+++ /dev/null
-From 9737484becab4a25159f1e985700eaee89690d34 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:15 +0100
-Subject: [PATCH 01/23] libelf: abolish libelf-relocate.c
-
-This file is not actually used. It's not built in Xen's instance of
-libelf; in libxc's it's built but nothing in it is called. Do not
-compile it in libxc, and delete it.
-
-This reduces the amount of work we need to do in forthcoming patches
-to libelf (particularly since as libelf-relocate.c is not used it is
-probably full of bugs).
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
----
- tools/libxc/Makefile | 2 +-
- xen/common/libelf/libelf-relocate.c | 372 -----------------------------------
- 2 files changed, 1 insertions(+), 373 deletions(-)
- delete mode 100644 xen/common/libelf/libelf-relocate.c
-
-diff --git a/tools/libxc/Makefile b/tools/libxc/Makefile
-index ca38cbd..d8c6a60 100644
---- a/tools/libxc/Makefile
-+++ b/tools/libxc/Makefile
-@@ -53,7 +53,7 @@ vpath %.c ../../xen/common/libelf
- CFLAGS += -I../../xen/common/libelf
-
- GUEST_SRCS-y += libelf-tools.c libelf-loader.c
--GUEST_SRCS-y += libelf-dominfo.c libelf-relocate.c
-+GUEST_SRCS-y += libelf-dominfo.c
-
- # new domain builder
- GUEST_SRCS-y += xc_dom_core.c xc_dom_boot.c
-diff --git a/xen/common/libelf/libelf-relocate.c b/xen/common/libelf/libelf-relocate.c
-deleted file mode 100644
-index 7ef4b01..0000000
---- a/xen/common/libelf/libelf-relocate.c
-+++ /dev/null
-@@ -1,372 +0,0 @@
--/*
-- * ELF relocation code (not used by xen kernel right now).
-- *
-- * This library is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU Lesser General Public
-- * License as published by the Free Software Foundation;
-- * version 2.1 of the License.
-- *
-- * This library is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-- * Lesser General Public License for more details.
-- *
-- * You should have received a copy of the GNU Lesser General Public
-- * License along with this library; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-- */
--
--#include "libelf-private.h"
--
--/* ------------------------------------------------------------------------ */
--
--static const char *rel_names_i386[] = {
-- "R_386_NONE",
-- "R_386_32",
-- "R_386_PC32",
-- "R_386_GOT32",
-- "R_386_PLT32",
-- "R_386_COPY",
-- "R_386_GLOB_DAT",
-- "R_386_JMP_SLOT",
-- "R_386_RELATIVE",
-- "R_386_GOTOFF",
-- "R_386_GOTPC",
-- "R_386_32PLT",
-- "R_386_TLS_TPOFF",
-- "R_386_TLS_IE",
-- "R_386_TLS_GOTIE",
-- "R_386_TLS_LE",
-- "R_386_TLS_GD",
-- "R_386_TLS_LDM",
-- "R_386_16",
-- "R_386_PC16",
-- "R_386_8",
-- "R_386_PC8",
-- "R_386_TLS_GD_32",
-- "R_386_TLS_GD_PUSH",
-- "R_386_TLS_GD_CALL",
-- "R_386_TLS_GD_POP",
-- "R_386_TLS_LDM_32",
-- "R_386_TLS_LDM_PUSH",
-- "R_386_TLS_LDM_CALL",
-- "R_386_TLS_LDM_POP",
-- "R_386_TLS_LDO_32",
-- "R_386_TLS_IE_32",
-- "R_386_TLS_LE_32",
-- "R_386_TLS_DTPMOD32",
-- "R_386_TLS_DTPOFF32",
-- "R_386_TLS_TPOFF32",
--};
--
--static int elf_reloc_i386(struct elf_binary *elf, int type,
-- uint64_t addr, uint64_t value)
--{
-- void *ptr = elf_get_ptr(elf, addr);
-- uint32_t *u32;
--
-- switch ( type )
-- {
-- case 1 /* R_386_32 */ :
-- u32 = ptr;
-- *u32 += elf->reloc_offset;
-- break;
-- case 2 /* R_386_PC32 */ :
-- /* nothing */
-- break;
-- default:
-- return -1;
-- }
-- return 0;
--}
--
--/* ------------------------------------------------------------------------ */
--
--static const char *rel_names_x86_64[] = {
-- "R_X86_64_NONE",
-- "R_X86_64_64",
-- "R_X86_64_PC32",
-- "R_X86_64_GOT32",
-- "R_X86_64_PLT32",
-- "R_X86_64_COPY",
-- "R_X86_64_GLOB_DAT",
-- "R_X86_64_JUMP_SLOT",
-- "R_X86_64_RELATIVE",
-- "R_X86_64_GOTPCREL",
-- "R_X86_64_32",
-- "R_X86_64_32S",
-- "R_X86_64_16",
-- "R_X86_64_PC16",
-- "R_X86_64_8",
-- "R_X86_64_PC8",
-- "R_X86_64_DTPMOD64",
-- "R_X86_64_DTPOFF64",
-- "R_X86_64_TPOFF64",
-- "R_X86_64_TLSGD",
-- "R_X86_64_TLSLD",
-- "R_X86_64_DTPOFF32",
-- "R_X86_64_GOTTPOFF",
-- "R_X86_64_TPOFF32",
--};
--
--static int elf_reloc_x86_64(struct elf_binary *elf, int type,
-- uint64_t addr, uint64_t value)
--{
-- void *ptr = elf_get_ptr(elf, addr);
-- uint64_t *u64;
-- uint32_t *u32;
-- int32_t *s32;
--
-- switch ( type )
-- {
-- case 1 /* R_X86_64_64 */ :
-- u64 = ptr;
-- value += elf->reloc_offset;
-- *u64 = value;
-- break;
-- case 2 /* R_X86_64_PC32 */ :
-- u32 = ptr;
-- *u32 = value - addr;
-- if ( *u32 != (uint32_t)(value - addr) )
-- {
-- elf_err(elf, "R_X86_64_PC32 overflow: 0x%" PRIx32
-- " != 0x%" PRIx32 "\n",
-- *u32, (uint32_t) (value - addr));
-- return -1;
-- }
-- break;
-- case 10 /* R_X86_64_32 */ :
-- u32 = ptr;
-- value += elf->reloc_offset;
-- *u32 = value;
-- if ( *u32 != value )
-- {
-- elf_err(elf, "R_X86_64_32 overflow: 0x%" PRIx32
-- " != 0x%" PRIx64 "\n",
-- *u32, value);
-- return -1;
-- }
-- break;
-- case 11 /* R_X86_64_32S */ :
-- s32 = ptr;
-- value += elf->reloc_offset;
-- *s32 = value;
-- if ( *s32 != (int64_t) value )
-- {
-- elf_err(elf, "R_X86_64_32S overflow: 0x%" PRIx32
-- " != 0x%" PRIx64 "\n",
-- *s32, (int64_t) value);
-- return -1;
-- }
-- break;
-- default:
-- return -1;
-- }
-- return 0;
--}
--
--/* ------------------------------------------------------------------------ */
--
--static struct relocs {
-- const char **names;
-- int count;
-- int (*func) (struct elf_binary * elf, int type, uint64_t addr,
-- uint64_t value);
--} relocs[] =
--/* *INDENT-OFF* */
--{
-- [EM_386] = {
-- .names = rel_names_i386,
-- .count = sizeof(rel_names_i386) / sizeof(rel_names_i386[0]),
-- .func = elf_reloc_i386,
-- },
-- [EM_X86_64] = {
-- .names = rel_names_x86_64,
-- .count = sizeof(rel_names_x86_64) / sizeof(rel_names_x86_64[0]),
-- .func = elf_reloc_x86_64,
-- }
--};
--/* *INDENT-ON* */
--
--/* ------------------------------------------------------------------------ */
--
--static const char *rela_name(int machine, int type)
--{
-- if ( machine > sizeof(relocs) / sizeof(relocs[0]) )
-- return "unknown mach";
-- if ( !relocs[machine].names )
-- return "unknown mach";
-- if ( type > relocs[machine].count )
-- return "unknown rela";
-- return relocs[machine].names[type];
--}
--
--static int elf_reloc_section(struct elf_binary *elf,
-- const elf_shdr * rels,
-- const elf_shdr * sect, const elf_shdr * syms)
--{
-- const void *ptr, *end;
-- const elf_shdr *shdr;
-- const elf_rela *rela;
-- const elf_rel *rel;
-- const elf_sym *sym;
-- uint64_t s_type;
-- uint64_t r_offset;
-- uint64_t r_info;
-- uint64_t r_addend;
-- int r_type, r_sym;
-- size_t rsize;
-- uint64_t shndx, sbase, addr, value;
-- const char *sname;
-- int machine;
--
-- machine = elf_uval(elf, elf->ehdr, e_machine);
-- if ( (machine >= (sizeof(relocs) / sizeof(relocs[0]))) ||
-- (relocs[machine].func == NULL) )
-- {
-- elf_err(elf, "%s: can't handle machine %d\n",
-- __FUNCTION__, machine);
-- return -1;
-- }
-- if ( elf_swap(elf) )
-- {
-- elf_err(elf, "%s: non-native byte order, relocation not supported\n",
-- __FUNCTION__);
-- return -1;
-- }
--
-- s_type = elf_uval(elf, rels, sh_type);
-- rsize = (SHT_REL == s_type) ? elf_size(elf, rel) : elf_size(elf, rela);
-- ptr = elf_section_start(elf, rels);
-- end = elf_section_end(elf, rels);
--
-- for ( ; ptr < end; ptr += rsize )
-- {
-- switch ( s_type )
-- {
-- case SHT_REL:
-- rel = ptr;
-- r_offset = elf_uval(elf, rel, r_offset);
-- r_info = elf_uval(elf, rel, r_info);
-- r_addend = 0;
-- break;
-- case SHT_RELA:
-- rela = ptr;
-- r_offset = elf_uval(elf, rela, r_offset);
-- r_info = elf_uval(elf, rela, r_info);
-- r_addend = elf_uval(elf, rela, r_addend);
-- break;
-- default:
-- /* can't happen */
-- return -1;
-- }
-- if ( elf_64bit(elf) )
-- {
-- r_type = ELF64_R_TYPE(r_info);
-- r_sym = ELF64_R_SYM(r_info);
-- }
-- else
-- {
-- r_type = ELF32_R_TYPE(r_info);
-- r_sym = ELF32_R_SYM(r_info);
-- }
--
-- sym = elf_sym_by_index(elf, r_sym);
-- shndx = elf_uval(elf, sym, st_shndx);
-- switch ( shndx )
-- {
-- case SHN_UNDEF:
-- sname = "*UNDEF*";
-- sbase = 0;
-- break;
-- case SHN_COMMON:
-- elf_err(elf, "%s: invalid section: %" PRId64 "\n",
-- __FUNCTION__, shndx);
-- return -1;
-- case SHN_ABS:
-- sname = "*ABS*";
-- sbase = 0;
-- break;
-- default:
-- shdr = elf_shdr_by_index(elf, shndx);
-- if ( shdr == NULL )
-- {
-- elf_err(elf, "%s: invalid section: %" PRId64 "\n",
-- __FUNCTION__, shndx);
-- return -1;
-- }
-- sname = elf_section_name(elf, shdr);
-- sbase = elf_uval(elf, shdr, sh_addr);
-- }
--
-- addr = r_offset;
-- value = elf_uval(elf, sym, st_value);
-- value += r_addend;
--
-- if ( elf->log_callback && (elf->verbose > 1) )
-- {
-- uint64_t st_name = elf_uval(elf, sym, st_name);
-- const char *name = st_name ? elf->sym_strtab + st_name : "*NONE*";
--
-- elf_msg(elf,
-- "%s: type %s [%d], off 0x%" PRIx64 ", add 0x%" PRIx64 ","
-- " sym %s [0x%" PRIx64 "], sec %s [0x%" PRIx64 "]"
-- " -> addr 0x%" PRIx64 " value 0x%" PRIx64 "\n",
-- __FUNCTION__, rela_name(machine, r_type), r_type, r_offset,
-- r_addend, name, elf_uval(elf, sym, st_value), sname, sbase,
-- addr, value);
-- }
--
-- if ( relocs[machine].func(elf, r_type, addr, value) == -1 )
-- {
-- elf_err(elf, "%s: unknown/unsupported reloc type %s [%d]\n",
-- __FUNCTION__, rela_name(machine, r_type), r_type);
-- return -1;
-- }
-- }
-- return 0;
--}
--
--int elf_reloc(struct elf_binary *elf)
--{
-- const elf_shdr *rels, *sect, *syms;
-- uint64_t i, count, type;
--
-- count = elf_shdr_count(elf);
-- for ( i = 0; i < count; i++ )
-- {
-- rels = elf_shdr_by_index(elf, i);
-- type = elf_uval(elf, rels, sh_type);
-- if ( (type != SHT_REL) && (type != SHT_RELA) )
-- continue;
--
-- sect = elf_shdr_by_index(elf, elf_uval(elf, rels, sh_info));
-- syms = elf_shdr_by_index(elf, elf_uval(elf, rels, sh_link));
-- if ( NULL == sect || NULL == syms )
-- continue;
--
-- if ( !(elf_uval(elf, sect, sh_flags) & SHF_ALLOC) )
-- {
-- elf_msg(elf, "%s: relocations for %s, skipping\n",
-- __FUNCTION__, elf_section_name(elf, sect));
-- continue;
-- }
--
-- elf_msg(elf, "%s: relocations for %s @ 0x%" PRIx64 "\n",
-- __FUNCTION__, elf_section_name(elf, sect),
-- elf_uval(elf, sect, sh_addr));
-- if ( elf_reloc_section(elf, rels, sect, syms) != 0 )
-- return -1;
-- }
-- return 0;
--}
--
--/*
-- * Local variables:
-- * mode: C
-- * c-set-style: "BSD"
-- * c-basic-offset: 4
-- * tab-width: 4
-- * indent-tabs-mode: nil
-- * End:
-- */
---
-1.7.2.5
-
+++ /dev/null
-From a672da4b2d58ef12be9d7407160e9fb43cac75d9 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:16 +0100
-Subject: [PATCH 02/23] libxc: introduce xc_dom_seg_to_ptr_pages
-
-Provide a version of xc_dom_seg_to_ptr which returns the number of
-guest pages it has actually mapped. This is useful for callers who
-want to do range checking; we will use this later in this series.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
- tools/libxc/xc_dom.h | 19 ++++++++++++++++---
- 1 files changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
-index 6a72aa9..9af2195 100644
---- a/tools/libxc/xc_dom.h
-+++ b/tools/libxc/xc_dom.h
-@@ -278,14 +278,27 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t first,
- void xc_dom_unmap_one(struct xc_dom_image *dom, xen_pfn_t pfn);
- void xc_dom_unmap_all(struct xc_dom_image *dom);
-
--static inline void *xc_dom_seg_to_ptr(struct xc_dom_image *dom,
-- struct xc_dom_seg *seg)
-+static inline void *xc_dom_seg_to_ptr_pages(struct xc_dom_image *dom,
-+ struct xc_dom_seg *seg,
-+ xen_pfn_t *pages_out)
- {
- xen_vaddr_t segsize = seg->vend - seg->vstart;
- unsigned int page_size = XC_DOM_PAGE_SIZE(dom);
- xen_pfn_t pages = (segsize + page_size - 1) / page_size;
-+ void *retval;
-+
-+ retval = xc_dom_pfn_to_ptr(dom, seg->pfn, pages);
-+
-+ *pages_out = retval ? pages : 0;
-+ return retval;
-+}
-+
-+static inline void *xc_dom_seg_to_ptr(struct xc_dom_image *dom,
-+ struct xc_dom_seg *seg)
-+{
-+ xen_pfn_t dummy;
-
-- return xc_dom_pfn_to_ptr(dom, seg->pfn, pages);
-+ return xc_dom_seg_to_ptr_pages(dom, seg, &dummy);
- }
-
- static inline void *xc_dom_vaddr_to_ptr(struct xc_dom_image *dom,
---
-1.7.2.5
-
+++ /dev/null
-From 8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:16 +0100
-Subject: [PATCH 03/23] libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
-
-* Ensure that xc_dom_pfn_to_ptr (when called with count==0) does not
- return a previously-allocated block which is entirely before the
- requested pfn (!)
-
-* Provide a version of xc_dom_pfn_to_ptr, xc_dom_pfn_to_ptr_retcount,
- which provides the length of the mapped region via an out parameter.
-
-* Change xc_dom_vaddr_to_ptr to always provide the length of the
- mapped region and change the call site in xc_dom_binloader.c to
- check it. The call site in xc_dom_load_elf_symtab will be corrected
- in a forthcoming patch, and for now ignores the returned length.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- tools/libxc/xc_dom.h | 16 +++++++++++++---
- tools/libxc/xc_dom_binloader.c | 11 ++++++++++-
- tools/libxc/xc_dom_core.c | 13 +++++++++++++
- tools/libxc/xc_dom_elfloader.c | 3 ++-
- 4 files changed, 38 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
-index 9af2195..9f8037e 100644
---- a/tools/libxc/xc_dom.h
-+++ b/tools/libxc/xc_dom.h
-@@ -275,6 +275,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom,
-
- void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t first,
- xen_pfn_t count);
-+void *xc_dom_pfn_to_ptr_retcount(struct xc_dom_image *dom, xen_pfn_t first,
-+ xen_pfn_t count, xen_pfn_t *count_out);
- void xc_dom_unmap_one(struct xc_dom_image *dom, xen_pfn_t pfn);
- void xc_dom_unmap_all(struct xc_dom_image *dom);
-
-@@ -302,13 +304,21 @@ static inline void *xc_dom_seg_to_ptr(struct xc_dom_image *dom,
- }
-
- static inline void *xc_dom_vaddr_to_ptr(struct xc_dom_image *dom,
-- xen_vaddr_t vaddr)
-+ xen_vaddr_t vaddr,
-+ size_t *safe_region_out)
- {
- unsigned int page_size = XC_DOM_PAGE_SIZE(dom);
- xen_pfn_t page = (vaddr - dom->parms.virt_base) / page_size;
- unsigned int offset = (vaddr - dom->parms.virt_base) % page_size;
-- void *ptr = xc_dom_pfn_to_ptr(dom, page, 0);
-- return (ptr ? (ptr + offset) : NULL);
-+ xen_pfn_t safe_region_count;
-+ void *ptr;
-+
-+ *safe_region_out = 0;
-+ ptr = xc_dom_pfn_to_ptr_retcount(dom, page, 0, &safe_region_count);
-+ if ( ptr == NULL )
-+ return ptr;
-+ *safe_region_out = (safe_region_count << XC_DOM_PAGE_SHIFT(dom)) - offset;
-+ return ptr;
- }
-
- static inline int xc_dom_feature_translated(struct xc_dom_image *dom)
-diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
-index 769e97d..bde93f7 100644
---- a/tools/libxc/xc_dom_binloader.c
-+++ b/tools/libxc/xc_dom_binloader.c
-@@ -249,6 +249,7 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
- char *image = dom->kernel_blob;
- char *dest;
- size_t image_size = dom->kernel_size;
-+ size_t dest_size;
- uint32_t start_addr;
- uint32_t load_end_addr;
- uint32_t bss_end_addr;
-@@ -272,7 +273,15 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
- DOMPRINTF(" text_size: 0x%" PRIx32 "", text_size);
- DOMPRINTF(" bss_size: 0x%" PRIx32 "", bss_size);
-
-- dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart);
-+ dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart, &dest_size);
-+
-+ if ( dest_size < text_size ||
-+ dest_size - text_size < bss_size )
-+ {
-+ DOMPRINTF("%s: mapped region is too small for image", __FUNCTION__);
-+ return -EINVAL;
-+ }
-+
- memcpy(dest, image + skip, text_size);
- memset(dest + text_size, 0, bss_size);
-
-diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
-index 2a01d7c..8913e41 100644
---- a/tools/libxc/xc_dom_core.c
-+++ b/tools/libxc/xc_dom_core.c
-@@ -351,10 +351,19 @@ int xc_dom_try_gunzip(struct xc_dom_image *dom, void **blob, size_t * size)
- void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn,
- xen_pfn_t count)
- {
-+ xen_pfn_t count_out_dummy;
-+ return xc_dom_pfn_to_ptr_retcount(dom, pfn, count, &count_out_dummy);
-+}
-+
-+void *xc_dom_pfn_to_ptr_retcount(struct xc_dom_image *dom, xen_pfn_t pfn,
-+ xen_pfn_t count, xen_pfn_t *count_out)
-+{
- struct xc_dom_phys *phys;
- unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
- char *mode = "unset";
-
-+ *count_out = 0;
-+
- if ( pfn > dom->total_pages || /* multiple checks to avoid overflows */
- count > dom->total_pages ||
- pfn > dom->total_pages - count )
-@@ -384,6 +393,7 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn,
- phys->count);
- return NULL;
- }
-+ *count_out = count;
- }
- else
- {
-@@ -391,6 +401,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_image *dom, xen_pfn_t pfn,
- just hand out a pointer to it */
- if ( pfn < phys->first )
- continue;
-+ if ( pfn >= phys->first + phys->count )
-+ continue;
-+ *count_out = phys->count - (pfn - phys->first);
- }
- return phys->ptr + ((pfn - phys->first) << page_shift);
- }
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index 2e69559..031b5b6 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -130,10 +130,11 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
-
- if ( load )
- {
-+ size_t allow_size; /* will be used in a forthcoming XSA-55 patch */
- if ( !dom->bsd_symtab_start )
- return 0;
- size = dom->kernel_seg.vend - dom->bsd_symtab_start;
-- hdr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start);
-+ hdr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
- *(int *)hdr = size - sizeof(int);
- }
- else
---
-1.7.2.5
-
+++ /dev/null
-From 035634047d10c678cbb8801c4263747bdaf4e5b1 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:16 +0100
-Subject: [PATCH 04/23] libelf: add `struct elf_binary*' parameter to elf_load_image
-
-The meat of this function is going to need a copy of the elf pointer,
-in forthcoming patches.
-
-No functional change in this patch.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
- xen/common/libelf/libelf-loader.c | 8 +++++---
- 1 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index ab58b8b..0559d88 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -108,7 +108,8 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
- elf->verbose = verbose;
- }
-
--static int elf_load_image(void *dst, const void *src, uint64_t filesz, uint64_t memsz)
-+static int elf_load_image(struct elf_binary *elf,
-+ void *dst, const void *src, uint64_t filesz, uint64_t memsz)
- {
- memcpy(dst, src, filesz);
- memset(dst + filesz, 0, memsz - filesz);
-@@ -122,7 +123,8 @@ void elf_set_verbose(struct elf_binary *elf)
- elf->verbose = 1;
- }
-
--static int elf_load_image(void *dst, const void *src, uint64_t filesz, uint64_t memsz)
-+static int elf_load_image(struct elf_binary *elf,
-+ void *dst, const void *src, uint64_t filesz, uint64_t memsz)
- {
- int rc;
- if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
-@@ -279,7 +281,7 @@ int elf_load_binary(struct elf_binary *elf)
- dest = elf_get_ptr(elf, paddr);
- elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%p -> 0x%p\n",
- __func__, i, dest, dest + filesz);
-- if ( elf_load_image(dest, elf->image + offset, filesz, memsz) != 0 )
-+ if ( elf_load_image(elf, dest, elf->image + offset, filesz, memsz) != 0 )
- return -1;
- }
-
---
-1.7.2.5
-
+++ /dev/null
-From 83ec905922b496e1a5756e3a88405eb6c2c6ba88 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:16 +0100
-Subject: [PATCH 05/23] libelf: abolish elf_sval and elf_access_signed
-
-These are not used anywhere.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
----
- xen/common/libelf/libelf-tools.c | 28 ----------------------------
- xen/include/xen/libelf.h | 11 -----------
- 2 files changed, 0 insertions(+), 39 deletions(-)
-
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index cb97908..2f54142 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -48,34 +48,6 @@ uint64_t elf_access_unsigned(struct elf_binary * elf, const void *ptr,
- }
- }
-
--int64_t elf_access_signed(struct elf_binary *elf, const void *ptr,
-- uint64_t offset, size_t size)
--{
-- int need_swap = elf_swap(elf);
-- const int8_t *s8;
-- const int16_t *s16;
-- const int32_t *s32;
-- const int64_t *s64;
--
-- switch ( size )
-- {
-- case 1:
-- s8 = ptr + offset;
-- return *s8;
-- case 2:
-- s16 = ptr + offset;
-- return need_swap ? bswap_16(*s16) : *s16;
-- case 4:
-- s32 = ptr + offset;
-- return need_swap ? bswap_32(*s32) : *s32;
-- case 8:
-- s64 = ptr + offset;
-- return need_swap ? bswap_64(*s64) : *s64;
-- default:
-- return 0;
-- }
--}
--
- uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr)
- {
- int elf_round = (elf_64bit(elf) ? 8 : 4) - 1;
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index e8f6508..38e490c 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -136,23 +136,12 @@ struct elf_binary {
- offsetof(typeof(*(str)),e32.elem), \
- sizeof((str)->e32.elem)))
-
--#define elf_sval(elf, str, elem) \
-- ((ELFCLASS64 == (elf)->class) \
-- ? elf_access_signed((elf), (str), \
-- offsetof(typeof(*(str)),e64.elem), \
-- sizeof((str)->e64.elem)) \
-- : elf_access_signed((elf), (str), \
-- offsetof(typeof(*(str)),e32.elem), \
-- sizeof((str)->e32.elem)))
--
- #define elf_size(elf, str) \
- ((ELFCLASS64 == (elf)->class) \
- ? sizeof((str)->e64) : sizeof((str)->e32))
-
- uint64_t elf_access_unsigned(struct elf_binary *elf, const void *ptr,
- uint64_t offset, size_t size);
--int64_t elf_access_signed(struct elf_binary *elf, const void *ptr,
-- uint64_t offset, size_t size);
-
- uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr);
-
---
-1.7.2.5
-
+++ /dev/null
-From 682a04488e7b3bd6c3448ab60599566eb7c6177a Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:16 +0100
-Subject: [PATCH 06/23] libelf: move include of <asm/guest_access.h> to top of file
-
-libelf-loader.c #includes <asm/guest_access.h>, when being compiled
-for Xen. Currently it does this in the middle of the file.
-
-Move this #include to the top of the file, before libelf-private.h.
-This is necessary because in forthcoming patches we will introduce
-private #defines of memcpy etc. which would interfere with definitions
-in headers #included from guest_access.h.
-
-No semantic or functional change in this patch.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
- xen/common/libelf/libelf-loader.c | 5 ++++-
- 1 files changed, 4 insertions(+), 1 deletions(-)
-
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index 0559d88..ec0706b 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -16,6 +16,10 @@
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- */
-
-+#ifdef __XEN__
-+#include <asm/guest_access.h>
-+#endif
-+
- #include "libelf-private.h"
-
- /* ------------------------------------------------------------------------ */
-@@ -116,7 +120,6 @@ static int elf_load_image(struct elf_binary *elf,
- return 0;
- }
- #else
--#include <asm/guest_access.h>
-
- void elf_set_verbose(struct elf_binary *elf)
- {
---
-1.7.2.5
-
+++ /dev/null
-From de9089b449d2508b1ba05590905c7ebaee00c8c4 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:16 +0100
-Subject: [PATCH 07/23] libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised
-
-xc_dom_load_elf_symtab (with load==0) calls elf_round_up, but it
-mistakenly used the uninitialised variable "syms" when calculating
-dom->bsd_symtab_start. This should be a reference to "elf".
-
-This change might have the effect of rounding the value differently.
-Previously if the uninitialised value (a single byte on the stack) was
-ELFCLASS64 (ie, 2), the alignment would be to 8 bytes, otherwise to 4.
-
-However, the value is calculated from dom->kernel_seg.vend so this
-could only make a difference if that value wasn't already aligned to 8
-bytes.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
----
- tools/libxc/xc_dom_elfloader.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index 031b5b6..e82f6e9 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -144,7 +144,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- hdr = xc_dom_malloc(dom, size);
- if ( hdr == NULL )
- return 0;
-- dom->bsd_symtab_start = elf_round_up(&syms, dom->kernel_seg.vend);
-+ dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
- }
-
- memcpy(hdr + sizeof(int),
---
-1.7.2.5
-
+++ /dev/null
-From 40020ab55a1e9a1674ddecdb70299fab4fe8579d Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:17 +0100
-Subject: [PATCH 08/23] libelf: introduce macros for memory access and pointer handling
-
-We introduce a collection of macros which abstract away all the
-pointer arithmetic and dereferences used for accessing the input ELF
-and the output area(s). We use the new macros everywhere.
-
-For now, these macros are semantically identical to the code they
-replace, so this patch has no functional change.
-
-elf_is_elfbinary is an exception: since it doesn't take an elf*, we
-need to handle it differently. In a future patch we will change it to
-take, and check, a length parameter. For now we just mark it with a
-fixme.
-
-That this patch has no functional change can be verified as follows:
-
- 0. Copy the scripts "comparison-generate" and "function-filter"
- out of this commit message.
- 1. Check out the tree before this patch.
- 2. Run the script ../comparison-generate .... ../before
- 3. Check out the tree after this patch.
- 4. Run the script ../comparison-generate .... ../after
- 5. diff --exclude=\*.[soi] -ruN before/ after/ |less
-
-Expect these differences:
- * stubdom/zlib-x86_64/ztest*.s2
- The filename of this test file apparently contains the pid.
- * xen/common/version.s2
- The xen build timestamp appears in two diff hunks.
-
-Verification that this is all that's needed:
- In a completely built xen.git,
- find * -name .*.d -type f | xargs grep -l libelf\.h
- Expect results in:
- xen/arch/x86: Checked above.
- tools/libxc: Checked above.
- tools/xcutils/readnotes: Checked above.
- tools/xenstore: Checked above.
- xen/common/libelf:
- This is the build for the hypervisor; checked in B above.
- stubdom:
- We have one stubdom which reads ELFs using our libelf,
- pvgrub, which is checked above.
-
-I have not done this verification for ARM.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
--8<- comparison-generate -8<-
- #!/bin/bash
- # usage:
- # cd xen.git
- # .../comparison-generate OUR-CONFIG BUILD-RUNE-PREFIX ../before|../after
- # eg:
- # .../comparison-generate ~/work/.config 'schroot -pc64 --' ../before
- set -ex
-
- test $# = 3 || need-exactly-three-arguments
-
- our_config=$1
- build_rune_prefix=$2
- result_dir=$3
-
- git clean -x -d -f
-
- cp "$our_config" .
-
- cat <<END >>.config
- debug_symbols=n
- CFLAGS += -save-temps
- END
-
- perl -i~ -pe 's/ -g / -g0 / if m/^CFLAGS/' xen/Rules.mk
-
- if [ -f ./configure ]; then
- $build_rune_prefix ./configure
- fi
-
- $build_rune_prefix make -C xen
- $build_rune_prefix make -C tools/include
- $build_rune_prefix make -C stubdom grub
- $build_rune_prefix make -C tools/libxc
- $build_rune_prefix make -C tools/xenstore
- $build_rune_prefix make -C tools/xcutils
-
- rm -rf "$result_dir"
- mkdir "$result_dir"
-
- set +x
- for f in `find xen tools stubdom -name \*.[soi]`; do
- mkdir -p "$result_dir"/`dirname $f`
- cp $f "$result_dir"/${f}
- case $f in
- *.s)
- ../function-filter <$f >"$result_dir"/${f}2
- ;;
- esac
- done
-
- echo ok.
--8<-
-
--8<- function-filter -8<-
- #!/usr/bin/perl -w
- # function-filter
- # script for massaging gcc-generated labels to be consistent
- use strict;
- our @lines;
- my $sedderybody = "sub seddery () {\n";
- while (<>) {
- push @lines, $_;
- if (m/^(__FUNCTION__|__func__)\.(\d+)\:/) {
- $sedderybody .= " s/\\b$1\\.$2\\b/__XSA55MANGLED__$1.$./g;\n";
- }
- }
- $sedderybody .= "}\n1;\n";
- eval $sedderybody or die $@;
- foreach (@lines) {
- seddery();
- print or die $!;
- }
--8<-
----
- tools/libxc/xc_dom_elfloader.c | 30 +++---
- tools/libxc/xc_hvm_build_x86.c | 2 +-
- tools/xcutils/readnotes.c | 26 +++---
- xen/common/libelf/libelf-dominfo.c | 51 +++++-----
- xen/common/libelf/libelf-loader.c | 84 +++++++++--------
- xen/common/libelf/libelf-tools.c | 94 +++++++++---------
- xen/include/xen/libelf.h | 188 +++++++++++++++++++++++++++++++-----
- 7 files changed, 312 insertions(+), 163 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index e82f6e9..cc0f206 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -115,9 +115,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- struct elf_binary *elf, int load)
- {
- struct elf_binary syms;
-- const elf_shdr *shdr, *shdr2;
-+ ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
- xen_vaddr_t symtab, maxaddr;
-- char *hdr;
-+ ELF_PTRVAL_CHAR hdr;
- size_t size;
- int h, count, type, i, tables = 0;
-
-@@ -147,11 +147,11 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
- }
-
-- memcpy(hdr + sizeof(int),
-- elf->image,
-+ elf_memcpy_safe(elf, hdr + sizeof(int),
-+ ELF_IMAGE_BASE(elf),
- elf_size(elf, elf->ehdr));
-- memcpy(hdr + sizeof(int) + elf_size(elf, elf->ehdr),
-- elf->image + elf_uval(elf, elf->ehdr, e_shoff),
-+ elf_memcpy_safe(elf, hdr + sizeof(int) + elf_size(elf, elf->ehdr),
-+ ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
- elf_shdr_count(elf) * elf_size(elf, shdr));
- if ( elf_64bit(elf) )
- {
-@@ -189,7 +189,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- count = elf_shdr_count(&syms);
- for ( h = 0; h < count; h++ )
- {
-- shdr = elf_shdr_by_index(&syms, h);
-+ shdr = ELF_OBSOLETE_VOIDP_CAST elf_shdr_by_index(&syms, h);
- type = elf_uval(&syms, shdr, sh_type);
- if ( type == SHT_STRTAB )
- {
-@@ -205,9 +205,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- if ( i == count )
- {
- if ( elf_64bit(&syms) )
-- *(Elf64_Off*)(&shdr->e64.sh_offset) = 0;
-+ elf_store_field(elf, shdr, e64.sh_offset, 0);
- else
-- *(Elf32_Off*)(&shdr->e32.sh_offset) = 0;
-+ elf_store_field(elf, shdr, e32.sh_offset, 0);
- continue;
- }
- }
-@@ -216,9 +216,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- {
- /* Mangled to be based on ELF header location. */
- if ( elf_64bit(&syms) )
-- *(Elf64_Off*)(&shdr->e64.sh_offset) = maxaddr - symtab;
-+ elf_store_field(elf, shdr, e64.sh_offset, maxaddr - symtab);
- else
-- *(Elf32_Off*)(&shdr->e32.sh_offset) = maxaddr - symtab;
-+ elf_store_field(elf, shdr, e32.sh_offset, maxaddr - symtab);
- size = elf_uval(&syms, shdr, sh_size);
- maxaddr = elf_round_up(&syms, maxaddr + size);
- tables++;
-@@ -230,7 +230,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- if ( load )
- {
- shdr2 = elf_shdr_by_index(elf, h);
-- memcpy((void*)elf_section_start(&syms, shdr),
-+ elf_memcpy_safe(elf, ELF_OBSOLETE_VOIDP_CAST elf_section_start(&syms, shdr),
- elf_section_start(elf, shdr2),
- size);
- }
-@@ -238,9 +238,9 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
-
- /* Name is NULL. */
- if ( elf_64bit(&syms) )
-- *(Elf64_Word*)(&shdr->e64.sh_name) = 0;
-+ elf_store_field(elf, shdr, e64.sh_name, 0);
- else
-- *(Elf32_Word*)(&shdr->e32.sh_name) = 0;
-+ elf_store_field(elf, shdr, e32.sh_name, 0);
- }
-
- if ( tables == 0 )
-@@ -275,7 +275,7 @@ static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
- }
-
- /* Find the section-header strings table. */
-- if ( elf->sec_strtab == NULL )
-+ if ( ELF_PTRVAL_INVALID(elf->sec_strtab) )
- {
- xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: ELF image"
- " has no shstrtab", __FUNCTION__);
-diff --git a/tools/libxc/xc_hvm_build_x86.c b/tools/libxc/xc_hvm_build_x86.c
-index cf5d7fb..15b603d 100644
---- a/tools/libxc/xc_hvm_build_x86.c
-+++ b/tools/libxc/xc_hvm_build_x86.c
-@@ -110,7 +110,7 @@ static int loadelfimage(
- if ( elf->dest == NULL )
- goto err;
-
-- elf->dest += elf->pstart & (PAGE_SIZE - 1);
-+ ELF_ADVANCE_DEST(elf, elf->pstart & (PAGE_SIZE - 1));
-
- /* Load the initial elf image. */
- rc = elf_load_binary(elf);
-diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
-index c926186..2af047d 100644
---- a/tools/xcutils/readnotes.c
-+++ b/tools/xcutils/readnotes.c
-@@ -61,13 +61,13 @@ struct setup_header {
- } __attribute__((packed));
-
- static void print_string_note(const char *prefix, struct elf_binary *elf,
-- const elf_note *note)
-+ ELF_HANDLE_DECL(elf_note) note)
- {
- printf("%s: %s\n", prefix, (char*)elf_note_desc(elf, note));
- }
-
- static void print_numeric_note(const char *prefix, struct elf_binary *elf,
-- const elf_note *note)
-+ ELF_HANDLE_DECL(elf_note) note)
- {
- uint64_t value = elf_note_numeric(elf, note);
- int descsz = elf_uval(elf, note, descsz);
-@@ -98,12 +98,12 @@ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
-
- }
-
--static int print_notes(struct elf_binary *elf, const elf_note *start, const elf_note *end)
-+static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start, ELF_HANDLE_DECL(elf_note) end)
- {
-- const elf_note *note;
-+ ELF_HANDLE_DECL(elf_note) note;
- int notes_found = 0;
-
-- for ( note = start; note < end; note = elf_note_next(elf, note) )
-+ for ( note = start; ELF_HANDLE_PTRVAL(note) < ELF_HANDLE_PTRVAL(end); note = elf_note_next(elf, note) )
- {
- if (0 != strcmp(elf_note_name(elf, note), "Xen"))
- continue;
-@@ -170,7 +170,7 @@ int main(int argc, char **argv)
- void *image,*tmp;
- struct stat st;
- struct elf_binary elf;
-- const elf_shdr *shdr;
-+ ELF_HANDLE_DECL(elf_shdr) shdr;
- int notes_found = 0;
-
- struct setup_header *hdr;
-@@ -257,7 +257,7 @@ int main(int argc, char **argv)
- count = elf_phdr_count(&elf);
- for ( h=0; h < count; h++)
- {
-- const elf_phdr *phdr;
-+ ELF_HANDLE_DECL(elf_phdr) phdr;
- phdr = elf_phdr_by_index(&elf, h);
- if (elf_uval(&elf, phdr, p_type) != PT_NOTE)
- continue;
-@@ -269,8 +269,8 @@ int main(int argc, char **argv)
- continue;
-
- notes_found = print_notes(&elf,
-- elf_segment_start(&elf, phdr),
-- elf_segment_end(&elf, phdr));
-+ ELF_MAKE_HANDLE(elf_note, elf_segment_start(&elf, phdr)),
-+ ELF_MAKE_HANDLE(elf_note, elf_segment_end(&elf, phdr)));
- }
-
- if ( notes_found == 0 )
-@@ -278,13 +278,13 @@ int main(int argc, char **argv)
- count = elf_shdr_count(&elf);
- for ( h=0; h < count; h++)
- {
-- const elf_shdr *shdr;
-+ ELF_HANDLE_DECL(elf_shdr) shdr;
- shdr = elf_shdr_by_index(&elf, h);
- if (elf_uval(&elf, shdr, sh_type) != SHT_NOTE)
- continue;
- notes_found = print_notes(&elf,
-- elf_section_start(&elf, shdr),
-- elf_section_end(&elf, shdr));
-+ ELF_MAKE_HANDLE(elf_note, elf_section_start(&elf, shdr)),
-+ ELF_MAKE_HANDLE(elf_note, elf_section_end(&elf, shdr)));
- if ( notes_found )
- fprintf(stderr, "using notes from SHT_NOTE section\n");
-
-@@ -292,7 +292,7 @@ int main(int argc, char **argv)
- }
-
- shdr = elf_shdr_by_name(&elf, "__xen_guest");
-- if (shdr)
-+ if (ELF_HANDLE_VALID(shdr))
- printf("__xen_guest: %s\n", (char*)elf_section_start(&elf, shdr));
-
- return 0;
-diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
-index 523837f..7140d59 100644
---- a/xen/common/libelf/libelf-dominfo.c
-+++ b/xen/common/libelf/libelf-dominfo.c
-@@ -44,7 +44,7 @@ int elf_xen_parse_features(const char *features,
-
- for ( pos = 0; features[pos] != '\0'; pos += len )
- {
-- memset(feature, 0, sizeof(feature));
-+ elf_memset_unchecked(feature, 0, sizeof(feature));
- for ( len = 0;; len++ )
- {
- if ( len >= sizeof(feature)-1 )
-@@ -96,7 +96,7 @@ int elf_xen_parse_features(const char *features,
-
- int elf_xen_parse_note(struct elf_binary *elf,
- struct elf_dom_parms *parms,
-- const elf_note *note)
-+ ELF_HANDLE_DECL(elf_note) note)
- {
- /* *INDENT-OFF* */
- static const struct {
-@@ -215,15 +215,16 @@ int elf_xen_parse_note(struct elf_binary *elf,
-
- static int elf_xen_parse_notes(struct elf_binary *elf,
- struct elf_dom_parms *parms,
-- const void *start, const void *end)
-+ ELF_PTRVAL_CONST_VOID start,
-+ ELF_PTRVAL_CONST_VOID end)
- {
- int xen_elfnotes = 0;
-- const elf_note *note;
-+ ELF_HANDLE_DECL(elf_note) note;
-
- parms->elf_note_start = start;
- parms->elf_note_end = end;
-- for ( note = parms->elf_note_start;
-- (void *)note < parms->elf_note_end;
-+ for ( note = ELF_MAKE_HANDLE(elf_note, parms->elf_note_start);
-+ ELF_HANDLE_PTRVAL(note) < parms->elf_note_end;
- note = elf_note_next(elf, note) )
- {
- if ( strcmp(elf_note_name(elf, note), "Xen") )
-@@ -241,45 +242,46 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
- int elf_xen_parse_guest_info(struct elf_binary *elf,
- struct elf_dom_parms *parms)
- {
-- const char *h;
-+ ELF_PTRVAL_CONST_CHAR h;
- char name[32], value[128];
- int len;
-
- h = parms->guest_info;
-- while ( *h )
-+#define STAR(h) (*(h))
-+ while ( STAR(h) )
- {
-- memset(name, 0, sizeof(name));
-- memset(value, 0, sizeof(value));
-+ elf_memset_unchecked(name, 0, sizeof(name));
-+ elf_memset_unchecked(value, 0, sizeof(value));
- for ( len = 0;; len++, h++ )
- {
- if ( len >= sizeof(name)-1 )
- break;
-- if ( *h == '\0' )
-+ if ( STAR(h) == '\0' )
- break;
-- if ( *h == ',' )
-+ if ( STAR(h) == ',' )
- {
- h++;
- break;
- }
-- if ( *h == '=' )
-+ if ( STAR(h) == '=' )
- {
- h++;
- for ( len = 0;; len++, h++ )
- {
- if ( len >= sizeof(value)-1 )
- break;
-- if ( *h == '\0' )
-+ if ( STAR(h) == '\0' )
- break;
-- if ( *h == ',' )
-+ if ( STAR(h) == ',' )
- {
- h++;
- break;
- }
-- value[len] = *h;
-+ value[len] = STAR(h);
- }
- break;
- }
-- name[len] = *h;
-+ name[len] = STAR(h);
- }
- elf_msg(elf, "%s: %s=\"%s\"\n", __FUNCTION__, name, value);
-
-@@ -328,7 +330,8 @@ int elf_xen_parse_guest_info(struct elf_binary *elf,
- static int elf_xen_note_check(struct elf_binary *elf,
- struct elf_dom_parms *parms)
- {
-- if ( (parms->elf_note_start == NULL) && (parms->guest_info == NULL) )
-+ if ( (ELF_PTRVAL_INVALID(parms->elf_note_start)) &&
-+ (ELF_PTRVAL_INVALID(parms->guest_info)) )
- {
- int machine = elf_uval(elf, elf->ehdr, e_machine);
- if ( (machine == EM_386) || (machine == EM_X86_64) )
-@@ -457,12 +460,12 @@ static int elf_xen_addr_calc_check(struct elf_binary *elf,
- int elf_xen_parse(struct elf_binary *elf,
- struct elf_dom_parms *parms)
- {
-- const elf_shdr *shdr;
-- const elf_phdr *phdr;
-+ ELF_HANDLE_DECL(elf_shdr) shdr;
-+ ELF_HANDLE_DECL(elf_phdr) phdr;
- int xen_elfnotes = 0;
- int i, count, rc;
-
-- memset(parms, 0, sizeof(*parms));
-+ elf_memset_unchecked(parms, 0, sizeof(*parms));
- parms->virt_base = UNSET_ADDR;
- parms->virt_entry = UNSET_ADDR;
- parms->virt_hypercall = UNSET_ADDR;
-@@ -532,11 +535,11 @@ int elf_xen_parse(struct elf_binary *elf,
- for ( i = 0; i < count; i++ )
- {
- shdr = elf_shdr_by_name(elf, "__xen_guest");
-- if ( shdr )
-+ if ( ELF_HANDLE_VALID(shdr) )
- {
- parms->guest_info = elf_section_start(elf, shdr);
-- parms->elf_note_start = NULL;
-- parms->elf_note_end = NULL;
-+ parms->elf_note_start = ELF_INVALID_PTRVAL;
-+ parms->elf_note_end = ELF_INVALID_PTRVAL;
- elf_msg(elf, "%s: __xen_guest: \"%s\"\n", __FUNCTION__,
- parms->guest_info);
- elf_xen_parse_guest_info(elf, parms);
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index ec0706b..0fef84c 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -26,7 +26,7 @@
-
- int elf_init(struct elf_binary *elf, const char *image, size_t size)
- {
-- const elf_shdr *shdr;
-+ ELF_HANDLE_DECL(elf_shdr) shdr;
- uint64_t i, count, section, offset;
-
- if ( !elf_is_elfbinary(image) )
-@@ -35,7 +35,7 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size)
- return -1;
- }
-
-- memset(elf, 0, sizeof(*elf));
-+ elf_memset_unchecked(elf, 0, sizeof(*elf));
- elf->image = image;
- elf->size = size;
- elf->ehdr = (elf_ehdr *)image;
-@@ -65,7 +65,7 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size)
- /* Find section string table. */
- section = elf_uval(elf, elf->ehdr, e_shstrndx);
- shdr = elf_shdr_by_index(elf, section);
-- if ( shdr != NULL )
-+ if ( ELF_HANDLE_VALID(shdr) )
- elf->sec_strtab = elf_section_start(elf, shdr);
-
- /* Find symbol table and symbol string table. */
-@@ -77,9 +77,9 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size)
- continue;
- elf->sym_tab = shdr;
- shdr = elf_shdr_by_index(elf, elf_uval(elf, shdr, sh_link));
-- if ( shdr == NULL )
-+ if ( !ELF_HANDLE_VALID(shdr) )
- {
-- elf->sym_tab = NULL;
-+ elf->sym_tab = ELF_INVALID_HANDLE(elf_shdr);
- continue;
- }
- elf->sym_strtab = elf_section_start(elf, shdr);
-@@ -113,10 +113,11 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
- }
-
- static int elf_load_image(struct elf_binary *elf,
-- void *dst, const void *src, uint64_t filesz, uint64_t memsz)
-+ ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src,
-+ uint64_t filesz, uint64_t memsz)
- {
-- memcpy(dst, src, filesz);
-- memset(dst + filesz, 0, memsz - filesz);
-+ elf_memcpy_safe(elf, dst, src, filesz);
-+ elf_memset_safe(elf, dst + filesz, 0, memsz - filesz);
- return 0;
- }
- #else
-@@ -126,16 +127,17 @@ void elf_set_verbose(struct elf_binary *elf)
- elf->verbose = 1;
- }
-
--static int elf_load_image(struct elf_binary *elf,
-- void *dst, const void *src, uint64_t filesz, uint64_t memsz)
-+static int elf_load_image(struct elf_binary *elf, ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src, uint64_t filesz, uint64_t memsz)
- {
- int rc;
- if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
- return -1;
-- rc = raw_copy_to_guest(dst, src, filesz);
-+ /* We trust the dom0 kernel image completely, so we don't care
-+ * about overruns etc. here. */
-+ rc = raw_copy_to_guest(ELF_UNSAFE_PTR(dst), ELF_UNSAFE_PTR(src), filesz);
- if ( rc != 0 )
- return -1;
-- rc = raw_clear_guest(dst + filesz, memsz - filesz);
-+ rc = raw_clear_guest(ELF_UNSAFE_PTR(dst + filesz), memsz - filesz);
- if ( rc != 0 )
- return -1;
- return 0;
-@@ -146,10 +148,10 @@ static int elf_load_image(struct elf_binary *elf,
- void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
- {
- uint64_t sz;
-- const elf_shdr *shdr;
-+ ELF_HANDLE_DECL(elf_shdr) shdr;
- int i, type;
-
-- if ( !elf->sym_tab )
-+ if ( !ELF_HANDLE_VALID(elf->sym_tab) )
- return;
-
- pstart = elf_round_up(elf, pstart);
-@@ -166,7 +168,7 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
- for ( i = 0; i < elf_shdr_count(elf); i++ )
- {
- shdr = elf_shdr_by_index(elf, i);
-- type = elf_uval(elf, (elf_shdr *)shdr, sh_type);
-+ type = elf_uval(elf, shdr, sh_type);
- if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
- sz = elf_round_up(elf, sz + elf_uval(elf, shdr, sh_size));
- }
-@@ -177,10 +179,12 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
-
- static void elf_load_bsdsyms(struct elf_binary *elf)
- {
-- elf_ehdr *sym_ehdr;
-+ ELF_HANDLE_DECL_NONCONST(elf_ehdr) sym_ehdr;
- unsigned long sz;
-- char *maxva, *symbase, *symtab_addr;
-- elf_shdr *shdr;
-+ ELF_PTRVAL_VOID maxva;
-+ ELF_PTRVAL_VOID symbase;
-+ ELF_PTRVAL_VOID symtab_addr;
-+ ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr;
- int i, type;
-
- if ( !elf->bsd_symtab_pstart )
-@@ -189,18 +193,18 @@ static void elf_load_bsdsyms(struct elf_binary *elf)
- #define elf_hdr_elm(_elf, _hdr, _elm, _val) \
- do { \
- if ( elf_64bit(_elf) ) \
-- (_hdr)->e64._elm = _val; \
-+ elf_store_field(_elf, _hdr, e64._elm, _val); \
- else \
-- (_hdr)->e32._elm = _val; \
-+ elf_store_field(_elf, _hdr, e32._elm, _val); \
- } while ( 0 )
-
- symbase = elf_get_ptr(elf, elf->bsd_symtab_pstart);
- symtab_addr = maxva = symbase + sizeof(uint32_t);
-
- /* Set up Elf header. */
-- sym_ehdr = (elf_ehdr *)symtab_addr;
-+ sym_ehdr = ELF_MAKE_HANDLE(elf_ehdr, symtab_addr);
- sz = elf_uval(elf, elf->ehdr, e_ehsize);
-- memcpy(sym_ehdr, elf->ehdr, sz);
-+ elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(sym_ehdr), ELF_HANDLE_PTRVAL(elf->ehdr), sz);
- maxva += sz; /* no round up */
-
- elf_hdr_elm(elf, sym_ehdr, e_phoff, 0);
-@@ -209,37 +213,39 @@ do { \
- elf_hdr_elm(elf, sym_ehdr, e_phnum, 0);
-
- /* Copy Elf section headers. */
-- shdr = (elf_shdr *)maxva;
-+ shdr = ELF_MAKE_HANDLE(elf_shdr, maxva);
- sz = elf_shdr_count(elf) * elf_uval(elf, elf->ehdr, e_shentsize);
-- memcpy(shdr, elf->image + elf_uval(elf, elf->ehdr, e_shoff), sz);
-- maxva = (char *)(long)elf_round_up(elf, (long)maxva + sz);
-+ elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(shdr),
-+ ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
-+ sz);
-+ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (long)maxva + sz);
-
- for ( i = 0; i < elf_shdr_count(elf); i++ )
- {
- type = elf_uval(elf, shdr, sh_type);
- if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
- {
-- elf_msg(elf, "%s: shdr %i at 0x%p -> 0x%p\n", __func__, i,
-+ elf_msg(elf, "%s: shdr %i at 0x%"ELF_PRPTRVAL" -> 0x%"ELF_PRPTRVAL"\n", __func__, i,
- elf_section_start(elf, shdr), maxva);
- sz = elf_uval(elf, shdr, sh_size);
-- memcpy(maxva, elf_section_start(elf, shdr), sz);
-+ elf_memcpy_safe(elf, maxva, elf_section_start(elf, shdr), sz);
- /* Mangled to be based on ELF header location. */
- elf_hdr_elm(elf, shdr, sh_offset, maxva - symtab_addr);
-- maxva = (char *)(long)elf_round_up(elf, (long)maxva + sz);
-+ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (long)maxva + sz);
- }
-- shdr = (elf_shdr *)((long)shdr +
-+ shdr = ELF_MAKE_HANDLE(elf_shdr, ELF_HANDLE_PTRVAL(shdr) +
- (long)elf_uval(elf, elf->ehdr, e_shentsize));
- }
-
- /* Write down the actual sym size. */
-- *(uint32_t *)symbase = maxva - symtab_addr;
-+ elf_store_val(elf, uint32_t, symbase, maxva - symtab_addr);
-
- #undef elf_ehdr_elm
- }
-
- void elf_parse_binary(struct elf_binary *elf)
- {
-- const elf_phdr *phdr;
-+ ELF_HANDLE_DECL(elf_phdr) phdr;
- uint64_t low = -1;
- uint64_t high = 0;
- uint64_t i, count, paddr, memsz;
-@@ -267,9 +273,9 @@ void elf_parse_binary(struct elf_binary *elf)
-
- int elf_load_binary(struct elf_binary *elf)
- {
-- const elf_phdr *phdr;
-+ ELF_HANDLE_DECL(elf_phdr) phdr;
- uint64_t i, count, paddr, offset, filesz, memsz;
-- char *dest;
-+ ELF_PTRVAL_VOID dest;
-
- count = elf_uval(elf, elf->ehdr, e_phnum);
- for ( i = 0; i < count; i++ )
-@@ -282,9 +288,9 @@ int elf_load_binary(struct elf_binary *elf)
- filesz = elf_uval(elf, phdr, p_filesz);
- memsz = elf_uval(elf, phdr, p_memsz);
- dest = elf_get_ptr(elf, paddr);
-- elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%p -> 0x%p\n",
-- __func__, i, dest, dest + filesz);
-- if ( elf_load_image(elf, dest, elf->image + offset, filesz, memsz) != 0 )
-+ elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%"ELF_PRPTRVAL" -> 0x%"ELF_PRPTRVAL"\n",
-+ __func__, i, dest, (ELF_PTRVAL_VOID)(dest + filesz));
-+ if ( elf_load_image(elf, dest, ELF_IMAGE_BASE(elf) + offset, filesz, memsz) != 0 )
- return -1;
- }
-
-@@ -292,18 +298,18 @@ int elf_load_binary(struct elf_binary *elf)
- return 0;
- }
-
--void *elf_get_ptr(struct elf_binary *elf, unsigned long addr)
-+ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr)
- {
- return elf->dest + addr - elf->pstart;
- }
-
- uint64_t elf_lookup_addr(struct elf_binary * elf, const char *symbol)
- {
-- const elf_sym *sym;
-+ ELF_HANDLE_DECL(elf_sym) sym;
- uint64_t value;
-
- sym = elf_sym_by_name(elf, symbol);
-- if ( sym == NULL )
-+ if ( !ELF_HANDLE_VALID(sym) )
- {
- elf_err(elf, "%s: not found: %s\n", __FUNCTION__, symbol);
- return -1;
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index 2f54142..f1fd886 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -67,10 +67,10 @@ int elf_phdr_count(struct elf_binary *elf)
- return elf_uval(elf, elf->ehdr, e_phnum);
- }
-
--const elf_shdr *elf_shdr_by_name(struct elf_binary *elf, const char *name)
-+ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *name)
- {
- uint64_t count = elf_shdr_count(elf);
-- const elf_shdr *shdr;
-+ ELF_HANDLE_DECL(elf_shdr) shdr;
- const char *sname;
- int i;
-
-@@ -81,76 +81,80 @@ const elf_shdr *elf_shdr_by_name(struct elf_binary *elf, const char *name)
- if ( sname && !strcmp(sname, name) )
- return shdr;
- }
-- return NULL;
-+ return ELF_INVALID_HANDLE(elf_shdr);
- }
-
--const elf_shdr *elf_shdr_by_index(struct elf_binary *elf, int index)
-+ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index)
- {
- uint64_t count = elf_shdr_count(elf);
-- const void *ptr;
-+ ELF_PTRVAL_CONST_VOID ptr;
-
- if ( index >= count )
-- return NULL;
-+ return ELF_INVALID_HANDLE(elf_shdr);
-
-- ptr = (elf->image
-+ ptr = (ELF_IMAGE_BASE(elf)
- + elf_uval(elf, elf->ehdr, e_shoff)
- + elf_uval(elf, elf->ehdr, e_shentsize) * index);
-- return ptr;
-+ return ELF_MAKE_HANDLE(elf_shdr, ptr);
- }
-
--const elf_phdr *elf_phdr_by_index(struct elf_binary *elf, int index)
-+ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index)
- {
- uint64_t count = elf_uval(elf, elf->ehdr, e_phnum);
-- const void *ptr;
-+ ELF_PTRVAL_CONST_VOID ptr;
-
- if ( index >= count )
-- return NULL;
-+ return ELF_INVALID_HANDLE(elf_phdr);
-
-- ptr = (elf->image
-+ ptr = (ELF_IMAGE_BASE(elf)
- + elf_uval(elf, elf->ehdr, e_phoff)
- + elf_uval(elf, elf->ehdr, e_phentsize) * index);
-- return ptr;
-+ return ELF_MAKE_HANDLE(elf_phdr, ptr);
- }
-
--const char *elf_section_name(struct elf_binary *elf, const elf_shdr * shdr)
-+
-+const char *elf_section_name(struct elf_binary *elf,
-+ ELF_HANDLE_DECL(elf_shdr) shdr)
- {
-- if ( elf->sec_strtab == NULL )
-+ if ( ELF_PTRVAL_INVALID(elf->sec_strtab) )
- return "unknown";
-+
- return elf->sec_strtab + elf_uval(elf, shdr, sh_name);
- }
-
--const void *elf_section_start(struct elf_binary *elf, const elf_shdr * shdr)
-+ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
- {
-- return elf->image + elf_uval(elf, shdr, sh_offset);
-+ return ELF_IMAGE_BASE(elf) + elf_uval(elf, shdr, sh_offset);
- }
-
--const void *elf_section_end(struct elf_binary *elf, const elf_shdr * shdr)
-+ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
- {
-- return elf->image
-+ return ELF_IMAGE_BASE(elf)
- + elf_uval(elf, shdr, sh_offset) + elf_uval(elf, shdr, sh_size);
- }
-
--const void *elf_segment_start(struct elf_binary *elf, const elf_phdr * phdr)
-+ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
- {
-- return elf->image + elf_uval(elf, phdr, p_offset);
-+ return ELF_IMAGE_BASE(elf)
-+ + elf_uval(elf, phdr, p_offset);
- }
-
--const void *elf_segment_end(struct elf_binary *elf, const elf_phdr * phdr)
-+ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
- {
-- return elf->image
-+ return ELF_IMAGE_BASE(elf)
- + elf_uval(elf, phdr, p_offset) + elf_uval(elf, phdr, p_filesz);
- }
-
--const elf_sym *elf_sym_by_name(struct elf_binary *elf, const char *symbol)
-+ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol)
- {
-- const void *ptr = elf_section_start(elf, elf->sym_tab);
-- const void *end = elf_section_end(elf, elf->sym_tab);
-- const elf_sym *sym;
-+ ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
-+ ELF_PTRVAL_CONST_VOID end = elf_section_end(elf, elf->sym_tab);
-+ ELF_HANDLE_DECL(elf_sym) sym;
- uint64_t info, name;
-
- for ( ; ptr < end; ptr += elf_size(elf, sym) )
- {
-- sym = ptr;
-+ sym = ELF_MAKE_HANDLE(elf_sym, ptr);
- info = elf_uval(elf, sym, st_info);
- name = elf_uval(elf, sym, st_name);
- if ( ELF32_ST_BIND(info) != STB_GLOBAL )
-@@ -159,33 +163,33 @@ const elf_sym *elf_sym_by_name(struct elf_binary *elf, const char *symbol)
- continue;
- return sym;
- }
-- return NULL;
-+ return ELF_INVALID_HANDLE(elf_sym);
- }
-
--const elf_sym *elf_sym_by_index(struct elf_binary *elf, int index)
-+ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index)
- {
-- const void *ptr = elf_section_start(elf, elf->sym_tab);
-- const elf_sym *sym;
-+ ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
-+ ELF_HANDLE_DECL(elf_sym) sym;
-
-- sym = ptr + index * elf_size(elf, sym);
-+ sym = ELF_MAKE_HANDLE(elf_sym, ptr + index * elf_size(elf, sym));
- return sym;
- }
-
--const char *elf_note_name(struct elf_binary *elf, const elf_note * note)
-+const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
-- return (void *)note + elf_size(elf, note);
-+ return ELF_HANDLE_PTRVAL(note) + elf_size(elf, note);
- }
-
--const void *elf_note_desc(struct elf_binary *elf, const elf_note * note)
-+ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
- int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
-
-- return (void *)note + elf_size(elf, note) + namesz;
-+ return ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz;
- }
-
--uint64_t elf_note_numeric(struct elf_binary *elf, const elf_note * note)
-+uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
-- const void *desc = elf_note_desc(elf, note);
-+ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
- int descsz = elf_uval(elf, note, descsz);
-
- switch (descsz)
-@@ -200,10 +204,10 @@ uint64_t elf_note_numeric(struct elf_binary *elf, const elf_note * note)
- }
- }
-
--uint64_t elf_note_numeric_array(struct elf_binary *elf, const elf_note *note,
-+uint64_t elf_note_numeric_array(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note,
- unsigned int unitsz, unsigned int idx)
- {
-- const void *desc = elf_note_desc(elf, note);
-+ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
- int descsz = elf_uval(elf, note, descsz);
-
- if ( descsz % unitsz || idx >= descsz / unitsz )
-@@ -220,12 +224,12 @@ uint64_t elf_note_numeric_array(struct elf_binary *elf, const elf_note *note,
- }
- }
-
--const elf_note *elf_note_next(struct elf_binary *elf, const elf_note * note)
-+ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
- int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
- int descsz = (elf_uval(elf, note, descsz) + 3) & ~3;
-
-- return (void *)note + elf_size(elf, note) + namesz + descsz;
-+ return ELF_MAKE_HANDLE(elf_note, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz + descsz);
- }
-
- /* ------------------------------------------------------------------------ */
-@@ -234,10 +238,10 @@ int elf_is_elfbinary(const void *image)
- {
- const Elf32_Ehdr *ehdr = image;
-
-- return IS_ELF(*ehdr);
-+ return IS_ELF(*ehdr); /* fixme unchecked */
- }
-
--int elf_phdr_is_loadable(struct elf_binary *elf, const elf_phdr * phdr)
-+int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
- {
- uint64_t p_type = elf_uval(elf, phdr, p_type);
- uint64_t p_flags = elf_uval(elf, phdr, p_flags);
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index 38e490c..cefd3d3 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -48,6 +48,97 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
-
- /* ------------------------------------------------------------------------ */
-
-+/* Macros for accessing the input image and output area. */
-+
-+/*
-+ * We abstract away the pointerness of these pointers, replacing
-+ * various void*, char* and struct* with the following:
-+ * PTRVAL A pointer to a byte; one can do pointer arithmetic
-+ * on this.
-+ * This replaces variables which were char*,void*
-+ * and their const versions, so we provide four
-+ * different declaration macros:
-+ * ELF_PTRVAL_{,CONST}{VOID,CHAR}
-+ * HANDLE A pointer to a struct. There is one of these types
-+ * for each pointer type - that is, for each "structname".
-+ * In the arguments to the various HANDLE macros, structname
-+ * must be a single identifier which is a typedef.
-+ * It is not permitted to do arithmetic on these
-+ * pointers. In the current code attempts to do so will
-+ * compile, but in the next patch this will become a
-+ * compile error.
-+ * We provide two declaration macros for const and
-+ * non-const pointers.
-+ */
-+
-+#define ELF_REALPTR2PTRVAL(realpointer) (realpointer)
-+ /* Converts an actual C pointer into a PTRVAL */
-+
-+#define ELF_HANDLE_DECL_NONCONST(structname) structname *
-+#define ELF_HANDLE_DECL(structname) const structname *
-+ /* Provides a type declaration for a HANDLE. */
-+ /* May only be used to declare ONE variable at a time */
-+
-+#define ELF_PTRVAL_VOID void *
-+#define ELF_PTRVAL_CHAR char *
-+#define ELF_PTRVAL_CONST_VOID const void *
-+#define ELF_PTRVAL_CONST_CHAR const char *
-+ /* Provides a type declaration for a PTRVAL. */
-+ /* May only be used to declare ONE variable at a time */
-+
-+#define ELF_DEFINE_HANDLE(structname) /* empty */
-+ /*
-+ * This must be invoked for each HANDLE type to define
-+ * the actual C type used for that kind of HANDLE.
-+ */
-+
-+#define ELF_PRPTRVAL "p"
-+ /* printf format a la PRId... for a PTRVAL */
-+
-+#define ELF_MAKE_HANDLE(structname, ptrval) (ptrval)
-+ /* Converts a PTRVAL to a HANDLE */
-+
-+#define ELF_IMAGE_BASE(elf) ((elf)->image)
-+ /* Returns the base of the image as a PTRVAL. */
-+
-+#define ELF_HANDLE_PTRVAL(handleval) ((void*)(handleval))
-+ /* Converts a HANDLE to a PTRVAL. */
-+
-+#define ELF_OBSOLETE_VOIDP_CAST (void*)(uintptr_t)
-+ /*
-+ * In some places the existing code needs to
-+ * - cast away const (the existing code uses const a fair
-+ * bit but actually sometimes wants to write to its input)
-+ * from a PTRVAL.
-+ * - convert an integer representing a pointer to a PTRVAL
-+ * This macro provides a suitable cast.
-+ */
-+
-+#define ELF_UNSAFE_PTR(ptrval) ((void*)(uintptr_t)(ptrval))
-+ /*
-+ * Turns a PTRVAL into an actual C pointer. Before this is done
-+ * the caller must have ensured that the PTRVAL does in fact point
-+ * to a permissible location.
-+ */
-+
-+/* PTRVALs can be INVALID (ie, NULL). */
-+#define ELF_INVALID_PTRVAL (NULL) /* returns NULL PTRVAL */
-+#define ELF_INVALID_HANDLE(structname) /* returns NULL handle */ \
-+ ELF_MAKE_HANDLE(structname, ELF_INVALID_PTRVAL)
-+#define ELF_PTRVAL_VALID(ptrval) (ptrval) /* } */
-+#define ELF_HANDLE_VALID(handleval) (handleval) /* } predicates */
-+#define ELF_PTRVAL_INVALID(ptrval) ((ptrval) == NULL) /* } */
-+
-+/* For internal use by other macros here */
-+#define ELF__HANDLE_FIELD_TYPE(handleval, elm) \
-+ typeof((handleval)->elm)
-+#define ELF__HANDLE_FIELD_OFFSET(handleval, elm) \
-+ offsetof(typeof(*(handleval)),elm)
-+
-+
-+/* ------------------------------------------------------------------------ */
-+
-+
- typedef union {
- Elf32_Ehdr e32;
- Elf64_Ehdr e64;
-@@ -83,6 +174,12 @@ typedef union {
- Elf64_Note e64;
- } elf_note;
-
-+ELF_DEFINE_HANDLE(elf_ehdr)
-+ELF_DEFINE_HANDLE(elf_shdr)
-+ELF_DEFINE_HANDLE(elf_phdr)
-+ELF_DEFINE_HANDLE(elf_sym)
-+ELF_DEFINE_HANDLE(elf_note)
-+
- struct elf_binary {
- /* elf binary */
- const char *image;
-@@ -90,10 +187,10 @@ struct elf_binary {
- char class;
- char data;
-
-- const elf_ehdr *ehdr;
-- const char *sec_strtab;
-- const elf_shdr *sym_tab;
-- const char *sym_strtab;
-+ ELF_HANDLE_DECL(elf_ehdr) ehdr;
-+ ELF_PTRVAL_CONST_CHAR sec_strtab;
-+ ELF_HANDLE_DECL(elf_shdr) sym_tab;
-+ ELF_PTRVAL_CONST_CHAR sym_strtab;
-
- /* loaded to */
- char *dest;
-@@ -135,45 +232,72 @@ struct elf_binary {
- : elf_access_unsigned((elf), (str), \
- offsetof(typeof(*(str)),e32.elem), \
- sizeof((str)->e32.elem)))
-+ /*
-+ * Reads an unsigned field in a header structure in the ELF.
-+ * str is a HANDLE, and elem is the field name in it.
-+ */
-
- #define elf_size(elf, str) \
- ((ELFCLASS64 == (elf)->class) \
- ? sizeof((str)->e64) : sizeof((str)->e32))
-+ /*
-+ * Returns the size of the substructure for the appropriate 32/64-bitness.
-+ * str should be a HANDLE.
-+ */
-
--uint64_t elf_access_unsigned(struct elf_binary *elf, const void *ptr,
-+uint64_t elf_access_unsigned(struct elf_binary *elf, ELF_PTRVAL_CONST_VOID ptr,
- uint64_t offset, size_t size);
-+ /* Reads a field at arbitrary offset and alignemnt */
-
- uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr);
-
-+
-+#define elf_memcpy_safe(elf, dst, src, sz) memcpy((dst),(src),(sz))
-+#define elf_memset_safe(elf, dst, c, sz) memset((dst),(c),(sz))
-+ /*
-+ * Versions of memcpy and memset which will (in the next patch)
-+ * arrange never to write outside permitted areas.
-+ */
-+
-+#define elf_store_val(elf, type, ptr, val) (*(type*)(ptr) = (val))
-+ /* Stores a value at a particular PTRVAL. */
-+
-+#define elf_store_field(elf, hdr, elm, val) \
-+ (elf_store_val((elf), ELF__HANDLE_FIELD_TYPE(hdr, elm), \
-+ &((hdr)->elm), \
-+ (val)))
-+ /* Stores a 32/64-bit field. hdr is a HANDLE and elm is the field name. */
-+
-+
- /* ------------------------------------------------------------------------ */
- /* xc_libelf_tools.c */
-
- int elf_shdr_count(struct elf_binary *elf);
- int elf_phdr_count(struct elf_binary *elf);
-
--const elf_shdr *elf_shdr_by_name(struct elf_binary *elf, const char *name);
--const elf_shdr *elf_shdr_by_index(struct elf_binary *elf, int index);
--const elf_phdr *elf_phdr_by_index(struct elf_binary *elf, int index);
-+ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *name);
-+ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index);
-+ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index);
-
--const char *elf_section_name(struct elf_binary *elf, const elf_shdr * shdr);
--const void *elf_section_start(struct elf_binary *elf, const elf_shdr * shdr);
--const void *elf_section_end(struct elf_binary *elf, const elf_shdr * shdr);
-+const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-+ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-+ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-
--const void *elf_segment_start(struct elf_binary *elf, const elf_phdr * phdr);
--const void *elf_segment_end(struct elf_binary *elf, const elf_phdr * phdr);
-+ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-+ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-
--const elf_sym *elf_sym_by_name(struct elf_binary *elf, const char *symbol);
--const elf_sym *elf_sym_by_index(struct elf_binary *elf, int index);
-+ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol);
-+ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index);
-
--const char *elf_note_name(struct elf_binary *elf, const elf_note * note);
--const void *elf_note_desc(struct elf_binary *elf, const elf_note * note);
--uint64_t elf_note_numeric(struct elf_binary *elf, const elf_note * note);
--uint64_t elf_note_numeric_array(struct elf_binary *, const elf_note *,
-+const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-+ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-+uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-+uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
- unsigned int unitsz, unsigned int idx);
--const elf_note *elf_note_next(struct elf_binary *elf, const elf_note * note);
-+ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-
- int elf_is_elfbinary(const void *image);
--int elf_phdr_is_loadable(struct elf_binary *elf, const elf_phdr * phdr);
-+int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-
- /* ------------------------------------------------------------------------ */
- /* xc_libelf_loader.c */
-@@ -189,7 +313,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback*,
- void elf_parse_binary(struct elf_binary *elf);
- int elf_load_binary(struct elf_binary *elf);
-
--void *elf_get_ptr(struct elf_binary *elf, unsigned long addr);
-+ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr);
- uint64_t elf_lookup_addr(struct elf_binary *elf, const char *symbol);
-
- void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart); /* private */
-@@ -221,9 +345,9 @@ struct xen_elfnote {
-
- struct elf_dom_parms {
- /* raw */
-- const char *guest_info;
-- const void *elf_note_start;
-- const void *elf_note_end;
-+ ELF_PTRVAL_CONST_CHAR guest_info;
-+ ELF_PTRVAL_CONST_VOID elf_note_start;
-+ ELF_PTRVAL_CONST_VOID elf_note_end;
- struct xen_elfnote elf_notes[XEN_ELFNOTE_MAX + 1];
-
- /* parsed */
-@@ -262,10 +386,22 @@ int elf_xen_parse_features(const char *features,
- uint32_t *required);
- int elf_xen_parse_note(struct elf_binary *elf,
- struct elf_dom_parms *parms,
-- const elf_note *note);
-+ ELF_HANDLE_DECL(elf_note) note);
- int elf_xen_parse_guest_info(struct elf_binary *elf,
- struct elf_dom_parms *parms);
- int elf_xen_parse(struct elf_binary *elf,
- struct elf_dom_parms *parms);
-
-+#define elf_memcpy_unchecked memcpy
-+#define elf_memset_unchecked memset
-+ /*
-+ * Unsafe versions of memcpy and memset which take actual C
-+ * pointers. These are just like real memcpy and memset.
-+ */
-+
-+
-+#define ELF_ADVANCE_DEST(elf, amount) elf->dest += (amount)
-+ /* Advances past amount bytes of the current destination area. */
-+
-+
- #endif /* __XEN_LIBELF_H__ */
---
-1.7.2.5
-
+++ /dev/null
-From 59f66d58180832af6b99a9e4489031b5c2f627ab Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:17 +0100
-Subject: [PATCH 09/23] tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
-
-Use the new PTRVAL macros and elf_access_unsigned in
-print_l1_mfn_valid_note.
-
-No functional change unless the input is wrong, or we are reading a
-file for a different endianness.
-
-Separated out from the previous patch because this change does produce
-a difference in the generated code.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
----
- tools/xcutils/readnotes.c | 11 ++++++-----
- 1 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
-index 2af047d..7ff2530 100644
---- a/tools/xcutils/readnotes.c
-+++ b/tools/xcutils/readnotes.c
-@@ -77,22 +77,23 @@ static void print_numeric_note(const char *prefix, struct elf_binary *elf,
- }
-
- static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
-- const elf_note *note)
-+ ELF_HANDLE_DECL(elf_note) note)
- {
- int descsz = elf_uval(elf, note, descsz);
-- const uint32_t *desc32 = elf_note_desc(elf, note);
-- const uint64_t *desc64 = elf_note_desc(elf, note);
-+ ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
-
- /* XXX should be able to cope with a list of values. */
- switch ( descsz / 2 )
- {
- case 8:
- printf("%s: mask=%#"PRIx64" value=%#"PRIx64"\n", prefix,
-- desc64[0], desc64[1]);
-+ elf_access_unsigned(elf, desc, 0, 8),
-+ elf_access_unsigned(elf, desc, 8, 8));
- break;
- case 4:
- printf("%s: mask=%#"PRIx32" value=%#"PRIx32"\n", prefix,
-- desc32[0],desc32[1]);
-+ (uint32_t)elf_access_unsigned(elf, desc, 0, 4),
-+ (uint32_t)elf_access_unsigned(elf, desc, 4, 4));
- break;
- }
-
---
-1.7.2.5
-
+++ /dev/null
-From db14d5bd9b6508adfcd2b910f454fae12fa4ba00 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:17 +0100
-Subject: [PATCH 10/23] libelf: check nul-terminated strings properly
-
-It is not safe to simply take pointers into the ELF and use them as C
-pointers. They might not be properly nul-terminated (and the pointers
-might be wild).
-
-So we are going to introduce a new function elf_strval for safely
-getting strings. This will check that the addresses are in range and
-that there is a proper nul-terminated string. Of course it might
-discover that there isn't. In that case, it will be made to fail.
-This means that elf_note_name might fail, too.
-
-For the benefit of call sites which are just going to pass the value
-to a printf-like function, we provide elf_strfmt which returns
-"(invalid)" on failure rather than NULL.
-
-In this patch we introduce dummy definitions of these functions. We
-introduce calls to elf_strval and elf_strfmt everywhere, and update
-all the call sites with appropriate error checking.
-
-There is not yet any semantic change, since before this patch all the
-places where we introduce elf_strval dereferenced the value anyway, so
-it mustn't have been NULL.
-
-In future patches, when elf_strval is made able return NULL, when it
-does so it will mark the elf "broken" so that an appropriate
-diagnostic can be printed.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
- tools/xcutils/readnotes.c | 11 ++++++++---
- xen/common/libelf/libelf-dominfo.c | 13 ++++++++++---
- xen/common/libelf/libelf-tools.c | 10 +++++++---
- xen/include/xen/libelf.h | 7 +++++--
- 4 files changed, 30 insertions(+), 11 deletions(-)
-
-diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
-index 7ff2530..cfae994 100644
---- a/tools/xcutils/readnotes.c
-+++ b/tools/xcutils/readnotes.c
-@@ -63,7 +63,7 @@ struct setup_header {
- static void print_string_note(const char *prefix, struct elf_binary *elf,
- ELF_HANDLE_DECL(elf_note) note)
- {
-- printf("%s: %s\n", prefix, (char*)elf_note_desc(elf, note));
-+ printf("%s: %s\n", prefix, elf_strfmt(elf, elf_note_desc(elf, note)));
- }
-
- static void print_numeric_note(const char *prefix, struct elf_binary *elf,
-@@ -103,10 +103,14 @@ static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start,
- {
- ELF_HANDLE_DECL(elf_note) note;
- int notes_found = 0;
-+ const char *this_note_name;
-
- for ( note = start; ELF_HANDLE_PTRVAL(note) < ELF_HANDLE_PTRVAL(end); note = elf_note_next(elf, note) )
- {
-- if (0 != strcmp(elf_note_name(elf, note), "Xen"))
-+ this_note_name = elf_note_name(elf, note);
-+ if (NULL == this_note_name)
-+ continue;
-+ if (0 != strcmp(this_note_name, "Xen"))
- continue;
-
- notes_found++;
-@@ -294,7 +298,8 @@ int main(int argc, char **argv)
-
- shdr = elf_shdr_by_name(&elf, "__xen_guest");
- if (ELF_HANDLE_VALID(shdr))
-- printf("__xen_guest: %s\n", (char*)elf_section_start(&elf, shdr));
-+ printf("__xen_guest: %s\n",
-+ elf_strfmt(&elf, elf_section_start(&elf, shdr)));
-
- return 0;
- }
-diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
-index 7140d59..b217f8f 100644
---- a/xen/common/libelf/libelf-dominfo.c
-+++ b/xen/common/libelf/libelf-dominfo.c
-@@ -137,7 +137,10 @@ int elf_xen_parse_note(struct elf_binary *elf,
-
- if ( note_desc[type].str )
- {
-- str = elf_note_desc(elf, note);
-+ str = elf_strval(elf, elf_note_desc(elf, note));
-+ if (str == NULL)
-+ /* elf_strval will mark elf broken if it fails so no need to log */
-+ return 0;
- elf_msg(elf, "%s: %s = \"%s\"\n", __FUNCTION__,
- note_desc[type].name, str);
- parms->elf_notes[type].type = XEN_ENT_STR;
-@@ -220,6 +223,7 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
- {
- int xen_elfnotes = 0;
- ELF_HANDLE_DECL(elf_note) note;
-+ const char *note_name;
-
- parms->elf_note_start = start;
- parms->elf_note_end = end;
-@@ -227,7 +231,10 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
- ELF_HANDLE_PTRVAL(note) < parms->elf_note_end;
- note = elf_note_next(elf, note) )
- {
-- if ( strcmp(elf_note_name(elf, note), "Xen") )
-+ note_name = elf_note_name(elf, note);
-+ if ( note_name == NULL )
-+ continue;
-+ if ( strcmp(note_name, "Xen") )
- continue;
- if ( elf_xen_parse_note(elf, parms, note) )
- return -1;
-@@ -541,7 +548,7 @@ int elf_xen_parse(struct elf_binary *elf,
- parms->elf_note_start = ELF_INVALID_PTRVAL;
- parms->elf_note_end = ELF_INVALID_PTRVAL;
- elf_msg(elf, "%s: __xen_guest: \"%s\"\n", __FUNCTION__,
-- parms->guest_info);
-+ elf_strfmt(elf, parms->guest_info));
- elf_xen_parse_guest_info(elf, parms);
- break;
- }
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index f1fd886..3a0cde1 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -119,7 +119,7 @@ const char *elf_section_name(struct elf_binary *elf,
- if ( ELF_PTRVAL_INVALID(elf->sec_strtab) )
- return "unknown";
-
-- return elf->sec_strtab + elf_uval(elf, shdr, sh_name);
-+ return elf_strval(elf, elf->sec_strtab + elf_uval(elf, shdr, sh_name));
- }
-
- ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
-@@ -151,6 +151,7 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *sym
- ELF_PTRVAL_CONST_VOID end = elf_section_end(elf, elf->sym_tab);
- ELF_HANDLE_DECL(elf_sym) sym;
- uint64_t info, name;
-+ const char *sym_name;
-
- for ( ; ptr < end; ptr += elf_size(elf, sym) )
- {
-@@ -159,7 +160,10 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *sym
- name = elf_uval(elf, sym, st_name);
- if ( ELF32_ST_BIND(info) != STB_GLOBAL )
- continue;
-- if ( strcmp(elf->sym_strtab + name, symbol) )
-+ sym_name = elf_strval(elf, elf->sym_strtab + name);
-+ if ( sym_name == NULL ) /* out of range, oops */
-+ return ELF_INVALID_HANDLE(elf_sym);
-+ if ( strcmp(sym_name, symbol) )
- continue;
- return sym;
- }
-@@ -177,7 +181,7 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index)
-
- const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
-- return ELF_HANDLE_PTRVAL(note) + elf_size(elf, note);
-+ return elf_strval(elf, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note));
- }
-
- ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index cefd3d3..af5b5c5 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -252,6 +252,9 @@ uint64_t elf_access_unsigned(struct elf_binary *elf, ELF_PTRVAL_CONST_VOID ptr,
- uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr);
-
-
-+#define elf_strval(elf,x) ((const char*)(x)) /* may return NULL in the future */
-+#define elf_strfmt(elf,x) ((const char*)(x)) /* will return (invalid) instead */
-+
- #define elf_memcpy_safe(elf, dst, src, sz) memcpy((dst),(src),(sz))
- #define elf_memset_safe(elf, dst, c, sz) memset((dst),(c),(sz))
- /*
-@@ -279,7 +282,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
- ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index);
- ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index);
-
--const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-+const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr); /* might return NULL if inputs are invalid */
- ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
- ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-
-@@ -289,7 +292,7 @@ ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(el
- ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol);
- ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index);
-
--const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-+const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); /* may return NULL */
- ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
- uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
- uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
---
-1.7.2.5
-
+++ /dev/null
-From cc8761371aac432318530c2ddfe2c8234bc0621f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:17 +0100
-Subject: [PATCH 11/23] libelf: check all pointer accesses
-
-We change the ELF_PTRVAL and ELF_HANDLE types and associated macros:
-
- * PTRVAL becomes a uintptr_t, for which we provide a typedef
- elf_ptrval. This means no arithmetic done on it can overflow so
- the compiler cannot do any malicious invalid pointer arithmetic
- "optimisations". It also means that any places where we
- dereference one of these pointers without using the appropriate
- macros or functions become a compilation error.
-
- So we can be sure that we won't miss any memory accesses.
-
- All the PTRVAL variables were previously void* or char*, so
- the actual address calculations are unchanged.
-
- * ELF_HANDLE becomes a union, one half of which keeps the pointer
- value and the other half of which is just there to record the
- type.
-
- The new type is not a pointer type so there can be no address
- calculations on it whose meaning would change. Every assignment or
- access has to go through one of our macros.
-
- * The distinction between const and non-const pointers and char*s
- and void*s in libelf goes away. This was not important (and
- anyway libelf tended to cast away const in various places).
-
- * The fields elf->image and elf->dest are renamed. That proves
- that we haven't missed any unchecked uses of these actual
- pointer values.
-
- * The caller may fill in elf->caller_xdest_base and _size to
- specify another range of memory which is safe for libelf to
- access, besides the input and output images.
-
- * When accesses fail due to being out of range, we mark the elf
- "broken". This will be checked and used for diagnostics in
- a following patch.
-
- We do not check for write accesses to the input image. This is
- because libelf actually does this in a number of places. So we
- simply permit that.
-
- * Each caller of libelf which used to set dest now sets
- dest_base and dest_size.
-
- * In xc_dom_load_elf_symtab we provide a new actual-pointer
- value hdr_ptr which we get from mapping the guest's kernel
- area and use (checking carefully) as the caller_xdest area.
-
- * The STAR(h) macro in libelf-dominfo.c now uses elf_access_unsigned.
-
- * elf-init uses the new elf_uval_3264 accessor to access the 32-bit
- fields, rather than an unchecked field access (ie, unchecked
- pointer access).
-
- * elf_uval has been reworked to use elf_uval_3264. Both of these
- macros are essentially new in this patch (although they are derived
- from the old elf_uval) and need careful review.
-
- * ELF_ADVANCE_DEST is now safe in the sense that you can use it to
- chop parts off the front of the dest area but if you chop more than
- is available, the dest area is simply set to be empty, preventing
- future accesses.
-
- * We introduce some #defines for memcpy, memset, memmove and strcpy:
- - We provide elf_memcpy_safe and elf_memset_safe which take
- PTRVALs and do checking on the supplied pointers.
- - Users inside libelf must all be changed to either
- elf_mem*_unchecked (which are just like mem*), or
- elf_mem*_safe (which take PTRVALs) and are checked. Any
- unchanged call sites become compilation errors.
-
- * We do _not_ at this time fix elf_access_unsigned so that it doesn't
- make unaligned accesses. We hope that unaligned accesses are OK on
- every supported architecture. But it does check the supplied
- pointer for validity.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- tools/libxc/xc_dom_elfloader.c | 49 ++++++++--
- tools/libxc/xc_hvm_build_x86.c | 10 +-
- xen/arch/x86/domain_build.c | 3 +-
- xen/common/libelf/libelf-dominfo.c | 2 +-
- xen/common/libelf/libelf-loader.c | 16 ++--
- xen/common/libelf/libelf-private.h | 13 +++
- xen/common/libelf/libelf-tools.c | 106 ++++++++++++++++++-
- xen/include/xen/libelf.h | 198 +++++++++++++++++++++++++-----------
- 8 files changed, 312 insertions(+), 85 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index cc0f206..b82a08c 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -130,20 +130,30 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
-
- if ( load )
- {
-- size_t allow_size; /* will be used in a forthcoming XSA-55 patch */
-+ char *hdr_ptr;
-+ size_t allow_size;
-+
- if ( !dom->bsd_symtab_start )
- return 0;
- size = dom->kernel_seg.vend - dom->bsd_symtab_start;
-- hdr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
-- *(int *)hdr = size - sizeof(int);
-+ hdr_ptr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
-+ elf->caller_xdest_base = hdr_ptr;
-+ elf->caller_xdest_size = allow_size;
-+ hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
-+ elf_store_val(elf, int, hdr, size - sizeof(int));
- }
- else
- {
-+ char *hdr_ptr;
-+
- size = sizeof(int) + elf_size(elf, elf->ehdr) +
- elf_shdr_count(elf) * elf_size(elf, shdr);
-- hdr = xc_dom_malloc(dom, size);
-- if ( hdr == NULL )
-+ hdr_ptr = xc_dom_malloc(dom, size);
-+ if ( hdr_ptr == NULL )
- return 0;
-+ elf->caller_xdest_base = hdr_ptr;
-+ elf->caller_xdest_size = size;
-+ hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
- dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
- }
-
-@@ -171,9 +181,32 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- ehdr->e_shoff = elf_size(elf, elf->ehdr);
- ehdr->e_shstrndx = SHN_UNDEF;
- }
-- if ( elf_init(&syms, hdr + sizeof(int), size - sizeof(int)) )
-+ if ( elf->caller_xdest_size < sizeof(int) )
-+ {
-+ DOMPRINTF("%s/%s: header size %"PRIx64" too small",
-+ __FUNCTION__, load ? "load" : "parse",
-+ (uint64_t)elf->caller_xdest_size);
-+ return -1;
-+ }
-+ if ( elf_init(&syms, elf->caller_xdest_base + sizeof(int),
-+ elf->caller_xdest_size - sizeof(int)) )
- return -1;
-
-+ /*
-+ * The caller_xdest_{base,size} and dest_{base,size} need to
-+ * remain valid so long as each struct elf_image does. The
-+ * principle we adopt is that these values are set when the
-+ * memory is allocated or mapped, and cleared when (and if)
-+ * they are unmapped.
-+ *
-+ * Mappings of the guest are normally undone by xc_dom_unmap_all
-+ * (directly or via xc_dom_release). We do not explicitly clear
-+ * these because in fact that happens only at the end of
-+ * xc_dom_boot_image, at which time all of these ELF loading
-+ * functions have returned. No relevant struct elf_binary*
-+ * escapes this file.
-+ */
-+
- xc_elf_set_logfile(dom->xch, &syms, 1);
-
- symtab = dom->bsd_symtab_start + sizeof(int);
-@@ -312,8 +345,10 @@ static int xc_dom_load_elf_kernel(struct xc_dom_image *dom)
- {
- struct elf_binary *elf = dom->private_loader;
- int rc;
-+ xen_pfn_t pages;
-
-- elf->dest = xc_dom_seg_to_ptr(dom, &dom->kernel_seg);
-+ elf->dest_base = xc_dom_seg_to_ptr_pages(dom, &dom->kernel_seg, &pages);
-+ elf->dest_size = pages * XC_DOM_PAGE_SIZE(dom);
- rc = elf_load_binary(elf);
- if ( rc < 0 )
- {
-diff --git a/tools/libxc/xc_hvm_build_x86.c b/tools/libxc/xc_hvm_build_x86.c
-index 15b603d..ccfd8b5 100644
---- a/tools/libxc/xc_hvm_build_x86.c
-+++ b/tools/libxc/xc_hvm_build_x86.c
-@@ -104,11 +104,12 @@ static int loadelfimage(
- for ( i = 0; i < pages; i++ )
- entries[i].mfn = parray[(elf->pstart >> PAGE_SHIFT) + i];
-
-- elf->dest = xc_map_foreign_ranges(
-+ elf->dest_base = xc_map_foreign_ranges(
- xch, dom, pages << PAGE_SHIFT, PROT_READ | PROT_WRITE, 1 << PAGE_SHIFT,
- entries, pages);
-- if ( elf->dest == NULL )
-+ if ( elf->dest_base == NULL )
- goto err;
-+ elf->dest_size = pages * PAGE_SIZE;
-
- ELF_ADVANCE_DEST(elf, elf->pstart & (PAGE_SIZE - 1));
-
-@@ -117,8 +118,9 @@ static int loadelfimage(
- if ( rc < 0 )
- PERROR("Failed to load elf binary\n");
-
-- munmap(elf->dest, pages << PAGE_SHIFT);
-- elf->dest = NULL;
-+ munmap(elf->dest_base, pages << PAGE_SHIFT);
-+ elf->dest_base = NULL;
-+ elf->dest_size = 0;
-
- err:
- free(entries);
-diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
-index 469d363..a655b21 100644
---- a/xen/arch/x86/domain_build.c
-+++ b/xen/arch/x86/domain_build.c
-@@ -908,7 +908,8 @@ int __init construct_dom0(
- write_ptbase(v);
-
- /* Copy the OS image and free temporary buffer. */
-- elf.dest = (void*)vkern_start;
-+ elf.dest_base = (void*)vkern_start;
-+ elf.dest_size = vkern_end - vkern_start;
- rc = elf_load_binary(&elf);
- if ( rc < 0 )
- {
-diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
-index b217f8f..98c80dc 100644
---- a/xen/common/libelf/libelf-dominfo.c
-+++ b/xen/common/libelf/libelf-dominfo.c
-@@ -254,7 +254,7 @@ int elf_xen_parse_guest_info(struct elf_binary *elf,
- int len;
-
- h = parms->guest_info;
--#define STAR(h) (*(h))
-+#define STAR(h) (elf_access_unsigned(elf, (h), 0, 1))
- while ( STAR(h) )
- {
- elf_memset_unchecked(name, 0, sizeof(name));
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index 0fef84c..a3310e7 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -24,23 +24,25 @@
-
- /* ------------------------------------------------------------------------ */
-
--int elf_init(struct elf_binary *elf, const char *image, size_t size)
-+int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
- {
- ELF_HANDLE_DECL(elf_shdr) shdr;
- uint64_t i, count, section, offset;
-
-- if ( !elf_is_elfbinary(image) )
-+ if ( !elf_is_elfbinary(image_input) )
- {
- elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__);
- return -1;
- }
-
- elf_memset_unchecked(elf, 0, sizeof(*elf));
-- elf->image = image;
-+ elf->image_base = image_input;
- elf->size = size;
-- elf->ehdr = (elf_ehdr *)image;
-- elf->class = elf->ehdr->e32.e_ident[EI_CLASS];
-- elf->data = elf->ehdr->e32.e_ident[EI_DATA];
-+ elf->ehdr = ELF_MAKE_HANDLE(elf_ehdr, (elf_ptrval)image_input);
-+ elf->class = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_CLASS]);
-+ elf->data = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_DATA]);
-+ elf->caller_xdest_base = NULL;
-+ elf->caller_xdest_size = 0;
-
- /* Sanity check phdr. */
- offset = elf_uval(elf, elf->ehdr, e_phoff) +
-@@ -300,7 +302,7 @@ int elf_load_binary(struct elf_binary *elf)
-
- ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr)
- {
-- return elf->dest + addr - elf->pstart;
-+ return ELF_REALPTR2PTRVAL(elf->dest_base) + addr - elf->pstart;
- }
-
- uint64_t elf_lookup_addr(struct elf_binary * elf, const char *symbol)
-diff --git a/xen/common/libelf/libelf-private.h b/xen/common/libelf/libelf-private.h
-index 3ef753c..280dfd1 100644
---- a/xen/common/libelf/libelf-private.h
-+++ b/xen/common/libelf/libelf-private.h
-@@ -86,6 +86,19 @@ do { strncpy((d),(s),sizeof((d))-1); \
-
- #endif
-
-+#undef memcpy
-+#undef memset
-+#undef memmove
-+#undef strcpy
-+
-+#define memcpy MISTAKE_unspecified_memcpy
-+#define memset MISTAKE_unspecified_memset
-+#define memmove MISTAKE_unspecified_memmove
-+#define strcpy MISTAKE_unspecified_strcpy
-+ /* This prevents libelf from using these undecorated versions
-+ * of memcpy, memset, memmove and strcpy. Every call site
-+ * must either use elf_mem*_unchecked, or elf_mem*_safe. */
-+
- #endif /* __LIBELF_PRIVATE_H_ */
-
- /*
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index 3a0cde1..46ca553 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -20,28 +20,100 @@
-
- /* ------------------------------------------------------------------------ */
-
--uint64_t elf_access_unsigned(struct elf_binary * elf, const void *ptr,
-- uint64_t offset, size_t size)
-+void elf_mark_broken(struct elf_binary *elf, const char *msg)
- {
-+ if ( elf->broken == NULL )
-+ elf->broken = msg;
-+}
-+
-+const char *elf_check_broken(const struct elf_binary *elf)
-+{
-+ return elf->broken;
-+}
-+
-+static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
-+ const void *region, uint64_t regionsize)
-+ /*
-+ * Returns true if the putative memory area [ptrval,ptrval+size>
-+ * is completely inside the region [region,region+regionsize>.
-+ *
-+ * ptrval and size are the untrusted inputs to be checked.
-+ * region and regionsize are trusted and must be correct and valid,
-+ * although it is OK for region to perhaps be maliciously NULL
-+ * (but not some other malicious value).
-+ */
-+{
-+ elf_ptrval regionp = (elf_ptrval)region;
-+
-+ if ( (region == NULL) ||
-+ (ptrval < regionp) || /* start is before region */
-+ (ptrval > regionp + regionsize) || /* start is after region */
-+ (size > regionsize - (ptrval - regionp)) ) /* too big */
-+ return 0;
-+ return 1;
-+}
-+
-+int elf_access_ok(struct elf_binary * elf,
-+ uint64_t ptrval, size_t size)
-+{
-+ if ( elf_ptrval_in_range(ptrval, size, elf->image_base, elf->size) )
-+ return 1;
-+ if ( elf_ptrval_in_range(ptrval, size, elf->dest_base, elf->dest_size) )
-+ return 1;
-+ if ( elf_ptrval_in_range(ptrval, size,
-+ elf->caller_xdest_base, elf->caller_xdest_size) )
-+ return 1;
-+ elf_mark_broken(elf, "out of range access");
-+ return 0;
-+}
-+
-+void elf_memcpy_safe(struct elf_binary *elf, elf_ptrval dst,
-+ elf_ptrval src, size_t size)
-+{
-+ if ( elf_access_ok(elf, dst, size) &&
-+ elf_access_ok(elf, src, size) )
-+ {
-+ /* use memmove because these checks do not prove that the
-+ * regions don't overlap and overlapping regions grant
-+ * permission for compiler malice */
-+ elf_memmove_unchecked(ELF_UNSAFE_PTR(dst), ELF_UNSAFE_PTR(src), size);
-+ }
-+}
-+
-+void elf_memset_safe(struct elf_binary *elf, elf_ptrval dst, int c, size_t size)
-+{
-+ if ( elf_access_ok(elf, dst, size) )
-+ {
-+ elf_memset_unchecked(ELF_UNSAFE_PTR(dst), c, size);
-+ }
-+}
-+
-+uint64_t elf_access_unsigned(struct elf_binary * elf, elf_ptrval base,
-+ uint64_t moreoffset, size_t size)
-+{
-+ elf_ptrval ptrval = base + moreoffset;
- int need_swap = elf_swap(elf);
- const uint8_t *u8;
- const uint16_t *u16;
- const uint32_t *u32;
- const uint64_t *u64;
-
-+ if ( !elf_access_ok(elf, ptrval, size) )
-+ return 0;
-+
- switch ( size )
- {
- case 1:
-- u8 = ptr + offset;
-+ u8 = (const void*)ptrval;
- return *u8;
- case 2:
-- u16 = ptr + offset;
-+ u16 = (const void*)ptrval;
- return need_swap ? bswap_16(*u16) : *u16;
- case 4:
-- u32 = ptr + offset;
-+ u32 = (const void*)ptrval;
- return need_swap ? bswap_32(*u32) : *u32;
- case 8:
-- u64 = ptr + offset;
-+ u64 = (const void*)ptrval;
- return need_swap ? bswap_64(*u64) : *u64;
- default:
- return 0;
-@@ -122,6 +194,28 @@ const char *elf_section_name(struct elf_binary *elf,
- return elf_strval(elf, elf->sec_strtab + elf_uval(elf, shdr, sh_name));
- }
-
-+const char *elf_strval(struct elf_binary *elf, elf_ptrval start)
-+{
-+ uint64_t length;
-+
-+ for ( length = 0; ; length++ ) {
-+ if ( !elf_access_ok(elf, start + length, 1) )
-+ return NULL;
-+ if ( !elf_access_unsigned(elf, start, length, 1) )
-+ /* ok */
-+ return ELF_UNSAFE_PTR(start);
-+ }
-+}
-+
-+const char *elf_strfmt(struct elf_binary *elf, elf_ptrval start)
-+{
-+ const char *str = elf_strval(elf, start);
-+
-+ if ( str == NULL )
-+ return "(invalid)";
-+ return str;
-+}
-+
- ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
- {
- return ELF_IMAGE_BASE(elf) + elf_uval(elf, shdr, sh_offset);
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index af5b5c5..ddc3ed7 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -57,8 +57,9 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
- * on this.
- * This replaces variables which were char*,void*
- * and their const versions, so we provide four
-- * different declaration macros:
-+ * different obsolete declaration macros:
- * ELF_PTRVAL_{,CONST}{VOID,CHAR}
-+ * New code can simply use the elf_ptrval typedef.
- * HANDLE A pointer to a struct. There is one of these types
- * for each pointer type - that is, for each "structname".
- * In the arguments to the various HANDLE macros, structname
-@@ -67,54 +68,66 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
- * pointers. In the current code attempts to do so will
- * compile, but in the next patch this will become a
- * compile error.
-- * We provide two declaration macros for const and
-- * non-const pointers.
-+ * We also provide a second declaration macro for
-+ * pointers which were to const; this is obsolete.
- */
-
--#define ELF_REALPTR2PTRVAL(realpointer) (realpointer)
-+typedef uintptr_t elf_ptrval;
-+
-+#define ELF_REALPTR2PTRVAL(realpointer) ((elf_ptrval)(realpointer))
- /* Converts an actual C pointer into a PTRVAL */
-
--#define ELF_HANDLE_DECL_NONCONST(structname) structname *
--#define ELF_HANDLE_DECL(structname) const structname *
-+#define ELF_HANDLE_DECL_NONCONST(structname) structname##_handle /*obsolete*/
-+#define ELF_HANDLE_DECL(structname) structname##_handle
- /* Provides a type declaration for a HANDLE. */
-- /* May only be used to declare ONE variable at a time */
-
--#define ELF_PTRVAL_VOID void *
--#define ELF_PTRVAL_CHAR char *
--#define ELF_PTRVAL_CONST_VOID const void *
--#define ELF_PTRVAL_CONST_CHAR const char *
-- /* Provides a type declaration for a PTRVAL. */
-- /* May only be used to declare ONE variable at a time */
-+#define ELF_PTRVAL_VOID elf_ptrval /*obsolete*/
-+#define ELF_PTRVAL_CHAR elf_ptrval /*obsolete*/
-+#define ELF_PTRVAL_CONST_VOID elf_ptrval /*obsolete*/
-+#define ELF_PTRVAL_CONST_CHAR elf_ptrval /*obsolete*/
-+
-+#ifdef __XEN__
-+# define ELF_PRPTRVAL "lu"
-+ /*
-+ * PRIuPTR is misdefined in xen/include/xen/inttypes.h, on 32-bit,
-+ * to "u", when in fact uintptr_t is an unsigned long.
-+ */
-+#else
-+# define ELF_PRPTRVAL PRIuPTR
-+#endif
-+ /* printf format a la PRId... for a PTRVAL */
-
--#define ELF_DEFINE_HANDLE(structname) /* empty */
-+#define ELF_DEFINE_HANDLE(structname) \
-+ typedef union { \
-+ elf_ptrval ptrval; \
-+ const structname *typeonly; /* for sizeof, offsetof, &c only */ \
-+ } structname##_handle;
- /*
- * This must be invoked for each HANDLE type to define
- * the actual C type used for that kind of HANDLE.
- */
-
--#define ELF_PRPTRVAL "p"
-- /* printf format a la PRId... for a PTRVAL */
--
--#define ELF_MAKE_HANDLE(structname, ptrval) (ptrval)
-+#define ELF_MAKE_HANDLE(structname, ptrval) ((structname##_handle){ ptrval })
- /* Converts a PTRVAL to a HANDLE */
-
--#define ELF_IMAGE_BASE(elf) ((elf)->image)
-+#define ELF_IMAGE_BASE(elf) ((elf_ptrval)(elf)->image_base)
- /* Returns the base of the image as a PTRVAL. */
-
--#define ELF_HANDLE_PTRVAL(handleval) ((void*)(handleval))
-+#define ELF_HANDLE_PTRVAL(handleval) ((handleval).ptrval)
- /* Converts a HANDLE to a PTRVAL. */
-
--#define ELF_OBSOLETE_VOIDP_CAST (void*)(uintptr_t)
-+#define ELF_OBSOLETE_VOIDP_CAST /*empty*/
- /*
-- * In some places the existing code needs to
-+ * In some places the old code used to need to
- * - cast away const (the existing code uses const a fair
- * bit but actually sometimes wants to write to its input)
- * from a PTRVAL.
- * - convert an integer representing a pointer to a PTRVAL
-- * This macro provides a suitable cast.
-+ * Nowadays all of these re uintptr_ts so there is no const problem
-+ * and no need for any casting.
- */
-
--#define ELF_UNSAFE_PTR(ptrval) ((void*)(uintptr_t)(ptrval))
-+#define ELF_UNSAFE_PTR(ptrval) ((void*)(elf_ptrval)(ptrval))
- /*
- * Turns a PTRVAL into an actual C pointer. Before this is done
- * the caller must have ensured that the PTRVAL does in fact point
-@@ -122,18 +135,21 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
- */
-
- /* PTRVALs can be INVALID (ie, NULL). */
--#define ELF_INVALID_PTRVAL (NULL) /* returns NULL PTRVAL */
-+#define ELF_INVALID_PTRVAL ((elf_ptrval)0) /* returns NULL PTRVAL */
- #define ELF_INVALID_HANDLE(structname) /* returns NULL handle */ \
- ELF_MAKE_HANDLE(structname, ELF_INVALID_PTRVAL)
--#define ELF_PTRVAL_VALID(ptrval) (ptrval) /* } */
--#define ELF_HANDLE_VALID(handleval) (handleval) /* } predicates */
--#define ELF_PTRVAL_INVALID(ptrval) ((ptrval) == NULL) /* } */
-+#define ELF_PTRVAL_VALID(ptrval) (!!(ptrval)) /* } */
-+#define ELF_HANDLE_VALID(handleval) (!!(handleval).ptrval) /* } predicates */
-+#define ELF_PTRVAL_INVALID(ptrval) (!ELF_PTRVAL_VALID((ptrval))) /* } */
-+
-+#define ELF_MAX_PTRVAL (~(elf_ptrval)0)
-+ /* PTRVAL value guaranteed to compare > to any valid PTRVAL */
-
- /* For internal use by other macros here */
- #define ELF__HANDLE_FIELD_TYPE(handleval, elm) \
-- typeof((handleval)->elm)
-+ typeof((handleval).typeonly->elm)
- #define ELF__HANDLE_FIELD_OFFSET(handleval, elm) \
-- offsetof(typeof(*(handleval)),elm)
-+ offsetof(typeof(*(handleval).typeonly),elm)
-
-
- /* ------------------------------------------------------------------------ */
-@@ -182,7 +198,7 @@ ELF_DEFINE_HANDLE(elf_note)
-
- struct elf_binary {
- /* elf binary */
-- const char *image;
-+ const void *image_base;
- size_t size;
- char class;
- char data;
-@@ -190,10 +206,16 @@ struct elf_binary {
- ELF_HANDLE_DECL(elf_ehdr) ehdr;
- ELF_PTRVAL_CONST_CHAR sec_strtab;
- ELF_HANDLE_DECL(elf_shdr) sym_tab;
-- ELF_PTRVAL_CONST_CHAR sym_strtab;
-+ uint64_t sym_strtab;
-
- /* loaded to */
-- char *dest;
-+ /*
-+ * dest_base and dest_size are trusted and must be correct;
-+ * whenever dest_size is not 0, both of these must be valid
-+ * so long as the struct elf_binary is in use.
-+ */
-+ char *dest_base;
-+ size_t dest_size;
- uint64_t pstart;
- uint64_t pend;
- uint64_t reloc_offset;
-@@ -201,12 +223,22 @@ struct elf_binary {
- uint64_t bsd_symtab_pstart;
- uint64_t bsd_symtab_pend;
-
-+ /*
-+ * caller's other acceptable destination
-+ *
-+ * Again, these are trusted and must be valid (or 0) so long
-+ * as the struct elf_binary is in use.
-+ */
-+ void *caller_xdest_base;
-+ uint64_t caller_xdest_size;
-+
- #ifndef __XEN__
- /* misc */
- elf_log_callback *log_callback;
- void *log_caller_data;
- #endif
- int verbose;
-+ const char *broken;
- };
-
- /* ------------------------------------------------------------------------ */
-@@ -224,22 +256,27 @@ struct elf_binary {
- #define elf_lsb(elf) (ELFDATA2LSB == (elf)->data)
- #define elf_swap(elf) (NATIVE_ELFDATA != (elf)->data)
-
--#define elf_uval(elf, str, elem) \
-- ((ELFCLASS64 == (elf)->class) \
-- ? elf_access_unsigned((elf), (str), \
-- offsetof(typeof(*(str)),e64.elem), \
-- sizeof((str)->e64.elem)) \
-- : elf_access_unsigned((elf), (str), \
-- offsetof(typeof(*(str)),e32.elem), \
-- sizeof((str)->e32.elem)))
-+#define elf_uval_3264(elf, handle, elem) \
-+ elf_access_unsigned((elf), (handle).ptrval, \
-+ offsetof(typeof(*(handle).typeonly),elem), \
-+ sizeof((handle).typeonly->elem))
-+
-+#define elf_uval(elf, handle, elem) \
-+ ((ELFCLASS64 == (elf)->class) \
-+ ? elf_uval_3264(elf, handle, e64.elem) \
-+ : elf_uval_3264(elf, handle, e32.elem))
- /*
- * Reads an unsigned field in a header structure in the ELF.
- * str is a HANDLE, and elem is the field name in it.
- */
-
--#define elf_size(elf, str) \
-+
-+#define elf_size(elf, handle_or_handletype) ({ \
-+ typeof(handle_or_handletype) elf_size__dummy; \
- ((ELFCLASS64 == (elf)->class) \
-- ? sizeof((str)->e64) : sizeof((str)->e32))
-+ ? sizeof(elf_size__dummy.typeonly->e64) \
-+ : sizeof(elf_size__dummy.typeonly->e32)); \
-+})
- /*
- * Returns the size of the substructure for the appropriate 32/64-bitness.
- * str should be a HANDLE.
-@@ -251,23 +288,37 @@ uint64_t elf_access_unsigned(struct elf_binary *elf, ELF_PTRVAL_CONST_VOID ptr,
-
- uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr);
-
-+const char *elf_strval(struct elf_binary *elf, elf_ptrval start);
-+ /* may return NULL if the string is out of range etc. */
-
--#define elf_strval(elf,x) ((const char*)(x)) /* may return NULL in the future */
--#define elf_strfmt(elf,x) ((const char*)(x)) /* will return (invalid) instead */
-+const char *elf_strfmt(struct elf_binary *elf, elf_ptrval start);
-+ /* like elf_strval but returns "(invalid)" instead of NULL */
-
--#define elf_memcpy_safe(elf, dst, src, sz) memcpy((dst),(src),(sz))
--#define elf_memset_safe(elf, dst, c, sz) memset((dst),(c),(sz))
-+void elf_memcpy_safe(struct elf_binary*, elf_ptrval dst, elf_ptrval src, size_t);
-+void elf_memset_safe(struct elf_binary*, elf_ptrval dst, int c, size_t);
- /*
-- * Versions of memcpy and memset which will (in the next patch)
-- * arrange never to write outside permitted areas.
-+ * Versions of memcpy and memset which arrange never to write
-+ * outside permitted areas.
- */
-
--#define elf_store_val(elf, type, ptr, val) (*(type*)(ptr) = (val))
-+int elf_access_ok(struct elf_binary * elf,
-+ uint64_t ptrval, size_t size);
-+
-+#define elf_store_val(elf, type, ptr, val) \
-+ ({ \
-+ typeof(type) elf_store__val = (val); \
-+ elf_ptrval elf_store__targ = ptr; \
-+ if (elf_access_ok((elf), elf_store__targ, \
-+ sizeof(elf_store__val))) { \
-+ elf_memcpy_unchecked((void*)elf_store__targ, &elf_store__val, \
-+ sizeof(elf_store__val)); \
-+ } \
-+ }) \
- /* Stores a value at a particular PTRVAL. */
-
--#define elf_store_field(elf, hdr, elm, val) \
-- (elf_store_val((elf), ELF__HANDLE_FIELD_TYPE(hdr, elm), \
-- &((hdr)->elm), \
-+#define elf_store_field(elf, hdr, elm, val) \
-+ (elf_store_val((elf), ELF__HANDLE_FIELD_TYPE(hdr, elm), \
-+ ELF_HANDLE_PTRVAL(hdr) + ELF__HANDLE_FIELD_OFFSET(hdr, elm), \
- (val)))
- /* Stores a 32/64-bit field. hdr is a HANDLE and elm is the field name. */
-
-@@ -306,6 +357,10 @@ int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
- /* xc_libelf_loader.c */
-
- int elf_init(struct elf_binary *elf, const char *image, size_t size);
-+ /*
-+ * image and size must be correct. They will be recorded in
-+ * *elf, and must remain valid while the elf is in use.
-+ */
- #ifdef __XEN__
- void elf_set_verbose(struct elf_binary *elf);
- #else
-@@ -321,6 +376,9 @@ uint64_t elf_lookup_addr(struct elf_binary *elf, const char *symbol);
-
- void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart); /* private */
-
-+void elf_mark_broken(struct elf_binary *elf, const char *msg);
-+const char *elf_check_broken(const struct elf_binary *elf); /* NULL means OK */
-+
- /* ------------------------------------------------------------------------ */
- /* xc_libelf_relocate.c */
-
-@@ -395,16 +453,38 @@ int elf_xen_parse_guest_info(struct elf_binary *elf,
- int elf_xen_parse(struct elf_binary *elf,
- struct elf_dom_parms *parms);
-
--#define elf_memcpy_unchecked memcpy
--#define elf_memset_unchecked memset
-+static inline void *elf_memcpy_unchecked(void *dest, const void *src, size_t n)
-+ { return memcpy(dest, src, n); }
-+static inline void *elf_memmove_unchecked(void *dest, const void *src, size_t n)
-+ { return memmove(dest, src, n); }
-+static inline void *elf_memset_unchecked(void *s, int c, size_t n)
-+ { return memset(s, c, n); }
- /*
-- * Unsafe versions of memcpy and memset which take actual C
-- * pointers. These are just like real memcpy and memset.
-+ * Unsafe versions of memcpy, memmove memset which take actual C
-+ * pointers. These are just like the real functions.
-+ * We provide these so that in libelf-private.h we can #define
-+ * memcpy, memset and memmove to undefined MISTAKE things.
- */
-
-
--#define ELF_ADVANCE_DEST(elf, amount) elf->dest += (amount)
-- /* Advances past amount bytes of the current destination area. */
-+/* Advances past amount bytes of the current destination area. */
-+static inline void ELF_ADVANCE_DEST(struct elf_binary *elf, uint64_t amount)
-+{
-+ if ( elf->dest_base == NULL )
-+ {
-+ elf_mark_broken(elf, "advancing in null image");
-+ }
-+ else if ( elf->dest_size >= amount )
-+ {
-+ elf->dest_base += amount;
-+ elf->dest_size -= amount;
-+ }
-+ else
-+ {
-+ elf->dest_size = 0;
-+ elf_mark_broken(elf, "advancing past end (image very short?)");
-+ }
-+}
-
-
- #endif /* __XEN_LIBELF_H__ */
---
-1.7.2.5
-
+++ /dev/null
-From d0790bdad7496e720416b2d4a04563c4c27e7b95 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:17 +0100
-Subject: [PATCH 12/23] libelf: Check pointer references in elf_is_elfbinary
-
-elf_is_elfbinary didn't take a length parameter and could potentially
-access out of range when provided with a very short image.
-
-We only need to check the size is enough for the actual dereference in
-elf_is_elfbinary; callers are just using it to check the magic number
-and do their own checks (usually via the new elf_ptrval system) before
-dereferencing other parts of the header.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
- tools/libxc/xc_dom_elfloader.c | 2 +-
- xen/arch/x86/bzimage.c | 4 ++--
- xen/common/libelf/libelf-loader.c | 2 +-
- xen/common/libelf/libelf-tools.c | 9 ++++++---
- xen/include/xen/libelf.h | 4 +++-
- 5 files changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index b82a08c..ea45886 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -95,7 +95,7 @@ static int check_elf_kernel(struct xc_dom_image *dom, int verbose)
- return -EINVAL;
- }
-
-- if ( !elf_is_elfbinary(dom->kernel_blob) )
-+ if ( !elf_is_elfbinary(dom->kernel_blob, dom->kernel_size) )
- {
- if ( verbose )
- xc_dom_panic(dom->xch,
-diff --git a/xen/arch/x86/bzimage.c b/xen/arch/x86/bzimage.c
-index 5adc223..3600dca 100644
---- a/xen/arch/x86/bzimage.c
-+++ b/xen/arch/x86/bzimage.c
-@@ -220,7 +220,7 @@ unsigned long __init bzimage_headroom(char *image_start,
- image_length = hdr->payload_length;
- }
-
-- if ( elf_is_elfbinary(image_start) )
-+ if ( elf_is_elfbinary(image_start, image_length) )
- return 0;
-
- orig_image_len = image_length;
-@@ -251,7 +251,7 @@ int __init bzimage_parse(char *image_base, char **image_start, unsigned long *im
- *image_len = hdr->payload_length;
- }
-
-- if ( elf_is_elfbinary(*image_start) )
-+ if ( elf_is_elfbinary(*image_start, *image_len) )
- return 0;
-
- BUG_ON(!(image_base < *image_start));
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index a3310e7..f8be635 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -29,7 +29,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
- ELF_HANDLE_DECL(elf_shdr) shdr;
- uint64_t i, count, section, offset;
-
-- if ( !elf_is_elfbinary(image_input) )
-+ if ( !elf_is_elfbinary(image_input, size) )
- {
- elf_err(elf, "%s: not an ELF binary\n", __FUNCTION__);
- return -1;
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index 46ca553..744027e 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -332,11 +332,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
-
- /* ------------------------------------------------------------------------ */
-
--int elf_is_elfbinary(const void *image)
-+int elf_is_elfbinary(const void *image_start, size_t image_size)
- {
-- const Elf32_Ehdr *ehdr = image;
-+ const Elf32_Ehdr *ehdr = image_start;
-
-- return IS_ELF(*ehdr); /* fixme unchecked */
-+ if ( image_size < sizeof(*ehdr) )
-+ return 0;
-+
-+ return IS_ELF(*ehdr);
- }
-
- int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index ddc3ed7..ac93858 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -350,7 +350,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
- unsigned int unitsz, unsigned int idx);
- ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-
--int elf_is_elfbinary(const void *image);
-+/* (Only) checks that the image has the right magic number. */
-+int elf_is_elfbinary(const void *image_start, size_t image_size);
-+
- int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-
- /* ------------------------------------------------------------------------ */
---
-1.7.2.5
-
+++ /dev/null
-From a965b8f80388603d439ae2b8ee7b9b018a079f90 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:17 +0100
-Subject: [PATCH 13/23] libelf: Make all callers call elf_check_broken
-
-This arranges that if the new pointer reference error checking
-tripped, we actually get a message about it. In this patch these
-messages do not change the actual return values from the various
-functions: so pointer reference errors do not prevent loading. This
-is for fear that some existing kernels might cause the code to make
-these wild references, which would then break, which is not a good
-thing in a security patch.
-
-In xen/arch/x86/domain_build.c we have to introduce an "out" label and
-change all of the "return rc" beyond the relevant point into "goto
-out".
-
-Difference in the 4.2 series, compared to unstable:
-
-* tools/libxc/xc_hvm_build_x86.c:setup_guest and
- xen/arch/arm/kernel.c:kernel_try_elf_prepare have different
- error handling in 4.2 to unstable; patch adjusted accordingly.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-xen-unstable version Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
----
- tools/libxc/xc_dom_elfloader.c | 25 +++++++++++++++++++++----
- tools/libxc/xc_hvm_build_x86.c | 5 +++++
- tools/xcutils/readnotes.c | 3 +++
- xen/arch/arm/kernel.c | 15 ++++++++++++++-
- xen/arch/x86/domain_build.c | 28 +++++++++++++++++++++-------
- 5 files changed, 64 insertions(+), 12 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index ea45886..4fb4da2 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -276,6 +276,13 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- elf_store_field(elf, shdr, e32.sh_name, 0);
- }
-
-+ if ( elf_check_broken(&syms) )
-+ DOMPRINTF("%s: symbols ELF broken: %s", __FUNCTION__,
-+ elf_check_broken(&syms));
-+ if ( elf_check_broken(elf) )
-+ DOMPRINTF("%s: ELF broken: %s", __FUNCTION__,
-+ elf_check_broken(elf));
-+
- if ( tables == 0 )
- {
- DOMPRINTF("%s: no symbol table present", __FUNCTION__);
-@@ -312,19 +319,23 @@ static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
- {
- xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: ELF image"
- " has no shstrtab", __FUNCTION__);
-- return -EINVAL;
-+ rc = -EINVAL;
-+ goto out;
- }
-
- /* parse binary and get xen meta info */
- elf_parse_binary(elf);
- if ( (rc = elf_xen_parse(elf, &dom->parms)) != 0 )
-- return rc;
-+ {
-+ goto out;
-+ }
-
- if ( elf_xen_feature_get(XENFEAT_dom0, dom->parms.f_required) )
- {
- xc_dom_panic(dom->xch, XC_INVALID_KERNEL, "%s: Kernel does not"
- " support unprivileged (DomU) operation", __FUNCTION__);
-- return -EINVAL;
-+ rc = -EINVAL;
-+ goto out;
- }
-
- /* find kernel segment */
-@@ -338,7 +349,13 @@ static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
- DOMPRINTF("%s: %s: 0x%" PRIx64 " -> 0x%" PRIx64 "",
- __FUNCTION__, dom->guest_type,
- dom->kernel_seg.vstart, dom->kernel_seg.vend);
-- return 0;
-+ rc = 0;
-+out:
-+ if ( elf_check_broken(elf) )
-+ DOMPRINTF("%s: ELF broken: %s", __FUNCTION__,
-+ elf_check_broken(elf));
-+
-+ return rc;
- }
-
- static int xc_dom_load_elf_kernel(struct xc_dom_image *dom)
-diff --git a/tools/libxc/xc_hvm_build_x86.c b/tools/libxc/xc_hvm_build_x86.c
-index ccfd8b5..8165287 100644
---- a/tools/libxc/xc_hvm_build_x86.c
-+++ b/tools/libxc/xc_hvm_build_x86.c
-@@ -403,11 +403,16 @@ static int setup_guest(xc_interface *xch,
- munmap(page0, PAGE_SIZE);
- }
-
-+ if ( elf_check_broken(&elf) )
-+ ERROR("HVM ELF broken: %s", elf_check_broken(&elf));
-+
- free(page_array);
- return 0;
-
- error_out:
- free(page_array);
-+ if ( elf_check_broken(&elf) )
-+ ERROR("HVM ELF broken, failing: %s", elf_check_broken(&elf));
- return -1;
- }
-
-diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
-index cfae994..d1f7a30 100644
---- a/tools/xcutils/readnotes.c
-+++ b/tools/xcutils/readnotes.c
-@@ -301,6 +301,9 @@ int main(int argc, char **argv)
- printf("__xen_guest: %s\n",
- elf_strfmt(&elf, elf_section_start(&elf, shdr)));
-
-+ if (elf_check_broken(&elf))
-+ printf("warning: broken ELF: %s\n", elf_check_broken(&elf));
-+
- return 0;
- }
-
-diff --git a/xen/arch/arm/kernel.c b/xen/arch/arm/kernel.c
-index 2d56130..dec0519 100644
---- a/xen/arch/arm/kernel.c
-+++ b/xen/arch/arm/kernel.c
-@@ -146,6 +146,8 @@ static int kernel_try_elf_prepare(struct kernel_info *info)
- {
- int rc;
-
-+ memset(&info->elf.elf, 0, sizeof(info->elf.elf));
-+
- info->kernel_order = get_order_from_bytes(KERNEL_FLASH_SIZE);
- info->kernel_img = alloc_xenheap_pages(info->kernel_order, 0);
- if ( info->kernel_img == NULL )
-@@ -160,7 +162,7 @@ static int kernel_try_elf_prepare(struct kernel_info *info)
- #endif
- elf_parse_binary(&info->elf.elf);
- if ( (rc = elf_xen_parse(&info->elf.elf, &info->elf.parms)) != 0 )
-- return rc;
-+ goto err;
-
- /*
- * TODO: can the ELF header be used to find the physical address
-@@ -169,7 +171,18 @@ static int kernel_try_elf_prepare(struct kernel_info *info)
- info->entry = info->elf.parms.virt_entry;
- info->load = kernel_elf_load;
-
-+ if ( elf_check_broken(&info->elf.elf) )
-+ printk("Xen: warning: ELF kernel broken: %s\n",
-+ elf_check_broken(&info->elf.elf));
-+
- return 0;
-+
-+err:
-+ if ( elf_check_broken(&info->elf.elf) )
-+ printk("Xen: ELF kernel broken: %s\n",
-+ elf_check_broken(&info->elf.elf));
-+
-+ return rc;
- }
-
- int kernel_prepare(struct kernel_info *info)
-diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
-index a655b21..0dbec96 100644
---- a/xen/arch/x86/domain_build.c
-+++ b/xen/arch/x86/domain_build.c
-@@ -374,7 +374,7 @@ int __init construct_dom0(
- #endif
- elf_parse_binary(&elf);
- if ( (rc = elf_xen_parse(&elf, &parms)) != 0 )
-- return rc;
-+ goto out;
-
- /* compatibility check */
- compatible = 0;
-@@ -413,14 +413,16 @@ int __init construct_dom0(
- if ( !compatible )
- {
- printk("Mismatch between Xen and DOM0 kernel\n");
-- return -EINVAL;
-+ rc = -EINVAL;
-+ goto out;
- }
-
- if ( parms.elf_notes[XEN_ELFNOTE_SUPPORTED_FEATURES].type != XEN_ENT_NONE &&
- !test_bit(XENFEAT_dom0, parms.f_supported) )
- {
- printk("Kernel does not support Dom0 operation\n");
-- return -EINVAL;
-+ rc = -EINVAL;
-+ goto out;
- }
-
- #if defined(__x86_64__)
-@@ -734,7 +736,8 @@ int __init construct_dom0(
- (v_end > HYPERVISOR_COMPAT_VIRT_START(d)) )
- {
- printk("DOM0 image overlaps with Xen private area.\n");
-- return -EINVAL;
-+ rc = -EINVAL;
-+ goto out;
- }
-
- if ( is_pv_32on64_domain(d) )
-@@ -914,7 +917,7 @@ int __init construct_dom0(
- if ( rc < 0 )
- {
- printk("Failed to load the kernel binary\n");
-- return rc;
-+ goto out;
- }
- bootstrap_map(NULL);
-
-@@ -925,7 +928,8 @@ int __init construct_dom0(
- {
- write_ptbase(current);
- printk("Invalid HYPERCALL_PAGE field in ELF notes.\n");
-- return -1;
-+ rc = -1;
-+ goto out;
- }
- hypercall_page_initialise(
- d, (void *)(unsigned long)parms.virt_hypercall);
-@@ -1272,9 +1276,19 @@ int __init construct_dom0(
-
- BUG_ON(rc != 0);
-
-- iommu_dom0_init(dom0);
-+ if ( elf_check_broken(&elf) )
-+ printk(" Xen warning: dom0 kernel broken ELF: %s\n",
-+ elf_check_broken(&elf));
-
-+ iommu_dom0_init(dom0);
- return 0;
-+
-+out:
-+ if ( elf_check_broken(&elf) )
-+ printk(" Xen dom0 kernel broken ELF: %s\n",
-+ elf_check_broken(&elf));
-+
-+ return rc;
- }
-
- /*
---
-1.7.2.5
-
+++ /dev/null
-From 3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:18 +0100
-Subject: [PATCH 14/23] libelf: use C99 bool for booleans
-
-We want to remove uses of "int" because signed integers have
-undesirable undefined behaviours on overflow. Malicious compilers can
-turn apparently-correct code into code with security vulnerabilities
-etc.
-
-In this patch we change all the booleans in libelf to C99 bool,
-from <stdbool.h>.
-
-For the one visible libelf boolean in libxc's public interface we
-retain the use of int to avoid changing the ABI; libxc converts it to
-a bool for consumption by libelf.
-
-It is OK to change all values only ever used as booleans to _Bool
-(bool) because conversion from any scalar type to a _Bool works the
-same as the boolean test in if() or ?: and is always defined (C99
-6.3.1.2). But we do need to check that all these variables really are
-only ever used that way. (It is theoretically possible that the old
-code truncated some 64-bit values to 32-bit ints which might become
-zero depending on the value, which would mean a behavioural change in
-this patch, but it seems implausible that treating 0x????????00000000
-as false could have been intended.)
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
----
- tools/libxc/xc_dom_elfloader.c | 8 ++++----
- xen/common/libelf/libelf-dominfo.c | 2 +-
- xen/common/libelf/libelf-loader.c | 4 ++--
- xen/common/libelf/libelf-private.h | 2 +-
- xen/common/libelf/libelf-tools.c | 10 +++++-----
- xen/include/xen/libelf.h | 18 ++++++++++--------
- 6 files changed, 23 insertions(+), 21 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index 4fb4da2..9ba64ae 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -34,7 +34,7 @@
- /* ------------------------------------------------------------------------ */
-
- static void log_callback(struct elf_binary *elf, void *caller_data,
-- int iserr, const char *fmt, va_list al) {
-+ bool iserr, const char *fmt, va_list al) {
- xc_interface *xch = caller_data;
-
- xc_reportv(xch,
-@@ -46,7 +46,7 @@ static void log_callback(struct elf_binary *elf, void *caller_data,
-
- void xc_elf_set_logfile(xc_interface *xch, struct elf_binary *elf,
- int verbose) {
-- elf_set_log(elf, log_callback, xch, verbose);
-+ elf_set_log(elf, log_callback, xch, verbose /* convert to bool */);
- }
-
- /* ------------------------------------------------------------------------ */
-@@ -84,7 +84,7 @@ static char *xc_dom_guest_type(struct xc_dom_image *dom,
- /* ------------------------------------------------------------------------ */
- /* parse elf binary */
-
--static int check_elf_kernel(struct xc_dom_image *dom, int verbose)
-+static int check_elf_kernel(struct xc_dom_image *dom, bool verbose)
- {
- if ( dom->kernel_blob == NULL )
- {
-@@ -112,7 +112,7 @@ static int xc_dom_probe_elf_kernel(struct xc_dom_image *dom)
- }
-
- static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
-- struct elf_binary *elf, int load)
-+ struct elf_binary *elf, bool load)
- {
- struct elf_binary syms;
- ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
-diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
-index 98c80dc..12b6c2a 100644
---- a/xen/common/libelf/libelf-dominfo.c
-+++ b/xen/common/libelf/libelf-dominfo.c
-@@ -101,7 +101,7 @@ int elf_xen_parse_note(struct elf_binary *elf,
- /* *INDENT-OFF* */
- static const struct {
- char *name;
-- int str;
-+ bool str;
- } note_desc[] = {
- [XEN_ELFNOTE_ENTRY] = { "ENTRY", 0},
- [XEN_ELFNOTE_HYPERCALL_PAGE] = { "HYPERCALL_PAGE", 0},
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index f8be635..0dccd4d 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -92,7 +92,7 @@ int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
- }
-
- #ifndef __XEN__
--void elf_call_log_callback(struct elf_binary *elf, int iserr,
-+void elf_call_log_callback(struct elf_binary *elf, bool iserr,
- const char *fmt,...) {
- va_list al;
-
-@@ -107,7 +107,7 @@ void elf_call_log_callback(struct elf_binary *elf, int iserr,
- }
-
- void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
-- void *log_caller_data, int verbose)
-+ void *log_caller_data, bool verbose)
- {
- elf->log_callback = log_callback;
- elf->log_caller_data = log_caller_data;
-diff --git a/xen/common/libelf/libelf-private.h b/xen/common/libelf/libelf-private.h
-index 280dfd1..277be04 100644
---- a/xen/common/libelf/libelf-private.h
-+++ b/xen/common/libelf/libelf-private.h
-@@ -77,7 +77,7 @@
- #define elf_err(elf, fmt, args ... ) \
- elf_call_log_callback(elf, 1, fmt , ## args );
-
--void elf_call_log_callback(struct elf_binary*, int iserr, const char *fmt,...);
-+void elf_call_log_callback(struct elf_binary*, bool iserr, const char *fmt,...);
-
- #define safe_strcpy(d,s) \
- do { strncpy((d),(s),sizeof((d))-1); \
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index 744027e..fa58f76 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -31,7 +31,7 @@ const char *elf_check_broken(const struct elf_binary *elf)
- return elf->broken;
- }
-
--static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
-+static bool elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
- const void *region, uint64_t regionsize)
- /*
- * Returns true if the putative memory area [ptrval,ptrval+size>
-@@ -53,7 +53,7 @@ static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
- return 1;
- }
-
--int elf_access_ok(struct elf_binary * elf,
-+bool elf_access_ok(struct elf_binary * elf,
- uint64_t ptrval, size_t size)
- {
- if ( elf_ptrval_in_range(ptrval, size, elf->image_base, elf->size) )
-@@ -92,7 +92,7 @@ uint64_t elf_access_unsigned(struct elf_binary * elf, elf_ptrval base,
- uint64_t moreoffset, size_t size)
- {
- elf_ptrval ptrval = base + moreoffset;
-- int need_swap = elf_swap(elf);
-+ bool need_swap = elf_swap(elf);
- const uint8_t *u8;
- const uint16_t *u16;
- const uint32_t *u32;
-@@ -332,7 +332,7 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
-
- /* ------------------------------------------------------------------------ */
-
--int elf_is_elfbinary(const void *image_start, size_t image_size)
-+bool elf_is_elfbinary(const void *image_start, size_t image_size)
- {
- const Elf32_Ehdr *ehdr = image_start;
-
-@@ -342,7 +342,7 @@ int elf_is_elfbinary(const void *image_start, size_t image_size)
- return IS_ELF(*ehdr);
- }
-
--int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
-+bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
- {
- uint64_t p_type = elf_uval(elf, phdr, p_type);
- uint64_t p_flags = elf_uval(elf, phdr, p_flags);
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index ac93858..951430f 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -29,6 +29,8 @@
- #error define architectural endianness
- #endif
-
-+#include <stdbool.h>
-+
- #undef ELFSIZE
- #include "elfstructs.h"
- #ifdef __XEN__
-@@ -42,7 +44,7 @@
-
- struct elf_binary;
- typedef void elf_log_callback(struct elf_binary*, void *caller_data,
-- int iserr, const char *fmt, va_list al);
-+ bool iserr, const char *fmt, va_list al);
-
- #endif
-
-@@ -237,7 +239,7 @@ struct elf_binary {
- elf_log_callback *log_callback;
- void *log_caller_data;
- #endif
-- int verbose;
-+ bool verbose;
- const char *broken;
- };
-
-@@ -301,8 +303,8 @@ void elf_memset_safe(struct elf_binary*, elf_ptrval dst, int c, size_t);
- * outside permitted areas.
- */
-
--int elf_access_ok(struct elf_binary * elf,
-- uint64_t ptrval, size_t size);
-+bool elf_access_ok(struct elf_binary * elf,
-+ uint64_t ptrval, size_t size);
-
- #define elf_store_val(elf, type, ptr, val) \
- ({ \
-@@ -351,9 +353,9 @@ uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
- ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-
- /* (Only) checks that the image has the right magic number. */
--int elf_is_elfbinary(const void *image_start, size_t image_size);
-+bool elf_is_elfbinary(const void *image_start, size_t image_size);
-
--int elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-+bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-
- /* ------------------------------------------------------------------------ */
- /* xc_libelf_loader.c */
-@@ -367,7 +369,7 @@ int elf_init(struct elf_binary *elf, const char *image, size_t size);
- void elf_set_verbose(struct elf_binary *elf);
- #else
- void elf_set_log(struct elf_binary *elf, elf_log_callback*,
-- void *log_caller_pointer, int verbose);
-+ void *log_caller_pointer, bool verbose);
- #endif
-
- void elf_parse_binary(struct elf_binary *elf);
-@@ -419,7 +421,7 @@ struct elf_dom_parms {
- char xen_ver[16];
- char loader[16];
- int pae;
-- int bsd_symtab;
-+ bool bsd_symtab;
- uint64_t virt_base;
- uint64_t virt_entry;
- uint64_t virt_hypercall;
---
-1.7.2.5
-
+++ /dev/null
-From e673ca50127b6c1263727aa31de0b8bb966ca7a2 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:18 +0100
-Subject: [PATCH 15/23] libelf: use only unsigned integers
-
-Signed integers have undesirable undefined behaviours on overflow.
-Malicious compilers can turn apparently-correct code into code with
-security vulnerabilities etc.
-
-So use only unsigned integers. Exceptions are booleans (which we have
-already changed) and error codes.
-
-We _do_ change all the chars which aren't fixed constants from our own
-text segment, but not the char*s. This is because it is safe to
-access an arbitrary byte through a char*, but not necessarily safe to
-convert an arbitrary value to a char.
-
-As a consequence we need to compile libelf with -Wno-pointer-sign.
-
-It is OK to change all the signed integers to unsigned because all the
-inequalities in libelf are in contexts where we don't "expect"
-negative numbers.
-
-In libelf-dominfo.c:elf_xen_parse we rename a variable "rc" to
-"more_notes" as it actually contains a note count derived from the
-input image. The "error" return value from elf_xen_parse_notes is
-changed from -1 to ~0U.
-
-grepping shows only one occurrence of "PRId" or "%d" or "%ld" in
-libelf and xc_dom_elfloader.c (a "%d" which becomes "%u").
-
-This is part of the fix to a security issue, XSA-55.
-
-For those concerned about unintentional functional changes, the
-following rune produces a version of the patch which is much smaller
-and eliminates only non-functional changes:
-
- GIT_EXTERNAL_DIFF=.../unsigned-differ git-diff <before>..<after>
-
-where <before> and <after> are git refs for the code before and after
-this patch, and unsigned-differ is this shell script:
-
- #!/bin/bash
- set -e
-
- seddery () {
- perl -pe 's/\b(?:elf_errorstatus|elf_negerrnoval)\b/int/g'
- }
-
- path="$1"
- in="$2"
- out="$5"
-
- set +e
- diff -pu --label "$path~" <(seddery <"$in") --label "$path" <(seddery <"$out")
- rc=$?
- set -e
- if [ $rc = 1 ]; then rc=0; fi
- exit $rc
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- tools/libxc/Makefile | 9 +++++-
- tools/libxc/xc_dom.h | 7 +++--
- tools/libxc/xc_dom_elfloader.c | 42 ++++++++++++++++-------------
- tools/xcutils/readnotes.c | 15 +++++-----
- xen/common/libelf/Makefile | 2 +
- xen/common/libelf/libelf-dominfo.c | 52 ++++++++++++++++++-----------------
- xen/common/libelf/libelf-loader.c | 20 +++++++-------
- xen/common/libelf/libelf-tools.c | 24 ++++++++--------
- xen/include/xen/libelf.h | 21 ++++++++------
- 9 files changed, 105 insertions(+), 87 deletions(-)
-
-diff --git a/tools/libxc/Makefile b/tools/libxc/Makefile
-index d8c6a60..a3fd90c 100644
---- a/tools/libxc/Makefile
-+++ b/tools/libxc/Makefile
-@@ -52,8 +52,13 @@ endif
- vpath %.c ../../xen/common/libelf
- CFLAGS += -I../../xen/common/libelf
-
--GUEST_SRCS-y += libelf-tools.c libelf-loader.c
--GUEST_SRCS-y += libelf-dominfo.c
-+ELF_SRCS-y += libelf-tools.c libelf-loader.c
-+ELF_SRCS-y += libelf-dominfo.c
-+
-+GUEST_SRCS-y += $(ELF_SRCS-y)
-+
-+$(patsubst %.c,%.o,$(ELF_SRCS-y)): CFLAGS += -Wno-pointer-sign
-+$(patsubst %.c,%.opic,$(ELF_SRCS-y)): CFLAGS += -Wno-pointer-sign
-
- # new domain builder
- GUEST_SRCS-y += xc_dom_core.c xc_dom_boot.c
-diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
-index 9f8037e..0161459 100644
---- a/tools/libxc/xc_dom.h
-+++ b/tools/libxc/xc_dom.h
-@@ -140,9 +140,10 @@ struct xc_dom_image {
-
- struct xc_dom_loader {
- char *name;
-- int (*probe) (struct xc_dom_image * dom);
-- int (*parser) (struct xc_dom_image * dom);
-- int (*loader) (struct xc_dom_image * dom);
-+ /* Sadly the error returns from these functions are not consistent: */
-+ elf_negerrnoval (*probe) (struct xc_dom_image * dom);
-+ elf_negerrnoval (*parser) (struct xc_dom_image * dom);
-+ elf_errorstatus (*loader) (struct xc_dom_image * dom);
-
- struct xc_dom_loader *next;
- };
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index 9ba64ae..62a0d3b 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -84,7 +84,7 @@ static char *xc_dom_guest_type(struct xc_dom_image *dom,
- /* ------------------------------------------------------------------------ */
- /* parse elf binary */
-
--static int check_elf_kernel(struct xc_dom_image *dom, bool verbose)
-+static elf_negerrnoval check_elf_kernel(struct xc_dom_image *dom, bool verbose)
- {
- if ( dom->kernel_blob == NULL )
- {
-@@ -106,12 +106,12 @@ static int check_elf_kernel(struct xc_dom_image *dom, bool verbose)
- return 0;
- }
-
--static int xc_dom_probe_elf_kernel(struct xc_dom_image *dom)
-+static elf_negerrnoval xc_dom_probe_elf_kernel(struct xc_dom_image *dom)
- {
- return check_elf_kernel(dom, 0);
- }
-
--static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
-+static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- struct elf_binary *elf, bool load)
- {
- struct elf_binary syms;
-@@ -119,7 +119,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- xen_vaddr_t symtab, maxaddr;
- ELF_PTRVAL_CHAR hdr;
- size_t size;
-- int h, count, type, i, tables = 0;
-+ unsigned h, count, type, i, tables = 0;
-
- if ( elf_swap(elf) )
- {
-@@ -140,13 +140,13 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- elf->caller_xdest_base = hdr_ptr;
- elf->caller_xdest_size = allow_size;
- hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
-- elf_store_val(elf, int, hdr, size - sizeof(int));
-+ elf_store_val(elf, unsigned, hdr, size - sizeof(unsigned));
- }
- else
- {
- char *hdr_ptr;
-
-- size = sizeof(int) + elf_size(elf, elf->ehdr) +
-+ size = sizeof(unsigned) + elf_size(elf, elf->ehdr) +
- elf_shdr_count(elf) * elf_size(elf, shdr);
- hdr_ptr = xc_dom_malloc(dom, size);
- if ( hdr_ptr == NULL )
-@@ -157,15 +157,15 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- dom->bsd_symtab_start = elf_round_up(elf, dom->kernel_seg.vend);
- }
-
-- elf_memcpy_safe(elf, hdr + sizeof(int),
-+ elf_memcpy_safe(elf, hdr + sizeof(unsigned),
- ELF_IMAGE_BASE(elf),
- elf_size(elf, elf->ehdr));
-- elf_memcpy_safe(elf, hdr + sizeof(int) + elf_size(elf, elf->ehdr),
-+ elf_memcpy_safe(elf, hdr + sizeof(unsigned) + elf_size(elf, elf->ehdr),
- ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
- elf_shdr_count(elf) * elf_size(elf, shdr));
- if ( elf_64bit(elf) )
- {
-- Elf64_Ehdr *ehdr = (Elf64_Ehdr *)(hdr + sizeof(int));
-+ Elf64_Ehdr *ehdr = (Elf64_Ehdr *)(hdr + sizeof(unsigned));
- ehdr->e_phoff = 0;
- ehdr->e_phentsize = 0;
- ehdr->e_phnum = 0;
-@@ -174,22 +174,22 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- }
- else
- {
-- Elf32_Ehdr *ehdr = (Elf32_Ehdr *)(hdr + sizeof(int));
-+ Elf32_Ehdr *ehdr = (Elf32_Ehdr *)(hdr + sizeof(unsigned));
- ehdr->e_phoff = 0;
- ehdr->e_phentsize = 0;
- ehdr->e_phnum = 0;
- ehdr->e_shoff = elf_size(elf, elf->ehdr);
- ehdr->e_shstrndx = SHN_UNDEF;
- }
-- if ( elf->caller_xdest_size < sizeof(int) )
-+ if ( elf->caller_xdest_size < sizeof(unsigned) )
- {
- DOMPRINTF("%s/%s: header size %"PRIx64" too small",
- __FUNCTION__, load ? "load" : "parse",
- (uint64_t)elf->caller_xdest_size);
- return -1;
- }
-- if ( elf_init(&syms, elf->caller_xdest_base + sizeof(int),
-- elf->caller_xdest_size - sizeof(int)) )
-+ if ( elf_init(&syms, elf->caller_xdest_base + sizeof(unsigned),
-+ elf->caller_xdest_size - sizeof(unsigned)) )
- return -1;
-
- /*
-@@ -209,7 +209,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
-
- xc_elf_set_logfile(dom->xch, &syms, 1);
-
-- symtab = dom->bsd_symtab_start + sizeof(int);
-+ symtab = dom->bsd_symtab_start + sizeof(unsigned);
- maxaddr = elf_round_up(&syms, symtab + elf_size(&syms, syms.ehdr) +
- elf_shdr_count(&syms) * elf_size(&syms, shdr));
-
-@@ -255,7 +255,7 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- size = elf_uval(&syms, shdr, sh_size);
- maxaddr = elf_round_up(&syms, maxaddr + size);
- tables++;
-- DOMPRINTF("%s: h=%d %s, size=0x%zx, maxaddr=0x%" PRIx64 "",
-+ DOMPRINTF("%s: h=%u %s, size=0x%zx, maxaddr=0x%" PRIx64 "",
- __FUNCTION__, h,
- type == SHT_SYMTAB ? "symtab" : "strtab",
- size, maxaddr);
-@@ -294,10 +294,14 @@ static int xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- return 0;
- }
-
--static int xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
-+static elf_errorstatus xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
-+ /*
-+ * This function sometimes returns -1 for error and sometimes
-+ * an errno value. ?!?!
-+ */
- {
- struct elf_binary *elf;
-- int rc;
-+ elf_errorstatus rc;
-
- rc = check_elf_kernel(dom, 1);
- if ( rc != 0 )
-@@ -358,10 +362,10 @@ out:
- return rc;
- }
-
--static int xc_dom_load_elf_kernel(struct xc_dom_image *dom)
-+static elf_errorstatus xc_dom_load_elf_kernel(struct xc_dom_image *dom)
- {
- struct elf_binary *elf = dom->private_loader;
-- int rc;
-+ elf_errorstatus rc;
- xen_pfn_t pages;
-
- elf->dest_base = xc_dom_seg_to_ptr_pages(dom, &dom->kernel_seg, &pages);
-diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
-index d1f7a30..2ca7732 100644
---- a/tools/xcutils/readnotes.c
-+++ b/tools/xcutils/readnotes.c
-@@ -70,7 +70,7 @@ static void print_numeric_note(const char *prefix, struct elf_binary *elf,
- ELF_HANDLE_DECL(elf_note) note)
- {
- uint64_t value = elf_note_numeric(elf, note);
-- int descsz = elf_uval(elf, note, descsz);
-+ unsigned descsz = elf_uval(elf, note, descsz);
-
- printf("%s: %#*" PRIx64 " (%d bytes)\n",
- prefix, 2+2*descsz, value, descsz);
-@@ -79,7 +79,7 @@ static void print_numeric_note(const char *prefix, struct elf_binary *elf,
- static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
- ELF_HANDLE_DECL(elf_note) note)
- {
-- int descsz = elf_uval(elf, note, descsz);
-+ unsigned descsz = elf_uval(elf, note, descsz);
- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
-
- /* XXX should be able to cope with a list of values. */
-@@ -99,10 +99,10 @@ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
-
- }
-
--static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start, ELF_HANDLE_DECL(elf_note) end)
-+static unsigned print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start, ELF_HANDLE_DECL(elf_note) end)
- {
- ELF_HANDLE_DECL(elf_note) note;
-- int notes_found = 0;
-+ unsigned notes_found = 0;
- const char *this_note_name;
-
- for ( note = start; ELF_HANDLE_PTRVAL(note) < ELF_HANDLE_PTRVAL(end); note = elf_note_next(elf, note) )
-@@ -161,7 +161,7 @@ static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start,
- break;
- default:
- printf("unknown note type %#x\n",
-- (int)elf_uval(elf, note, type));
-+ (unsigned)elf_uval(elf, note, type));
- break;
- }
- }
-@@ -171,12 +171,13 @@ static int print_notes(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) start,
- int main(int argc, char **argv)
- {
- const char *f;
-- int fd,h,size,usize,count;
-+ int fd;
-+ unsigned h,size,usize,count;
- void *image,*tmp;
- struct stat st;
- struct elf_binary elf;
- ELF_HANDLE_DECL(elf_shdr) shdr;
-- int notes_found = 0;
-+ unsigned notes_found = 0;
-
- struct setup_header *hdr;
- uint64_t payload_offset, payload_length;
-diff --git a/xen/common/libelf/Makefile b/xen/common/libelf/Makefile
-index 18dc8e2..5bf8f76 100644
---- a/xen/common/libelf/Makefile
-+++ b/xen/common/libelf/Makefile
-@@ -2,6 +2,8 @@ obj-bin-y := libelf.o
-
- SECTIONS := text data $(SPECIAL_DATA_SECTIONS)
-
-+CFLAGS += -Wno-pointer-sign
-+
- libelf.o: libelf-temp.o Makefile
- $(OBJCOPY) $(foreach s,$(SECTIONS),--rename-section .$(s)=.init.$(s)) $< $@
-
-diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
-index 12b6c2a..cdd0d31 100644
---- a/xen/common/libelf/libelf-dominfo.c
-+++ b/xen/common/libelf/libelf-dominfo.c
-@@ -29,15 +29,15 @@ static const char *const elf_xen_feature_names[] = {
- [XENFEAT_pae_pgdir_above_4gb] = "pae_pgdir_above_4gb",
- [XENFEAT_dom0] = "dom0"
- };
--static const int elf_xen_features =
-+static const unsigned elf_xen_features =
- sizeof(elf_xen_feature_names) / sizeof(elf_xen_feature_names[0]);
-
--int elf_xen_parse_features(const char *features,
-+elf_errorstatus elf_xen_parse_features(const char *features,
- uint32_t *supported,
- uint32_t *required)
- {
-- char feature[64];
-- int pos, len, i;
-+ unsigned char feature[64];
-+ unsigned pos, len, i;
-
- if ( features == NULL )
- return 0;
-@@ -94,7 +94,7 @@ int elf_xen_parse_features(const char *features,
- /* ------------------------------------------------------------------------ */
- /* xen elf notes */
-
--int elf_xen_parse_note(struct elf_binary *elf,
-+elf_errorstatus elf_xen_parse_note(struct elf_binary *elf,
- struct elf_dom_parms *parms,
- ELF_HANDLE_DECL(elf_note) note)
- {
-@@ -125,7 +125,7 @@ int elf_xen_parse_note(struct elf_binary *elf,
- const char *str = NULL;
- uint64_t val = 0;
- unsigned int i;
-- int type = elf_uval(elf, note, type);
-+ unsigned type = elf_uval(elf, note, type);
-
- if ( (type >= sizeof(note_desc) / sizeof(note_desc[0])) ||
- (note_desc[type].name == NULL) )
-@@ -216,12 +216,14 @@ int elf_xen_parse_note(struct elf_binary *elf,
- return 0;
- }
-
--static int elf_xen_parse_notes(struct elf_binary *elf,
-+#define ELF_NOTE_INVALID (~0U)
-+
-+static unsigned elf_xen_parse_notes(struct elf_binary *elf,
- struct elf_dom_parms *parms,
- ELF_PTRVAL_CONST_VOID start,
- ELF_PTRVAL_CONST_VOID end)
- {
-- int xen_elfnotes = 0;
-+ unsigned xen_elfnotes = 0;
- ELF_HANDLE_DECL(elf_note) note;
- const char *note_name;
-
-@@ -237,7 +239,7 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
- if ( strcmp(note_name, "Xen") )
- continue;
- if ( elf_xen_parse_note(elf, parms, note) )
-- return -1;
-+ return ELF_NOTE_INVALID;
- xen_elfnotes++;
- }
- return xen_elfnotes;
-@@ -246,12 +248,12 @@ static int elf_xen_parse_notes(struct elf_binary *elf,
- /* ------------------------------------------------------------------------ */
- /* __xen_guest section */
-
--int elf_xen_parse_guest_info(struct elf_binary *elf,
-+elf_errorstatus elf_xen_parse_guest_info(struct elf_binary *elf,
- struct elf_dom_parms *parms)
- {
- ELF_PTRVAL_CONST_CHAR h;
-- char name[32], value[128];
-- int len;
-+ unsigned char name[32], value[128];
-+ unsigned len;
-
- h = parms->guest_info;
- #define STAR(h) (elf_access_unsigned(elf, (h), 0, 1))
-@@ -334,13 +336,13 @@ int elf_xen_parse_guest_info(struct elf_binary *elf,
- /* ------------------------------------------------------------------------ */
- /* sanity checks */
-
--static int elf_xen_note_check(struct elf_binary *elf,
-+static elf_errorstatus elf_xen_note_check(struct elf_binary *elf,
- struct elf_dom_parms *parms)
- {
- if ( (ELF_PTRVAL_INVALID(parms->elf_note_start)) &&
- (ELF_PTRVAL_INVALID(parms->guest_info)) )
- {
-- int machine = elf_uval(elf, elf->ehdr, e_machine);
-+ unsigned machine = elf_uval(elf, elf->ehdr, e_machine);
- if ( (machine == EM_386) || (machine == EM_X86_64) )
- {
- elf_err(elf, "%s: ERROR: Not a Xen-ELF image: "
-@@ -378,7 +380,7 @@ static int elf_xen_note_check(struct elf_binary *elf,
- return 0;
- }
-
--static int elf_xen_addr_calc_check(struct elf_binary *elf,
-+static elf_errorstatus elf_xen_addr_calc_check(struct elf_binary *elf,
- struct elf_dom_parms *parms)
- {
- if ( (parms->elf_paddr_offset != UNSET_ADDR) &&
-@@ -464,13 +466,13 @@ static int elf_xen_addr_calc_check(struct elf_binary *elf,
- /* ------------------------------------------------------------------------ */
- /* glue it all together ... */
-
--int elf_xen_parse(struct elf_binary *elf,
-+elf_errorstatus elf_xen_parse(struct elf_binary *elf,
- struct elf_dom_parms *parms)
- {
- ELF_HANDLE_DECL(elf_shdr) shdr;
- ELF_HANDLE_DECL(elf_phdr) phdr;
-- int xen_elfnotes = 0;
-- int i, count, rc;
-+ unsigned xen_elfnotes = 0;
-+ unsigned i, count, more_notes;
-
- elf_memset_unchecked(parms, 0, sizeof(*parms));
- parms->virt_base = UNSET_ADDR;
-@@ -495,13 +497,13 @@ int elf_xen_parse(struct elf_binary *elf,
- if (elf_uval(elf, phdr, p_offset) == 0)
- continue;
-
-- rc = elf_xen_parse_notes(elf, parms,
-+ more_notes = elf_xen_parse_notes(elf, parms,
- elf_segment_start(elf, phdr),
- elf_segment_end(elf, phdr));
-- if ( rc == -1 )
-+ if ( more_notes == ELF_NOTE_INVALID )
- return -1;
-
-- xen_elfnotes += rc;
-+ xen_elfnotes += more_notes;
- }
-
- /*
-@@ -518,17 +520,17 @@ int elf_xen_parse(struct elf_binary *elf,
- if ( elf_uval(elf, shdr, sh_type) != SHT_NOTE )
- continue;
-
-- rc = elf_xen_parse_notes(elf, parms,
-+ more_notes = elf_xen_parse_notes(elf, parms,
- elf_section_start(elf, shdr),
- elf_section_end(elf, shdr));
-
-- if ( rc == -1 )
-+ if ( more_notes == ELF_NOTE_INVALID )
- return -1;
-
-- if ( xen_elfnotes == 0 && rc > 0 )
-+ if ( xen_elfnotes == 0 && more_notes > 0 )
- elf_msg(elf, "%s: using notes from SHT_NOTE section\n", __FUNCTION__);
-
-- xen_elfnotes += rc;
-+ xen_elfnotes += more_notes;
- }
-
- }
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index 0dccd4d..c3a9e51 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -24,7 +24,7 @@
-
- /* ------------------------------------------------------------------------ */
-
--int elf_init(struct elf_binary *elf, const char *image_input, size_t size)
-+elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t size)
- {
- ELF_HANDLE_DECL(elf_shdr) shdr;
- uint64_t i, count, section, offset;
-@@ -114,7 +114,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
- elf->verbose = verbose;
- }
-
--static int elf_load_image(struct elf_binary *elf,
-+static elf_errorstatus elf_load_image(struct elf_binary *elf,
- ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src,
- uint64_t filesz, uint64_t memsz)
- {
-@@ -129,9 +129,9 @@ void elf_set_verbose(struct elf_binary *elf)
- elf->verbose = 1;
- }
-
--static int elf_load_image(struct elf_binary *elf, ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src, uint64_t filesz, uint64_t memsz)
-+static elf_errorstatus elf_load_image(struct elf_binary *elf, ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src, uint64_t filesz, uint64_t memsz)
- {
-- int rc;
-+ elf_errorstatus rc;
- if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
- return -1;
- /* We trust the dom0 kernel image completely, so we don't care
-@@ -151,7 +151,7 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
- {
- uint64_t sz;
- ELF_HANDLE_DECL(elf_shdr) shdr;
-- int i, type;
-+ unsigned i, type;
-
- if ( !ELF_HANDLE_VALID(elf->sym_tab) )
- return;
-@@ -187,7 +187,7 @@ static void elf_load_bsdsyms(struct elf_binary *elf)
- ELF_PTRVAL_VOID symbase;
- ELF_PTRVAL_VOID symtab_addr;
- ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr;
-- int i, type;
-+ unsigned i, type;
-
- if ( !elf->bsd_symtab_pstart )
- return;
-@@ -220,7 +220,7 @@ do { \
- elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(shdr),
- ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
- sz);
-- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (long)maxva + sz);
-+ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
-
- for ( i = 0; i < elf_shdr_count(elf); i++ )
- {
-@@ -233,10 +233,10 @@ do { \
- elf_memcpy_safe(elf, maxva, elf_section_start(elf, shdr), sz);
- /* Mangled to be based on ELF header location. */
- elf_hdr_elm(elf, shdr, sh_offset, maxva - symtab_addr);
-- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (long)maxva + sz);
-+ maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
- }
- shdr = ELF_MAKE_HANDLE(elf_shdr, ELF_HANDLE_PTRVAL(shdr) +
-- (long)elf_uval(elf, elf->ehdr, e_shentsize));
-+ (unsigned long)elf_uval(elf, elf->ehdr, e_shentsize));
- }
-
- /* Write down the actual sym size. */
-@@ -273,7 +273,7 @@ void elf_parse_binary(struct elf_binary *elf)
- __FUNCTION__, elf->pstart, elf->pend);
- }
-
--int elf_load_binary(struct elf_binary *elf)
-+elf_errorstatus elf_load_binary(struct elf_binary *elf)
- {
- ELF_HANDLE_DECL(elf_phdr) phdr;
- uint64_t i, count, paddr, offset, filesz, memsz;
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index fa58f76..46d4ab1 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -122,19 +122,19 @@ uint64_t elf_access_unsigned(struct elf_binary * elf, elf_ptrval base,
-
- uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr)
- {
-- int elf_round = (elf_64bit(elf) ? 8 : 4) - 1;
-+ uint64_t elf_round = (elf_64bit(elf) ? 8 : 4) - 1;
-
- return (addr + elf_round) & ~elf_round;
- }
-
- /* ------------------------------------------------------------------------ */
-
--int elf_shdr_count(struct elf_binary *elf)
-+unsigned elf_shdr_count(struct elf_binary *elf)
- {
- return elf_uval(elf, elf->ehdr, e_shnum);
- }
-
--int elf_phdr_count(struct elf_binary *elf)
-+unsigned elf_phdr_count(struct elf_binary *elf)
- {
- return elf_uval(elf, elf->ehdr, e_phnum);
- }
-@@ -144,7 +144,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
- uint64_t count = elf_shdr_count(elf);
- ELF_HANDLE_DECL(elf_shdr) shdr;
- const char *sname;
-- int i;
-+ unsigned i;
-
- for ( i = 0; i < count; i++ )
- {
-@@ -156,7 +156,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
- return ELF_INVALID_HANDLE(elf_shdr);
- }
-
--ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index)
-+ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned index)
- {
- uint64_t count = elf_shdr_count(elf);
- ELF_PTRVAL_CONST_VOID ptr;
-@@ -170,7 +170,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index)
- return ELF_MAKE_HANDLE(elf_shdr, ptr);
- }
-
--ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index)
-+ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, unsigned index)
- {
- uint64_t count = elf_uval(elf, elf->ehdr, e_phnum);
- ELF_PTRVAL_CONST_VOID ptr;
-@@ -264,7 +264,7 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *sym
- return ELF_INVALID_HANDLE(elf_sym);
- }
-
--ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index)
-+ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, unsigned index)
- {
- ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
- ELF_HANDLE_DECL(elf_sym) sym;
-@@ -280,7 +280,7 @@ const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note
-
- ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
-- int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
-+ unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
-
- return ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz;
- }
-@@ -288,7 +288,7 @@ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_
- uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
-- int descsz = elf_uval(elf, note, descsz);
-+ unsigned descsz = elf_uval(elf, note, descsz);
-
- switch (descsz)
- {
-@@ -306,7 +306,7 @@ uint64_t elf_note_numeric_array(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note
- unsigned int unitsz, unsigned int idx)
- {
- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
-- int descsz = elf_uval(elf, note, descsz);
-+ unsigned descsz = elf_uval(elf, note, descsz);
-
- if ( descsz % unitsz || idx >= descsz / unitsz )
- return 0;
-@@ -324,8 +324,8 @@ uint64_t elf_note_numeric_array(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note
-
- ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
-- int namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
-- int descsz = (elf_uval(elf, note, descsz) + 3) & ~3;
-+ unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
-+ unsigned descsz = (elf_uval(elf, note, descsz) + 3) & ~3;
-
- return ELF_MAKE_HANDLE(elf_note, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz + descsz);
- }
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index 951430f..87e126a 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -31,6 +31,9 @@
-
- #include <stdbool.h>
-
-+typedef int elf_errorstatus; /* 0: ok; -ve (normally -1): error */
-+typedef int elf_negerrnoval; /* 0: ok; -EFOO: error */
-+
- #undef ELFSIZE
- #include "elfstructs.h"
- #ifdef __XEN__
-@@ -328,12 +331,12 @@ bool elf_access_ok(struct elf_binary * elf,
- /* ------------------------------------------------------------------------ */
- /* xc_libelf_tools.c */
-
--int elf_shdr_count(struct elf_binary *elf);
--int elf_phdr_count(struct elf_binary *elf);
-+unsigned elf_shdr_count(struct elf_binary *elf);
-+unsigned elf_phdr_count(struct elf_binary *elf);
-
- ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *name);
--ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, int index);
--ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, int index);
-+ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned index);
-+ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, unsigned index);
-
- const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr); /* might return NULL if inputs are invalid */
- ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-@@ -343,7 +346,7 @@ ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(
- ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-
- ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol);
--ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, int index);
-+ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, unsigned index);
-
- const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); /* may return NULL */
- ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-@@ -360,7 +363,7 @@ bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr
- /* ------------------------------------------------------------------------ */
- /* xc_libelf_loader.c */
-
--int elf_init(struct elf_binary *elf, const char *image, size_t size);
-+elf_errorstatus elf_init(struct elf_binary *elf, const char *image, size_t size);
- /*
- * image and size must be correct. They will be recorded in
- * *elf, and must remain valid while the elf is in use.
-@@ -373,7 +376,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback*,
- #endif
-
- void elf_parse_binary(struct elf_binary *elf);
--int elf_load_binary(struct elf_binary *elf);
-+elf_errorstatus elf_load_binary(struct elf_binary *elf);
-
- ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr);
- uint64_t elf_lookup_addr(struct elf_binary *elf, const char *symbol);
-@@ -386,7 +389,7 @@ const char *elf_check_broken(const struct elf_binary *elf); /* NULL means OK */
- /* ------------------------------------------------------------------------ */
- /* xc_libelf_relocate.c */
-
--int elf_reloc(struct elf_binary *elf);
-+elf_errorstatus elf_reloc(struct elf_binary *elf);
-
- /* ------------------------------------------------------------------------ */
- /* xc_libelf_dominfo.c */
-@@ -420,7 +423,7 @@ struct elf_dom_parms {
- char guest_ver[16];
- char xen_ver[16];
- char loader[16];
-- int pae;
-+ int pae; /* some kind of enum apparently */
- bool bsd_symtab;
- uint64_t virt_base;
- uint64_t virt_entry;
---
-1.7.2.5
-
+++ /dev/null
-From 52d8cc2dd3bb3e0f6d51e00280da934e8d91653a Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:18 +0100
-Subject: [PATCH 16/23] libelf: check loops for running away
-
-Ensure that libelf does not have any loops which can run away
-indefinitely even if the input is bogus. (Grepped for \bfor, \bwhile
-and \bgoto in libelf and xc_dom_*loader*.c.)
-
-Changes needed:
- * elf_note_next uses the note's unchecked alleged length, which might
- wrap round. If it does, return ELF_MAX_PTRVAL (0xfff..fff) instead,
- which will be beyond the end of the section and so terminate the
- caller's loop. Also check that the returned psuedopointer is sane.
- * In various loops over section and program headers, check that the
- calculated header pointer is still within the image, and quit the
- loop if it isn't.
- * Some fixed limits to avoid potentially O(image_size^2) loops:
- - maximum length of strings: 4K (longer ones ignored totally)
- - maximum total number of ELF notes: 65536 (any more are ignored)
- * Check that the total program contents (text, data) we copy or
- initialise doesn't exceed twice the output image area size.
- * Remove an entirely useless loop from elf_xen_parse (!)
- * Replace a nested search loop in in xc_dom_load_elf_symtab in
- xc_dom_elfloader.c by a precomputation of a bitmap of referenced
- symtabs.
-
-We have not changed loops which might, in principle, iterate over the
-whole image - even if they might do so one byte at a time with a
-nontrivial access check function in the middle.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- tools/libxc/xc_dom_elfloader.c | 33 ++++++++++++++++++-------
- xen/common/libelf/libelf-dominfo.c | 43 ++++++++++++++++++++------------
- xen/common/libelf/libelf-loader.c | 47 ++++++++++++++++++++++++++++++++++-
- xen/common/libelf/libelf-tools.c | 28 ++++++++++++++++++++-
- xen/include/xen/libelf.h | 13 ++++++++++
- 5 files changed, 135 insertions(+), 29 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index 62a0d3b..c5014d2 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -28,6 +28,7 @@
-
- #include "xg_private.h"
- #include "xc_dom.h"
-+#include "xc_bitops.h"
-
- #define XEN_VER "xen-3.0"
-
-@@ -120,6 +121,7 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- ELF_PTRVAL_CHAR hdr;
- size_t size;
- unsigned h, count, type, i, tables = 0;
-+ unsigned long *strtab_referenced = NULL;
-
- if ( elf_swap(elf) )
- {
-@@ -220,22 +222,35 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- symtab, maxaddr);
-
- count = elf_shdr_count(&syms);
-+ /* elf_shdr_count guarantees that count is reasonable */
-+
-+ strtab_referenced = xc_dom_malloc(dom, bitmap_size(count));
-+ if ( strtab_referenced == NULL )
-+ return -1;
-+ bitmap_clear(strtab_referenced, count);
-+ /* Note the symtabs @h linked to by any strtab @i. */
-+ for ( i = 0; i < count; i++ )
-+ {
-+ shdr2 = elf_shdr_by_index(&syms, i);
-+ if ( elf_uval(&syms, shdr2, sh_type) == SHT_SYMTAB )
-+ {
-+ h = elf_uval(&syms, shdr2, sh_link);
-+ if (h < count)
-+ set_bit(h, strtab_referenced);
-+ }
-+ }
-+
- for ( h = 0; h < count; h++ )
- {
- shdr = ELF_OBSOLETE_VOIDP_CAST elf_shdr_by_index(&syms, h);
-+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
-+ /* input has an insane section header count field */
-+ break;
- type = elf_uval(&syms, shdr, sh_type);
- if ( type == SHT_STRTAB )
- {
-- /* Look for a strtab @i linked to symtab @h. */
-- for ( i = 0; i < count; i++ )
-- {
-- shdr2 = elf_shdr_by_index(&syms, i);
-- if ( (elf_uval(&syms, shdr2, sh_type) == SHT_SYMTAB) &&
-- (elf_uval(&syms, shdr2, sh_link) == h) )
-- break;
-- }
- /* Skip symtab @h if we found no corresponding strtab @i. */
-- if ( i == count )
-+ if ( !test_bit(h, strtab_referenced) )
- {
- if ( elf_64bit(&syms) )
- elf_store_field(elf, shdr, e64.sh_offset, 0);
-diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
-index cdd0d31..25a10d7 100644
---- a/xen/common/libelf/libelf-dominfo.c
-+++ b/xen/common/libelf/libelf-dominfo.c
-@@ -221,7 +221,8 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf,
- static unsigned elf_xen_parse_notes(struct elf_binary *elf,
- struct elf_dom_parms *parms,
- ELF_PTRVAL_CONST_VOID start,
-- ELF_PTRVAL_CONST_VOID end)
-+ ELF_PTRVAL_CONST_VOID end,
-+ unsigned *total_note_count)
- {
- unsigned xen_elfnotes = 0;
- ELF_HANDLE_DECL(elf_note) note;
-@@ -233,6 +234,12 @@ static unsigned elf_xen_parse_notes(struct elf_binary *elf,
- ELF_HANDLE_PTRVAL(note) < parms->elf_note_end;
- note = elf_note_next(elf, note) )
- {
-+ if ( *total_note_count >= ELF_MAX_TOTAL_NOTE_COUNT )
-+ {
-+ elf_mark_broken(elf, "too many ELF notes");
-+ break;
-+ }
-+ (*total_note_count)++;
- note_name = elf_note_name(elf, note);
- if ( note_name == NULL )
- continue;
-@@ -473,6 +480,7 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
- ELF_HANDLE_DECL(elf_phdr) phdr;
- unsigned xen_elfnotes = 0;
- unsigned i, count, more_notes;
-+ unsigned total_note_count = 0;
-
- elf_memset_unchecked(parms, 0, sizeof(*parms));
- parms->virt_base = UNSET_ADDR;
-@@ -487,6 +495,9 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
- for ( i = 0; i < count; i++ )
- {
- phdr = elf_phdr_by_index(elf, i);
-+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(phdr), 1) )
-+ /* input has an insane program header count field */
-+ break;
- if ( elf_uval(elf, phdr, p_type) != PT_NOTE )
- continue;
-
-@@ -499,7 +510,8 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
-
- more_notes = elf_xen_parse_notes(elf, parms,
- elf_segment_start(elf, phdr),
-- elf_segment_end(elf, phdr));
-+ elf_segment_end(elf, phdr),
-+ &total_note_count);
- if ( more_notes == ELF_NOTE_INVALID )
- return -1;
-
-@@ -516,13 +528,17 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
- for ( i = 0; i < count; i++ )
- {
- shdr = elf_shdr_by_index(elf, i);
-+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
-+ /* input has an insane section header count field */
-+ break;
-
- if ( elf_uval(elf, shdr, sh_type) != SHT_NOTE )
- continue;
-
- more_notes = elf_xen_parse_notes(elf, parms,
- elf_section_start(elf, shdr),
-- elf_section_end(elf, shdr));
-+ elf_section_end(elf, shdr),
-+ &total_note_count);
-
- if ( more_notes == ELF_NOTE_INVALID )
- return -1;
-@@ -540,20 +556,15 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf,
- */
- if ( xen_elfnotes == 0 )
- {
-- count = elf_shdr_count(elf);
-- for ( i = 0; i < count; i++ )
-+ shdr = elf_shdr_by_name(elf, "__xen_guest");
-+ if ( ELF_HANDLE_VALID(shdr) )
- {
-- shdr = elf_shdr_by_name(elf, "__xen_guest");
-- if ( ELF_HANDLE_VALID(shdr) )
-- {
-- parms->guest_info = elf_section_start(elf, shdr);
-- parms->elf_note_start = ELF_INVALID_PTRVAL;
-- parms->elf_note_end = ELF_INVALID_PTRVAL;
-- elf_msg(elf, "%s: __xen_guest: \"%s\"\n", __FUNCTION__,
-- elf_strfmt(elf, parms->guest_info));
-- elf_xen_parse_guest_info(elf, parms);
-- break;
-- }
-+ parms->guest_info = elf_section_start(elf, shdr);
-+ parms->elf_note_start = ELF_INVALID_PTRVAL;
-+ parms->elf_note_end = ELF_INVALID_PTRVAL;
-+ elf_msg(elf, "%s: __xen_guest: \"%s\"\n", __FUNCTION__,
-+ elf_strfmt(elf, parms->guest_info));
-+ elf_xen_parse_guest_info(elf, parms);
- }
- }
-
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index c3a9e51..06799af 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -75,6 +75,9 @@ elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t
- for ( i = 0; i < count; i++ )
- {
- shdr = elf_shdr_by_index(elf, i);
-+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
-+ /* input has an insane section header count field */
-+ break;
- if ( elf_uval(elf, shdr, sh_type) != SHT_SYMTAB )
- continue;
- elf->sym_tab = shdr;
-@@ -170,6 +173,9 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
- for ( i = 0; i < elf_shdr_count(elf); i++ )
- {
- shdr = elf_shdr_by_index(elf, i);
-+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
-+ /* input has an insane section header count field */
-+ break;
- type = elf_uval(elf, shdr, sh_type);
- if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
- sz = elf_round_up(elf, sz + elf_uval(elf, shdr, sh_size));
-@@ -224,6 +230,9 @@ do { \
-
- for ( i = 0; i < elf_shdr_count(elf); i++ )
- {
-+ elf_ptrval old_shdr_p;
-+ elf_ptrval new_shdr_p;
-+
- type = elf_uval(elf, shdr, sh_type);
- if ( (type == SHT_STRTAB) || (type == SHT_SYMTAB) )
- {
-@@ -235,8 +244,16 @@ do { \
- elf_hdr_elm(elf, shdr, sh_offset, maxva - symtab_addr);
- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
- }
-- shdr = ELF_MAKE_HANDLE(elf_shdr, ELF_HANDLE_PTRVAL(shdr) +
-- (unsigned long)elf_uval(elf, elf->ehdr, e_shentsize));
-+ old_shdr_p = ELF_HANDLE_PTRVAL(shdr);
-+ new_shdr_p = old_shdr_p + elf_uval(elf, elf->ehdr, e_shentsize);
-+ if ( new_shdr_p <= old_shdr_p ) /* wrapped or stuck */
-+ {
-+ elf_mark_broken(elf, "bad section header length");
-+ break;
-+ }
-+ if ( !elf_access_ok(elf, new_shdr_p, 1) ) /* outside image */
-+ break;
-+ shdr = ELF_MAKE_HANDLE(elf_shdr, new_shdr_p);
- }
-
- /* Write down the actual sym size. */
-@@ -256,6 +273,9 @@ void elf_parse_binary(struct elf_binary *elf)
- for ( i = 0; i < count; i++ )
- {
- phdr = elf_phdr_by_index(elf, i);
-+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(phdr), 1) )
-+ /* input has an insane program header count field */
-+ break;
- if ( !elf_phdr_is_loadable(elf, phdr) )
- continue;
- paddr = elf_uval(elf, phdr, p_paddr);
-@@ -278,11 +298,20 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
- ELF_HANDLE_DECL(elf_phdr) phdr;
- uint64_t i, count, paddr, offset, filesz, memsz;
- ELF_PTRVAL_VOID dest;
-+ /*
-+ * Let bizarre ELFs write the output image up to twice; this
-+ * calculation is just to ensure our copying loop is no worse than
-+ * O(domain_size).
-+ */
-+ uint64_t remain_allow_copy = (uint64_t)elf->dest_size * 2;
-
- count = elf_uval(elf, elf->ehdr, e_phnum);
- for ( i = 0; i < count; i++ )
- {
- phdr = elf_phdr_by_index(elf, i);
-+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(phdr), 1) )
-+ /* input has an insane program header count field */
-+ break;
- if ( !elf_phdr_is_loadable(elf, phdr) )
- continue;
- paddr = elf_uval(elf, phdr, p_paddr);
-@@ -290,6 +319,20 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
- filesz = elf_uval(elf, phdr, p_filesz);
- memsz = elf_uval(elf, phdr, p_memsz);
- dest = elf_get_ptr(elf, paddr);
-+
-+ /*
-+ * We need to check that the input image doesn't have us copy
-+ * the whole image zillions of times, as that could lead to
-+ * O(n^2) time behaviour and possible DoS by a malicous ELF.
-+ */
-+ if ( remain_allow_copy < memsz )
-+ {
-+ elf_mark_broken(elf, "program segments total to more"
-+ " than the input image size");
-+ break;
-+ }
-+ remain_allow_copy -= memsz;
-+
- elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%"ELF_PRPTRVAL" -> 0x%"ELF_PRPTRVAL"\n",
- __func__, i, dest, (ELF_PTRVAL_VOID)(dest + filesz));
- if ( elf_load_image(elf, dest, ELF_IMAGE_BASE(elf) + offset, filesz, memsz) != 0 )
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index 46d4ab1..4a83133 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -131,7 +131,16 @@ uint64_t elf_round_up(struct elf_binary *elf, uint64_t addr)
-
- unsigned elf_shdr_count(struct elf_binary *elf)
- {
-- return elf_uval(elf, elf->ehdr, e_shnum);
-+ unsigned count = elf_uval(elf, elf->ehdr, e_shnum);
-+ uint64_t max = elf->size / sizeof(Elf32_Shdr);
-+ if (max > ~(unsigned)0)
-+ max = ~(unsigned)0; /* Xen doesn't have limits.h :-/ */
-+ if (count > max)
-+ {
-+ elf_mark_broken(elf, "far too many section headers");
-+ count = max;
-+ }
-+ return count;
- }
-
- unsigned elf_phdr_count(struct elf_binary *elf)
-@@ -149,6 +158,9 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
- for ( i = 0; i < count; i++ )
- {
- shdr = elf_shdr_by_index(elf, i);
-+ if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
-+ /* input has an insane section header count field */
-+ break;
- sname = elf_section_name(elf, shdr);
- if ( sname && !strcmp(sname, name) )
- return shdr;
-@@ -204,6 +216,11 @@ const char *elf_strval(struct elf_binary *elf, elf_ptrval start)
- if ( !elf_access_unsigned(elf, start, length, 1) )
- /* ok */
- return ELF_UNSAFE_PTR(start);
-+ if ( length >= ELF_MAX_STRING_LENGTH )
-+ {
-+ elf_mark_broken(elf, "excessively long string");
-+ return NULL;
-+ }
- }
- }
-
-@@ -327,7 +344,14 @@ ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(
- unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
- unsigned descsz = (elf_uval(elf, note, descsz) + 3) & ~3;
-
-- return ELF_MAKE_HANDLE(elf_note, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note) + namesz + descsz);
-+ elf_ptrval ptrval = ELF_HANDLE_PTRVAL(note)
-+ + elf_size(elf, note) + namesz + descsz;
-+
-+ if ( ( ptrval <= ELF_HANDLE_PTRVAL(note) || /* wrapped or stuck */
-+ !elf_access_ok(elf, ELF_HANDLE_PTRVAL(note), 1) ) )
-+ ptrval = ELF_MAX_PTRVAL; /* terminate caller's loop */
-+
-+ return ELF_MAKE_HANDLE(elf_note, ptrval);
- }
-
- /* ------------------------------------------------------------------------ */
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index 87e126a..f95fe88 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -51,6 +51,9 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
-
- #endif
-
-+#define ELF_MAX_STRING_LENGTH 4096
-+#define ELF_MAX_TOTAL_NOTE_COUNT 65536
-+
- /* ------------------------------------------------------------------------ */
-
- /* Macros for accessing the input image and output area. */
-@@ -353,6 +356,16 @@ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_
- uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
- uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
- unsigned int unitsz, unsigned int idx);
-+
-+/*
-+ * If you use elf_note_next in a loop, you must put a nontrivial upper
-+ * bound on the returned value as part of your loop condition. In
-+ * some cases elf_note_next will substitute ELF_PTRVAL_MAX as return
-+ * value to indicate that the iteration isn't going well (for example,
-+ * the putative "next" value would be earlier in memory). In this
-+ * case the caller's loop must terminate. Checking against the
-+ * end of the notes segment with a strict inequality is sufficient.
-+ */
- ELF_HANDLE_DECL(elf_note) elf_note_next(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-
- /* (Only) checks that the image has the right magic number. */
---
-1.7.2.5
-
+++ /dev/null
-From 3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:19 +0100
-Subject: [PATCH 17/23] libelf: abolish obsolete macros
-
-Abolish ELF_PTRVAL_[CONST_]{CHAR,VOID}; change uses to elf_ptrval.
-Abolish ELF_HANDLE_DECL_NONCONST; change uses to ELF_HANDLE_DECL.
-Abolish ELF_OBSOLETE_VOIDP_CAST; simply remove all uses.
-
-No functional change. (Verified by diffing assembler output.)
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-
-v2: New patch.
----
- tools/libxc/xc_dom_elfloader.c | 8 +++---
- tools/xcutils/readnotes.c | 2 +-
- xen/common/libelf/libelf-dominfo.c | 6 ++--
- xen/common/libelf/libelf-loader.c | 24 +++++++++---------
- xen/common/libelf/libelf-tools.c | 24 +++++++++---------
- xen/include/xen/libelf.h | 48 +++++++++---------------------------
- 6 files changed, 44 insertions(+), 68 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index c5014d2..9fc4b94 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -116,9 +116,9 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- struct elf_binary *elf, bool load)
- {
- struct elf_binary syms;
-- ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
-+ ELF_HANDLE_DECL(elf_shdr) shdr; ELF_HANDLE_DECL(elf_shdr) shdr2;
- xen_vaddr_t symtab, maxaddr;
-- ELF_PTRVAL_CHAR hdr;
-+ elf_ptrval hdr;
- size_t size;
- unsigned h, count, type, i, tables = 0;
- unsigned long *strtab_referenced = NULL;
-@@ -242,7 +242,7 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
-
- for ( h = 0; h < count; h++ )
- {
-- shdr = ELF_OBSOLETE_VOIDP_CAST elf_shdr_by_index(&syms, h);
-+ shdr = elf_shdr_by_index(&syms, h);
- if ( !elf_access_ok(elf, ELF_HANDLE_PTRVAL(shdr), 1) )
- /* input has an insane section header count field */
- break;
-@@ -278,7 +278,7 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- if ( load )
- {
- shdr2 = elf_shdr_by_index(elf, h);
-- elf_memcpy_safe(elf, ELF_OBSOLETE_VOIDP_CAST elf_section_start(&syms, shdr),
-+ elf_memcpy_safe(elf, elf_section_start(&syms, shdr),
- elf_section_start(elf, shdr2),
- size);
- }
-diff --git a/tools/xcutils/readnotes.c b/tools/xcutils/readnotes.c
-index 2ca7732..5fa445e 100644
---- a/tools/xcutils/readnotes.c
-+++ b/tools/xcutils/readnotes.c
-@@ -80,7 +80,7 @@ static void print_l1_mfn_valid_note(const char *prefix, struct elf_binary *elf,
- ELF_HANDLE_DECL(elf_note) note)
- {
- unsigned descsz = elf_uval(elf, note, descsz);
-- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
-+ elf_ptrval desc = elf_note_desc(elf, note);
-
- /* XXX should be able to cope with a list of values. */
- switch ( descsz / 2 )
-diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c
-index 25a10d7..412ea70 100644
---- a/xen/common/libelf/libelf-dominfo.c
-+++ b/xen/common/libelf/libelf-dominfo.c
-@@ -220,8 +220,8 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf,
-
- static unsigned elf_xen_parse_notes(struct elf_binary *elf,
- struct elf_dom_parms *parms,
-- ELF_PTRVAL_CONST_VOID start,
-- ELF_PTRVAL_CONST_VOID end,
-+ elf_ptrval start,
-+ elf_ptrval end,
- unsigned *total_note_count)
- {
- unsigned xen_elfnotes = 0;
-@@ -258,7 +258,7 @@ static unsigned elf_xen_parse_notes(struct elf_binary *elf,
- elf_errorstatus elf_xen_parse_guest_info(struct elf_binary *elf,
- struct elf_dom_parms *parms)
- {
-- ELF_PTRVAL_CONST_CHAR h;
-+ elf_ptrval h;
- unsigned char name[32], value[128];
- unsigned len;
-
-diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c
-index 06799af..e2e75af 100644
---- a/xen/common/libelf/libelf-loader.c
-+++ b/xen/common/libelf/libelf-loader.c
-@@ -118,7 +118,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback *log_callback,
- }
-
- static elf_errorstatus elf_load_image(struct elf_binary *elf,
-- ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src,
-+ elf_ptrval dst, elf_ptrval src,
- uint64_t filesz, uint64_t memsz)
- {
- elf_memcpy_safe(elf, dst, src, filesz);
-@@ -132,7 +132,7 @@ void elf_set_verbose(struct elf_binary *elf)
- elf->verbose = 1;
- }
-
--static elf_errorstatus elf_load_image(struct elf_binary *elf, ELF_PTRVAL_VOID dst, ELF_PTRVAL_CONST_VOID src, uint64_t filesz, uint64_t memsz)
-+static elf_errorstatus elf_load_image(struct elf_binary *elf, elf_ptrval dst, elf_ptrval src, uint64_t filesz, uint64_t memsz)
- {
- elf_errorstatus rc;
- if ( filesz > ULONG_MAX || memsz > ULONG_MAX )
-@@ -187,12 +187,12 @@ void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart)
-
- static void elf_load_bsdsyms(struct elf_binary *elf)
- {
-- ELF_HANDLE_DECL_NONCONST(elf_ehdr) sym_ehdr;
-+ ELF_HANDLE_DECL(elf_ehdr) sym_ehdr;
- unsigned long sz;
-- ELF_PTRVAL_VOID maxva;
-- ELF_PTRVAL_VOID symbase;
-- ELF_PTRVAL_VOID symtab_addr;
-- ELF_HANDLE_DECL_NONCONST(elf_shdr) shdr;
-+ elf_ptrval maxva;
-+ elf_ptrval symbase;
-+ elf_ptrval symtab_addr;
-+ ELF_HANDLE_DECL(elf_shdr) shdr;
- unsigned i, type;
-
- if ( !elf->bsd_symtab_pstart )
-@@ -226,7 +226,7 @@ do { \
- elf_memcpy_safe(elf, ELF_HANDLE_PTRVAL(shdr),
- ELF_IMAGE_BASE(elf) + elf_uval(elf, elf->ehdr, e_shoff),
- sz);
-- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
-+ maxva = elf_round_up(elf, (unsigned long)maxva + sz);
-
- for ( i = 0; i < elf_shdr_count(elf); i++ )
- {
-@@ -242,7 +242,7 @@ do { \
- elf_memcpy_safe(elf, maxva, elf_section_start(elf, shdr), sz);
- /* Mangled to be based on ELF header location. */
- elf_hdr_elm(elf, shdr, sh_offset, maxva - symtab_addr);
-- maxva = ELF_OBSOLETE_VOIDP_CAST elf_round_up(elf, (unsigned long)maxva + sz);
-+ maxva = elf_round_up(elf, (unsigned long)maxva + sz);
- }
- old_shdr_p = ELF_HANDLE_PTRVAL(shdr);
- new_shdr_p = old_shdr_p + elf_uval(elf, elf->ehdr, e_shentsize);
-@@ -297,7 +297,7 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
- {
- ELF_HANDLE_DECL(elf_phdr) phdr;
- uint64_t i, count, paddr, offset, filesz, memsz;
-- ELF_PTRVAL_VOID dest;
-+ elf_ptrval dest;
- /*
- * Let bizarre ELFs write the output image up to twice; this
- * calculation is just to ensure our copying loop is no worse than
-@@ -334,7 +334,7 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
- remain_allow_copy -= memsz;
-
- elf_msg(elf, "%s: phdr %" PRIu64 " at 0x%"ELF_PRPTRVAL" -> 0x%"ELF_PRPTRVAL"\n",
-- __func__, i, dest, (ELF_PTRVAL_VOID)(dest + filesz));
-+ __func__, i, dest, (elf_ptrval)(dest + filesz));
- if ( elf_load_image(elf, dest, ELF_IMAGE_BASE(elf) + offset, filesz, memsz) != 0 )
- return -1;
- }
-@@ -343,7 +343,7 @@ elf_errorstatus elf_load_binary(struct elf_binary *elf)
- return 0;
- }
-
--ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr)
-+elf_ptrval elf_get_ptr(struct elf_binary *elf, unsigned long addr)
- {
- return ELF_REALPTR2PTRVAL(elf->dest_base) + addr - elf->pstart;
- }
-diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c
-index 4a83133..e202249 100644
---- a/xen/common/libelf/libelf-tools.c
-+++ b/xen/common/libelf/libelf-tools.c
-@@ -171,7 +171,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_name(struct elf_binary *elf, const char *n
- ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned index)
- {
- uint64_t count = elf_shdr_count(elf);
-- ELF_PTRVAL_CONST_VOID ptr;
-+ elf_ptrval ptr;
-
- if ( index >= count )
- return ELF_INVALID_HANDLE(elf_shdr);
-@@ -185,7 +185,7 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned ind
- ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, unsigned index)
- {
- uint64_t count = elf_uval(elf, elf->ehdr, e_phnum);
-- ELF_PTRVAL_CONST_VOID ptr;
-+ elf_ptrval ptr;
-
- if ( index >= count )
- return ELF_INVALID_HANDLE(elf_phdr);
-@@ -233,24 +233,24 @@ const char *elf_strfmt(struct elf_binary *elf, elf_ptrval start)
- return str;
- }
-
--ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
-+elf_ptrval elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
- {
- return ELF_IMAGE_BASE(elf) + elf_uval(elf, shdr, sh_offset);
- }
-
--ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
-+elf_ptrval elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr)
- {
- return ELF_IMAGE_BASE(elf)
- + elf_uval(elf, shdr, sh_offset) + elf_uval(elf, shdr, sh_size);
- }
-
--ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
-+elf_ptrval elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
- {
- return ELF_IMAGE_BASE(elf)
- + elf_uval(elf, phdr, p_offset);
- }
-
--ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
-+elf_ptrval elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr)
- {
- return ELF_IMAGE_BASE(elf)
- + elf_uval(elf, phdr, p_offset) + elf_uval(elf, phdr, p_filesz);
-@@ -258,8 +258,8 @@ ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(el
-
- ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol)
- {
-- ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
-- ELF_PTRVAL_CONST_VOID end = elf_section_end(elf, elf->sym_tab);
-+ elf_ptrval ptr = elf_section_start(elf, elf->sym_tab);
-+ elf_ptrval end = elf_section_end(elf, elf->sym_tab);
- ELF_HANDLE_DECL(elf_sym) sym;
- uint64_t info, name;
- const char *sym_name;
-@@ -283,7 +283,7 @@ ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *sym
-
- ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, unsigned index)
- {
-- ELF_PTRVAL_CONST_VOID ptr = elf_section_start(elf, elf->sym_tab);
-+ elf_ptrval ptr = elf_section_start(elf, elf->sym_tab);
- ELF_HANDLE_DECL(elf_sym) sym;
-
- sym = ELF_MAKE_HANDLE(elf_sym, ptr + index * elf_size(elf, sym));
-@@ -295,7 +295,7 @@ const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note
- return elf_strval(elf, ELF_HANDLE_PTRVAL(note) + elf_size(elf, note));
- }
-
--ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
-+elf_ptrval elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
- unsigned namesz = (elf_uval(elf, note, namesz) + 3) & ~3;
-
-@@ -304,7 +304,7 @@ ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_
-
- uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note)
- {
-- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
-+ elf_ptrval desc = elf_note_desc(elf, note);
- unsigned descsz = elf_uval(elf, note, descsz);
-
- switch (descsz)
-@@ -322,7 +322,7 @@ uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note
- uint64_t elf_note_numeric_array(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note,
- unsigned int unitsz, unsigned int idx)
- {
-- ELF_PTRVAL_CONST_VOID desc = elf_note_desc(elf, note);
-+ elf_ptrval desc = elf_note_desc(elf, note);
- unsigned descsz = elf_uval(elf, note, descsz);
-
- if ( descsz % unitsz || idx >= descsz / unitsz )
-diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h
-index f95fe88..174f8da 100644
---- a/xen/include/xen/libelf.h
-+++ b/xen/include/xen/libelf.h
-@@ -61,13 +61,8 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
- /*
- * We abstract away the pointerness of these pointers, replacing
- * various void*, char* and struct* with the following:
-- * PTRVAL A pointer to a byte; one can do pointer arithmetic
-+ * elf_ptrval A pointer to a byte; one can do pointer arithmetic
- * on this.
-- * This replaces variables which were char*,void*
-- * and their const versions, so we provide four
-- * different obsolete declaration macros:
-- * ELF_PTRVAL_{,CONST}{VOID,CHAR}
-- * New code can simply use the elf_ptrval typedef.
- * HANDLE A pointer to a struct. There is one of these types
- * for each pointer type - that is, for each "structname".
- * In the arguments to the various HANDLE macros, structname
-@@ -76,8 +71,6 @@ typedef void elf_log_callback(struct elf_binary*, void *caller_data,
- * pointers. In the current code attempts to do so will
- * compile, but in the next patch this will become a
- * compile error.
-- * We also provide a second declaration macro for
-- * pointers which were to const; this is obsolete.
- */
-
- typedef uintptr_t elf_ptrval;
-@@ -85,15 +78,9 @@ typedef uintptr_t elf_ptrval;
- #define ELF_REALPTR2PTRVAL(realpointer) ((elf_ptrval)(realpointer))
- /* Converts an actual C pointer into a PTRVAL */
-
--#define ELF_HANDLE_DECL_NONCONST(structname) structname##_handle /*obsolete*/
- #define ELF_HANDLE_DECL(structname) structname##_handle
- /* Provides a type declaration for a HANDLE. */
-
--#define ELF_PTRVAL_VOID elf_ptrval /*obsolete*/
--#define ELF_PTRVAL_CHAR elf_ptrval /*obsolete*/
--#define ELF_PTRVAL_CONST_VOID elf_ptrval /*obsolete*/
--#define ELF_PTRVAL_CONST_CHAR elf_ptrval /*obsolete*/
--
- #ifdef __XEN__
- # define ELF_PRPTRVAL "lu"
- /*
-@@ -124,17 +111,6 @@ typedef uintptr_t elf_ptrval;
- #define ELF_HANDLE_PTRVAL(handleval) ((handleval).ptrval)
- /* Converts a HANDLE to a PTRVAL. */
-
--#define ELF_OBSOLETE_VOIDP_CAST /*empty*/
-- /*
-- * In some places the old code used to need to
-- * - cast away const (the existing code uses const a fair
-- * bit but actually sometimes wants to write to its input)
-- * from a PTRVAL.
-- * - convert an integer representing a pointer to a PTRVAL
-- * Nowadays all of these re uintptr_ts so there is no const problem
-- * and no need for any casting.
-- */
--
- #define ELF_UNSAFE_PTR(ptrval) ((void*)(elf_ptrval)(ptrval))
- /*
- * Turns a PTRVAL into an actual C pointer. Before this is done
-@@ -212,7 +188,7 @@ struct elf_binary {
- char data;
-
- ELF_HANDLE_DECL(elf_ehdr) ehdr;
-- ELF_PTRVAL_CONST_CHAR sec_strtab;
-+ elf_ptrval sec_strtab;
- ELF_HANDLE_DECL(elf_shdr) sym_tab;
- uint64_t sym_strtab;
-
-@@ -290,7 +266,7 @@ struct elf_binary {
- * str should be a HANDLE.
- */
-
--uint64_t elf_access_unsigned(struct elf_binary *elf, ELF_PTRVAL_CONST_VOID ptr,
-+uint64_t elf_access_unsigned(struct elf_binary *elf, elf_ptrval ptr,
- uint64_t offset, size_t size);
- /* Reads a field at arbitrary offset and alignemnt */
-
-@@ -342,17 +318,17 @@ ELF_HANDLE_DECL(elf_shdr) elf_shdr_by_index(struct elf_binary *elf, unsigned ind
- ELF_HANDLE_DECL(elf_phdr) elf_phdr_by_index(struct elf_binary *elf, unsigned index);
-
- const char *elf_section_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr); /* might return NULL if inputs are invalid */
--ELF_PTRVAL_CONST_VOID elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
--ELF_PTRVAL_CONST_VOID elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-+elf_ptrval elf_section_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-+elf_ptrval elf_section_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_shdr) shdr);
-
--ELF_PTRVAL_CONST_VOID elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
--ELF_PTRVAL_CONST_VOID elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-+elf_ptrval elf_segment_start(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-+elf_ptrval elf_segment_end(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr);
-
- ELF_HANDLE_DECL(elf_sym) elf_sym_by_name(struct elf_binary *elf, const char *symbol);
- ELF_HANDLE_DECL(elf_sym) elf_sym_by_index(struct elf_binary *elf, unsigned index);
-
- const char *elf_note_name(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note); /* may return NULL */
--ELF_PTRVAL_CONST_VOID elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
-+elf_ptrval elf_note_desc(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
- uint64_t elf_note_numeric(struct elf_binary *elf, ELF_HANDLE_DECL(elf_note) note);
- uint64_t elf_note_numeric_array(struct elf_binary *, ELF_HANDLE_DECL(elf_note),
- unsigned int unitsz, unsigned int idx);
-@@ -391,7 +367,7 @@ void elf_set_log(struct elf_binary *elf, elf_log_callback*,
- void elf_parse_binary(struct elf_binary *elf);
- elf_errorstatus elf_load_binary(struct elf_binary *elf);
-
--ELF_PTRVAL_VOID elf_get_ptr(struct elf_binary *elf, unsigned long addr);
-+elf_ptrval elf_get_ptr(struct elf_binary *elf, unsigned long addr);
- uint64_t elf_lookup_addr(struct elf_binary *elf, const char *symbol);
-
- void elf_parse_bsdsyms(struct elf_binary *elf, uint64_t pstart); /* private */
-@@ -426,9 +402,9 @@ struct xen_elfnote {
-
- struct elf_dom_parms {
- /* raw */
-- ELF_PTRVAL_CONST_CHAR guest_info;
-- ELF_PTRVAL_CONST_VOID elf_note_start;
-- ELF_PTRVAL_CONST_VOID elf_note_end;
-+ elf_ptrval guest_info;
-+ elf_ptrval elf_note_start;
-+ elf_ptrval elf_note_end;
- struct xen_elfnote elf_notes[XEN_ELFNOTE_MAX + 1];
-
- /* parsed */
---
-1.7.2.5
-
+++ /dev/null
-From b06e277b1fc08c7da3befeb3ac3950e1d941585d Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:19 +0100
-Subject: [PATCH 18/23] libxc: Add range checking to xc_dom_binloader
-
-This is a simple binary image loader with its own metadata format.
-However, it is too careless with image-supplied values.
-
-Add the following checks:
-
- * That the image is bigger than the metadata table; otherwise the
- pointer arithmetic to calculate the metadata table location may
- yield undefined and dangerous values.
-
- * When clamping the end of the region to search, that we do not
- calculate pointers beyond the end of the image. The C
- specification does not permit this and compilers are becoming ever
- more determined to miscompile code when they can "prove" various
- falsehoods based on assertions from the C spec.
-
- * That the supplied image is big enough for the text we are allegedly
- copying from it. Otherwise we might have a read overrun and copy
- the results (perhaps a lot of secret data) into the guest.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- tools/libxc/xc_dom_binloader.c | 15 +++++++++++++--
- 1 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
-index bde93f7..8596a28 100644
---- a/tools/libxc/xc_dom_binloader.c
-+++ b/tools/libxc/xc_dom_binloader.c
-@@ -123,10 +123,13 @@ static struct xen_bin_image_table *find_table(struct xc_dom_image *dom)
- uint32_t *probe_ptr;
- uint32_t *probe_end;
-
-+ if ( dom->kernel_size < sizeof(*table) )
-+ return NULL;
- probe_ptr = dom->kernel_blob;
-- probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
-- if ( (void*)probe_end > (dom->kernel_blob + 8192) )
-+ if ( dom->kernel_size > (8192 + sizeof(*table)) )
- probe_end = dom->kernel_blob + 8192;
-+ else
-+ probe_end = dom->kernel_blob + dom->kernel_size - sizeof(*table);
-
- for ( table = NULL; probe_ptr < probe_end; probe_ptr++ )
- {
-@@ -282,6 +285,14 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
- return -EINVAL;
- }
-
-+ if ( image_size < skip ||
-+ image_size - skip < text_size )
-+ {
-+ DOMPRINTF("%s: image is too small for declared text size",
-+ __FUNCTION__);
-+ return -EINVAL;
-+ }
-+
- memcpy(dest, image + skip, text_size);
- memset(dest + text_size, 0, bss_size);
-
---
-1.7.2.5
-
+++ /dev/null
-From 77c0829fa751f052f7b8ec08287aef6e7ba97bc5 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:19 +0100
-Subject: [PATCH 19/23] libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
-
-The return values from xc_dom_*_to_ptr and xc_map_foreign_range are
-sometimes dereferenced, or subjected to pointer arithmetic, without
-checking whether the relevant function failed and returned NULL.
-
-Add an appropriate error check at every call site.
-
-Changes in the 4.2 backport of this series:
-* Fix tools/libxc/xc_dom_x86.c:setup_pgtables_x86_32.
-* Fix tools/libxc/xc_dom_ia64.c:start_info_ia64.
-* Fix tools/libxc/ia64/xc_ia64_dom_fwloader.c:xc_dom_load_fw_kernel.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- tools/libxc/ia64/xc_ia64_dom_fwloader.c | 2 +
- tools/libxc/xc_dom_binloader.c | 6 +++
- tools/libxc/xc_dom_core.c | 6 +++
- tools/libxc/xc_dom_elfloader.c | 13 +++++++
- tools/libxc/xc_dom_ia64.c | 6 +++
- tools/libxc/xc_dom_x86.c | 55 +++++++++++++++++++++++++++++++
- tools/libxc/xc_domain_restore.c | 27 +++++++++++++++
- tools/libxc/xc_offline_page.c | 5 +++
- 8 files changed, 120 insertions(+), 0 deletions(-)
-
-diff --git a/tools/libxc/ia64/xc_ia64_dom_fwloader.c b/tools/libxc/ia64/xc_ia64_dom_fwloader.c
-index cdf3333..dbd3349 100644
---- a/tools/libxc/ia64/xc_ia64_dom_fwloader.c
-+++ b/tools/libxc/ia64/xc_ia64_dom_fwloader.c
-@@ -60,6 +60,8 @@ static int xc_dom_load_fw_kernel(struct xc_dom_image *dom)
- unsigned long i;
-
- dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart);
-+ if ( dest == NULL )
-+ return -1;
- memcpy(dest, dom->kernel_blob, FW_SIZE);
-
- /* Synchronize cache. */
-diff --git a/tools/libxc/xc_dom_binloader.c b/tools/libxc/xc_dom_binloader.c
-index 8596a28..553b366 100644
---- a/tools/libxc/xc_dom_binloader.c
-+++ b/tools/libxc/xc_dom_binloader.c
-@@ -277,6 +277,12 @@ static int xc_dom_load_bin_kernel(struct xc_dom_image *dom)
- DOMPRINTF(" bss_size: 0x%" PRIx32 "", bss_size);
-
- dest = xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart, &dest_size);
-+ if ( dest == NULL )
-+ {
-+ DOMPRINTF("%s: xc_dom_vaddr_to_ptr(dom, dom->kernel_seg.vstart)"
-+ " => NULL", __FUNCTION__);
-+ return -EINVAL;
-+ }
-
- if ( dest_size < text_size ||
- dest_size - text_size < bss_size )
-diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
-index 8913e41..a54ddae 100644
---- a/tools/libxc/xc_dom_core.c
-+++ b/tools/libxc/xc_dom_core.c
-@@ -868,6 +868,12 @@ int xc_dom_build_image(struct xc_dom_image *dom)
- ramdisklen) != 0 )
- goto err;
- ramdiskmap = xc_dom_seg_to_ptr(dom, &dom->ramdisk_seg);
-+ if ( ramdiskmap == NULL )
-+ {
-+ DOMPRINTF("%s: xc_dom_seg_to_ptr(dom, &dom->ramdisk_seg) => NULL",
-+ __FUNCTION__);
-+ goto err;
-+ }
- if ( unziplen )
- {
- if ( xc_dom_do_gunzip(dom->xch,
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index 9fc4b94..61b5798 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -139,6 +139,12 @@ static elf_errorstatus xc_dom_load_elf_symtab(struct xc_dom_image *dom,
- return 0;
- size = dom->kernel_seg.vend - dom->bsd_symtab_start;
- hdr_ptr = xc_dom_vaddr_to_ptr(dom, dom->bsd_symtab_start, &allow_size);
-+ if ( hdr_ptr == NULL )
-+ {
-+ DOMPRINTF("%s/load: xc_dom_vaddr_to_ptr(dom,dom->bsd_symtab_start"
-+ " => NULL", __FUNCTION__);
-+ return -1;
-+ }
- elf->caller_xdest_base = hdr_ptr;
- elf->caller_xdest_size = allow_size;
- hdr = ELF_REALPTR2PTRVAL(hdr_ptr);
-@@ -384,7 +390,14 @@ static elf_errorstatus xc_dom_load_elf_kernel(struct xc_dom_image *dom)
- xen_pfn_t pages;
-
- elf->dest_base = xc_dom_seg_to_ptr_pages(dom, &dom->kernel_seg, &pages);
-+ if ( elf->dest_base == NULL )
-+ {
-+ DOMPRINTF("%s: xc_dom_vaddr_to_ptr(dom,dom->kernel_seg)"
-+ " => NULL", __FUNCTION__);
-+ return -1;
-+ }
- elf->dest_size = pages * XC_DOM_PAGE_SIZE(dom);
-+
- rc = elf_load_binary(elf);
- if ( rc < 0 )
- {
-diff --git a/tools/libxc/xc_dom_ia64.c b/tools/libxc/xc_dom_ia64.c
-index dcd1523..7c0eff1 100644
---- a/tools/libxc/xc_dom_ia64.c
-+++ b/tools/libxc/xc_dom_ia64.c
-@@ -60,6 +60,12 @@ int start_info_ia64(struct xc_dom_image *dom)
-
- DOMPRINTF_CALLED(dom->xch);
-
-+ if ( start_info == NULL )
-+ {
-+ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
-+ return -1; /* our caller throws away our return value :-/ */
-+ }
-+
- memset(start_info, 0, sizeof(*start_info));
- sprintf(start_info->magic, dom->guest_type);
- start_info->flags = dom->flags;
-diff --git a/tools/libxc/xc_dom_x86.c b/tools/libxc/xc_dom_x86.c
-index 0cf1687..75d6b83 100644
---- a/tools/libxc/xc_dom_x86.c
-+++ b/tools/libxc/xc_dom_x86.c
-@@ -144,6 +144,9 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
- xen_vaddr_t addr;
- xen_pfn_t pgpfn;
-
-+ if ( l2tab == NULL )
-+ goto pfn_error;
-+
- for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
- addr += PAGE_SIZE_X86 )
- {
-@@ -151,6 +154,8 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
- {
- /* get L1 tab, make L2 entry */
- l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
-+ if ( l1tab == NULL )
-+ goto pfn_error;
- l2off = l2_table_offset_i386(addr);
- l2tab[l2off] =
- pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
-@@ -169,6 +174,11 @@ static int setup_pgtables_x86_32(struct xc_dom_image *dom)
- l1tab = NULL;
- }
- return 0;
-+
-+pfn_error:
-+ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
-+ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
-+ return -EINVAL;
- }
-
- /*
-@@ -219,6 +229,12 @@ static xen_pfn_t move_l3_below_4G(struct xc_dom_image *dom,
- goto out;
-
- l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
-+ if ( l3tab == NULL )
-+ {
-+ DOMPRINTF("%s: xc_dom_pfn_to_ptr(dom, l3pfn, 1) => NULL",
-+ __FUNCTION__);
-+ return l3mfn; /* our one call site will call xc_dom_panic and fail */
-+ }
- memset(l3tab, 0, XC_DOM_PAGE_SIZE(dom));
-
- DOMPRINTF("%s: successfully relocated L3 below 4G. "
-@@ -262,6 +278,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
- }
-
- l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
-+ if ( l3tab == NULL )
-+ goto pfn_error;
-
- for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
- addr += PAGE_SIZE_X86 )
-@@ -270,6 +288,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
- {
- /* get L2 tab, make L3 entry */
- l2tab = xc_dom_pfn_to_ptr(dom, l2pfn, 1);
-+ if ( l2tab == NULL )
-+ goto pfn_error;
- l3off = l3_table_offset_pae(addr);
- l3tab[l3off] =
- pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
-@@ -280,6 +300,8 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
- {
- /* get L1 tab, make L2 entry */
- l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
-+ if ( l1tab == NULL )
-+ goto pfn_error;
- l2off = l2_table_offset_pae(addr);
- l2tab[l2off] =
- pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
-@@ -306,6 +328,11 @@ static int setup_pgtables_x86_32_pae(struct xc_dom_image *dom)
- l3tab[3] = pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
- }
- return 0;
-+
-+pfn_error:
-+ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
-+ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
-+ return -EINVAL;
- }
-
- #undef L1_PROT
-@@ -344,6 +371,9 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
- uint64_t addr;
- xen_pfn_t pgpfn;
-
-+ if ( l4tab == NULL )
-+ goto pfn_error;
-+
- for ( addr = dom->parms.virt_base; addr < dom->virt_pgtab_end;
- addr += PAGE_SIZE_X86 )
- {
-@@ -351,6 +381,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
- {
- /* get L3 tab, make L4 entry */
- l3tab = xc_dom_pfn_to_ptr(dom, l3pfn, 1);
-+ if ( l3tab == NULL )
-+ goto pfn_error;
- l4off = l4_table_offset_x86_64(addr);
- l4tab[l4off] =
- pfn_to_paddr(xc_dom_p2m_guest(dom, l3pfn)) | L4_PROT;
-@@ -361,6 +393,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
- {
- /* get L2 tab, make L3 entry */
- l2tab = xc_dom_pfn_to_ptr(dom, l2pfn, 1);
-+ if ( l2tab == NULL )
-+ goto pfn_error;
- l3off = l3_table_offset_x86_64(addr);
- l3tab[l3off] =
- pfn_to_paddr(xc_dom_p2m_guest(dom, l2pfn)) | L3_PROT;
-@@ -373,6 +407,8 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
- {
- /* get L1 tab, make L2 entry */
- l1tab = xc_dom_pfn_to_ptr(dom, l1pfn, 1);
-+ if ( l1tab == NULL )
-+ goto pfn_error;
- l2off = l2_table_offset_x86_64(addr);
- l2tab[l2off] =
- pfn_to_paddr(xc_dom_p2m_guest(dom, l1pfn)) | L2_PROT;
-@@ -393,6 +429,11 @@ static int setup_pgtables_x86_64(struct xc_dom_image *dom)
- l1tab = NULL;
- }
- return 0;
-+
-+pfn_error:
-+ xc_dom_panic(dom->xch, XC_INTERNAL_ERROR,
-+ "%s: xc_dom_pfn_to_ptr failed", __FUNCTION__);
-+ return -EINVAL;
- }
-
- #undef L1_PROT
-@@ -410,6 +451,8 @@ static int alloc_magic_pages(struct xc_dom_image *dom)
- if ( xc_dom_alloc_segment(dom, &dom->p2m_seg, "phys2mach", 0, p2m_size) )
- return -1;
- dom->p2m_guest = xc_dom_seg_to_ptr(dom, &dom->p2m_seg);
-+ if ( dom->p2m_guest == NULL )
-+ return -1;
-
- /* allocate special pages */
- dom->start_info_pfn = xc_dom_alloc_page(dom, "start info");
-@@ -434,6 +477,12 @@ static int start_info_x86_32(struct xc_dom_image *dom)
-
- DOMPRINTF_CALLED(dom->xch);
-
-+ if ( start_info == NULL )
-+ {
-+ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
-+ return -1; /* our caller throws away our return value :-/ */
-+ }
-+
- memset(start_info, 0, sizeof(*start_info));
- strncpy(start_info->magic, dom->guest_type, sizeof(start_info->magic));
- start_info->magic[sizeof(start_info->magic) - 1] = '\0';
-@@ -474,6 +523,12 @@ static int start_info_x86_64(struct xc_dom_image *dom)
-
- DOMPRINTF_CALLED(dom->xch);
-
-+ if ( start_info == NULL )
-+ {
-+ DOMPRINTF("%s: xc_dom_pfn_to_ptr failed on start_info", __FUNCTION__);
-+ return -1; /* our caller throws away our return value :-/ */
-+ }
-+
- memset(start_info, 0, sizeof(*start_info));
- strncpy(start_info->magic, dom->guest_type, sizeof(start_info->magic));
- start_info->magic[sizeof(start_info->magic) - 1] = '\0';
-diff --git a/tools/libxc/xc_domain_restore.c b/tools/libxc/xc_domain_restore.c
-index b4c0b10..3994f8f 100644
---- a/tools/libxc/xc_domain_restore.c
-+++ b/tools/libxc/xc_domain_restore.c
-@@ -1556,6 +1556,12 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
- mfn = ctx->p2m[pfn];
- buf = xc_map_foreign_range(xch, dom, PAGE_SIZE,
- PROT_READ | PROT_WRITE, mfn);
-+ if ( buf == NULL )
-+ {
-+ ERROR("xc_map_foreign_range for generation id"
-+ " buffer failed");
-+ goto out;
-+ }
-
- generationid = *(unsigned long long *)(buf + offset);
- *(unsigned long long *)(buf + offset) = generationid + 1;
-@@ -1713,6 +1719,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
- l3tab = (uint64_t *)
- xc_map_foreign_range(xch, dom, PAGE_SIZE,
- PROT_READ, ctx->p2m[i]);
-+ if ( l3tab == NULL )
-+ {
-+ PERROR("xc_map_foreign_range failed (for l3tab)");
-+ goto out;
-+ }
-
- for ( j = 0; j < 4; j++ )
- l3ptes[j] = l3tab[j];
-@@ -1739,6 +1750,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
- l3tab = (uint64_t *)
- xc_map_foreign_range(xch, dom, PAGE_SIZE,
- PROT_READ | PROT_WRITE, ctx->p2m[i]);
-+ if ( l3tab == NULL )
-+ {
-+ PERROR("xc_map_foreign_range failed (for l3tab, 2nd)");
-+ goto out;
-+ }
-
- for ( j = 0; j < 4; j++ )
- l3tab[j] = l3ptes[j];
-@@ -1909,6 +1925,12 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
- SET_FIELD(ctxt, user_regs.edx, mfn);
- start_info = xc_map_foreign_range(
- xch, dom, PAGE_SIZE, PROT_READ | PROT_WRITE, mfn);
-+ if ( start_info == NULL )
-+ {
-+ PERROR("xc_map_foreign_range failed (for start_info)");
-+ goto out;
-+ }
-+
- SET_FIELD(start_info, nr_pages, dinfo->p2m_size);
- SET_FIELD(start_info, shared_info, shared_info_frame<<PAGE_SHIFT);
- SET_FIELD(start_info, flags, 0);
-@@ -2056,6 +2078,11 @@ int xc_domain_restore(xc_interface *xch, int io_fd, uint32_t dom,
- /* Restore contents of shared-info page. No checking needed. */
- new_shared_info = xc_map_foreign_range(
- xch, dom, PAGE_SIZE, PROT_WRITE, shared_info_frame);
-+ if ( new_shared_info == NULL )
-+ {
-+ PERROR("xc_map_foreign_range failed (for new_shared_info)");
-+ goto out;
-+ }
-
- /* restore saved vcpu_info and arch specific info */
- MEMCPY_FIELD(new_shared_info, old_shared_info, vcpu_info);
-diff --git a/tools/libxc/xc_offline_page.c b/tools/libxc/xc_offline_page.c
-index 089a361..36b9812 100644
---- a/tools/libxc/xc_offline_page.c
-+++ b/tools/libxc/xc_offline_page.c
-@@ -714,6 +714,11 @@ int xc_exchange_page(xc_interface *xch, int domid, xen_pfn_t mfn)
-
- new_p = xc_map_foreign_range(xch, domid, PAGE_SIZE,
- PROT_READ|PROT_WRITE, new_mfn);
-+ if ( new_p == NULL )
-+ {
-+ ERROR("failed to map new_p for copy, guest may be broken?");
-+ goto failed;
-+ }
- memcpy(new_p, backup, PAGE_SIZE);
- munmap(new_p, PAGE_SIZE);
- mops.arg1.mfn = new_mfn;
---
-1.7.2.5
-
+++ /dev/null
-From 8dc90d163650ce8aa36ae0b46debab83cc61edb6 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:19 +0100
-Subject: [PATCH 20/23] libxc: check return values from malloc
-
-A sufficiently malformed input to libxc (such as a malformed input ELF
-or other guest-controlled data) might cause one of libxc's malloc() to
-fail. In this case we need to make sure we don't dereference or do
-pointer arithmetic on the result.
-
-Search for all occurrences of \b(m|c|re)alloc in libxc, and all
-functions which call them, and add appropriate error checking where
-missing.
-
-This includes the functions xc_dom_malloc*, which now print a message
-when they fail so that callers don't have to do so.
-
-The function xc_cpuid_to_str wasn't provided with a sane return value
-and has a pretty strange API, which now becomes a little stranger.
-There are no in-tree callers.
-
-Changes in the Xen 4.2 version of this series:
-* No need to fix code relating to ARM.
-* No need to fix code relating to superpage support.
-* Additionally fix `dom->p2m_host = xc_dom_malloc...' in xc_dom_ia64.c.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- tools/libxc/xc_cpuid_x86.c | 20 ++++++++++++++++++--
- tools/libxc/xc_dom_core.c | 13 +++++++++++++
- tools/libxc/xc_dom_elfloader.c | 2 ++
- tools/libxc/xc_dom_ia64.c | 6 ++++++
- tools/libxc/xc_dom_x86.c | 3 +++
- tools/libxc/xc_domain_restore.c | 5 +++++
- tools/libxc/xc_linux_osdep.c | 4 ++++
- tools/libxc/xc_private.c | 2 ++
- tools/libxc/xenctrl.h | 2 +-
- 9 files changed, 54 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxc/xc_cpuid_x86.c b/tools/libxc/xc_cpuid_x86.c
-index 0882ce6..da435ce 100644
---- a/tools/libxc/xc_cpuid_x86.c
-+++ b/tools/libxc/xc_cpuid_x86.c
-@@ -589,6 +589,8 @@ static int xc_cpuid_do_domctl(
- static char *alloc_str(void)
- {
- char *s = malloc(33);
-+ if ( s == NULL )
-+ return s;
- memset(s, 0, 33);
- return s;
- }
-@@ -600,6 +602,8 @@ void xc_cpuid_to_str(const unsigned int *regs, char **strs)
- for ( i = 0; i < 4; i++ )
- {
- strs[i] = alloc_str();
-+ if ( strs[i] == NULL )
-+ continue;
- for ( j = 0; j < 32; j++ )
- strs[i][j] = !!((regs[i] & (1U << (31 - j)))) ? '1' : '0';
- }
-@@ -680,7 +684,7 @@ int xc_cpuid_check(
- const char **config,
- char **config_transformed)
- {
-- int i, j;
-+ int i, j, rc;
- unsigned int regs[4];
-
- memset(config_transformed, 0, 4 * sizeof(*config_transformed));
-@@ -692,6 +696,11 @@ int xc_cpuid_check(
- if ( config[i] == NULL )
- continue;
- config_transformed[i] = alloc_str();
-+ if ( config_transformed[i] == NULL )
-+ {
-+ rc = -ENOMEM;
-+ goto fail_rc;
-+ }
- for ( j = 0; j < 32; j++ )
- {
- unsigned char val = !!((regs[i] & (1U << (31 - j))));
-@@ -708,12 +717,14 @@ int xc_cpuid_check(
- return 0;
-
- fail:
-+ rc = -EPERM;
-+ fail_rc:
- for ( i = 0; i < 4; i++ )
- {
- free(config_transformed[i]);
- config_transformed[i] = NULL;
- }
-- return -EPERM;
-+ return rc;
- }
-
- /*
-@@ -758,6 +769,11 @@ int xc_cpuid_set(
- }
-
- config_transformed[i] = alloc_str();
-+ if ( config_transformed[i] == NULL )
-+ {
-+ rc = -ENOMEM;
-+ goto fail;
-+ }
-
- for ( j = 0; j < 32; j++ )
- {
-diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
-index a54ddae..3cbf9f7 100644
---- a/tools/libxc/xc_dom_core.c
-+++ b/tools/libxc/xc_dom_core.c
-@@ -120,9 +120,17 @@ void *xc_dom_malloc(struct xc_dom_image *dom, size_t size)
- {
- struct xc_dom_mem *block;
-
-+ if ( size > SIZE_MAX - sizeof(*block) )
-+ {
-+ DOMPRINTF("%s: unreasonable allocation size", __FUNCTION__);
-+ return NULL;
-+ }
- block = malloc(sizeof(*block) + size);
- if ( block == NULL )
-+ {
-+ DOMPRINTF("%s: allocation failed", __FUNCTION__);
- return NULL;
-+ }
- memset(block, 0, sizeof(*block) + size);
- block->next = dom->memblocks;
- dom->memblocks = block;
-@@ -138,7 +146,10 @@ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size)
-
- block = malloc(sizeof(*block));
- if ( block == NULL )
-+ {
-+ DOMPRINTF("%s: allocation failed", __FUNCTION__);
- return NULL;
-+ }
- memset(block, 0, sizeof(*block));
- block->mmap_len = size;
- block->mmap_ptr = mmap(NULL, block->mmap_len,
-@@ -146,6 +157,7 @@ void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size)
- -1, 0);
- if ( block->mmap_ptr == MAP_FAILED )
- {
-+ DOMPRINTF("%s: mmap failed", __FUNCTION__);
- free(block);
- return NULL;
- }
-@@ -202,6 +214,7 @@ void *xc_dom_malloc_filemap(struct xc_dom_image *dom,
- close(fd);
- if ( block != NULL )
- free(block);
-+ DOMPRINTF("%s: failed (on file `%s')", __FUNCTION__, filename);
- return NULL;
- }
-
-diff --git a/tools/libxc/xc_dom_elfloader.c b/tools/libxc/xc_dom_elfloader.c
-index 61b5798..be58276 100644
---- a/tools/libxc/xc_dom_elfloader.c
-+++ b/tools/libxc/xc_dom_elfloader.c
-@@ -329,6 +329,8 @@ static elf_errorstatus xc_dom_parse_elf_kernel(struct xc_dom_image *dom)
- return rc;
-
- elf = xc_dom_malloc(dom, sizeof(*elf));
-+ if ( elf == NULL )
-+ return -1;
- dom->private_loader = elf;
- rc = elf_init(elf, dom->kernel_blob, dom->kernel_size);
- xc_elf_set_logfile(dom->xch, elf, 1);
-diff --git a/tools/libxc/xc_dom_ia64.c b/tools/libxc/xc_dom_ia64.c
-index 7c0eff1..076821c 100644
---- a/tools/libxc/xc_dom_ia64.c
-+++ b/tools/libxc/xc_dom_ia64.c
-@@ -188,6 +188,12 @@ int arch_setup_meminit(struct xc_dom_image *dom)
-
- /* setup initial p2m */
- dom->p2m_host = xc_dom_malloc(dom, sizeof(xen_pfn_t) * nbr);
-+ if ( dom->p2m_host == NULL )
-+ {
-+ DOMPRINTF("%s: xc_dom_malloc failed for p2m_host",
-+ __FUNCTION__);
-+ return -1;
-+ }
- for ( pfn = 0; pfn < nbr; pfn++ )
- dom->p2m_host[pfn] = start + pfn;
-
-diff --git a/tools/libxc/xc_dom_x86.c b/tools/libxc/xc_dom_x86.c
-index 75d6b83..448d9a1 100644
---- a/tools/libxc/xc_dom_x86.c
-+++ b/tools/libxc/xc_dom_x86.c
-@@ -780,6 +780,9 @@ int arch_setup_meminit(struct xc_dom_image *dom)
- }
-
- dom->p2m_host = xc_dom_malloc(dom, sizeof(xen_pfn_t) * dom->total_pages);
-+ if ( dom->p2m_host == NULL )
-+ return -EINVAL;
-+
- if ( dom->superpages )
- {
- int count = dom->total_pages >> SUPERPAGE_PFN_SHIFT;
-diff --git a/tools/libxc/xc_domain_restore.c b/tools/libxc/xc_domain_restore.c
-index 3994f8f..f9ed6b2 100644
---- a/tools/libxc/xc_domain_restore.c
-+++ b/tools/libxc/xc_domain_restore.c
-@@ -1180,6 +1180,11 @@ static int apply_batch(xc_interface *xch, uint32_t dom, struct restore_ctx *ctx,
-
- /* Map relevant mfns */
- pfn_err = calloc(j, sizeof(*pfn_err));
-+ if ( pfn_err == NULL )
-+ {
-+ PERROR("allocation for pfn_err failed");
-+ return -1;
-+ }
- region_base = xc_map_foreign_bulk(
- xch, dom, PROT_WRITE, region_mfn, pfn_err, j);
-
-diff --git a/tools/libxc/xc_linux_osdep.c b/tools/libxc/xc_linux_osdep.c
-index 787e742..98e041c 100644
---- a/tools/libxc/xc_linux_osdep.c
-+++ b/tools/libxc/xc_linux_osdep.c
-@@ -378,6 +378,8 @@ static void *linux_privcmd_map_foreign_range(xc_interface *xch, xc_osdep_handle
-
- num = (size + XC_PAGE_SIZE - 1) >> XC_PAGE_SHIFT;
- arr = calloc(num, sizeof(xen_pfn_t));
-+ if ( arr == NULL )
-+ return NULL;
-
- for ( i = 0; i < num; i++ )
- arr[i] = mfn + i;
-@@ -402,6 +404,8 @@ static void *linux_privcmd_map_foreign_ranges(xc_interface *xch, xc_osdep_handle
- num_per_entry = chunksize >> XC_PAGE_SHIFT;
- num = num_per_entry * nentries;
- arr = calloc(num, sizeof(xen_pfn_t));
-+ if ( arr == NULL )
-+ return NULL;
-
- for ( i = 0; i < nentries; i++ )
- for ( j = 0; j < num_per_entry; j++ )
-diff --git a/tools/libxc/xc_private.c b/tools/libxc/xc_private.c
-index 3e03a91..848ceed 100644
---- a/tools/libxc/xc_private.c
-+++ b/tools/libxc/xc_private.c
-@@ -771,6 +771,8 @@ const char *xc_strerror(xc_interface *xch, int errcode)
- errbuf = pthread_getspecific(errbuf_pkey);
- if (errbuf == NULL) {
- errbuf = malloc(XS_BUFSIZE);
-+ if ( errbuf == NULL )
-+ return "(failed to allocate errbuf)";
- pthread_setspecific(errbuf_pkey, errbuf);
- }
-
-diff --git a/tools/libxc/xenctrl.h b/tools/libxc/xenctrl.h
-index b7741ca..8952048 100644
---- a/tools/libxc/xenctrl.h
-+++ b/tools/libxc/xenctrl.h
-@@ -1778,7 +1778,7 @@ int xc_cpuid_set(xc_interface *xch,
- int xc_cpuid_apply_policy(xc_interface *xch,
- domid_t domid);
- void xc_cpuid_to_str(const unsigned int *regs,
-- char **strs);
-+ char **strs); /* some strs[] may be NULL if ENOMEM */
- int xc_mca_op(xc_interface *xch, struct xen_mc *mc);
- #endif
-
---
-1.7.2.5
-
+++ /dev/null
-From 052a689aa526ca51fd70528d4b0f83dfb2de99c1 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:19 +0100
-Subject: [PATCH 21/23] libxc: range checks in xc_dom_p2m_host and _guest
-
-These functions take guest pfns and look them up in the p2m. They did
-no range checking.
-
-However, some callers, notably xc_dom_boot.c:setup_hypercall_page want
-to pass untrusted guest-supplied value(s). It is most convenient to
-detect this here and return INVALID_MFN.
-
-This is part of the fix to a security issue, XSA-55.
-
-Changes from Xen 4.2 version of this patch:
-* 4.2 lacks dom->rambase_pfn, so don't add/subtract/check it.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
----
- tools/libxc/xc_dom.h | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
-index 0161459..d801f66 100644
---- a/tools/libxc/xc_dom.h
-+++ b/tools/libxc/xc_dom.h
-@@ -331,6 +331,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn)
- {
- if (dom->shadow_enabled)
- return pfn;
-+ if (pfn >= dom->total_pages)
-+ return INVALID_MFN;
- return dom->p2m_host[pfn];
- }
-
-@@ -339,6 +341,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom,
- {
- if (xc_dom_feature_translated(dom))
- return pfn;
-+ if (pfn >= dom->total_pages)
-+ return INVALID_MFN;
- return dom->p2m_host[pfn];
- }
-
---
-1.7.2.5
-
+++ /dev/null
-From 2a548e22915535ac13694eb38222903bca7245e3 Mon Sep 17 00:00:00 2001
-From: Matthew Daley <mattjd@gmail.com>
-Date: Fri, 14 Jun 2013 16:43:19 +0100
-Subject: [PATCH 22/23] libxc: check blob size before proceeding in xc_dom_check_gzip
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Matthew Daley <mattjd@gmail.com>
----
- tools/libxc/xc_dom_core.c | 5 +++++
- 1 files changed, 5 insertions(+), 0 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
-index 3cbf9f7..f8d1b08 100644
---- a/tools/libxc/xc_dom_core.c
-+++ b/tools/libxc/xc_dom_core.c
-@@ -284,6 +284,11 @@ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen)
- unsigned char *gzlen;
- size_t unziplen;
-
-+ if ( ziplen < 6 )
-+ /* Too small. We need (i.e. the subsequent code relies on)
-+ * 2 bytes for the magic number plus 4 bytes length. */
-+ return 0;
-+
- if ( strncmp(blob, "\037\213", 2) )
- /* not gzipped */
- return 0;
---
-1.7.2.5
-
+++ /dev/null
-From d21d36e84354c04638b60a739a5f7c3d9f8adaf8 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Fri, 14 Jun 2013 16:43:19 +0100
-Subject: [PATCH 23/23] libxc: Better range check in xc_dom_alloc_segment
-
-If seg->pfn is too large, the arithmetic in the range check might
-overflow, defeating the range check.
-
-This is part of the fix to a security issue, XSA-55.
-
-Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- tools/libxc/xc_dom_core.c | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
-index f8d1b08..e79e38d 100644
---- a/tools/libxc/xc_dom_core.c
-+++ b/tools/libxc/xc_dom_core.c
-@@ -509,7 +509,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom,
- seg->vstart = start;
- seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size;
-
-- if ( pages > dom->total_pages || /* double test avoids overflow probs */
-+ if ( pages > dom->total_pages || /* multiple test avoids overflow probs */
-+ seg->pfn > dom->total_pages ||
- pages > dom->total_pages - seg->pfn)
- {
- xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
---
-1.7.2.5
-
+++ /dev/null
-x86: fix page refcount handling in page table pin error path
-
-In the original patch 7 of the series addressing XSA-45 I mistakenly
-took the addition of the call to get_page_light() in alloc_page_type()
-to cover two decrements that would happen: One for the PGT_partial bit
-that is getting set along with the call, and the other for the page
-reference the caller hold (and would be dropping on its error path).
-But of course the additional page reference is tied to the PGT_partial
-bit, and hence any caller of a function that may leave
-->arch.old_guest_table non-NULL for error cleanup purposes has to make
-sure a respective page reference gets retained.
-
-Similar issues were then also spotted elsewhere: In effect all callers
-of get_page_type_preemptible() need to deal with errors in similar
-ways. To make sure error handling can work this way without leaking
-page references, a respective assertion gets added to that function.
-
-This is CVE-2013-1432 / XSA-58.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-
---- a/xen/arch/x86/domain.c
-+++ b/xen/arch/x86/domain.c
-@@ -941,6 +941,10 @@ int arch_set_info_guest(
- if ( v->vcpu_id == 0 )
- d->vm_assist = c(vm_assist);
-
-+ rc = put_old_guest_table(current);
-+ if ( rc )
-+ return rc;
-+
- if ( !compat )
- rc = (int)set_gdt(v, c.nat->gdt_frames, c.nat->gdt_ents);
- #ifdef CONFIG_COMPAT
-@@ -980,18 +984,24 @@ int arch_set_info_guest(
- }
- else
- {
-- /*
-- * Since v->arch.guest_table{,_user} are both NULL, this effectively
-- * is just a call to put_old_guest_table().
-- */
- if ( !compat )
-- rc = vcpu_destroy_pagetables(v);
-+ rc = put_old_guest_table(v);
- if ( !rc )
- rc = get_page_type_preemptible(cr3_page,
- !compat ? PGT_root_page_table
- : PGT_l3_page_table);
-- if ( rc == -EINTR )
-+ switch ( rc )
-+ {
-+ case -EINTR:
- rc = -EAGAIN;
-+ case -EAGAIN:
-+ case 0:
-+ break;
-+ default:
-+ if ( cr3_page == current->arch.old_guest_table )
-+ cr3_page = NULL;
-+ break;
-+ }
- }
- if ( rc )
- /* handled below */;
-@@ -1018,6 +1028,11 @@ int arch_set_info_guest(
- pagetable_get_page(v->arch.guest_table);
- v->arch.guest_table = pagetable_null();
- break;
-+ default:
-+ if ( cr3_page == current->arch.old_guest_table )
-+ cr3_page = NULL;
-+ case 0:
-+ break;
- }
- }
- if ( !rc )
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -718,7 +718,8 @@ static int get_page_and_type_from_pagenr
- get_page_type_preemptible(page, type) :
- (get_page_type(page, type) ? 0 : -EINVAL));
-
-- if ( unlikely(rc) && partial >= 0 )
-+ if ( unlikely(rc) && partial >= 0 &&
-+ (!preemptible || page != current->arch.old_guest_table) )
- put_page(page);
-
- return rc;
-@@ -2638,6 +2639,7 @@ int put_page_type_preemptible(struct pag
-
- int get_page_type_preemptible(struct page_info *page, unsigned long type)
- {
-+ ASSERT(!current->arch.old_guest_table);
- return __get_page_type(page, type, 1);
- }
-
-@@ -2848,7 +2850,7 @@ static void put_superpage(unsigned long
-
- #endif
-
--static int put_old_guest_table(struct vcpu *v)
-+int put_old_guest_table(struct vcpu *v)
- {
- int rc;
-
-@@ -3253,7 +3255,8 @@ long do_mmuext_op(
- rc = -EAGAIN;
- else if ( rc != -EAGAIN )
- MEM_LOG("Error while pinning mfn %lx", page_to_mfn(page));
-- put_page(page);
-+ if ( page != curr->arch.old_guest_table )
-+ put_page(page);
- break;
- }
-
---- a/xen/include/asm-x86/mm.h
-+++ b/xen/include/asm-x86/mm.h
-@@ -374,6 +374,7 @@ void put_page_type(struct page_info *pag
- int get_page_type(struct page_info *page, unsigned long type);
- int put_page_type_preemptible(struct page_info *page);
- int get_page_type_preemptible(struct page_info *page, unsigned long type);
-+int put_old_guest_table(struct vcpu *);
- int get_page_from_l1e(
- l1_pgentry_t l1e, struct domain *l1e_owner, struct domain *pg_owner);
- void put_page_from_l1e(l1_pgentry_t l1e, struct domain *l1e_owner);
+++ /dev/null
-Description: x86: make vcpu_destroy_pagetables() preemptible
- ... as it may take significant amounts of time.
- .
- The function, being moved to mm.c as the better home for it anyway, and
- to avoid having to make a new helper function there non-static, is
- given a "preemptible" parameter temporarily (until, in a subsequent
- patch, its other caller is also being made capable of dealing with
- preemption).
-From: Jan Beulich <jbeulich@suse.com>
-Origin: upstream
-Id: CVE-2013-1918 XSA-45
----
---- a/xen/arch/x86/domain.c
-+++ b/xen/arch/x86/domain.c
-@@ -73,8 +73,6 @@ void (*dead_idle) (void) __read_mostly = default_dead_idle;
- static void paravirt_ctxt_switch_from(struct vcpu *v);
- static void paravirt_ctxt_switch_to(struct vcpu *v);
-
--static void vcpu_destroy_pagetables(struct vcpu *v);
--
- static void default_idle(void)
- {
- local_irq_disable();
-@@ -1058,7 +1056,7 @@ void arch_vcpu_reset(struct vcpu *v)
- if ( !is_hvm_vcpu(v) )
- {
- destroy_gdt(v);
-- vcpu_destroy_pagetables(v);
-+ vcpu_destroy_pagetables(v, 0);
- }
- else
- {
-@@ -2069,63 +2067,6 @@ static int relinquish_memory(
- return ret;
- }
-
--static void vcpu_destroy_pagetables(struct vcpu *v)
--{
-- struct domain *d = v->domain;
-- unsigned long pfn;
--
--#ifdef __x86_64__
-- if ( is_pv_32on64_vcpu(v) )
-- {
-- pfn = l4e_get_pfn(*(l4_pgentry_t *)
-- __va(pagetable_get_paddr(v->arch.guest_table)));
--
-- if ( pfn != 0 )
-- {
-- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(pfn));
-- else
-- put_page_and_type(mfn_to_page(pfn));
-- }
--
-- l4e_write(
-- (l4_pgentry_t *)__va(pagetable_get_paddr(v->arch.guest_table)),
-- l4e_empty());
--
-- v->arch.cr3 = 0;
-- return;
-- }
--#endif
--
-- pfn = pagetable_get_pfn(v->arch.guest_table);
-- if ( pfn != 0 )
-- {
-- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(pfn));
-- else
-- put_page_and_type(mfn_to_page(pfn));
-- v->arch.guest_table = pagetable_null();
-- }
--
--#ifdef __x86_64__
-- /* Drop ref to guest_table_user (from MMUEXT_NEW_USER_BASEPTR) */
-- pfn = pagetable_get_pfn(v->arch.guest_table_user);
-- if ( pfn != 0 )
-- {
-- if ( !is_pv_32bit_vcpu(v) )
-- {
-- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(pfn));
-- else
-- put_page_and_type(mfn_to_page(pfn));
-- }
-- v->arch.guest_table_user = pagetable_null();
-- }
--#endif
--
-- v->arch.cr3 = 0;
--}
--
- int domain_relinquish_resources(struct domain *d)
- {
- int ret;
-@@ -2143,7 +2084,11 @@ int domain_relinquish_resources(struct domain *d)
-
- /* Drop the in-use references to page-table bases. */
- for_each_vcpu ( d, v )
-- vcpu_destroy_pagetables(v);
-+ {
-+ ret = vcpu_destroy_pagetables(v, 1);
-+ if ( ret )
-+ return ret;
-+ }
-
- if ( !is_hvm_domain(d) )
- {
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -2808,6 +2808,82 @@ static void put_superpage(unsigned long mfn)
-
- #endif
-
-+static int put_old_guest_table(struct vcpu *v)
-+{
-+ int rc;
-+
-+ if ( !v->arch.old_guest_table )
-+ return 0;
-+
-+ switch ( rc = put_page_and_type_preemptible(v->arch.old_guest_table, 1) )
-+ {
-+ case -EINTR:
-+ case -EAGAIN:
-+ return -EAGAIN;
-+ }
-+
-+ v->arch.old_guest_table = NULL;
-+
-+ return rc;
-+}
-+
-+int vcpu_destroy_pagetables(struct vcpu *v, bool_t preemptible)
-+{
-+ unsigned long mfn = pagetable_get_pfn(v->arch.guest_table);
-+ struct page_info *page;
-+ int rc = put_old_guest_table(v);
-+
-+ if ( rc )
-+ return rc;
-+
-+#ifdef __x86_64__
-+ if ( is_pv_32on64_vcpu(v) )
-+ mfn = l4e_get_pfn(*(l4_pgentry_t *)mfn_to_virt(mfn));
-+#endif
-+
-+ if ( mfn )
-+ {
-+ page = mfn_to_page(mfn);
-+ if ( paging_mode_refcounts(v->domain) )
-+ put_page(page);
-+ else
-+ rc = put_page_and_type_preemptible(page, preemptible);
-+ }
-+
-+#ifdef __x86_64__
-+ if ( is_pv_32on64_vcpu(v) )
-+ {
-+ if ( !rc )
-+ l4e_write(
-+ (l4_pgentry_t *)__va(pagetable_get_paddr(v->arch.guest_table)),
-+ l4e_empty());
-+ }
-+ else
-+#endif
-+ if ( !rc )
-+ {
-+ v->arch.guest_table = pagetable_null();
-+
-+#ifdef __x86_64__
-+ /* Drop ref to guest_table_user (from MMUEXT_NEW_USER_BASEPTR) */
-+ mfn = pagetable_get_pfn(v->arch.guest_table_user);
-+ if ( mfn )
-+ {
-+ page = mfn_to_page(mfn);
-+ if ( paging_mode_refcounts(v->domain) )
-+ put_page(page);
-+ else
-+ rc = put_page_and_type_preemptible(page, preemptible);
-+ }
-+ if ( !rc )
-+ v->arch.guest_table_user = pagetable_null();
-+#endif
-+ }
-+
-+ v->arch.cr3 = 0;
-+
-+ return rc;
-+}
-
- int new_guest_cr3(unsigned long mfn)
- {
-@@ -2994,12 +3070,21 @@ long do_mmuext_op(
- unsigned int foreigndom)
- {
- struct mmuext_op op;
-- int rc = 0, i = 0, okay;
- unsigned long type;
-- unsigned int done = 0;
-+ unsigned int i = 0, done = 0;
- struct vcpu *curr = current;
- struct domain *d = curr->domain;
- struct domain *pg_owner;
-+ int okay, rc = put_old_guest_table(curr);
-+
-+ if ( unlikely(rc) )
-+ {
-+ if ( likely(rc == -EAGAIN) )
-+ rc = hypercall_create_continuation(
-+ __HYPERVISOR_mmuext_op, "hihi", uops, count, pdone,
-+ foreigndom);
-+ return rc;
-+ }
-
- if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
- {
---- a/xen/arch/x86/x86_64/compat/mm.c
-+++ b/xen/arch/x86/x86_64/compat/mm.c
-@@ -365,7 +365,7 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mmuext_op_compat_t) cmp_uops,
- : mcs->call.args[1];
- unsigned int left = arg1 & ~MMU_UPDATE_PREEMPTED;
-
-- BUG_ON(left == arg1);
-+ BUG_ON(left == arg1 && left != i);
- BUG_ON(left > count);
- guest_handle_add_offset(nat_ops, i - left);
- guest_handle_subtract_offset(cmp_uops, left);
---- a/xen/include/asm-x86/domain.h
-+++ b/xen/include/asm-x86/domain.h
-@@ -464,6 +464,7 @@ struct arch_vcpu
- pagetable_t guest_table_user; /* (MFN) x86/64 user-space pagetable */
- #endif
- pagetable_t guest_table; /* (MFN) guest notion of cr3 */
-+ struct page_info *old_guest_table; /* partially destructed pagetable */
- /* guest_table holds a ref to the page, and also a type-count unless
- * shadow refcounts are in use */
- pagetable_t shadow_table[4]; /* (MFN) shadow(s) of guest */
---- a/xen/include/asm-x86/mm.h
-+++ b/xen/include/asm-x86/mm.h
-@@ -605,6 +605,7 @@ void audit_domains(void);
- int new_guest_cr3(unsigned long pfn);
- void make_cr3(struct vcpu *v, unsigned long mfn);
- void update_cr3(struct vcpu *v);
-+int vcpu_destroy_pagetables(struct vcpu *, bool_t preemptible);
- void propagate_page_fault(unsigned long addr, u16 error_code);
- void *do_page_walk(struct vcpu *v, unsigned long addr);
-
+++ /dev/null
-Description: x86: make new_guest_cr3() preemptible
- ... as it may take significant amounts of time.
-From: Jan Beulich <jbeulich@suse.com>
-Origin: upstream
-Id: CVE-2013-1918 XSA-45
----
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -2889,44 +2889,69 @@ int new_guest_cr3(unsigned long mfn)
- {
- struct vcpu *curr = current;
- struct domain *d = curr->domain;
-- int okay;
-+ int rc;
- unsigned long old_base_mfn;
-
- #ifdef __x86_64__
- if ( is_pv_32on64_domain(d) )
- {
-- okay = paging_mode_refcounts(d)
-- ? 0 /* Old code was broken, but what should it be? */
-- : mod_l4_entry(
-+ rc = paging_mode_refcounts(d)
-+ ? -EINVAL /* Old code was broken, but what should it be? */
-+ : mod_l4_entry(
- __va(pagetable_get_paddr(curr->arch.guest_table)),
- l4e_from_pfn(
- mfn,
- (_PAGE_PRESENT|_PAGE_RW|_PAGE_USER|_PAGE_ACCESSED)),
-- pagetable_get_pfn(curr->arch.guest_table), 0, 0, curr) == 0;
-- if ( unlikely(!okay) )
-+ pagetable_get_pfn(curr->arch.guest_table), 0, 1, curr);
-+ switch ( rc )
- {
-+ case 0:
-+ break;
-+ case -EINTR:
-+ case -EAGAIN:
-+ return -EAGAIN;
-+ default:
- MEM_LOG("Error while installing new compat baseptr %lx", mfn);
-- return 0;
-+ return rc;
- }
-
- invalidate_shadow_ldt(curr, 0);
- write_ptbase(curr);
-
-- return 1;
-+ return 0;
- }
- #endif
-- okay = paging_mode_refcounts(d)
-- ? get_page_from_pagenr(mfn, d)
-- : !get_page_and_type_from_pagenr(mfn, PGT_root_page_table, d, 0, 0);
-- if ( unlikely(!okay) )
-+ rc = put_old_guest_table(curr);
-+ if ( unlikely(rc) )
-+ return rc;
-+
-+ old_base_mfn = pagetable_get_pfn(curr->arch.guest_table);
-+ /*
-+ * This is particularly important when getting restarted after the
-+ * previous attempt got preempted in the put-old-MFN phase.
-+ */
-+ if ( old_base_mfn == mfn )
- {
-- MEM_LOG("Error while installing new baseptr %lx", mfn);
-+ write_ptbase(curr);
- return 0;
- }
-
-- invalidate_shadow_ldt(curr, 0);
-+ rc = paging_mode_refcounts(d)
-+ ? (get_page_from_pagenr(mfn, d) ? 0 : -EINVAL)
-+ : get_page_and_type_from_pagenr(mfn, PGT_root_page_table, d, 0, 1);
-+ switch ( rc )
-+ {
-+ case 0:
-+ break;
-+ case -EINTR:
-+ case -EAGAIN:
-+ return -EAGAIN;
-+ default:
-+ MEM_LOG("Error while installing new baseptr %lx", mfn);
-+ return rc;
-+ }
-
-- old_base_mfn = pagetable_get_pfn(curr->arch.guest_table);
-+ invalidate_shadow_ldt(curr, 0);
-
- curr->arch.guest_table = pagetable_from_pfn(mfn);
- update_cr3(curr);
-@@ -2935,13 +2960,25 @@ int new_guest_cr3(unsigned long mfn)
-
- if ( likely(old_base_mfn != 0) )
- {
-+ struct page_info *page = mfn_to_page(old_base_mfn);
-+
- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(old_base_mfn));
-+ put_page(page);
- else
-- put_page_and_type(mfn_to_page(old_base_mfn));
-+ switch ( rc = put_page_and_type_preemptible(page, 1) )
-+ {
-+ case -EINTR:
-+ rc = -EAGAIN;
-+ case -EAGAIN:
-+ curr->arch.old_guest_table = page;
-+ break;
-+ default:
-+ BUG_ON(rc);
-+ break;
-+ }
- }
-
-- return 1;
-+ return rc;
- }
-
- static struct domain *get_pg_owner(domid_t domid)
-@@ -3239,8 +3276,13 @@ long do_mmuext_op(
- }
-
- case MMUEXT_NEW_BASEPTR:
-- okay = (!paging_mode_translate(d)
-- && new_guest_cr3(op.arg1.mfn));
-+ if ( paging_mode_translate(d) )
-+ okay = 0;
-+ else
-+ {
-+ rc = new_guest_cr3(op.arg1.mfn);
-+ okay = !rc;
-+ }
- break;
-
-
-diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
-index 692281a..eada470 100644
---- a/xen/arch/x86/traps.c
-+++ b/xen/arch/x86/traps.c
-@@ -2407,12 +2407,23 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
- #endif
- }
- page = get_page_from_gfn(v->domain, gfn, NULL, P2M_ALLOC);
-- rc = page ? new_guest_cr3(page_to_mfn(page)) : 0;
- if ( page )
-+ {
-+ rc = new_guest_cr3(page_to_mfn(page));
- put_page(page);
-+ }
-+ else
-+ rc = -EINVAL;
- domain_unlock(v->domain);
-- if ( rc == 0 ) /* not okay */
-+ switch ( rc )
-+ {
-+ case 0:
-+ break;
-+ case -EAGAIN: /* retry after preemption */
-+ goto skip;
-+ default: /* not okay */
- goto fail;
-+ }
- break;
- }
-
+++ /dev/null
-Description: x86: make MMUEXT_NEW_USER_BASEPTR preemptible
- ... as it may take significant amounts of time.
-From: Jan Beulich <jbeulich@suse.com>
-Origin: upstream
-Id: CVE-2013-1918 XSA-45
----
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -3296,29 +3296,56 @@ long do_mmuext_op(
- break;
- }
-
-+ old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);
-+ /*
-+ * This is particularly important when getting restarted after the
-+ * previous attempt got preempted in the put-old-MFN phase.
-+ */
-+ if ( old_mfn == op.arg1.mfn )
-+ break;
-+
- if ( op.arg1.mfn != 0 )
- {
- if ( paging_mode_refcounts(d) )
- okay = get_page_from_pagenr(op.arg1.mfn, d);
- else
-- okay = !get_page_and_type_from_pagenr(
-- op.arg1.mfn, PGT_root_page_table, d, 0, 0);
-+ {
-+ rc = get_page_and_type_from_pagenr(
-+ op.arg1.mfn, PGT_root_page_table, d, 0, 1);
-+ okay = !rc;
-+ }
- if ( unlikely(!okay) )
- {
-- MEM_LOG("Error while installing new mfn %lx", op.arg1.mfn);
-+ if ( rc == -EINTR )
-+ rc = -EAGAIN;
-+ else if ( rc != -EAGAIN )
-+ MEM_LOG("Error while installing new mfn %lx",
-+ op.arg1.mfn);
- break;
- }
- }
-
-- old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);
- curr->arch.guest_table_user = pagetable_from_pfn(op.arg1.mfn);
-
- if ( old_mfn != 0 )
- {
-+ struct page_info *page = mfn_to_page(old_mfn);
-+
- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(old_mfn));
-+ put_page(page);
- else
-- put_page_and_type(mfn_to_page(old_mfn));
-+ switch ( rc = put_page_and_type_preemptible(page, 1) )
-+ {
-+ case -EINTR:
-+ rc = -EAGAIN;
-+ case -EAGAIN:
-+ curr->arch.old_guest_table = page;
-+ okay = 0;
-+ break;
-+ default:
-+ BUG_ON(rc);
-+ break;
-+ }
- }
-
- break;
+++ /dev/null
-Description: x86: make vcpu_reset() preemptible
- ... as dropping the old page tables may take significant amounts of
- time.
-From: Jan Beulich <jbeulich@suse.com>
-Origin: upstream
-Id: CVE-2013-1918 XSA-45
----
---- a/xen/arch/x86/domain.c
-+++ b/xen/arch/x86/domain.c
-@@ -1051,17 +1051,16 @@ int arch_set_info_guest(
- #undef c
- }
-
--void arch_vcpu_reset(struct vcpu *v)
-+int arch_vcpu_reset(struct vcpu *v)
- {
- if ( !is_hvm_vcpu(v) )
- {
- destroy_gdt(v);
-- vcpu_destroy_pagetables(v, 0);
-- }
-- else
-- {
-- vcpu_end_shutdown_deferral(v);
-+ return vcpu_destroy_pagetables(v);
- }
-+
-+ vcpu_end_shutdown_deferral(v);
-+ return 0;
- }
-
- /*
-@@ -2085,7 +2084,7 @@ int domain_relinquish_resources(struct domain *d)
- /* Drop the in-use references to page-table bases. */
- for_each_vcpu ( d, v )
- {
-- ret = vcpu_destroy_pagetables(v, 1);
-+ ret = vcpu_destroy_pagetables(v);
- if ( ret )
- return ret;
- }
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -3509,8 +3509,11 @@ static void hvm_s3_suspend(struct domain *d)
-
- for_each_vcpu ( d, v )
- {
-+ int rc;
-+
- vlapic_reset(vcpu_vlapic(v));
-- vcpu_reset(v);
-+ rc = vcpu_reset(v);
-+ ASSERT(!rc);
- }
-
- vpic_reset(d);
---- a/xen/arch/x86/hvm/vlapic.c
-+++ b/xen/arch/x86/hvm/vlapic.c
-@@ -252,10 +252,13 @@ static void vlapic_init_sipi_action(unsigned long _vcpu)
- {
- case APIC_DM_INIT: {
- bool_t fpu_initialised;
-+ int rc;
-+
- domain_lock(target->domain);
- /* Reset necessary VCPU state. This does not include FPU state. */
- fpu_initialised = target->fpu_initialised;
-- vcpu_reset(target);
-+ rc = vcpu_reset(target);
-+ ASSERT(!rc);
- target->fpu_initialised = fpu_initialised;
- vlapic_reset(vcpu_vlapic(target));
- domain_unlock(target->domain);
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -2827,7 +2827,7 @@ static int put_old_guest_table(struct vcpu *v)
- return rc;
- }
-
--int vcpu_destroy_pagetables(struct vcpu *v, bool_t preemptible)
-+int vcpu_destroy_pagetables(struct vcpu *v)
- {
- unsigned long mfn = pagetable_get_pfn(v->arch.guest_table);
- struct page_info *page;
-@@ -2847,7 +2847,7 @@ int vcpu_destroy_pagetables(struct vcpu *v, bool_t preemptible)
- if ( paging_mode_refcounts(v->domain) )
- put_page(page);
- else
-- rc = put_page_and_type_preemptible(page, preemptible);
-+ rc = put_page_and_type_preemptible(page, 1);
- }
-
- #ifdef __x86_64__
-@@ -2873,7 +2873,7 @@ int vcpu_destroy_pagetables(struct vcpu *v, bool_t preemptible)
- if ( paging_mode_refcounts(v->domain) )
- put_page(page);
- else
-- rc = put_page_and_type_preemptible(page, preemptible);
-+ rc = put_page_and_type_preemptible(page, 1);
- }
- if ( !rc )
- v->arch.guest_table_user = pagetable_null();
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-@@ -779,14 +779,18 @@ void domain_unpause_by_systemcontroller(struct domain *d)
- domain_unpause(d);
- }
-
--void vcpu_reset(struct vcpu *v)
-+int vcpu_reset(struct vcpu *v)
- {
- struct domain *d = v->domain;
-+ int rc;
-
- vcpu_pause(v);
- domain_lock(d);
-
-- arch_vcpu_reset(v);
-+ set_bit(_VPF_in_reset, &v->pause_flags);
-+ rc = arch_vcpu_reset(v);
-+ if ( rc )
-+ goto out_unlock;
-
- set_bit(_VPF_down, &v->pause_flags);
-
-@@ -802,9 +806,13 @@ void vcpu_reset(struct vcpu *v)
- #endif
- cpumask_clear(v->cpu_affinity_tmp);
- clear_bit(_VPF_blocked, &v->pause_flags);
-+ clear_bit(_VPF_in_reset, &v->pause_flags);
-
-+ out_unlock:
- domain_unlock(v->domain);
- vcpu_unpause(v);
-+
-+ return rc;
- }
-
-
---- a/xen/common/domctl.c
-+++ b/xen/common/domctl.c
-@@ -307,8 +307,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domctl_t) u_domctl)
-
- if ( guest_handle_is_null(op->u.vcpucontext.ctxt) )
- {
-- vcpu_reset(v);
-- ret = 0;
-+ ret = vcpu_reset(v);
-+ if ( ret == -EAGAIN )
-+ ret = hypercall_create_continuation(
-+ __HYPERVISOR_domctl, "h", u_domctl);
- goto svc_out;
- }
-
---- a/xen/include/asm-x86/mm.h
-+++ b/xen/include/asm-x86/mm.h
-@@ -605,7 +605,7 @@ void audit_domains(void);
- int new_guest_cr3(unsigned long pfn);
- void make_cr3(struct vcpu *v, unsigned long mfn);
- void update_cr3(struct vcpu *v);
--int vcpu_destroy_pagetables(struct vcpu *, bool_t preemptible);
-+int vcpu_destroy_pagetables(struct vcpu *);
- void propagate_page_fault(unsigned long addr, u16 error_code);
- void *do_page_walk(struct vcpu *v, unsigned long addr);
-
---- a/xen/include/xen/domain.h
-+++ b/xen/include/xen/domain.h
-@@ -13,7 +13,7 @@ typedef union {
- struct vcpu *alloc_vcpu(
- struct domain *d, unsigned int vcpu_id, unsigned int cpu_id);
- struct vcpu *alloc_dom0_vcpu0(void);
--void vcpu_reset(struct vcpu *v);
-+int vcpu_reset(struct vcpu *);
-
- struct xen_domctl_getdomaininfo;
- void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info);
-@@ -67,7 +67,7 @@ void arch_dump_vcpu_info(struct vcpu *v);
-
- void arch_dump_domain_info(struct domain *d);
-
--void arch_vcpu_reset(struct vcpu *v);
-+int arch_vcpu_reset(struct vcpu *);
-
- extern spinlock_t vcpu_alloc_lock;
- bool_t domctl_lock_acquire(void);
---- a/xen/include/xen/sched.h
-+++ b/xen/include/xen/sched.h
-@@ -644,6 +644,9 @@ static inline struct domain *next_domain_in_cpupool(
- /* VCPU is blocked due to missing mem_sharing ring. */
- #define _VPF_mem_sharing 6
- #define VPF_mem_sharing (1UL<<_VPF_mem_sharing)
-+ /* VCPU is being reset. */
-+#define _VPF_in_reset 7
-+#define VPF_in_reset (1UL<<_VPF_in_reset)
-
- static inline int vcpu_runnable(struct vcpu *v)
- {
+++ /dev/null
-Description: x86: make arch_set_info_guest() preemptible
- .. as the root page table validation (and the dropping of an eventual
- old one) can require meaningful amounts of time.
-From: Jan Beulich <jbeulich@suse.com>
-Origin: upstream
-Id: CVE-2013-1918 XSA-45
----
---- a/xen/arch/x86/domain.c
-+++ b/xen/arch/x86/domain.c
-@@ -858,6 +858,9 @@ int arch_set_info_guest(
-
- if ( !v->is_initialised )
- {
-+ if ( !compat && !(flags & VGCF_in_kernel) && !c.nat->ctrlreg[1] )
-+ return -EINVAL;
-+
- v->arch.pv_vcpu.ldt_base = c(ldt_base);
- v->arch.pv_vcpu.ldt_ents = c(ldt_ents);
- }
-@@ -955,24 +958,44 @@ int arch_set_info_guest(
- if ( rc != 0 )
- return rc;
-
-+ set_bit(_VPF_in_reset, &v->pause_flags);
-+
- if ( !compat )
-- {
- cr3_gfn = xen_cr3_to_pfn(c.nat->ctrlreg[3]);
-- cr3_page = get_page_from_gfn(d, cr3_gfn, NULL, P2M_ALLOC);
--
-- if ( !cr3_page )
-- {
-- destroy_gdt(v);
-- return -EINVAL;
-- }
-- if ( !paging_mode_refcounts(d)
-- && !get_page_type(cr3_page, PGT_base_page_table) )
-- {
-- put_page(cr3_page);
-- destroy_gdt(v);
-- return -EINVAL;
-- }
-+#ifdef CONFIG_COMPAT
-+ else
-+ cr3_gfn = compat_cr3_to_pfn(c.cmp->ctrlreg[3]);
-+#endif
-+ cr3_page = get_page_from_gfn(d, cr3_gfn, NULL, P2M_ALLOC);
-
-+ if ( !cr3_page )
-+ rc = -EINVAL;
-+ else if ( paging_mode_refcounts(d) )
-+ /* nothing */;
-+ else if ( cr3_page == v->arch.old_guest_table )
-+ {
-+ v->arch.old_guest_table = NULL;
-+ put_page(cr3_page);
-+ }
-+ else
-+ {
-+ /*
-+ * Since v->arch.guest_table{,_user} are both NULL, this effectively
-+ * is just a call to put_old_guest_table().
-+ */
-+ if ( !compat )
-+ rc = vcpu_destroy_pagetables(v);
-+ if ( !rc )
-+ rc = get_page_type_preemptible(cr3_page,
-+ !compat ? PGT_root_page_table
-+ : PGT_l3_page_table);
-+ if ( rc == -EINTR )
-+ rc = -EAGAIN;
-+ }
-+ if ( rc )
-+ /* handled below */;
-+ else if ( !compat )
-+ {
- v->arch.guest_table = pagetable_from_page(cr3_page);
- #ifdef __x86_64__
- if ( c.nat->ctrlreg[1] )
-@@ -980,56 +1003,44 @@ int arch_set_info_guest(
- cr3_gfn = xen_cr3_to_pfn(c.nat->ctrlreg[1]);
- cr3_page = get_page_from_gfn(d, cr3_gfn, NULL, P2M_ALLOC);
-
-- if ( !cr3_page ||
-- (!paging_mode_refcounts(d)
-- && !get_page_type(cr3_page, PGT_base_page_table)) )
-+ if ( !cr3_page )
-+ rc = -EINVAL;
-+ else if ( !paging_mode_refcounts(d) )
- {
-- if (cr3_page)
-- put_page(cr3_page);
-- cr3_page = pagetable_get_page(v->arch.guest_table);
-- v->arch.guest_table = pagetable_null();
-- if ( paging_mode_refcounts(d) )
-- put_page(cr3_page);
-- else
-- put_page_and_type(cr3_page);
-- destroy_gdt(v);
-- return -EINVAL;
-+ rc = get_page_type_preemptible(cr3_page, PGT_root_page_table);
-+ switch ( rc )
-+ {
-+ case -EINTR:
-+ rc = -EAGAIN;
-+ case -EAGAIN:
-+ v->arch.old_guest_table =
-+ pagetable_get_page(v->arch.guest_table);
-+ v->arch.guest_table = pagetable_null();
-+ break;
-+ }
- }
--
-- v->arch.guest_table_user = pagetable_from_page(cr3_page);
-- }
-- else if ( !(flags & VGCF_in_kernel) )
-- {
-- destroy_gdt(v);
-- return -EINVAL;
-+ if ( !rc )
-+ v->arch.guest_table_user = pagetable_from_page(cr3_page);
- }
- }
- else
- {
- l4_pgentry_t *l4tab;
-
-- cr3_gfn = compat_cr3_to_pfn(c.cmp->ctrlreg[3]);
-- cr3_page = get_page_from_gfn(d, cr3_gfn, NULL, P2M_ALLOC);
--
-- if ( !cr3_page)
-- {
-- destroy_gdt(v);
-- return -EINVAL;
-- }
--
-- if (!paging_mode_refcounts(d)
-- && !get_page_type(cr3_page, PGT_l3_page_table) )
-- {
-- put_page(cr3_page);
-- destroy_gdt(v);
-- return -EINVAL;
-- }
--
- l4tab = __va(pagetable_get_paddr(v->arch.guest_table));
- *l4tab = l4e_from_pfn(page_to_mfn(cr3_page),
- _PAGE_PRESENT|_PAGE_RW|_PAGE_USER|_PAGE_ACCESSED);
- #endif
- }
-+ if ( rc )
-+ {
-+ if ( cr3_page )
-+ put_page(cr3_page);
-+ destroy_gdt(v);
-+ return rc;
-+ }
-+
-+ clear_bit(_VPF_in_reset, &v->pause_flags);
-
- if ( v->vcpu_id == 0 )
- update_domain_wallclock_time(d);
---- a/xen/common/compat/domain.c
-+++ b/xen/common/compat/domain.c
-@@ -50,6 +50,10 @@ int compat_vcpu_op(int cmd, int vcpuid, XEN_GUEST_HANDLE(void) arg)
- rc = v->is_initialised ? -EEXIST : arch_set_info_guest(v, cmp_ctxt);
- domain_unlock(d);
-
-+ if ( rc == -EAGAIN )
-+ rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
-+ cmd, vcpuid, arg);
-+
- xfree(cmp_ctxt);
- break;
- }
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-@@ -849,6 +849,11 @@ long do_vcpu_op(int cmd, int vcpuid, XEN_GUEST_HANDLE(void) arg)
- domain_unlock(d);
-
- free_vcpu_guest_context(ctxt);
-+
-+ if ( rc == -EAGAIN )
-+ rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
-+ cmd, vcpuid, arg);
-+
- break;
-
- case VCPUOP_up: {
---- a/xen/common/domctl.c
-+++ b/xen/common/domctl.c
-@@ -339,6 +339,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domctl_t) u_domctl)
- domain_pause(d);
- ret = arch_set_info_guest(v, c);
- domain_unpause(d);
-+
-+ if ( ret == -EAGAIN )
-+ ret = hypercall_create_continuation(
-+ __HYPERVISOR_domctl, "h", u_domctl);
- }
-
- svc_out:
+++ /dev/null
-Description: x86: make page table unpinning preemptible
- ... as it may take significant amounts of time.
- .
- Since we can't re-invoke the operation in a second attempt, the
- continuation logic must be slightly tweaked so that we make sure
- do_mmuext_op() gets run one more time even when the preempted unpin
- operation was the last one in a batch.
-From: Jan Beulich <jbeulich@suse.com>
-Origin: upstream
-Id: CVE-2013-1918 XSA-45
----
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -3123,6 +3123,14 @@ long do_mmuext_op(
- return rc;
- }
-
-+ if ( unlikely(count == MMU_UPDATE_PREEMPTED) &&
-+ likely(guest_handle_is_null(uops)) )
-+ {
-+ /* See the curr->arch.old_guest_table related
-+ * hypercall_create_continuation() below. */
-+ return (int)foreigndom;
-+ }
-+
- if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
- {
- count &= ~MMU_UPDATE_PREEMPTED;
-@@ -3146,7 +3154,7 @@ long do_mmuext_op(
-
- for ( i = 0; i < count; i++ )
- {
-- if ( hypercall_preempt_check() )
-+ if ( curr->arch.old_guest_table || hypercall_preempt_check() )
- {
- rc = -EAGAIN;
- break;
-@@ -3266,7 +3274,17 @@ long do_mmuext_op(
- break;
- }
-
-- put_page_and_type(page);
-+ switch ( rc = put_page_and_type_preemptible(page, 1) )
-+ {
-+ case -EINTR:
-+ case -EAGAIN:
-+ curr->arch.old_guest_table = page;
-+ rc = 0;
-+ break;
-+ default:
-+ BUG_ON(rc);
-+ break;
-+ }
- put_page(page);
-
- /* A page is dirtied when its pin status is cleared. */
-@@ -3587,9 +3605,27 @@ long do_mmuext_op(
- }
-
- if ( rc == -EAGAIN )
-+ {
-+ ASSERT(i < count);
- rc = hypercall_create_continuation(
- __HYPERVISOR_mmuext_op, "hihi",
- uops, (count - i) | MMU_UPDATE_PREEMPTED, pdone, foreigndom);
-+ }
-+ else if ( curr->arch.old_guest_table )
-+ {
-+ XEN_GUEST_HANDLE(void) null;
-+
-+ ASSERT(rc || i == count);
-+ set_xen_guest_handle(null, NULL);
-+ /*
-+ * In order to have a way to communicate the final return value to
-+ * our continuation, we pass this in place of "foreigndom", building
-+ * on the fact that this argument isn't needed anymore.
-+ */
-+ rc = hypercall_create_continuation(
-+ __HYPERVISOR_mmuext_op, "hihi", null,
-+ MMU_UPDATE_PREEMPTED, null, rc);
-+ }
-
- put_pg_owner(pg_owner);
-
---- a/xen/arch/x86/x86_64/compat/mm.c
-+++ b/xen/arch/x86/x86_64/compat/mm.c
-@@ -268,6 +268,13 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mmuext_op_compat_t) cmp_uops,
- int rc = 0;
- XEN_GUEST_HANDLE(mmuext_op_t) nat_ops;
-
-+ if ( unlikely(count == MMU_UPDATE_PREEMPTED) &&
-+ likely(guest_handle_is_null(cmp_uops)) )
-+ {
-+ set_xen_guest_handle(nat_ops, NULL);
-+ return do_mmuext_op(nat_ops, count, pdone, foreigndom);
-+ }
-+
- preempt_mask = count & MMU_UPDATE_PREEMPTED;
- count ^= preempt_mask;
-
-@@ -370,12 +377,18 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mmuext_op_compat_t) cmp_uops,
- guest_handle_add_offset(nat_ops, i - left);
- guest_handle_subtract_offset(cmp_uops, left);
- left = 1;
-- BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops, cmp_uops));
-- BUG_ON(left != arg1);
-- if (!test_bit(_MCSF_in_multicall, &mcs->flags))
-- regs->_ecx += count - i;
-+ if ( arg1 != MMU_UPDATE_PREEMPTED )
-+ {
-+ BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops,
-+ cmp_uops));
-+ if ( !test_bit(_MCSF_in_multicall, &mcs->flags) )
-+ regs->_ecx += count - i;
-+ else
-+ mcs->compat_call.args[1] += count - i;
-+ }
- else
-- mcs->compat_call.args[1] += count - i;
-+ BUG_ON(hypercall_xlat_continuation(&left, 0));
-+ BUG_ON(left != arg1);
- }
- else
- BUG_ON(err > 0);
+++ /dev/null
-Description: x86: make page table handling error paths preemptible
- ... as they may take significant amounts of time.
- .
- This requires cloning the tweaked continuation logic from
- do_mmuext_op() to do_mmu_update().
- .
- Note that in mod_l[34]_entry() a negative "preemptible" value gets
- passed to put_page_from_l[34]e() now, telling the callee to store the
- respective page in current->arch.old_guest_table (for a hypercall
- continuation to pick up), rather than carrying out the put right away.
- This is going to be made a little more explicit by a subsequent cleanup
- patch.
-From: Jan Beulich <jbeulich@suse.com>
-Origin: upstream
-Id: CVE-2013-1918 XSA-45
----
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -1241,7 +1241,16 @@ static int put_page_from_l3e(l3_pgentry_t l3e, unsigned long pfn,
- #endif
-
- if ( unlikely(partial > 0) )
-+ {
-+ ASSERT(preemptible >= 0);
- return __put_page_type(l3e_get_page(l3e), preemptible);
-+ }
-+
-+ if ( preemptible < 0 )
-+ {
-+ current->arch.old_guest_table = l3e_get_page(l3e);
-+ return 0;
-+ }
-
- return put_page_and_type_preemptible(l3e_get_page(l3e), preemptible);
- }
-@@ -1254,7 +1263,17 @@ static int put_page_from_l4e(l4_pgentry_t l4e, unsigned long pfn,
- (l4e_get_pfn(l4e) != pfn) )
- {
- if ( unlikely(partial > 0) )
-+ {
-+ ASSERT(preemptible >= 0);
- return __put_page_type(l4e_get_page(l4e), preemptible);
-+ }
-+
-+ if ( preemptible < 0 )
-+ {
-+ current->arch.old_guest_table = l4e_get_page(l4e);
-+ return 0;
-+ }
-+
- return put_page_and_type_preemptible(l4e_get_page(l4e), preemptible);
- }
- return 1;
-@@ -1549,12 +1568,17 @@ static int alloc_l3_table(struct page_info *page, int preemptible)
- if ( rc < 0 && rc != -EAGAIN && rc != -EINTR )
- {
- MEM_LOG("Failure in alloc_l3_table: entry %d", i);
-+ if ( i )
-+ {
-+ page->nr_validated_ptes = i;
-+ page->partial_pte = 0;
-+ current->arch.old_guest_table = page;
-+ }
- while ( i-- > 0 )
- {
- if ( !is_guest_l3_slot(i) )
- continue;
- unadjust_guest_l3e(pl3e[i], d);
-- put_page_from_l3e(pl3e[i], pfn, 0, 0);
- }
- }
-
-@@ -1584,22 +1608,24 @@ static int alloc_l4_table(struct page_info *page, int preemptible)
- page->nr_validated_ptes = i;
- page->partial_pte = partial ?: 1;
- }
-- else if ( rc == -EINTR )
-+ else if ( rc < 0 )
- {
-+ if ( rc != -EINTR )
-+ MEM_LOG("Failure in alloc_l4_table: entry %d", i);
- if ( i )
- {
- page->nr_validated_ptes = i;
- page->partial_pte = 0;
-- rc = -EAGAIN;
-+ if ( rc == -EINTR )
-+ rc = -EAGAIN;
-+ else
-+ {
-+ if ( current->arch.old_guest_table )
-+ page->nr_validated_ptes++;
-+ current->arch.old_guest_table = page;
-+ }
- }
- }
-- else if ( rc < 0 )
-- {
-- MEM_LOG("Failure in alloc_l4_table: entry %d", i);
-- while ( i-- > 0 )
-- if ( is_guest_l4_slot(d, i) )
-- put_page_from_l4e(pl4e[i], pfn, 0, 0);
-- }
- if ( rc < 0 )
- return rc;
-
-@@ -2047,7 +2073,7 @@ static int mod_l3_entry(l3_pgentry_t *pl3e,
- pae_flush_pgd(pfn, pgentry_ptr_to_slot(pl3e), nl3e);
- }
-
-- put_page_from_l3e(ol3e, pfn, 0, 0);
-+ put_page_from_l3e(ol3e, pfn, 0, -preemptible);
- return rc;
- }
-
-@@ -2110,7 +2136,7 @@ static int mod_l4_entry(l4_pgentry_t *pl4e,
- return -EFAULT;
- }
-
-- put_page_from_l4e(ol4e, pfn, 0, 0);
-+ put_page_from_l4e(ol4e, pfn, 0, -preemptible);
- return rc;
- }
-
-@@ -2268,7 +2294,15 @@ static int alloc_page_type(struct page_info *page, unsigned long type,
- PRtype_info ": caf=%08lx taf=%" PRtype_info,
- page_to_mfn(page), get_gpfn_from_mfn(page_to_mfn(page)),
- type, page->count_info, page->u.inuse.type_info);
-- page->u.inuse.type_info = 0;
-+ if ( page != current->arch.old_guest_table )
-+ page->u.inuse.type_info = 0;
-+ else
-+ {
-+ ASSERT((page->u.inuse.type_info &
-+ (PGT_count_mask | PGT_validated)) == 1);
-+ get_page_light(page);
-+ page->u.inuse.type_info |= PGT_partial;
-+ }
- }
- else
- {
-@@ -3218,21 +3252,17 @@ long do_mmuext_op(
- }
-
- if ( (rc = xsm_memory_pin_page(d, pg_owner, page)) != 0 )
-- {
-- put_page_and_type(page);
- okay = 0;
-- break;
-- }
--
-- if ( unlikely(test_and_set_bit(_PGT_pinned,
-- &page->u.inuse.type_info)) )
-+ else if ( unlikely(test_and_set_bit(_PGT_pinned,
-+ &page->u.inuse.type_info)) )
- {
- MEM_LOG("Mfn %lx already pinned", page_to_mfn(page));
-- put_page_and_type(page);
- okay = 0;
-- break;
- }
-
-+ if ( unlikely(!okay) )
-+ goto pin_drop;
-+
- /* A page is dirtied when its pin status is set. */
- paging_mark_dirty(pg_owner, page_to_mfn(page));
-
-@@ -3246,7 +3276,13 @@ long do_mmuext_op(
- &page->u.inuse.type_info));
- spin_unlock(&pg_owner->page_alloc_lock);
- if ( drop_ref )
-- put_page_and_type(page);
-+ {
-+ pin_drop:
-+ if ( type == PGT_l1_page_table )
-+ put_page_and_type(page);
-+ else
-+ curr->arch.old_guest_table = page;
-+ }
- }
-
- break;
-@@ -3652,11 +3688,28 @@ long do_mmu_update(
- void *va;
- unsigned long gpfn, gmfn, mfn;
- struct page_info *page;
-- int rc = 0, i = 0;
-- unsigned int cmd, done = 0, pt_dom;
-- struct vcpu *v = current;
-+ unsigned int cmd, i = 0, done = 0, pt_dom;
-+ struct vcpu *curr = current, *v = curr;
- struct domain *d = v->domain, *pt_owner = d, *pg_owner;
- struct domain_mmap_cache mapcache;
-+ int rc = put_old_guest_table(curr);
-+
-+ if ( unlikely(rc) )
-+ {
-+ if ( likely(rc == -EAGAIN) )
-+ rc = hypercall_create_continuation(
-+ __HYPERVISOR_mmu_update, "hihi", ureqs, count, pdone,
-+ foreigndom);
-+ return rc;
-+ }
-+
-+ if ( unlikely(count == MMU_UPDATE_PREEMPTED) &&
-+ likely(guest_handle_is_null(ureqs)) )
-+ {
-+ /* See the curr->arch.old_guest_table related
-+ * hypercall_create_continuation() below. */
-+ return (int)foreigndom;
-+ }
-
- if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
- {
-@@ -3705,7 +3758,7 @@ long do_mmu_update(
-
- for ( i = 0; i < count; i++ )
- {
-- if ( hypercall_preempt_check() )
-+ if ( curr->arch.old_guest_table || hypercall_preempt_check() )
- {
- rc = -EAGAIN;
- break;
-@@ -3886,9 +3939,27 @@ long do_mmu_update(
- }
-
- if ( rc == -EAGAIN )
-+ {
-+ ASSERT(i < count);
- rc = hypercall_create_continuation(
- __HYPERVISOR_mmu_update, "hihi",
- ureqs, (count - i) | MMU_UPDATE_PREEMPTED, pdone, foreigndom);
-+ }
-+ else if ( curr->arch.old_guest_table )
-+ {
-+ XEN_GUEST_HANDLE(void) null;
-+
-+ ASSERT(rc || i == count);
-+ set_xen_guest_handle(null, NULL);
-+ /*
-+ * In order to have a way to communicate the final return value to
-+ * our continuation, we pass this in place of "foreigndom", building
-+ * on the fact that this argument isn't needed anymore.
-+ */
-+ rc = hypercall_create_continuation(
-+ __HYPERVISOR_mmu_update, "hihi", null,
-+ MMU_UPDATE_PREEMPTED, null, rc);
-+ }
-
- put_pg_owner(pg_owner);
-
+++ /dev/null
-Description: VT-d: don't permit SVT_NO_VERIFY entries for known device types
- Only in cases where we don't know what to do we should leave the IRTE
- blank (suppressing all validation), but we should always log a warning
- in those cases (as being insecure).
-From: Jan Beulich <jbeulich@suse.com>
-Id: CVE-2013-1952 XSA-49
----
---- a/xen/drivers/passthrough/vtd/intremap.c
-+++ b/xen/drivers/passthrough/vtd/intremap.c
-@@ -440,16 +440,15 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
- type = pdev_type(seg, bus, devfn);
- switch ( type )
- {
-+ case DEV_TYPE_PCIe_ENDPOINT:
- case DEV_TYPE_PCIe_BRIDGE:
- case DEV_TYPE_PCIe2PCI_BRIDGE:
-- case DEV_TYPE_LEGACY_PCI_BRIDGE:
-- break;
--
-- case DEV_TYPE_PCIe_ENDPOINT:
- set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn));
- break;
-
- case DEV_TYPE_PCI:
-+ case DEV_TYPE_LEGACY_PCI_BRIDGE:
-+ /* case DEV_TYPE_PCI2PCIe_BRIDGE: */
- ret = find_upstream_bridge(seg, &bus, &devfn, &secbus);
- if ( ret == 0 ) /* integrated PCI device */
- {
-@@ -461,10 +460,15 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
- if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
- (bus << 8) | pdev->bus);
-- else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
-+ else
- set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
- PCI_BDF2(bus, devfn));
- }
-+ else
-+ dprintk(XENLOG_WARNING VTDPREFIX,
-+ "d%d: no upstream bridge for %04x:%02x:%02x.%u\n",
-+ pdev->domain->domain_id,
-+ seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn));
- break;
-
- default:
+++ /dev/null
-Description: libxc: limit cpu values when setting vcpu affinity
- When support for pinning more than 64 cpus was added, check for cpu
- out-of-range values was removed. This can lead to subsequent
- out-of-bounds cpumap array accesses in case the cpu number is higher
- than the actual count.
- .
- This patch returns the check.
-From: Petr Matousek <pmatouse@redhat.com>
-Origin: upstream
-Id: CVE-2013-2072 XSA-56
----
---- a/tools/python/xen/lowlevel/xc/xc.c
-+++ b/tools/python/xen/lowlevel/xc/xc.c
-@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
- int vcpu = 0, i;
- xc_cpumap_t cpumap;
- PyObject *cpulist = NULL;
-+ int nr_cpus;
-
- static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
-
-@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
- &dom, &vcpu, &cpulist) )
- return NULL;
-
-+ nr_cpus = xc_get_max_cpus(self->xc_handle);
-+ if ( nr_cpus == 0 )
-+ return pyxc_error_to_exception(self->xc_handle);
-+
- cpumap = xc_cpumap_alloc(self->xc_handle);
- if(cpumap == NULL)
- return pyxc_error_to_exception(self->xc_handle);
-@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
- for ( i = 0; i < PyList_Size(cpulist); i++ )
- {
- long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
-+ if ( cpu < 0 || cpu >= nr_cpus )
-+ {
-+ free(cpumap);
-+ errno = EINVAL;
-+ PyErr_SetFromErrno(xc_error_obj);
-+ return NULL;
-+ }
- cpumap[cpu / 8] |= 1 << (cpu % 8);
- }
- }
+++ /dev/null
-Description: x86/xsave: fix information leak on AMD CPUs
- Just like for FXSAVE/FXRSTOR, XSAVE/XRSTOR also don't save/restore the
- last instruction and operand pointers as well as the last opcode if
- there's no pending unmasked exception (see CVE-2006-1056 and commit
- 9747:4d667a139318).
- .
- While the FXSR solution sits in the save path, I prefer to have this in
- the restore path because there the handling is simpler (namely in the
- context of the pending changes to properly save the selector values for
- 32-bit guest code).
- .
- Also this is using FFREE instead of EMMS, as it doesn't seem unlikely
- that in the future we may see CPUs with x87 and SSE/AVX but no MMX
- support. The goal here anyway is just to avoid an FPU stack overflow.
- I would have preferred to use FFREEP instead of FFREE (freeing two
- stack slots at once), but AMD doesn't document that instruction.
-From: Jan Beulich <jbeulich@suse.com>
-Origin: upstream
-Id: CVE-2013-2076 XSA-52.
----
---- a/xen/arch/x86/xstate.c
-+++ b/xen/arch/x86/xstate.c
-@@ -78,6 +78,21 @@ void xrstor(struct vcpu *v, uint64_t mask)
-
- struct xsave_struct *ptr = v->arch.xsave_area;
-
-+ /*
-+ * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception
-+ * is pending. Clear the x87 state here by setting it to fixed
-+ * values. The hypervisor data segment can be sometimes 0 and
-+ * sometimes new user value. Both should be ok. Use the FPU saved
-+ * data block as a safe address because it should be in L1.
-+ */
-+ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
-+ !(ptr->fpu_sse.fsw & 0x0080) &&
-+ boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
-+ asm volatile ( "fnclex\n\t" /* clear exceptions */
-+ "ffree %%st(7)\n\t" /* clear stack tag */
-+ "fildl %0" /* load to clear state */
-+ : : "m" (ptr->fpu_sse) );
-+
- asm volatile (
- ".byte " REX_PREFIX "0x0f,0xae,0x2f"
- :
+++ /dev/null
-Description: x86/xsave: recover from faults on XRSTOR
- Just like FXRSTOR, XRSTOR can raise #GP if bad content is being passed
- to it in the memory block (i.e. aspects not under the control of the
- hypervisor, other than e.g. proper alignment of the block).
- .
- Also correct the comment explaining why FXRSTOR needs exception
- recovery code to not wrongly state that this can only be a result of
- the control tools passing a bad image.
-From: Jan Beulich <jbeulich@suse.com>
-Id: CVE-2013-2077 XSA-53
----
---- a/xen/arch/x86/i387.c
-+++ b/xen/arch/x86/i387.c
-@@ -53,7 +53,7 @@ static inline void fpu_fxrstor(struct vcpu *v)
- /*
- * FXRSTOR can fault if passed a corrupted data block. We handle this
- * possibility, which may occur if the block was passed to us by control
-- * tools, by silently clearing the block.
-+ * tools or through VCPUOP_initialise, by silently clearing the block.
- */
- asm volatile (
- #ifdef __i386__
---- a/xen/arch/x86/xstate.c
-+++ b/xen/arch/x86/xstate.c
-@@ -93,10 +93,25 @@ void xrstor(struct vcpu *v, uint64_t mask)
- "fildl %0" /* load to clear state */
- : : "m" (ptr->fpu_sse) );
-
-- asm volatile (
-- ".byte " REX_PREFIX "0x0f,0xae,0x2f"
-- :
-- : "m" (*ptr), "a" (lmask), "d" (hmask), "D"(ptr) );
-+ /*
-+ * XRSTOR can fault if passed a corrupted data block. We handle this
-+ * possibility, which may occur if the block was passed to us by control
-+ * tools or through VCPUOP_initialise, by silently clearing the block.
-+ */
-+ asm volatile ( "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
-+ ".section .fixup,\"ax\"\n"
-+ "2: mov %5,%%ecx \n"
-+ " xor %1,%1 \n"
-+ " rep stosb \n"
-+ " lea %2,%0 \n"
-+ " mov %3,%1 \n"
-+ " jmp 1b \n"
-+ ".previous \n"
-+ _ASM_EXTABLE(1b, 2b)
-+ : "+&D" (ptr), "+&a" (lmask)
-+ : "m" (*ptr), "g" (lmask), "d" (hmask),
-+ "m" (xsave_cntxt_size)
-+ : "ecx" );
- }
-
- bool_t xsave_enabled(const struct vcpu *v)
+++ /dev/null
-Description: x86/xsave: properly check guest input to XSETBV
- Other than the HVM emulation path, the PV case so far failed to check
- that YMM state requires SSE state to be enabled, allowing for a #GP to
- occur upon passing the inputs to XSETBV inside the hypervisor.
-From: Jan Beulich <jbeulich@suse.com>
-Id: CVE-2013-2078 XSA-54.
----
---- a/xen/arch/x86/traps.c
-+++ b/xen/arch/x86/traps.c
-@@ -2286,6 +2286,11 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
- if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) )
- goto fail;
-
-+ /* YMM state takes SSE state as prerequisite. */
-+ if ( (xfeature_mask & new_xfeature & XSTATE_YMM) &&
-+ !(new_xfeature & XSTATE_SSE) )
-+ goto fail;
-+
- v->arch.xcr0 = new_xfeature;
- v->arch.xcr0_accum |= new_xfeature;
- set_xcr0(new_xfeature);
+++ /dev/null
-libxl: Restrict permissions on PV console device xenstore nodes
-
-Matthew Daley has observed that the PV console protocol places sensitive host
-state into a guest writeable xenstore locations, this includes:
-
- - The pty used to communicate between the console backend daemon and its
- client, allowing the guest administrator to read and write arbitrary host
- files.
- - The output file, allowing the guest administrator to write arbitrary host
- files or to target arbitrary qemu chardevs which include sockets, udp, ptr,
- pipes etc (see -chardev in qemu(1) for a more complete list).
- - The maximum buffer size, allowing the guest administrator to consume more
- resources than the host administrator has configured.
- - The backend to use (qemu vs xenconsoled), potentially allowing the guest
- administrator to confuse host software.
-
-So we arrange to make the sensitive keys in the xenstore frontend directory
-read only for the guest. This is safe since the xenstore permissions model,
-unlike POSIX directory permissions, does not allow the guest to remove and
-recreate a node if it has write access to the containing directory.
-
-There are a few associated wrinkles:
-
- - The primary PV console is "special". It's xenstore node is not under the
- usual /devices/ subtree and it does not use the customary xenstore state
- machine protocol. Unfortunately its directory is used for other things,
- including the vnc-port node, which we do not want the guest to be able to
- write to. Rather than trying to track down all the possible secondary uses
- of this directory just make it r/o to the guest. All newly created
- subdirectories inherit these permissions and so are now safe by default.
-
- - The other serial consoles do use the customary xenstore state machine and
- therefore need write access to at least the "protocol" and "state" nodes,
- however they may also want to use arbitrary "feature-foo" nodes (although
- I'm not aware of any) and therefore we cannot simply lock down the entire
- frontend directory. Instead we add support to libxl__device_generic_add for
- frontend keys which are explicitly read only and use that to lock down the
- sensitive keys.
-
- - Minios' console frontend wants to write the "type" node, which it has no
- business doing since this is a host/toolstack level decision. This fails
- now that the node has become read only to the PV guest. Since the toolstack
- already writes this node just remove the attempt to set it.
-
-This is CVE-XXXX-XXX / XSA-57
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-
-Conflicts:
- tools/libxl/libxl.c (no vtpm, free front_ro on error in
- libxl__device_console_add)
-
-diff --git a/extras/mini-os/console/xenbus.c b/extras/mini-os/console/xenbus.c
-index 77de82a..e65baf7 100644
---- a/extras/mini-os/console/xenbus.c
-+++ b/extras/mini-os/console/xenbus.c
-@@ -122,12 +122,6 @@ again:
- goto abort_transaction;
- }
-
-- err = xenbus_printf(xbt, nodename, "type", "%s", "ioemu");
-- if (err) {
-- message = "writing type";
-- goto abort_transaction;
-- }
--
- snprintf(path, sizeof(path), "%s/state", nodename);
- err = xenbus_switch_state(xbt, path, XenbusStateConnected);
- if (err) {
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index a6e9601..32d788a 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -1920,8 +1920,9 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
- flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk");
-
- libxl__device_generic_add(gc, t, device,
-- libxl__xs_kvs_of_flexarray(gc, back, back->count),
-- libxl__xs_kvs_of_flexarray(gc, front, front->count));
-+ libxl__xs_kvs_of_flexarray(gc, back, back->count),
-+ libxl__xs_kvs_of_flexarray(gc, front, front->count),
-+ NULL);
-
- rc = libxl__xs_transaction_commit(gc, &t);
- if (!rc) break;
-@@ -2633,8 +2634,9 @@ void libxl__device_nic_add(libxl__egc *egc, uint32_t domid,
- flexarray_append(front, libxl__sprintf(gc,
- LIBXL_MAC_FMT, LIBXL_MAC_BYTES(nic->mac)));
- libxl__device_generic_add(gc, XBT_NULL, device,
-- libxl__xs_kvs_of_flexarray(gc, back, back->count),
-- libxl__xs_kvs_of_flexarray(gc, front, front->count));
-+ libxl__xs_kvs_of_flexarray(gc, back, back->count),
-+ libxl__xs_kvs_of_flexarray(gc, front, front->count),
-+ NULL);
-
- aodev->dev = device;
- aodev->action = DEVICE_CONNECT;
-@@ -2830,7 +2832,7 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
- libxl__device_console *console,
- libxl__domain_build_state *state)
- {
-- flexarray_t *front;
-+ flexarray_t *front, *ro_front;
- flexarray_t *back;
- libxl__device device;
- int rc;
-@@ -2845,6 +2847,11 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
- rc = ERROR_NOMEM;
- goto out;
- }
-+ ro_front = flexarray_make(16, 1);
-+ if (!ro_front) {
-+ rc = ERROR_NOMEM;
-+ goto out;
-+ }
- back = flexarray_make(16, 1);
- if (!back) {
- rc = ERROR_NOMEM;
-@@ -2871,21 +2878,24 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
-
- flexarray_append(front, "backend-id");
- flexarray_append(front, libxl__sprintf(gc, "%d", console->backend_domid));
-- flexarray_append(front, "limit");
-- flexarray_append(front, libxl__sprintf(gc, "%d", LIBXL_XENCONSOLE_LIMIT));
-- flexarray_append(front, "type");
-+
-+ flexarray_append(ro_front, "limit");
-+ flexarray_append(ro_front, libxl__sprintf(gc, "%d", LIBXL_XENCONSOLE_LIMIT));
-+ flexarray_append(ro_front, "type");
- if (console->consback == LIBXL__CONSOLE_BACKEND_XENCONSOLED)
-- flexarray_append(front, "xenconsoled");
-+ flexarray_append(ro_front, "xenconsoled");
- else
-- flexarray_append(front, "ioemu");
-- flexarray_append(front, "output");
-- flexarray_append(front, console->output);
-+ flexarray_append(ro_front, "ioemu");
-+ flexarray_append(ro_front, "output");
-+ flexarray_append(ro_front, console->output);
-+ flexarray_append(ro_front, "tty");
-+ flexarray_append(ro_front, "");
-
- if (state) {
-- flexarray_append(front, "port");
-- flexarray_append(front, libxl__sprintf(gc, "%"PRIu32, state->console_port));
-- flexarray_append(front, "ring-ref");
-- flexarray_append(front, libxl__sprintf(gc, "%lu", state->console_mfn));
-+ flexarray_append(ro_front, "port");
-+ flexarray_append(ro_front, libxl__sprintf(gc, "%"PRIu32, state->console_port));
-+ flexarray_append(ro_front, "ring-ref");
-+ flexarray_append(ro_front, libxl__sprintf(gc, "%lu", state->console_mfn));
- } else {
- flexarray_append(front, "state");
- flexarray_append(front, libxl__sprintf(gc, "%d", 1));
-@@ -2894,11 +2904,13 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
- }
-
- libxl__device_generic_add(gc, XBT_NULL, &device,
-- libxl__xs_kvs_of_flexarray(gc, back, back->count),
-- libxl__xs_kvs_of_flexarray(gc, front, front->count));
-+ libxl__xs_kvs_of_flexarray(gc, back, back->count),
-+ libxl__xs_kvs_of_flexarray(gc, front, front->count),
-+ libxl__xs_kvs_of_flexarray(gc, ro_front, ro_front->count));
- rc = 0;
- out_free:
- flexarray_free(back);
-+ flexarray_free(ro_front);
- flexarray_free(front);
- out:
- return rc;
-@@ -2982,8 +2994,9 @@ int libxl__device_vkb_add(libxl__gc *gc, uint32_t domid,
- flexarray_append(front, libxl__sprintf(gc, "%d", 1));
-
- libxl__device_generic_add(gc, XBT_NULL, &device,
-- libxl__xs_kvs_of_flexarray(gc, back, back->count),
-- libxl__xs_kvs_of_flexarray(gc, front, front->count));
-+ libxl__xs_kvs_of_flexarray(gc, back, back->count),
-+ libxl__xs_kvs_of_flexarray(gc, front, front->count),
-+ NULL);
- rc = 0;
- out_free:
- flexarray_free(back);
-@@ -3096,8 +3109,9 @@ int libxl__device_vfb_add(libxl__gc *gc, uint32_t domid, libxl_device_vfb *vfb)
- flexarray_append_pair(front, "state", libxl__sprintf(gc, "%d", 1));
-
- libxl__device_generic_add(gc, XBT_NULL, &device,
-- libxl__xs_kvs_of_flexarray(gc, back, back->count),
-- libxl__xs_kvs_of_flexarray(gc, front, front->count));
-+ libxl__xs_kvs_of_flexarray(gc, back, back->count),
-+ libxl__xs_kvs_of_flexarray(gc, front, front->count),
-+ NULL);
- rc = 0;
- out_free:
- flexarray_free(front);
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index c3283f1..1c04a21 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-@@ -84,11 +84,12 @@ out:
- }
-
- int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
-- libxl__device *device, char **bents, char **fents)
-+ libxl__device *device, char **bents, char **fents, char **ro_fents)
- {
- libxl_ctx *ctx = libxl__gc_owner(gc);
- char *frontend_path, *backend_path;
- struct xs_permissions frontend_perms[2];
-+ struct xs_permissions ro_frontend_perms[2];
- struct xs_permissions backend_perms[2];
- int create_transaction = t == XBT_NULL;
-
-@@ -100,22 +101,37 @@ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
- frontend_perms[1].id = device->backend_domid;
- frontend_perms[1].perms = XS_PERM_READ;
-
-- backend_perms[0].id = device->backend_domid;
-- backend_perms[0].perms = XS_PERM_NONE;
-- backend_perms[1].id = device->domid;
-- backend_perms[1].perms = XS_PERM_READ;
-+ ro_frontend_perms[0].id = backend_perms[0].id = device->backend_domid;
-+ ro_frontend_perms[0].perms = backend_perms[0].perms = XS_PERM_NONE;
-+ ro_frontend_perms[1].id = backend_perms[1].id = device->domid;
-+ ro_frontend_perms[1].perms = backend_perms[1].perms = XS_PERM_READ;
-
- retry_transaction:
- if (create_transaction)
- t = xs_transaction_start(ctx->xsh);
- /* FIXME: read frontend_path and check state before removing stuff */
-
-- if (fents) {
-+ if (fents || ro_fents) {
- xs_rm(ctx->xsh, t, frontend_path);
- xs_mkdir(ctx->xsh, t, frontend_path);
-- xs_set_permissions(ctx->xsh, t, frontend_path, frontend_perms, ARRAY_SIZE(frontend_perms));
-+ /* Console 0 is a special case. It doesn't use the regular PV
-+ * state machine but also the frontend directory has
-+ * historically contained other information, such as the
-+ * vnc-port, which we don't want the guest fiddling with.
-+ */
-+ if (device->kind == LIBXL__DEVICE_KIND_CONSOLE && device->devid == 0)
-+ xs_set_permissions(ctx->xsh, t, frontend_path,
-+ ro_frontend_perms, ARRAY_SIZE(ro_frontend_perms));
-+ else
-+ xs_set_permissions(ctx->xsh, t, frontend_path,
-+ frontend_perms, ARRAY_SIZE(frontend_perms));
- xs_write(ctx->xsh, t, libxl__sprintf(gc, "%s/backend", frontend_path), backend_path, strlen(backend_path));
-- libxl__xs_writev(gc, t, frontend_path, fents);
-+ if (fents)
-+ libxl__xs_writev_perms(gc, t, frontend_path, fents,
-+ frontend_perms, ARRAY_SIZE(frontend_perms));
-+ if (ro_fents)
-+ libxl__xs_writev_perms(gc, t, frontend_path, ro_fents,
-+ ro_frontend_perms, ARRAY_SIZE(ro_frontend_perms));
- }
-
- if (bents) {
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index 13fa509..ae96a74 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-@@ -516,6 +516,11 @@ _hidden char **libxl__xs_kvs_of_flexarray(libxl__gc *gc, flexarray_t *array, int
- /* treats kvs as pairs of keys and values and writes each to dir. */
- _hidden int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t,
- const char *dir, char **kvs);
-+/* as writev but also sets the permissions on each path */
-+_hidden int libxl__xs_writev_perms(libxl__gc *gc, xs_transaction_t t,
-+ const char *dir, char *kvs[],
-+ struct xs_permissions *perms,
-+ unsigned int num_perms);
- /* _atonce creates a transaction and writes all keys at once */
- _hidden int libxl__xs_writev_atonce(libxl__gc *gc,
- const char *dir, char **kvs);
-@@ -930,7 +935,7 @@ _hidden int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
- libxl__domain_build_state *state);
-
- _hidden int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
-- libxl__device *device, char **bents, char **fents);
-+ libxl__device *device, char **bents, char **fents, char **ro_fents);
- _hidden char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device);
- _hidden char *libxl__device_frontend_path(libxl__gc *gc, libxl__device *device);
- _hidden int libxl__parse_backend_path(libxl__gc *gc, const char *path,
-diff --git a/tools/libxl/libxl_pci.c b/tools/libxl/libxl_pci.c
-index 48986f3..d373b4d 100644
---- a/tools/libxl/libxl_pci.c
-+++ b/tools/libxl/libxl_pci.c
-@@ -106,7 +106,8 @@ int libxl__create_pci_backend(libxl__gc *gc, uint32_t domid,
-
- libxl__device_generic_add(gc, XBT_NULL, &device,
- libxl__xs_kvs_of_flexarray(gc, back, back->count),
-- libxl__xs_kvs_of_flexarray(gc, front, front->count));
-+ libxl__xs_kvs_of_flexarray(gc, front, front->count),
-+ NULL);
-
- out:
- if (back)
-diff --git a/tools/libxl/libxl_xshelp.c b/tools/libxl/libxl_xshelp.c
-index 52af484..d7eaa66 100644
---- a/tools/libxl/libxl_xshelp.c
-+++ b/tools/libxl/libxl_xshelp.c
-@@ -41,8 +41,10 @@ char **libxl__xs_kvs_of_flexarray(libxl__gc *gc, flexarray_t *array, int length)
- return kvs;
- }
-
--int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t,
-- const char *dir, char *kvs[])
-+int libxl__xs_writev_perms(libxl__gc *gc, xs_transaction_t t,
-+ const char *dir, char *kvs[],
-+ struct xs_permissions *perms,
-+ unsigned int num_perms)
- {
- libxl_ctx *ctx = libxl__gc_owner(gc);
- char *path;
-@@ -56,11 +58,19 @@ int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t,
- if (path && kvs[i + 1]) {
- int length = strlen(kvs[i + 1]);
- xs_write(ctx->xsh, t, path, kvs[i + 1], length);
-+ if (perms)
-+ xs_set_permissions(ctx->xsh, t, path, perms, num_perms);
- }
- }
- return 0;
- }
-
-+int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t,
-+ const char *dir, char *kvs[])
-+{
-+ return libxl__xs_writev_perms(gc, t, dir, kvs, NULL, 0);
-+}
-+
- int libxl__xs_writev_atonce(libxl__gc *gc,
- const char *dir, char *kvs[])
- {
+++ /dev/null
-
-# HG changeset patch
-# User Olaf Hering <olaf@aepfle.de>
-# Date 1350549301 -3600
-# Node ID b3b03536789abbf2c4b7d62377034c1f14c6340c
-# Parent 019ca95dfa34efc71b1707f785b5112573e7d02e
-hotplug/Linux: close lockfd after lock attempt
-
-When a HVM guest is shutdown some of the 'remove' events can not claim
-the lock for some reason. Instead they try to grab the lock in a busy
-loop, until udev reaps the xen-hotplug-cleanup helper.
-After analyzing the resulting logfile its not obvious what the cause is.
-The only explanation is that bash (?) gets confused if the same lockfd
-is opened again and again. Closing it in each iteration seem to fix the
-issue.
-
-This was observed with sles11sp2 (bash 3.2) and 4.2 xend.
-
-Signed-off-by: Olaf Hering <olaf@aepfle.de>
-Acked-by: Ian Campbell <Ian.campbell@citrix.com>
-[ ijc -- added the comment ]
-Committed-by: Ian Campbell <ian.campbell@citrix.com>
-
-diff -r 019ca95dfa34 -r b3b03536789a tools/hotplug/Linux/locking.sh
---- a/tools/hotplug/Linux/locking.sh Thu Oct 18 09:35:00 2012 +0100
-+++ b/tools/hotplug/Linux/locking.sh Thu Oct 18 09:35:01 2012 +0100
-@@ -59,6 +59,9 @@ claim_lock()
- print "y\n" if $fd_inum eq $file_inum;
- ' "$_lockfile" )
- if [ x$rightfile = xy ]; then break; fi
-+ # Some versions of bash appear to be buggy if the same
-+ # $_lockfile is opened repeatedly. Close the current fd here.
-+ eval "exec $_lockfd<&-"
- done
- }
-
-
-diff -ur xen-4.2.2/docs/man/xl.cfg.pod.5 xen-4.2.2.doc/docs/man/xl.cfg.pod.5
---- xen-4.2.2/docs/man/xl.cfg.pod.5 2013-04-23 18:42:55.000000000 +0200
-+++ xen-4.2.2.doc/docs/man/xl.cfg.pod.5 2013-07-22 13:43:13.044717979 +0200
-@@ -402,10 +402,10 @@
-
- =back
-
--=item B<ioports=[ "IOPORT_RANGE", "IOPORT_RANGE", ... ]>
--
- =over 4
-
-+=item B<ioports=[ "IOPORT_RANGE", "IOPORT_RANGE", ... ]>
-+
- Allow guest to access specific legacy I/O ports. Each B<IOPORT_RANGE>
- is given in hexadecimal and may either a span e.g. C<2f8-2ff>
- (inclusive) or a single I/O port C<2f8>.
-@@ -415,10 +415,10 @@
-
- =back
-
--=item B<irqs=[ NUMBER, NUMBER, ... ]>
--
- =over 4
-
-+=item B<irqs=[ NUMBER, NUMBER, ... ]>
-+
- Allow a guest to access specific physical IRQs.
-
- It is recommended to use this option only for trusted VMs under
-@@ -680,8 +680,6 @@
-
- =back
-
--=back
--
- Please see F<docs/misc/tscmode.txt> for more information on this option.
-
- =item B<localtime=BOOLEAN>
-@@ -692,6 +690,8 @@
-
- Set the real time clock offset in seconds. 0 by default.
-
-+=back
-+
- =head3 Support for Paravirtualisation of HVM Guests
-
- The following options allow Paravirtualised features (such as devices)
-diff -ur xen-4.2.2/docs/man/xl.pod.1 xen-4.2.2.doc/docs/man/xl.pod.1
---- xen-4.2.2/docs/man/xl.pod.1 2013-04-23 18:42:55.000000000 +0200
-+++ xen-4.2.2.doc/docs/man/xl.pod.1 2013-07-22 13:41:46.400526793 +0200
-@@ -851,8 +851,6 @@
-
- =item B<-p [pool] -d>... : Illegal
-
--=item
--
- =back
-
- =item B<sched-credit2> [I<OPTIONS>]
--- xen-4.2.2/tools/qemu-xen/qemu-options.hx~ 2013-04-06 01:39:54.000000000 +0200
+++ xen-4.2.2/tools/qemu-xen/qemu-options.hx 2013-07-22 14:17:13.970296816 +0200
@@ -1799,7 +1799,7 @@
+++ /dev/null
-Adjust librt checks for glibc 2.17+:
-Since glibc 2.17 clock interface is in libc, but timer interface remains in librt;
-qemu needs both.
---- xen-4.2.1/tools/qemu-xen-traditional/configure.orig 2013-01-12 20:42:53.970053672 +0100
-+++ xen-4.2.1/tools/qemu-xen-traditional/configure 2013-01-12 21:44:40.249976425 +0100
-@@ -1097,7 +1097,7 @@
- cat > $TMPC <<EOF
- #include <signal.h>
- #include <time.h>
--int main(void) { clockid_t id; return clock_gettime(id, NULL); }
-+int main(void) { clockid_t id; timer_t tid; (void)timer_gettime(tid, NULL); return clock_gettime(id, NULL); }
- EOF
-
- rt=no
---- xen-4.2.1/tools/qemu-xen/configure.orig 2013-01-12 20:42:53.986720338 +0100
-+++ xen-4.2.1/tools/qemu-xen/configure 2013-01-12 21:44:39.856643097 +0100
-@@ -2463,7 +2463,7 @@
- cat > $TMPC <<EOF
- #include <signal.h>
- #include <time.h>
--int main(void) { clockid_t id; return clock_gettime(id, NULL); }
-+int main(void) { clockid_t id; timer_t tid; (void)timer_gettime(tid, NULL); return clock_gettime(id, NULL); }
- EOF
-
- if compile_prog "" "" ; then
--- /dev/null
+--- xen-4.3.0/tools/Makefile.orig 2013-08-24 06:55:14.928431689 +0200
++++ xen-4.3.0/tools/Makefile 2013-08-24 09:11:37.931421617 +0200
+@@ -188,7 +188,7 @@
+ fi; \
+ cd qemu-xen-dir; \
+ $$source/configure --enable-xen --target-list=i386-softmmu \
+- --prefix=$(PREFIX) \
++ --prefix=$(PREFIX) --libexecdir=$(LIBEXEC) \
+ --source-path=$$source \
+ --extra-cflags="-I$(XEN_ROOT)/tools/include \
+ -I$(XEN_ROOT)/tools/libxc \
-diff -dur xen-4.2.0.orig/docs/pythfilter.py xen-4.2.0/docs/pythfilter.py
---- xen-4.2.0.orig/docs/pythfilter.py 2012-09-17 12:21:17.000000000 +0200
-+++ xen-4.2.0/docs/pythfilter.py 2012-10-22 10:46:31.000000000 +0200
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python\r
-+#!/usr/bin/python\r
- \r
- # pythfilter.py v1.5.5, written by Matthias Baas (baas@ira.uka.de)\r
- \r
diff -dur xen-4.2.0.orig/tools/misc/xenpvnetboot xen-4.2.0/tools/misc/xenpvnetboot
--- xen-4.2.0.orig/tools/misc/xenpvnetboot 2012-09-17 12:21:18.000000000 +0200
+++ xen-4.2.0/tools/misc/xenpvnetboot 2012-10-22 10:46:30.000000000 +0200
qemu-xen-traditional/configure: define _GNU_SOURCE for NPTL defs
qemu-xen/configure: use -O2 for tests to eliminate fortify warnings (-Werror is in effect sometimes)
-qemu-xen/configure: support usbredir 0.5+
-tools/qemu-xen/block/iscsi.c: update for libiscsi 1.6.0(?)
--- xen-4.2.0/tools/qemu-xen-traditional/configure.orig 2012-09-06 18:05:30.000000000 +0200
+++ xen-4.2.0/tools/qemu-xen-traditional/configure 2012-10-27 08:16:21.702515768 +0200
@@ -738,10 +738,10 @@
aa="no"
`$sdl_config --static-libs 2>/dev/null | grep \\\-laa > /dev/null` && aa="yes"
sdl_static_libs=`$sdl_config --static-libs 2>/dev/null`
---- xen-4.2.0/tools/qemu-xen/configure.orig 2012-09-10 20:10:52.000000000 +0200
-+++ xen-4.2.0/tools/qemu-xen/configure 2012-10-27 13:28:33.178396347 +0200
-@@ -21,14 +21,14 @@
- rm -f config.log
+--- xen-4.3.0/tools/qemu-xen/configure.orig 2013-08-22 20:01:19.903704095 +0200
++++ xen-4.3.0/tools/qemu-xen/configure 2013-08-22 20:35:51.880283814 +0200
+@@ -270,10 +270,6 @@
+ QEMU_CFLAGS="-Wstrict-prototypes -Wredundant-decls $QEMU_CFLAGS"
+ QEMU_CFLAGS="-D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE $QEMU_CFLAGS"
+ QEMU_INCLUDES="-I. -I\$(SRC_PATH) -I\$(SRC_PATH)/fpu"
+-if test "$debug_info" = "yes"; then
+- CFLAGS="-g $CFLAGS"
+- LDFLAGS="-g $LDFLAGS"
+-fi
- compile_object() {
-- echo $cc $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log
-- $cc $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log 2>&1
-+ echo $cc -O2 $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log
-+ $cc -O2 $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log 2>&1
- }
+ # make source path absolute
+ source_path=`cd "$source_path"; pwd`
+@@ -3067,7 +3063,7 @@
+ # After here, no more $cc or $ld runs
- compile_prog() {
- local_cflags="$1"
- local_ldflags="$2"
-- echo $cc $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags >> config.log
-- $cc $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags >> config.log 2>&1
-+ echo $cc -O2 $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags >> config.log
-+ $cc -O2 $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags >> config.log 2>&1
- }
+ if test "$debug" = "no" ; then
+- CFLAGS="-O2 -D_FORTIFY_SOURCE=2 $CFLAGS"
++ CFLAGS="-O2 $CFLAGS"
+ fi
-@@ -2543,6 +2543,12 @@
- usb_redir_libs=$($pkg_config --libs libusbredirparser 2>/dev/null)
- QEMU_CFLAGS="$QEMU_CFLAGS $usb_redir_cflags"
- LIBS="$LIBS $usb_redir_libs"
-+ elif $pkg_config libusbredirparser-0.5 >/dev/null 2>&1 ; then
-+ usb_redir="yes"
-+ usb_redir_cflags=$($pkg_config --cflags libusbredirparser-0.5 2>/dev/null)
-+ usb_redir_libs=$($pkg_config --libs libusbredirparser-0.5 2>/dev/null)
-+ QEMU_CFLAGS="$QEMU_CFLAGS $usb_redir_cflags"
-+ LIBS="$LIBS $usb_redir_libs"
- else
- if test "$usb_redir" = "yes"; then
- feature_not_found "usb-redir"
---- xen-4.2.0/tools/qemu-xen/block/iscsi.c.orig 2012-09-10 20:10:52.000000000 +0200
-+++ xen-4.2.0/tools/qemu-xen/block/iscsi.c 2012-10-27 21:27:02.120524882 +0200
-@@ -224,9 +224,9 @@
- size = nb_sectors * BDRV_SECTOR_SIZE;
- acb->buf = g_malloc(size);
- qemu_iovec_to_buffer(acb->qiov, acb->buf);
-- acb->task = iscsi_write10_task(iscsi, iscsilun->lun, acb->buf, size,
-- sector_qemu2lun(sector_num, iscsilun),
-- fua, 0, iscsilun->block_size,
-+ acb->task = iscsi_write10_task(iscsi, iscsilun->lun, sector_qemu2lun(sector_num, iscsilun),
-+ acb->buf, size, iscsilun->block_size,
-+ 0, 0, fua, 0, 0,
- iscsi_aio_write10_cb, acb);
- if (acb->task == NULL) {
- error_report("iSCSI: Failed to send write10 command. %s",
-@@ -309,6 +309,7 @@
- acb->task = iscsi_read10_task(iscsi, iscsilun->lun,
- sector_qemu2lun(sector_num, iscsilun),
- lun_read_size, iscsilun->block_size,
-+ 0, 0, 0, 0, 0,
- iscsi_aio_read10_cb, acb);
- if (acb->task == NULL) {
- error_report("iSCSI: Failed to send read10 command. %s",
+ # Disable zero malloc errors for official releases unless explicitly told to
+++ /dev/null
-From: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3bf7e40ab9140e577a6e7e17d3f5711b28aed833
-
-From: Avi Kivity <avi@redhat.com>
-Date: Tue, 27 Dec 2011 15:11:20 +0000 (+0200)
-Subject: softfloat: fix for C99
-
-softfloat: fix for C99
-
-C99 appears to consider compound literals as non-constants, and complains
-when they are used in static initializers. Switch to ordinary initializer
-syntax.
-
-
-diff -dur xen-4.2.0.orig/tools/qemu-xen/fpu/softfloat-specialize.h xen-4.2.0/tools/qemu-xen/fpu/softfloat-specialize.h
---- xen-4.2.0.orig/tools/qemu-xen/fpu/softfloat-specialize.h 2012-09-10 20:10:52.000000000 +0200
-+++ xen-4.2.0/tools/qemu-xen/fpu/softfloat-specialize.h 2012-10-22 14:58:26.000000000 +0200
-@@ -89,8 +89,8 @@
- #define floatx80_default_nan_low LIT64( 0xC000000000000000 )
- #endif
-
--const floatx80 floatx80_default_nan = make_floatx80(floatx80_default_nan_high,
-- floatx80_default_nan_low);
-+const floatx80 floatx80_default_nan
-+ = make_floatx80_init(floatx80_default_nan_high, floatx80_default_nan_low);
-
- /*----------------------------------------------------------------------------
- | The pattern for a default generated quadruple-precision NaN. The `high' and
-@@ -104,8 +104,8 @@
- #define float128_default_nan_low LIT64( 0x0000000000000000 )
- #endif
-
--const float128 float128_default_nan = make_float128(float128_default_nan_high,
-- float128_default_nan_low);
-+const float128 float128_default_nan
-+ = make_float128_init(float128_default_nan_high, float128_default_nan_low);
-
- /*----------------------------------------------------------------------------
- | Raises the exceptions specified by `flags'. Floating-point traps can be
-diff -dur xen-4.2.0.orig/tools/qemu-xen/fpu/softfloat.h xen-4.2.0/tools/qemu-xen/fpu/softfloat.h
---- xen-4.2.0.orig/tools/qemu-xen/fpu/softfloat.h 2012-09-10 20:10:52.000000000 +0200
-+++ xen-4.2.0/tools/qemu-xen/fpu/softfloat.h 2012-10-22 14:58:26.000000000 +0200
-@@ -129,6 +129,7 @@
- uint16_t high;
- } floatx80;
- #define make_floatx80(exp, mant) ((floatx80) { mant, exp })
-+#define make_floatx80_init(exp, mant) { .low = mant, .high = exp }
- typedef struct {
- #ifdef HOST_WORDS_BIGENDIAN
- uint64_t high, low;
-@@ -137,6 +138,7 @@
- #endif
- } float128;
- #define make_float128(high_, low_) ((float128) { .high = high_, .low = low_ })
-+#define make_float128_init(high_, low_) { .high = high_, .low = low_ }
-
- /*----------------------------------------------------------------------------
- | Software IEC/IEEE floating-point underflow tininess-detection mode.
+++ /dev/null
-commit a4ef9c9753467ae2eaeff858bcb63a5ba5337d18
-Author: Jacek Konieczny <jajcus@jajcus.net>
-Date: Fri Nov 9 14:47:40 2012 +0100
-
- Fix locking in tools/hotplug/Linux/locking.sh
-
- The claim_lock() function would fail in the perl code with:
-
- Invalid argument at -e line 2.
-
- because the Perl snippet opens for reading the file descriptor, which
- was earlier opened for write (append).
-
- Signed-off-by: Jacek Konieczny <jajcus@jajcus.net>
-
-diff --git a/tools/hotplug/Linux/locking.sh b/tools/hotplug/Linux/locking.sh
-index 0e2a531..5c4f365 100644
---- a/tools/hotplug/Linux/locking.sh
-+++ b/tools/hotplug/Linux/locking.sh
-@@ -44,7 +44,7 @@ claim_lock()
- # See below for a correctness proof.
- local rightfile
- while true; do
-- eval "exec $_lockfd>>$_lockfile"
-+ eval "exec $_lockfd<>$_lockfile"
- flock -x $_lockfd || return $?
- # We can't just stat /dev/stdin or /proc/self/fd/$_lockfd or
- # use bash's test -ef because those all go through what is
# - now the build dependencies are insane (because of what qemu can use)
# we should make them optional or get rid of them all properly
#
-#
# Conditional build:
-%bcond_without opengl # disable OpenGL support in Xen qemu
-%bcond_without sdl # disable SDL support in Xen qemu
-%bcond_without bluetooth # disable bluetooth support in Xen qemu
-%bcond_without brlapi # disable brlapi support in Xen qemu
-%bcond_without ocaml # build Ocaml libraries for Xen tools
-%bcond_without efi # build the EFI hypervisor
-
+%bcond_without opengl # OpenGL support in Xen qemu
+%bcond_without sdl # SDL support in Xen qemu
+%bcond_without bluetooth # bluetooth support in Xen qemu
+%bcond_without brlapi # brlapi support in Xen qemu
+%bcond_without ocaml # Ocaml libraries for Xen tools
+%bcond_without efi # EFI hypervisor
+%bcond_without hypervisor # Xen hypervisor build
+%bcond_without stubdom # stubdom build
+
+%ifnarch %{x8664} arm
+%undefine with_hypervisor
+%endif
%ifnarch %{x8664}
%undefine with_efi
%endif
+%ifnarch %{ix86} %{x8664}
+%undefine with_stubdom
+%endif
# from Config.mk:
%define seabios_version 1.6.3.2
Summary: Xen - a virtual machine monitor
Summary(pl.UTF-8): Xen - monitor maszyny wirtualnej
Name: xen
-Version: 4.2.2
-Release: 4
+Version: 4.3.0
+Release: 1
License: GPL v2, interface parts on BSD-like
Group: Applications/System
Source0: http://bits.xensource.com/oss-xen/release/%{version}/%{name}-%{version}.tar.gz
-# Source0-md5: f7362b19401a47826f2d8fd603a1782a
+# Source0-md5: 7b18cfb58f1ac2ce39cf35a1867f0c0a
# used by stubdoms
Source10: %{xen_extfiles_url}/lwip-1.3.0.tar.gz
# Source10-md5: 36cc57650cffda9a0269493be2a169bb
Patch7: %{name}-net-disable-iptables-on-bridge.patch
Patch8: %{name}-configure-xend.patch
Patch9: %{name}-initscript.patch
-Patch10: %{name}-quemu-softloat-c99.patch
-Patch11: %{name}-qemu.patch
-Patch12: %{name}-scripts-locking.patch
-Patch13: %{name}-close_lockfd_after_lock_attempt.patch
-Patch14: %{name}-librt.patch
-Patch15: %{name}-ulong.patch
-Patch16: %{name}-doc.patch
-Patch100: CVE-2013-1918-1
-Patch101: CVE-2013-1918-2
-Patch102: CVE-2013-1918-3
-Patch103: CVE-2013-1918-4
-Patch104: CVE-2013-1918-5
-Patch105: CVE-2013-1918-6
-Patch106: CVE-2013-1918-7
-Patch107: CVE-2013-1952
-Patch108: CVE-2013-2072
-Patch109: CVE-2013-2076
-Patch110: CVE-2013-2077
-Patch111: CVE-2013-2078
-#CVE-2013-2194 XEN XSA-55 integer overflows
-#CVE-2013-2195 XEN XSA-55 pointer dereferences
-#CVE-2013-2196 XEN XSA-55 other problems
-Patch112: 0001-libelf-abolish-libelf-relocate.c.patch
-Patch113: 0002-libxc-introduce-xc_dom_seg_to_ptr_pages.patch
-Patch114: 0003-libxc-Fix-range-checking-in-xc_dom_pfn_to_ptr-etc.patch
-Patch115: 0004-libelf-add-struct-elf_binary-parameter-to-elf_load_i.patch
-Patch116: 0005-libelf-abolish-elf_sval-and-elf_access_signed.patch
-Patch117: 0006-libelf-move-include-of-asm-guest_access.h-to-top-of-.patch
-Patch118: 0007-libelf-xc_dom_load_elf_symtab-Do-not-use-syms-uninit.patch
-Patch119: 0008-libelf-introduce-macros-for-memory-access-and-pointe.patch
-Patch120: 0009-tools-xcutils-readnotes-adjust-print_l1_mfn_valid_no.patch
-Patch121: 0010-libelf-check-nul-terminated-strings-properly.patch
-Patch122: 0011-libelf-check-all-pointer-accesses.patch
-Patch123: 0012-libelf-Check-pointer-references-in-elf_is_elfbinary.patch
-Patch124: 0013-libelf-Make-all-callers-call-elf_check_broken.patch
-Patch125: 0014-libelf-use-C99-bool-for-booleans.patch
-Patch126: 0015-libelf-use-only-unsigned-integers.patch
-Patch127: 0016-libelf-check-loops-for-running-away.patch
-Patch128: 0017-libelf-abolish-obsolete-macros.patch
-Patch129: 0018-libxc-Add-range-checking-to-xc_dom_binloader.patch
-Patch130: 0019-libxc-check-failure-of-xc_dom_-_to_ptr-xc_map_foreig.patch
-Patch131: 0020-libxc-check-return-values-from-malloc.patch
-Patch132: 0021-libxc-range-checks-in-xc_dom_p2m_host-and-_guest.patch
-Patch133: 0022-libxc-check-blob-size-before-proceeding-in-xc_dom_ch.patch
-Patch134: 0023-libxc-Better-range-check-in-xc_dom_alloc_segment.patch
-Patch135: CVE-2013-2211
-Patch136: CVE-2013-1432
+Patch10: %{name}-qemu.patch
+Patch11: %{name}-ulong.patch
+Patch12: %{name}-doc.patch
+Patch13: %{name}-paths.patch
URL: http://www.xen.org/products/xenhyp.html
%{?with_opengl:BuildRequires: OpenGL-devel}
%{?with_sdl:BuildRequires: SDL-devel >= 1.2.1}
%ifarch %{ix86} %{x8664}
BuildRequires: acpica
BuildRequires: bcc
+BuildRequires: bin86
%endif
%{?with_bluetooth:BuildRequires: bluez-libs-devel}
%{?with_brlapi:BuildRequires: brlapi-devel}
BuildRequires: curl-devel
BuildRequires: cyrus-sasl-devel >= 2
BuildRequires: e2fsprogs-devel
-BuildRequires: gcc >= 5:3.4
+BuildRequires: gcc >= 6:4.1
BuildRequires: gettext-devel
BuildRequires: glib2-devel >= 1:2.12
+BuildRequires: glusterfs-devel >= 3.4
BuildRequires: gnutls-devel
BuildRequires: latex2html >= 2008
BuildRequires: libaio-devel
+BuildRequires: libcap-devel
+BuildRequires: libcap-ng-devel
BuildRequires: libiscsi-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
+BuildRequires: libseccomp-devel >= 1.0.0
BuildRequires: libuuid-devel
BuildRequires: lzo-devel >= 2
BuildRequires: ncurses-devel
BuildRequires: openssl-devel
BuildRequires: pciutils-devel
BuildRequires: perl-base
+BuildRequires: perl-tools-pod
+BuildRequires: pixman-devel
BuildRequires: pkgconfig
BuildRequires: python-devel
BuildRequires: rpm-pythonprov
BuildRequires: rpmbuild(macros) >= 1.647
-BuildRequires: spice-protocol >= 0.6.0
-BuildRequires: spice-server-devel >= 0.6.0
+BuildRequires: spice-protocol >= 0.12.2
+BuildRequires: spice-server-devel >= 0.12.0
BuildRequires: texi2html
BuildRequires: texlive-dvips
BuildRequires: texlive-latex-psnfss
BuildRequires: texlive-xetex
-BuildRequires: usbredir-devel
+BuildRequires: transfig
+BuildRequires: usbredir-devel >= 0.5.3
BuildRequires: vde2-devel
BuildRequires: which
# for xfsctl (<xfs/xfs.h>)
Requires: %{name}-guest = %{version}-%{release}
Obsoletes: xen-doc
Obsoletes: xen-udev
-ExclusiveArch: %{ix86} %{x8664}
+ExclusiveArch: %{ix86} %{x8664} arm
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
# some PPC/SPARC boot images in ELF format
-%define _noautostrip .*%{_datadir}/\\(xen/qemu\\|qemu-xen\\)/\\(openbios-.*\\|palcode-clipper\\)
+%define _noautostrip .*%{_datadir}/\\(xen\\|qemu-xen\\)/qemu/\\(openbios-.*\\|palcode-clipper\\)
%description
This package contains the Xen hypervisor and Xen tools, needed to run
%patch11 -p1
%patch12 -p1
%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-# CVE
-%patch100 -p1
-%patch101 -p1
-%patch102 -p1
-%patch103 -p1
-%patch104 -p1
-%patch105 -p1
-%patch106 -p1
-%patch107 -p1
-%patch108 -p1
-%patch109 -p1
-%patch110 -p1
-%patch111 -p1
-%patch112 -p1
-%patch113 -p1
-%patch114 -p1
-%patch115 -p1
-%patch116 -p1
-%patch117 -p1
-%patch118 -p1
-%patch119 -p1
-%patch120 -p1
-%patch121 -p1
-%patch122 -p1
-%patch123 -p1
-%patch124 -p1
-%patch125 -p1
-%patch126 -p1
-%patch127 -p1
-%patch128 -p1
-%patch129 -p1
-%patch130 -p1
-%patch131 -p1
-%patch132 -p1
-%patch133 -p1
-%patch134 -p1
-%patch135 -p1
-%patch136 -p1
# stubdom sources
ln -s %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} stubdom
# openssl is used instead of gcrypt; that's OK, openssl is obligatory
# anyway (see configure), gcrypt is optional
# - prevent libiconv from being detected (not needed with glibc)
-cd tools
%configure \
CPPFLAGS="%{rpmcppflags} -I/usr/include/ncurses" \
ac_cv_lib_iconv_libiconv_open=no \
--disable-debug
-cd ..
%{__make} dist-xen dist-tools dist-docs \
%{!?with_ocaml:OCAML_TOOLS=n} \
- prefix=%{_prefix} \
CC="%{__cc}" \
CXX="%{__cxx}" \
V=1
unset CFLAGS
unset CXXFLAGS
+%if %{with stubdom}
%{__make} -j1 dist-stubdom \
%{!?with_ocaml:OCAML_TOOLS=n} \
CC="%{__cc}" \
CXX="%{__cxx}" \
V=1
+%endif
%install
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT/etc/{xen/examples,modules-load.d,logrotate.d} \
- $RPM_BUILD_ROOT{%{systemdtmpfilesdir},%{systemdunitdir},/var/log/xen/console} \
- $RPM_BUILD_ROOT/etc/efi-boot/update.d
+ $RPM_BUILD_ROOT{%{systemdtmpfilesdir},%{systemdunitdir},/var/log/xen/console}
-%{__make} -j1 install-xen install-tools install-stubdom install-docs \
+%if %{with efi}
+install -d $RPM_BUILD_ROOT/etc/efi-boot/update.d
+%endif
+
+%{__make} -j1 install-xen install-tools %{?with_stubdom:install-stubdom} install-docs \
%{!?with_ocaml:OCAML_TOOLS=n} \
- prefix=%{_prefix} \
DESTDIR=$RPM_BUILD_ROOT \
HOTPLUGS=install-udev
%py_postclean
-%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/qemu.1
-mv $RPM_BUILD_ROOT%{_mandir}/man1/qemu-img{,-xen}.1
-mv $RPM_BUILD_ROOT%{_mandir}/man8/qemu-nbd{,-xen}.8
# seems not needed, the path is wrong anyway
%{__rm} $RPM_BUILD_ROOT%{_prefix}/etc/qemu/target-x86_64.conf
# remove unneeded files
-%{__rm} $RPM_BUILD_ROOT/boot/xen-4.2.gz
+%if %{with hypervisor}
+%{__rm} $RPM_BUILD_ROOT/boot/xen-4.3.gz
%{__rm} $RPM_BUILD_ROOT/boot/xen-4.gz
+%endif
%{__rm} -r $RPM_BUILD_ROOT%{_docdir}/xen
-%{__rm} -r $RPM_BUILD_ROOT%{_docdir}/qemu
%{__rm} $RPM_BUILD_ROOT%{_includedir}/%{name}/COPYING
%clean
%files
%defattr(644,root,root,755)
-%doc COPYING README* docs/misc/*
-%doc docs/html/*
-%doc tools/qemu-xen-dir/*.html
-%doc _doc/*
+%doc COPYING README* docs/misc/* docs/html/* _doc/*
+%if %{with hypervisor}
/boot/%{name}-syms-%{version}
/boot/%{name}-%{version}.gz
/boot/%{name}.gz
+%endif
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/xenconsoled
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/xenstored
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/xendomains
%attr(755,root,root) %{_bindir}/qemu-nbd-xen
%attr(755,root,root) %{_bindir}/remus
%attr(755,root,root) %{_bindir}/xencons
+%attr(755,root,root) %{_bindir}/xencov_split
%attr(755,root,root) %{_bindir}/xentrace*
%attr(755,root,root) %{_sbindir}/blktapctrl
%attr(755,root,root) %{_sbindir}/flask-*
%attr(755,root,root) %{_sbindir}/xen-*
%attr(755,root,root) %{_sbindir}/xenbaked
%attr(755,root,root) %{_sbindir}/xenconsoled
+%attr(755,root,root) %{_sbindir}/xencov
%attr(755,root,root) %{_sbindir}/xenlockprof
%attr(755,root,root) %{_sbindir}/xenmon.py
%attr(755,root,root) %{_sbindir}/xenperf
%attr(755,root,root) %{_prefix}/lib/%{name}/bin/*
%endif
%dir %{_prefix}/lib/%{name}/boot
+%if %{with stubdom}
%{_prefix}/lib/%{name}/boot/ioemu-stubdom.gz
+%ifarch %{ix86} %{x8664}
%{_prefix}/lib/%{name}/boot/pv-grub-x86_32.gz
+%endif
%ifarch %{x8664}
%{_prefix}/lib/%{name}/boot/pv-grub-x86_64.gz
%endif
+%{_prefix}/lib/%{name}/boot/vtpm-stubdom.gz
+%{_prefix}/lib/%{name}/boot/vtpmmgr-stubdom.gz
%{_prefix}/lib/%{name}/boot/xenstore-stubdom.gz
+%endif
%attr(744,root,root) %{_prefix}/lib/%{name}/boot/hvmloader
%{_datadir}/xen
-%{_mandir}/man1/qemu-img-xen.1*
%{_mandir}/man1/xentop.1*
%{_mandir}/man1/xentrace_format.1*
%{_mandir}/man1/xl.1*
%{_mandir}/man5/xl.conf.5*
%{_mandir}/man5/xlcpupool.cfg.5*
%{_mandir}/man5/xmdomain.cfg.5*
-%{_mandir}/man8/qemu-nbd-xen.8*
%{_mandir}/man8/xentrace.8*
%{_sharedstatedir}/xen
%{_sharedstatedir}/xenstored
%attr(755,root,root) %{_libdir}/libvhd.so.*.*.*
%attr(755,root,root) %ghost %{_libdir}/libvhd.so.1.0
%attr(755,root,root) %{_libdir}/libxenctrl.so.*.*.*
-%attr(755,root,root) %ghost %{_libdir}/libxenctrl.so.4.2
+%attr(755,root,root) %ghost %{_libdir}/libxenctrl.so.4.3
%attr(755,root,root) %{_libdir}/libxenguest.so.*.*.*
-%attr(755,root,root) %ghost %{_libdir}/libxenguest.so.4.2
+%attr(755,root,root) %ghost %{_libdir}/libxenguest.so.4.3
%attr(755,root,root) %{_libdir}/libxenlight.so.*.*.*
-%attr(755,root,root) %ghost %{_libdir}/libxenlight.so.2.0
+%attr(755,root,root) %ghost %{_libdir}/libxenlight.so.4.3
%attr(755,root,root) %{_libdir}/libxenstat.so.*.*
%attr(755,root,root) %ghost %{_libdir}/libxenstat.so.0
%attr(755,root,root) %{_libdir}/libxenvchan.so.*.*.*
%attr(755,root,root) %ghost %{_libdir}/libxenvchan.so.1.0
%attr(755,root,root) %{_libdir}/libxlutil.so.*.*.*
-%attr(755,root,root) %ghost %{_libdir}/libxlutil.so.1.0
+%attr(755,root,root) %ghost %{_libdir}/libxlutil.so.4.3
%dir %{_libdir}/fs
%dir %{_libdir}/fs/ext2fs-lib
%dir %{_libdir}/fs/fat
projects / packages / xen.git / commitdiff