size);
             tables++;
@@ -230,7 +230,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
             if ( load )
             {
                 shdr2 = elf_shdr_by_index(elf, h);
-                memcpy((void*)elf_section_start(&syms, shdr),
+                elf_memcpy_safe(elf, ELF_OBSOLETE_VOIDP_CAST elf_section_start(&syms, shdr),
                        elf_section_start(elf, shdr2),
                        size);
             }
@@ -238,9 +238,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
 
         /* Name is NULL. */
         if ( elf_64bit(&syms) )
-            *(Elf64_Word*)(&shdr->e64.sh_name) = 0;
+            elf_store_field(elf, shdr, e64.sh_name, 0);
         else
-            *(Elf32_Word*)(&shdr->e32.sh_name) = 0;
+            elf_store_field(elf, shdr, e32.sh_name, 0);
     }
 
     if ( tables == 0 )
@@ -275,7 +275,7 @@ static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
     }
 
     /* Find the section-header strings table. */
-    if ( elf->sec_strtab == NULL )
+    if ( ELF_PTRVAL_INVALID(elf->sec_strtab) )
     {
         xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: ELF image"
                      " has no shstrtab", __FUNCTION__);
diff --git a/tools/libxc/xc_hvm_build_x86.c b/tools/libxc/xc_hvm_build_x86.c
index cf5d7fb0f6..15b603de69 100644
--- a/tools/libxc/xc_hvm_build_x86.c
+++ b/tools/libxc/xc_hvm_build_x86.c
@@ -110,7 +110,7 @@ static int loadelfimage(
     if ( elf->dest == NULL )
         goto err;
 
-    elf->dest += elf->pstart & (PAGE_SIZE - 1);
+    ELF_ADVANCE_DEST(elf, elf->pstart & (PAGE_SIZE - 1));
 
     /* Load the initial elf image. */
     rc = elf_load_binary(elf);
diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
index c926186663..2af047dc2f 100644
--- a/tools/xcutils/readnotes.c
+++ b/tools/xcutils/readnotes.c
@@ -61,13 +61,13 @@ struct setup_header {
 } __attribute__((packed));
 
 static void print_string_note(const char *prefix, struct elf_binary *elf,
-			      const elf_note *note)
+			      ELF_HANDLE_DECL(elf_note) note)
 {
 	printf("%s: %s\n", prefix, (char*)elf_note_desc(elf, note));
 }
 
 static void print_numeric_note(const char *prefix, struct elf_binary *elf,
-			       const elf_note *note)
+			       ELF_HANDLE_DECL(elf_note) note)
 {
 	uint64_t value = elf_note_numeric(elf, note);
 	int descsz = elf_uval(elf, note, descsz);
@@ -98,12 +98,12 @@ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
 
 }
 
-static int print_notes(struct elf_binary *elf, const elf_note *start, const elf_note *end)
+static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start, ELF_HANDLE_DECL(elf_note) end)
 {
-	const elf_note *note;
+	ELF_HANDLE_DECL(elf_note) note;
 	int notes_found = 0;
 
-	for ( note = start; note < end; note = elf_note_next(elf, note) )
+	for ( note = start; ELF_HANDLE_PTRVAL(note) < ELF_HANDLE_PTRVAL(end); note = elf_note_next(elf, note) )
 	{
 		if (0 != strcmp(elf_note_name(elf, note), "Xen"))
 			continue;
@@ -170,7 +170,7 @@ int main(int argc, char **argv)
 	void *image,*tmp;
 	struct stat st;
 	struct elf_binary elf;
-	const elf_shdr *shdr;
+	ELF_HANDLE_DECL(elf_shdr) shdr;
 	int notes_found = 0;
 
 	struct setup_header *hdr;
@@ -257,7 +257,7 @@ int main(int argc, char **argv)
 	count = elf_phdr_count(&elf);
 	for ( h=0; h < count; h++)
 	{
-		const elf_phdr *phdr;
+		ELF_HANDLE_DECL(elf_phdr) phdr;
 		phdr = elf_phdr_by_index(&elf, h);
 		if (elf_uval(&elf, phdr, p_type) != PT_NOTE)
 			continue;
@@ -269,8 +269,8 @@ int main(int argc, char **argv)
 			continue;
 
 		notes_found = print_notes(&elf,
-					  elf_segment_start(&elf, phdr),
-					  elf_segment_end(&elf, phdr));
+					  ELF_MAKE_HANDLE(elf_note, elf_segment_start(&elf, phdr)),
+					  ELF_MAKE_HANDLE(elf_note, elf_segment_end(&elf, phdr)));
 	}
 
 	if ( notes_found == 0 )
@@ -278,13 +278,13 @@ int main(int argc, char **argv)
 		count = elf_shdr_count(&elf);
 		for ( h=0; h < count; h++)
 		{
-			const elf_shdr *shdr;
+			ELF_HANDLE_DECL(elf_shdr) shdr;
 			shdr = elf_shdr_by_index(&elf, h);
 			if (elf_uval(&elf, shdr, sh_type) != SHT_NOTE)
 				continue;
 			notes_found = print_notes(&elf,
-						  elf_section_start(&elf, shdr),
-						  elf_section_end(&elf, shdr));
+						  ELF_MAKE_HANDLE(elf_note, elf_section_start(&elf, shdr)),
+						  ELF_MAKE_HANDLE(elf_note, elf_section_end(&elf, shdr)));
 			if ( notes_found )
 				fprintf(stderr, "using notes from SHT_NOTE section\n");
 
@@ -292,7 +292,7 @@ int main(int argc, char **argv)
 	}
 
 	shdr = elf_shdr_by_name(&elf, "__xen_guest");
-	if (shdr)
+	if (ELF_HANDLE_VALID(shdr))
 		printf("__xen_guest: %s\n", (char*)elf_section_start(&elf, shdr));
 
 	return 0;