1 | /* |
2 | * Utility functions for x86 operand and address decoding |
3 | * |
4 | * Copyright (C) Intel Corporation 2017 |
5 | */ |
6 | #include <linux/kernel.h> |
7 | #include <linux/string.h> |
8 | #include <linux/ratelimit.h> |
9 | #include <linux/mmu_context.h> |
10 | #include <asm/desc_defs.h> |
11 | #include <asm/desc.h> |
12 | #include <asm/inat.h> |
13 | #include <asm/insn.h> |
14 | #include <asm/insn-eval.h> |
15 | #include <asm/ldt.h> |
16 | #include <asm/vm86.h> |
17 | |
18 | #undef pr_fmt |
19 | #define pr_fmt(fmt) "insn: " fmt |
20 | |
21 | enum reg_type { |
22 | REG_TYPE_RM = 0, |
23 | REG_TYPE_REG, |
24 | REG_TYPE_INDEX, |
25 | REG_TYPE_BASE, |
26 | }; |
27 | |
28 | /** |
29 | * is_string_insn() - Determine if instruction is a string instruction |
30 | * @insn: Instruction containing the opcode to inspect |
31 | * |
32 | * Returns: |
33 | * |
34 | * true if the instruction, determined by the opcode, is any of the |
35 | * string instructions as defined in the Intel Software Development manual. |
36 | * False otherwise. |
37 | */ |
38 | static bool is_string_insn(struct insn *insn) |
39 | { |
40 | /* All string instructions have a 1-byte opcode. */ |
41 | if (insn->opcode.nbytes != 1) |
42 | return false; |
43 | |
44 | switch (insn->opcode.bytes[0]) { |
45 | case 0x6c ... 0x6f: /* INS, OUTS */ |
46 | case 0xa4 ... 0xa7: /* MOVS, CMPS */ |
47 | case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ |
48 | return true; |
49 | default: |
50 | return false; |
51 | } |
52 | } |
53 | |
54 | /** |
55 | * insn_has_rep_prefix() - Determine if instruction has a REP prefix |
56 | * @insn: Instruction containing the prefix to inspect |
57 | * |
58 | * Returns: |
59 | * |
60 | * true if the instruction has a REP prefix, false if not. |
61 | */ |
62 | bool insn_has_rep_prefix(struct insn *insn) |
63 | { |
64 | insn_byte_t p; |
65 | int i; |
66 | |
67 | insn_get_prefixes(insn); |
68 | |
69 | for_each_insn_prefix(insn, i, p) { |
70 | if (p == 0xf2 || p == 0xf3) |
71 | return true; |
72 | } |
73 | |
74 | return false; |
75 | } |
76 | |
77 | /** |
78 | * get_seg_reg_override_idx() - obtain segment register override index |
79 | * @insn: Valid instruction with segment override prefixes |
80 | * |
81 | * Inspect the instruction prefixes in @insn and find segment overrides, if any. |
82 | * |
83 | * Returns: |
84 | * |
85 | * A constant identifying the segment register to use, among CS, SS, DS, |
86 | * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override |
87 | * prefixes were found. |
88 | * |
89 | * -EINVAL in case of error. |
90 | */ |
91 | static int get_seg_reg_override_idx(struct insn *insn) |
92 | { |
93 | int idx = INAT_SEG_REG_DEFAULT; |
94 | int num_overrides = 0, i; |
95 | insn_byte_t p; |
96 | |
97 | insn_get_prefixes(insn); |
98 | |
99 | /* Look for any segment override prefixes. */ |
100 | for_each_insn_prefix(insn, i, p) { |
101 | insn_attr_t attr; |
102 | |
103 | attr = inat_get_opcode_attribute(opcode: p); |
104 | switch (attr) { |
105 | case INAT_MAKE_PREFIX(INAT_PFX_CS): |
106 | idx = INAT_SEG_REG_CS; |
107 | num_overrides++; |
108 | break; |
109 | case INAT_MAKE_PREFIX(INAT_PFX_SS): |
110 | idx = INAT_SEG_REG_SS; |
111 | num_overrides++; |
112 | break; |
113 | case INAT_MAKE_PREFIX(INAT_PFX_DS): |
114 | idx = INAT_SEG_REG_DS; |
115 | num_overrides++; |
116 | break; |
117 | case INAT_MAKE_PREFIX(INAT_PFX_ES): |
118 | idx = INAT_SEG_REG_ES; |
119 | num_overrides++; |
120 | break; |
121 | case INAT_MAKE_PREFIX(INAT_PFX_FS): |
122 | idx = INAT_SEG_REG_FS; |
123 | num_overrides++; |
124 | break; |
125 | case INAT_MAKE_PREFIX(INAT_PFX_GS): |
126 | idx = INAT_SEG_REG_GS; |
127 | num_overrides++; |
128 | break; |
129 | /* No default action needed. */ |
130 | } |
131 | } |
132 | |
133 | /* More than one segment override prefix leads to undefined behavior. */ |
134 | if (num_overrides > 1) |
135 | return -EINVAL; |
136 | |
137 | return idx; |
138 | } |
139 | |
140 | /** |
141 | * check_seg_overrides() - check if segment override prefixes are allowed |
142 | * @insn: Valid instruction with segment override prefixes |
143 | * @regoff: Operand offset, in pt_regs, for which the check is performed |
144 | * |
145 | * For a particular register used in register-indirect addressing, determine if |
146 | * segment override prefixes can be used. Specifically, no overrides are allowed |
147 | * for rDI if used with a string instruction. |
148 | * |
149 | * Returns: |
150 | * |
151 | * True if segment override prefixes can be used with the register indicated |
152 | * in @regoff. False if otherwise. |
153 | */ |
154 | static bool check_seg_overrides(struct insn *insn, int regoff) |
155 | { |
156 | if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) |
157 | return false; |
158 | |
159 | return true; |
160 | } |
161 | |
162 | /** |
163 | * resolve_default_seg() - resolve default segment register index for an operand |
164 | * @insn: Instruction with opcode and address size. Must be valid. |
165 | * @regs: Register values as seen when entering kernel mode |
166 | * @off: Operand offset, in pt_regs, for which resolution is needed |
167 | * |
168 | * Resolve the default segment register index associated with the instruction |
169 | * operand register indicated by @off. Such index is resolved based on defaults |
170 | * described in the Intel Software Development Manual. |
171 | * |
172 | * Returns: |
173 | * |
174 | * If in protected mode, a constant identifying the segment register to use, |
175 | * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. |
176 | * |
177 | * -EINVAL in case of error. |
178 | */ |
179 | static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) |
180 | { |
181 | if (any_64bit_mode(regs)) |
182 | return INAT_SEG_REG_IGNORE; |
183 | /* |
184 | * Resolve the default segment register as described in Section 3.7.4 |
185 | * of the Intel Software Development Manual Vol. 1: |
186 | * |
187 | * + DS for all references involving r[ABCD]X, and rSI. |
188 | * + If used in a string instruction, ES for rDI. Otherwise, DS. |
189 | * + AX, CX and DX are not valid register operands in 16-bit address |
190 | * encodings but are valid for 32-bit and 64-bit encodings. |
191 | * + -EDOM is reserved to identify for cases in which no register |
192 | * is used (i.e., displacement-only addressing). Use DS. |
193 | * + SS for rSP or rBP. |
194 | * + CS for rIP. |
195 | */ |
196 | |
197 | switch (off) { |
198 | case offsetof(struct pt_regs, ax): |
199 | case offsetof(struct pt_regs, cx): |
200 | case offsetof(struct pt_regs, dx): |
201 | /* Need insn to verify address size. */ |
202 | if (insn->addr_bytes == 2) |
203 | return -EINVAL; |
204 | |
205 | fallthrough; |
206 | |
207 | case -EDOM: |
208 | case offsetof(struct pt_regs, bx): |
209 | case offsetof(struct pt_regs, si): |
210 | return INAT_SEG_REG_DS; |
211 | |
212 | case offsetof(struct pt_regs, di): |
213 | if (is_string_insn(insn)) |
214 | return INAT_SEG_REG_ES; |
215 | return INAT_SEG_REG_DS; |
216 | |
217 | case offsetof(struct pt_regs, bp): |
218 | case offsetof(struct pt_regs, sp): |
219 | return INAT_SEG_REG_SS; |
220 | |
221 | case offsetof(struct pt_regs, ip): |
222 | return INAT_SEG_REG_CS; |
223 | |
224 | default: |
225 | return -EINVAL; |
226 | } |
227 | } |
228 | |
229 | /** |
230 | * resolve_seg_reg() - obtain segment register index |
231 | * @insn: Instruction with operands |
232 | * @regs: Register values as seen when entering kernel mode |
233 | * @regoff: Operand offset, in pt_regs, used to determine segment register |
234 | * |
235 | * Determine the segment register associated with the operands and, if |
236 | * applicable, prefixes and the instruction pointed by @insn. |
237 | * |
238 | * The segment register associated to an operand used in register-indirect |
239 | * addressing depends on: |
240 | * |
241 | * a) Whether running in long mode (in such a case segments are ignored, except |
242 | * if FS or GS are used). |
243 | * |
244 | * b) Whether segment override prefixes can be used. Certain instructions and |
245 | * registers do not allow override prefixes. |
246 | * |
247 | * c) Whether segment overrides prefixes are found in the instruction prefixes. |
248 | * |
249 | * d) If there are not segment override prefixes or they cannot be used, the |
250 | * default segment register associated with the operand register is used. |
251 | * |
252 | * The function checks first if segment override prefixes can be used with the |
253 | * operand indicated by @regoff. If allowed, obtain such overridden segment |
254 | * register index. Lastly, if not prefixes were found or cannot be used, resolve |
255 | * the segment register index to use based on the defaults described in the |
256 | * Intel documentation. In long mode, all segment register indexes will be |
257 | * ignored, except if overrides were found for FS or GS. All these operations |
258 | * are done using helper functions. |
259 | * |
260 | * The operand register, @regoff, is represented as the offset from the base of |
261 | * pt_regs. |
262 | * |
263 | * As stated, the main use of this function is to determine the segment register |
264 | * index based on the instruction, its operands and prefixes. Hence, @insn |
265 | * must be valid. However, if @regoff indicates rIP, we don't need to inspect |
266 | * @insn at all as in this case CS is used in all cases. This case is checked |
267 | * before proceeding further. |
268 | * |
269 | * Please note that this function does not return the value in the segment |
270 | * register (i.e., the segment selector) but our defined index. The segment |
271 | * selector needs to be obtained using get_segment_selector() and passing the |
272 | * segment register index resolved by this function. |
273 | * |
274 | * Returns: |
275 | * |
276 | * An index identifying the segment register to use, among CS, SS, DS, |
277 | * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. |
278 | * |
279 | * -EINVAL in case of error. |
280 | */ |
281 | static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) |
282 | { |
283 | int idx; |
284 | |
285 | /* |
286 | * In the unlikely event of having to resolve the segment register |
287 | * index for rIP, do it first. Segment override prefixes should not |
288 | * be used. Hence, it is not necessary to inspect the instruction, |
289 | * which may be invalid at this point. |
290 | */ |
291 | if (regoff == offsetof(struct pt_regs, ip)) { |
292 | if (any_64bit_mode(regs)) |
293 | return INAT_SEG_REG_IGNORE; |
294 | else |
295 | return INAT_SEG_REG_CS; |
296 | } |
297 | |
298 | if (!insn) |
299 | return -EINVAL; |
300 | |
301 | if (!check_seg_overrides(insn, regoff)) |
302 | return resolve_default_seg(insn, regs, off: regoff); |
303 | |
304 | idx = get_seg_reg_override_idx(insn); |
305 | if (idx < 0) |
306 | return idx; |
307 | |
308 | if (idx == INAT_SEG_REG_DEFAULT) |
309 | return resolve_default_seg(insn, regs, off: regoff); |
310 | |
311 | /* |
312 | * In long mode, segment override prefixes are ignored, except for |
313 | * overrides for FS and GS. |
314 | */ |
315 | if (any_64bit_mode(regs)) { |
316 | if (idx != INAT_SEG_REG_FS && |
317 | idx != INAT_SEG_REG_GS) |
318 | idx = INAT_SEG_REG_IGNORE; |
319 | } |
320 | |
321 | return idx; |
322 | } |
323 | |
324 | /** |
325 | * get_segment_selector() - obtain segment selector |
326 | * @regs: Register values as seen when entering kernel mode |
327 | * @seg_reg_idx: Segment register index to use |
328 | * |
329 | * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment |
330 | * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or |
331 | * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained |
332 | * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU |
333 | * registers. This done for only for completeness as in CONFIG_X86_64 segment |
334 | * registers are ignored. |
335 | * |
336 | * Returns: |
337 | * |
338 | * Value of the segment selector, including null when running in |
339 | * long mode. |
340 | * |
341 | * -EINVAL on error. |
342 | */ |
343 | static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) |
344 | { |
345 | unsigned short sel; |
346 | |
347 | #ifdef CONFIG_X86_64 |
348 | switch (seg_reg_idx) { |
349 | case INAT_SEG_REG_IGNORE: |
350 | return 0; |
351 | case INAT_SEG_REG_CS: |
352 | return (unsigned short)(regs->cs & 0xffff); |
353 | case INAT_SEG_REG_SS: |
354 | return (unsigned short)(regs->ss & 0xffff); |
355 | case INAT_SEG_REG_DS: |
356 | savesegment(ds, sel); |
357 | return sel; |
358 | case INAT_SEG_REG_ES: |
359 | savesegment(es, sel); |
360 | return sel; |
361 | case INAT_SEG_REG_FS: |
362 | savesegment(fs, sel); |
363 | return sel; |
364 | case INAT_SEG_REG_GS: |
365 | savesegment(gs, sel); |
366 | return sel; |
367 | default: |
368 | return -EINVAL; |
369 | } |
370 | #else /* CONFIG_X86_32 */ |
371 | struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; |
372 | |
373 | if (v8086_mode(regs)) { |
374 | switch (seg_reg_idx) { |
375 | case INAT_SEG_REG_CS: |
376 | return (unsigned short)(regs->cs & 0xffff); |
377 | case INAT_SEG_REG_SS: |
378 | return (unsigned short)(regs->ss & 0xffff); |
379 | case INAT_SEG_REG_DS: |
380 | return vm86regs->ds; |
381 | case INAT_SEG_REG_ES: |
382 | return vm86regs->es; |
383 | case INAT_SEG_REG_FS: |
384 | return vm86regs->fs; |
385 | case INAT_SEG_REG_GS: |
386 | return vm86regs->gs; |
387 | case INAT_SEG_REG_IGNORE: |
388 | default: |
389 | return -EINVAL; |
390 | } |
391 | } |
392 | |
393 | switch (seg_reg_idx) { |
394 | case INAT_SEG_REG_CS: |
395 | return (unsigned short)(regs->cs & 0xffff); |
396 | case INAT_SEG_REG_SS: |
397 | return (unsigned short)(regs->ss & 0xffff); |
398 | case INAT_SEG_REG_DS: |
399 | return (unsigned short)(regs->ds & 0xffff); |
400 | case INAT_SEG_REG_ES: |
401 | return (unsigned short)(regs->es & 0xffff); |
402 | case INAT_SEG_REG_FS: |
403 | return (unsigned short)(regs->fs & 0xffff); |
404 | case INAT_SEG_REG_GS: |
405 | savesegment(gs, sel); |
406 | return sel; |
407 | case INAT_SEG_REG_IGNORE: |
408 | default: |
409 | return -EINVAL; |
410 | } |
411 | #endif /* CONFIG_X86_64 */ |
412 | } |
413 | |
414 | static const int pt_regoff[] = { |
415 | offsetof(struct pt_regs, ax), |
416 | offsetof(struct pt_regs, cx), |
417 | offsetof(struct pt_regs, dx), |
418 | offsetof(struct pt_regs, bx), |
419 | offsetof(struct pt_regs, sp), |
420 | offsetof(struct pt_regs, bp), |
421 | offsetof(struct pt_regs, si), |
422 | offsetof(struct pt_regs, di), |
423 | #ifdef CONFIG_X86_64 |
424 | offsetof(struct pt_regs, r8), |
425 | offsetof(struct pt_regs, r9), |
426 | offsetof(struct pt_regs, r10), |
427 | offsetof(struct pt_regs, r11), |
428 | offsetof(struct pt_regs, r12), |
429 | offsetof(struct pt_regs, r13), |
430 | offsetof(struct pt_regs, r14), |
431 | offsetof(struct pt_regs, r15), |
432 | #else |
433 | offsetof(struct pt_regs, ds), |
434 | offsetof(struct pt_regs, es), |
435 | offsetof(struct pt_regs, fs), |
436 | offsetof(struct pt_regs, gs), |
437 | #endif |
438 | }; |
439 | |
440 | int pt_regs_offset(struct pt_regs *regs, int regno) |
441 | { |
442 | if ((unsigned)regno < ARRAY_SIZE(pt_regoff)) |
443 | return pt_regoff[regno]; |
444 | return -EDOM; |
445 | } |
446 | |
447 | static int get_regno(struct insn *insn, enum reg_type type) |
448 | { |
449 | int nr_registers = ARRAY_SIZE(pt_regoff); |
450 | int regno = 0; |
451 | |
452 | /* |
453 | * Don't possibly decode a 32-bit instructions as |
454 | * reading a 64-bit-only register. |
455 | */ |
456 | if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) |
457 | nr_registers -= 8; |
458 | |
459 | switch (type) { |
460 | case REG_TYPE_RM: |
461 | regno = X86_MODRM_RM(insn->modrm.value); |
462 | |
463 | /* |
464 | * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement |
465 | * follows the ModRM byte. |
466 | */ |
467 | if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) |
468 | return -EDOM; |
469 | |
470 | if (X86_REX_B(insn->rex_prefix.value)) |
471 | regno += 8; |
472 | break; |
473 | |
474 | case REG_TYPE_REG: |
475 | regno = X86_MODRM_REG(insn->modrm.value); |
476 | |
477 | if (X86_REX_R(insn->rex_prefix.value)) |
478 | regno += 8; |
479 | break; |
480 | |
481 | case REG_TYPE_INDEX: |
482 | regno = X86_SIB_INDEX(insn->sib.value); |
483 | if (X86_REX_X(insn->rex_prefix.value)) |
484 | regno += 8; |
485 | |
486 | /* |
487 | * If ModRM.mod != 3 and SIB.index = 4 the scale*index |
488 | * portion of the address computation is null. This is |
489 | * true only if REX.X is 0. In such a case, the SIB index |
490 | * is used in the address computation. |
491 | */ |
492 | if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) |
493 | return -EDOM; |
494 | break; |
495 | |
496 | case REG_TYPE_BASE: |
497 | regno = X86_SIB_BASE(insn->sib.value); |
498 | /* |
499 | * If ModRM.mod is 0 and SIB.base == 5, the base of the |
500 | * register-indirect addressing is 0. In this case, a |
501 | * 32-bit displacement follows the SIB byte. |
502 | */ |
503 | if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) |
504 | return -EDOM; |
505 | |
506 | if (X86_REX_B(insn->rex_prefix.value)) |
507 | regno += 8; |
508 | break; |
509 | |
510 | default: |
511 | pr_err_ratelimited("invalid register type: %d\n" , type); |
512 | return -EINVAL; |
513 | } |
514 | |
515 | if (regno >= nr_registers) { |
516 | WARN_ONCE(1, "decoded an instruction with an invalid register" ); |
517 | return -EINVAL; |
518 | } |
519 | return regno; |
520 | } |
521 | |
522 | static int get_reg_offset(struct insn *insn, struct pt_regs *regs, |
523 | enum reg_type type) |
524 | { |
525 | int regno = get_regno(insn, type); |
526 | |
527 | if (regno < 0) |
528 | return regno; |
529 | |
530 | return pt_regs_offset(regs, regno); |
531 | } |
532 | |
533 | /** |
534 | * get_reg_offset_16() - Obtain offset of register indicated by instruction |
535 | * @insn: Instruction containing ModRM byte |
536 | * @regs: Register values as seen when entering kernel mode |
537 | * @offs1: Offset of the first operand register |
538 | * @offs2: Offset of the second operand register, if applicable |
539 | * |
540 | * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte |
541 | * in @insn. This function is to be used with 16-bit address encodings. The |
542 | * @offs1 and @offs2 will be written with the offset of the two registers |
543 | * indicated by the instruction. In cases where any of the registers is not |
544 | * referenced by the instruction, the value will be set to -EDOM. |
545 | * |
546 | * Returns: |
547 | * |
548 | * 0 on success, -EINVAL on error. |
549 | */ |
550 | static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, |
551 | int *offs1, int *offs2) |
552 | { |
553 | /* |
554 | * 16-bit addressing can use one or two registers. Specifics of |
555 | * encodings are given in Table 2-1. "16-Bit Addressing Forms with the |
556 | * ModR/M Byte" of the Intel Software Development Manual. |
557 | */ |
558 | static const int regoff1[] = { |
559 | offsetof(struct pt_regs, bx), |
560 | offsetof(struct pt_regs, bx), |
561 | offsetof(struct pt_regs, bp), |
562 | offsetof(struct pt_regs, bp), |
563 | offsetof(struct pt_regs, si), |
564 | offsetof(struct pt_regs, di), |
565 | offsetof(struct pt_regs, bp), |
566 | offsetof(struct pt_regs, bx), |
567 | }; |
568 | |
569 | static const int regoff2[] = { |
570 | offsetof(struct pt_regs, si), |
571 | offsetof(struct pt_regs, di), |
572 | offsetof(struct pt_regs, si), |
573 | offsetof(struct pt_regs, di), |
574 | -EDOM, |
575 | -EDOM, |
576 | -EDOM, |
577 | -EDOM, |
578 | }; |
579 | |
580 | if (!offs1 || !offs2) |
581 | return -EINVAL; |
582 | |
583 | /* Operand is a register, use the generic function. */ |
584 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { |
585 | *offs1 = insn_get_modrm_rm_off(insn, regs); |
586 | *offs2 = -EDOM; |
587 | return 0; |
588 | } |
589 | |
590 | *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; |
591 | *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; |
592 | |
593 | /* |
594 | * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- |
595 | * only addressing. This means that no registers are involved in |
596 | * computing the effective address. Thus, ensure that the first |
597 | * register offset is invalid. The second register offset is already |
598 | * invalid under the aforementioned conditions. |
599 | */ |
600 | if ((X86_MODRM_MOD(insn->modrm.value) == 0) && |
601 | (X86_MODRM_RM(insn->modrm.value) == 6)) |
602 | *offs1 = -EDOM; |
603 | |
604 | return 0; |
605 | } |
606 | |
607 | /** |
608 | * get_desc() - Obtain contents of a segment descriptor |
609 | * @out: Segment descriptor contents on success |
610 | * @sel: Segment selector |
611 | * |
612 | * Given a segment selector, obtain a pointer to the segment descriptor. |
613 | * Both global and local descriptor tables are supported. |
614 | * |
615 | * Returns: |
616 | * |
617 | * True on success, false on failure. |
618 | * |
619 | * NULL on error. |
620 | */ |
621 | static bool get_desc(struct desc_struct *out, unsigned short sel) |
622 | { |
623 | struct desc_ptr gdt_desc = {0, 0}; |
624 | unsigned long desc_base; |
625 | |
626 | #ifdef CONFIG_MODIFY_LDT_SYSCALL |
627 | if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { |
628 | bool success = false; |
629 | struct ldt_struct *ldt; |
630 | |
631 | /* Bits [15:3] contain the index of the desired entry. */ |
632 | sel >>= 3; |
633 | |
634 | mutex_lock(¤t->active_mm->context.lock); |
635 | ldt = current->active_mm->context.ldt; |
636 | if (ldt && sel < ldt->nr_entries) { |
637 | *out = ldt->entries[sel]; |
638 | success = true; |
639 | } |
640 | |
641 | mutex_unlock(lock: ¤t->active_mm->context.lock); |
642 | |
643 | return success; |
644 | } |
645 | #endif |
646 | native_store_gdt(dtr: &gdt_desc); |
647 | |
648 | /* |
649 | * Segment descriptors have a size of 8 bytes. Thus, the index is |
650 | * multiplied by 8 to obtain the memory offset of the desired descriptor |
651 | * from the base of the GDT. As bits [15:3] of the segment selector |
652 | * contain the index, it can be regarded as multiplied by 8 already. |
653 | * All that remains is to clear bits [2:0]. |
654 | */ |
655 | desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); |
656 | |
657 | if (desc_base > gdt_desc.size) |
658 | return false; |
659 | |
660 | *out = *(struct desc_struct *)(gdt_desc.address + desc_base); |
661 | return true; |
662 | } |
663 | |
664 | /** |
665 | * insn_get_seg_base() - Obtain base address of segment descriptor. |
666 | * @regs: Register values as seen when entering kernel mode |
667 | * @seg_reg_idx: Index of the segment register pointing to seg descriptor |
668 | * |
669 | * Obtain the base address of the segment as indicated by the segment descriptor |
670 | * pointed by the segment selector. The segment selector is obtained from the |
671 | * input segment register index @seg_reg_idx. |
672 | * |
673 | * Returns: |
674 | * |
675 | * In protected mode, base address of the segment. Zero in long mode, |
676 | * except when FS or GS are used. In virtual-8086 mode, the segment |
677 | * selector shifted 4 bits to the right. |
678 | * |
679 | * -1L in case of error. |
680 | */ |
681 | unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) |
682 | { |
683 | struct desc_struct desc; |
684 | short sel; |
685 | |
686 | sel = get_segment_selector(regs, seg_reg_idx); |
687 | if (sel < 0) |
688 | return -1L; |
689 | |
690 | if (v8086_mode(regs)) |
691 | /* |
692 | * Base is simply the segment selector shifted 4 |
693 | * bits to the right. |
694 | */ |
695 | return (unsigned long)(sel << 4); |
696 | |
697 | if (any_64bit_mode(regs)) { |
698 | /* |
699 | * Only FS or GS will have a base address, the rest of |
700 | * the segments' bases are forced to 0. |
701 | */ |
702 | unsigned long base; |
703 | |
704 | if (seg_reg_idx == INAT_SEG_REG_FS) { |
705 | rdmsrl(MSR_FS_BASE, base); |
706 | } else if (seg_reg_idx == INAT_SEG_REG_GS) { |
707 | /* |
708 | * swapgs was called at the kernel entry point. Thus, |
709 | * MSR_KERNEL_GS_BASE will have the user-space GS base. |
710 | */ |
711 | if (user_mode(regs)) |
712 | rdmsrl(MSR_KERNEL_GS_BASE, base); |
713 | else |
714 | rdmsrl(MSR_GS_BASE, base); |
715 | } else { |
716 | base = 0; |
717 | } |
718 | return base; |
719 | } |
720 | |
721 | /* In protected mode the segment selector cannot be null. */ |
722 | if (!sel) |
723 | return -1L; |
724 | |
725 | if (!get_desc(out: &desc, sel)) |
726 | return -1L; |
727 | |
728 | return get_desc_base(desc: &desc); |
729 | } |
730 | |
731 | /** |
732 | * get_seg_limit() - Obtain the limit of a segment descriptor |
733 | * @regs: Register values as seen when entering kernel mode |
734 | * @seg_reg_idx: Index of the segment register pointing to seg descriptor |
735 | * |
736 | * Obtain the limit of the segment as indicated by the segment descriptor |
737 | * pointed by the segment selector. The segment selector is obtained from the |
738 | * input segment register index @seg_reg_idx. |
739 | * |
740 | * Returns: |
741 | * |
742 | * In protected mode, the limit of the segment descriptor in bytes. |
743 | * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, |
744 | * limit is returned as -1L to imply a limit-less segment. |
745 | * |
746 | * Zero is returned on error. |
747 | */ |
748 | static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) |
749 | { |
750 | struct desc_struct desc; |
751 | unsigned long limit; |
752 | short sel; |
753 | |
754 | sel = get_segment_selector(regs, seg_reg_idx); |
755 | if (sel < 0) |
756 | return 0; |
757 | |
758 | if (any_64bit_mode(regs) || v8086_mode(regs)) |
759 | return -1L; |
760 | |
761 | if (!sel) |
762 | return 0; |
763 | |
764 | if (!get_desc(out: &desc, sel)) |
765 | return 0; |
766 | |
767 | /* |
768 | * If the granularity bit is set, the limit is given in multiples |
769 | * of 4096. This also means that the 12 least significant bits are |
770 | * not tested when checking the segment limits. In practice, |
771 | * this means that the segment ends in (limit << 12) + 0xfff. |
772 | */ |
773 | limit = get_desc_limit(desc: &desc); |
774 | if (desc.g) |
775 | limit = (limit << 12) + 0xfff; |
776 | |
777 | return limit; |
778 | } |
779 | |
780 | /** |
781 | * insn_get_code_seg_params() - Obtain code segment parameters |
782 | * @regs: Structure with register values as seen when entering kernel mode |
783 | * |
784 | * Obtain address and operand sizes of the code segment. It is obtained from the |
785 | * selector contained in the CS register in regs. In protected mode, the default |
786 | * address is determined by inspecting the L and D bits of the segment |
787 | * descriptor. In virtual-8086 mode, the default is always two bytes for both |
788 | * address and operand sizes. |
789 | * |
790 | * Returns: |
791 | * |
792 | * An int containing ORed-in default parameters on success. |
793 | * |
794 | * -EINVAL on error. |
795 | */ |
796 | int insn_get_code_seg_params(struct pt_regs *regs) |
797 | { |
798 | struct desc_struct desc; |
799 | short sel; |
800 | |
801 | if (v8086_mode(regs)) |
802 | /* Address and operand size are both 16-bit. */ |
803 | return INSN_CODE_SEG_PARAMS(2, 2); |
804 | |
805 | sel = get_segment_selector(regs, INAT_SEG_REG_CS); |
806 | if (sel < 0) |
807 | return sel; |
808 | |
809 | if (!get_desc(out: &desc, sel)) |
810 | return -EINVAL; |
811 | |
812 | /* |
813 | * The most significant byte of the Type field of the segment descriptor |
814 | * determines whether a segment contains data or code. If this is a data |
815 | * segment, return error. |
816 | */ |
817 | if (!(desc.type & BIT(3))) |
818 | return -EINVAL; |
819 | |
820 | switch ((desc.l << 1) | desc.d) { |
821 | case 0: /* |
822 | * Legacy mode. CS.L=0, CS.D=0. Address and operand size are |
823 | * both 16-bit. |
824 | */ |
825 | return INSN_CODE_SEG_PARAMS(2, 2); |
826 | case 1: /* |
827 | * Legacy mode. CS.L=0, CS.D=1. Address and operand size are |
828 | * both 32-bit. |
829 | */ |
830 | return INSN_CODE_SEG_PARAMS(4, 4); |
831 | case 2: /* |
832 | * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; |
833 | * operand size is 32-bit. |
834 | */ |
835 | return INSN_CODE_SEG_PARAMS(4, 8); |
836 | case 3: /* Invalid setting. CS.L=1, CS.D=1 */ |
837 | fallthrough; |
838 | default: |
839 | return -EINVAL; |
840 | } |
841 | } |
842 | |
843 | /** |
844 | * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte |
845 | * @insn: Instruction containing the ModRM byte |
846 | * @regs: Register values as seen when entering kernel mode |
847 | * |
848 | * Returns: |
849 | * |
850 | * The register indicated by the r/m part of the ModRM byte. The |
851 | * register is obtained as an offset from the base of pt_regs. In specific |
852 | * cases, the returned value can be -EDOM to indicate that the particular value |
853 | * of ModRM does not refer to a register and shall be ignored. |
854 | */ |
855 | int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) |
856 | { |
857 | return get_reg_offset(insn, regs, type: REG_TYPE_RM); |
858 | } |
859 | |
860 | /** |
861 | * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte |
862 | * @insn: Instruction containing the ModRM byte |
863 | * @regs: Register values as seen when entering kernel mode |
864 | * |
865 | * Returns: |
866 | * |
867 | * The register indicated by the reg part of the ModRM byte. The |
868 | * register is obtained as an offset from the base of pt_regs. |
869 | */ |
870 | int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs) |
871 | { |
872 | return get_reg_offset(insn, regs, type: REG_TYPE_REG); |
873 | } |
874 | |
875 | /** |
876 | * insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte |
877 | * @insn: Instruction containing the ModRM byte |
878 | * @regs: Register values as seen when entering kernel mode |
879 | * |
880 | * Returns: |
881 | * |
882 | * The register indicated by the reg part of the ModRM byte. |
883 | * The register is obtained as a pointer within pt_regs. |
884 | */ |
885 | unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs) |
886 | { |
887 | int offset; |
888 | |
889 | offset = insn_get_modrm_reg_off(insn, regs); |
890 | if (offset < 0) |
891 | return NULL; |
892 | return (void *)regs + offset; |
893 | } |
894 | |
895 | /** |
896 | * get_seg_base_limit() - obtain base address and limit of a segment |
897 | * @insn: Instruction. Must be valid. |
898 | * @regs: Register values as seen when entering kernel mode |
899 | * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor |
900 | * @base: Obtained segment base |
901 | * @limit: Obtained segment limit |
902 | * |
903 | * Obtain the base address and limit of the segment associated with the operand |
904 | * @regoff and, if any or allowed, override prefixes in @insn. This function is |
905 | * different from insn_get_seg_base() as the latter does not resolve the segment |
906 | * associated with the instruction operand. If a limit is not needed (e.g., |
907 | * when running in long mode), @limit can be NULL. |
908 | * |
909 | * Returns: |
910 | * |
911 | * 0 on success. @base and @limit will contain the base address and of the |
912 | * resolved segment, respectively. |
913 | * |
914 | * -EINVAL on error. |
915 | */ |
916 | static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, |
917 | int regoff, unsigned long *base, |
918 | unsigned long *limit) |
919 | { |
920 | int seg_reg_idx; |
921 | |
922 | if (!base) |
923 | return -EINVAL; |
924 | |
925 | seg_reg_idx = resolve_seg_reg(insn, regs, regoff); |
926 | if (seg_reg_idx < 0) |
927 | return seg_reg_idx; |
928 | |
929 | *base = insn_get_seg_base(regs, seg_reg_idx); |
930 | if (*base == -1L) |
931 | return -EINVAL; |
932 | |
933 | if (!limit) |
934 | return 0; |
935 | |
936 | *limit = get_seg_limit(regs, seg_reg_idx); |
937 | if (!(*limit)) |
938 | return -EINVAL; |
939 | |
940 | return 0; |
941 | } |
942 | |
943 | /** |
944 | * get_eff_addr_reg() - Obtain effective address from register operand |
945 | * @insn: Instruction. Must be valid. |
946 | * @regs: Register values as seen when entering kernel mode |
947 | * @regoff: Obtained operand offset, in pt_regs, with the effective address |
948 | * @eff_addr: Obtained effective address |
949 | * |
950 | * Obtain the effective address stored in the register operand as indicated by |
951 | * the ModRM byte. This function is to be used only with register addressing |
952 | * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The |
953 | * register operand, as an offset from the base of pt_regs, is saved in @regoff; |
954 | * such offset can then be used to resolve the segment associated with the |
955 | * operand. This function can be used with any of the supported address sizes |
956 | * in x86. |
957 | * |
958 | * Returns: |
959 | * |
960 | * 0 on success. @eff_addr will have the effective address stored in the |
961 | * operand indicated by ModRM. @regoff will have such operand as an offset from |
962 | * the base of pt_regs. |
963 | * |
964 | * -EINVAL on error. |
965 | */ |
966 | static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, |
967 | int *regoff, long *eff_addr) |
968 | { |
969 | int ret; |
970 | |
971 | ret = insn_get_modrm(insn); |
972 | if (ret) |
973 | return ret; |
974 | |
975 | if (X86_MODRM_MOD(insn->modrm.value) != 3) |
976 | return -EINVAL; |
977 | |
978 | *regoff = get_reg_offset(insn, regs, type: REG_TYPE_RM); |
979 | if (*regoff < 0) |
980 | return -EINVAL; |
981 | |
982 | /* Ignore bytes that are outside the address size. */ |
983 | if (insn->addr_bytes == 2) |
984 | *eff_addr = regs_get_register(regs, offset: *regoff) & 0xffff; |
985 | else if (insn->addr_bytes == 4) |
986 | *eff_addr = regs_get_register(regs, offset: *regoff) & 0xffffffff; |
987 | else /* 64-bit address */ |
988 | *eff_addr = regs_get_register(regs, offset: *regoff); |
989 | |
990 | return 0; |
991 | } |
992 | |
993 | /** |
994 | * get_eff_addr_modrm() - Obtain referenced effective address via ModRM |
995 | * @insn: Instruction. Must be valid. |
996 | * @regs: Register values as seen when entering kernel mode |
997 | * @regoff: Obtained operand offset, in pt_regs, associated with segment |
998 | * @eff_addr: Obtained effective address |
999 | * |
1000 | * Obtain the effective address referenced by the ModRM byte of @insn. After |
1001 | * identifying the registers involved in the register-indirect memory reference, |
1002 | * its value is obtained from the operands in @regs. The computed address is |
1003 | * stored @eff_addr. Also, the register operand that indicates the associated |
1004 | * segment is stored in @regoff, this parameter can later be used to determine |
1005 | * such segment. |
1006 | * |
1007 | * Returns: |
1008 | * |
1009 | * 0 on success. @eff_addr will have the referenced effective address. @regoff |
1010 | * will have a register, as an offset from the base of pt_regs, that can be used |
1011 | * to resolve the associated segment. |
1012 | * |
1013 | * -EINVAL on error. |
1014 | */ |
1015 | static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, |
1016 | int *regoff, long *eff_addr) |
1017 | { |
1018 | long tmp; |
1019 | int ret; |
1020 | |
1021 | if (insn->addr_bytes != 8 && insn->addr_bytes != 4) |
1022 | return -EINVAL; |
1023 | |
1024 | ret = insn_get_modrm(insn); |
1025 | if (ret) |
1026 | return ret; |
1027 | |
1028 | if (X86_MODRM_MOD(insn->modrm.value) > 2) |
1029 | return -EINVAL; |
1030 | |
1031 | *regoff = get_reg_offset(insn, regs, type: REG_TYPE_RM); |
1032 | |
1033 | /* |
1034 | * -EDOM means that we must ignore the address_offset. In such a case, |
1035 | * in 64-bit mode the effective address relative to the rIP of the |
1036 | * following instruction. |
1037 | */ |
1038 | if (*regoff == -EDOM) { |
1039 | if (any_64bit_mode(regs)) |
1040 | tmp = regs->ip + insn->length; |
1041 | else |
1042 | tmp = 0; |
1043 | } else if (*regoff < 0) { |
1044 | return -EINVAL; |
1045 | } else { |
1046 | tmp = regs_get_register(regs, offset: *regoff); |
1047 | } |
1048 | |
1049 | if (insn->addr_bytes == 4) { |
1050 | int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; |
1051 | |
1052 | *eff_addr = addr32 & 0xffffffff; |
1053 | } else { |
1054 | *eff_addr = tmp + insn->displacement.value; |
1055 | } |
1056 | |
1057 | return 0; |
1058 | } |
1059 | |
1060 | /** |
1061 | * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM |
1062 | * @insn: Instruction. Must be valid. |
1063 | * @regs: Register values as seen when entering kernel mode |
1064 | * @regoff: Obtained operand offset, in pt_regs, associated with segment |
1065 | * @eff_addr: Obtained effective address |
1066 | * |
1067 | * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. |
1068 | * After identifying the registers involved in the register-indirect memory |
1069 | * reference, its value is obtained from the operands in @regs. The computed |
1070 | * address is stored @eff_addr. Also, the register operand that indicates |
1071 | * the associated segment is stored in @regoff, this parameter can later be used |
1072 | * to determine such segment. |
1073 | * |
1074 | * Returns: |
1075 | * |
1076 | * 0 on success. @eff_addr will have the referenced effective address. @regoff |
1077 | * will have a register, as an offset from the base of pt_regs, that can be used |
1078 | * to resolve the associated segment. |
1079 | * |
1080 | * -EINVAL on error. |
1081 | */ |
1082 | static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, |
1083 | int *regoff, short *eff_addr) |
1084 | { |
1085 | int addr_offset1, addr_offset2, ret; |
1086 | short addr1 = 0, addr2 = 0, displacement; |
1087 | |
1088 | if (insn->addr_bytes != 2) |
1089 | return -EINVAL; |
1090 | |
1091 | insn_get_modrm(insn); |
1092 | |
1093 | if (!insn->modrm.nbytes) |
1094 | return -EINVAL; |
1095 | |
1096 | if (X86_MODRM_MOD(insn->modrm.value) > 2) |
1097 | return -EINVAL; |
1098 | |
1099 | ret = get_reg_offset_16(insn, regs, offs1: &addr_offset1, offs2: &addr_offset2); |
1100 | if (ret < 0) |
1101 | return -EINVAL; |
1102 | |
1103 | /* |
1104 | * Don't fail on invalid offset values. They might be invalid because |
1105 | * they cannot be used for this particular value of ModRM. Instead, use |
1106 | * them in the computation only if they contain a valid value. |
1107 | */ |
1108 | if (addr_offset1 != -EDOM) |
1109 | addr1 = regs_get_register(regs, offset: addr_offset1) & 0xffff; |
1110 | |
1111 | if (addr_offset2 != -EDOM) |
1112 | addr2 = regs_get_register(regs, offset: addr_offset2) & 0xffff; |
1113 | |
1114 | displacement = insn->displacement.value & 0xffff; |
1115 | *eff_addr = addr1 + addr2 + displacement; |
1116 | |
1117 | /* |
1118 | * The first operand register could indicate to use of either SS or DS |
1119 | * registers to obtain the segment selector. The second operand |
1120 | * register can only indicate the use of DS. Thus, the first operand |
1121 | * will be used to obtain the segment selector. |
1122 | */ |
1123 | *regoff = addr_offset1; |
1124 | |
1125 | return 0; |
1126 | } |
1127 | |
1128 | /** |
1129 | * get_eff_addr_sib() - Obtain referenced effective address via SIB |
1130 | * @insn: Instruction. Must be valid. |
1131 | * @regs: Register values as seen when entering kernel mode |
1132 | * @regoff: Obtained operand offset, in pt_regs, associated with segment |
1133 | * @eff_addr: Obtained effective address |
1134 | * |
1135 | * Obtain the effective address referenced by the SIB byte of @insn. After |
1136 | * identifying the registers involved in the indexed, register-indirect memory |
1137 | * reference, its value is obtained from the operands in @regs. The computed |
1138 | * address is stored @eff_addr. Also, the register operand that indicates the |
1139 | * associated segment is stored in @regoff, this parameter can later be used to |
1140 | * determine such segment. |
1141 | * |
1142 | * Returns: |
1143 | * |
1144 | * 0 on success. @eff_addr will have the referenced effective address. |
1145 | * @base_offset will have a register, as an offset from the base of pt_regs, |
1146 | * that can be used to resolve the associated segment. |
1147 | * |
1148 | * Negative value on error. |
1149 | */ |
1150 | static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, |
1151 | int *base_offset, long *eff_addr) |
1152 | { |
1153 | long base, indx; |
1154 | int indx_offset; |
1155 | int ret; |
1156 | |
1157 | if (insn->addr_bytes != 8 && insn->addr_bytes != 4) |
1158 | return -EINVAL; |
1159 | |
1160 | ret = insn_get_modrm(insn); |
1161 | if (ret) |
1162 | return ret; |
1163 | |
1164 | if (!insn->modrm.nbytes) |
1165 | return -EINVAL; |
1166 | |
1167 | if (X86_MODRM_MOD(insn->modrm.value) > 2) |
1168 | return -EINVAL; |
1169 | |
1170 | ret = insn_get_sib(insn); |
1171 | if (ret) |
1172 | return ret; |
1173 | |
1174 | if (!insn->sib.nbytes) |
1175 | return -EINVAL; |
1176 | |
1177 | *base_offset = get_reg_offset(insn, regs, type: REG_TYPE_BASE); |
1178 | indx_offset = get_reg_offset(insn, regs, type: REG_TYPE_INDEX); |
1179 | |
1180 | /* |
1181 | * Negative values in the base and index offset means an error when |
1182 | * decoding the SIB byte. Except -EDOM, which means that the registers |
1183 | * should not be used in the address computation. |
1184 | */ |
1185 | if (*base_offset == -EDOM) |
1186 | base = 0; |
1187 | else if (*base_offset < 0) |
1188 | return -EINVAL; |
1189 | else |
1190 | base = regs_get_register(regs, offset: *base_offset); |
1191 | |
1192 | if (indx_offset == -EDOM) |
1193 | indx = 0; |
1194 | else if (indx_offset < 0) |
1195 | return -EINVAL; |
1196 | else |
1197 | indx = regs_get_register(regs, offset: indx_offset); |
1198 | |
1199 | if (insn->addr_bytes == 4) { |
1200 | int addr32, base32, idx32; |
1201 | |
1202 | base32 = base & 0xffffffff; |
1203 | idx32 = indx & 0xffffffff; |
1204 | |
1205 | addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); |
1206 | addr32 += insn->displacement.value; |
1207 | |
1208 | *eff_addr = addr32 & 0xffffffff; |
1209 | } else { |
1210 | *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); |
1211 | *eff_addr += insn->displacement.value; |
1212 | } |
1213 | |
1214 | return 0; |
1215 | } |
1216 | |
1217 | /** |
1218 | * get_addr_ref_16() - Obtain the 16-bit address referred by instruction |
1219 | * @insn: Instruction containing ModRM byte and displacement |
1220 | * @regs: Register values as seen when entering kernel mode |
1221 | * |
1222 | * This function is to be used with 16-bit address encodings. Obtain the memory |
1223 | * address referred by the instruction's ModRM and displacement bytes. Also, the |
1224 | * segment used as base is determined by either any segment override prefixes in |
1225 | * @insn or the default segment of the registers involved in the address |
1226 | * computation. In protected mode, segment limits are enforced. |
1227 | * |
1228 | * Returns: |
1229 | * |
1230 | * Linear address referenced by the instruction operands on success. |
1231 | * |
1232 | * -1L on error. |
1233 | */ |
1234 | static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) |
1235 | { |
1236 | unsigned long linear_addr = -1L, seg_base, seg_limit; |
1237 | int ret, regoff; |
1238 | short eff_addr; |
1239 | long tmp; |
1240 | |
1241 | if (insn_get_displacement(insn)) |
1242 | goto out; |
1243 | |
1244 | if (insn->addr_bytes != 2) |
1245 | goto out; |
1246 | |
1247 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { |
1248 | ret = get_eff_addr_reg(insn, regs, regoff: ®off, eff_addr: &tmp); |
1249 | if (ret) |
1250 | goto out; |
1251 | |
1252 | eff_addr = tmp; |
1253 | } else { |
1254 | ret = get_eff_addr_modrm_16(insn, regs, regoff: ®off, eff_addr: &eff_addr); |
1255 | if (ret) |
1256 | goto out; |
1257 | } |
1258 | |
1259 | ret = get_seg_base_limit(insn, regs, regoff, base: &seg_base, limit: &seg_limit); |
1260 | if (ret) |
1261 | goto out; |
1262 | |
1263 | /* |
1264 | * Before computing the linear address, make sure the effective address |
1265 | * is within the limits of the segment. In virtual-8086 mode, segment |
1266 | * limits are not enforced. In such a case, the segment limit is -1L to |
1267 | * reflect this fact. |
1268 | */ |
1269 | if ((unsigned long)(eff_addr & 0xffff) > seg_limit) |
1270 | goto out; |
1271 | |
1272 | linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; |
1273 | |
1274 | /* Limit linear address to 20 bits */ |
1275 | if (v8086_mode(regs)) |
1276 | linear_addr &= 0xfffff; |
1277 | |
1278 | out: |
1279 | return (void __user *)linear_addr; |
1280 | } |
1281 | |
1282 | /** |
1283 | * get_addr_ref_32() - Obtain a 32-bit linear address |
1284 | * @insn: Instruction with ModRM, SIB bytes and displacement |
1285 | * @regs: Register values as seen when entering kernel mode |
1286 | * |
1287 | * This function is to be used with 32-bit address encodings to obtain the |
1288 | * linear memory address referred by the instruction's ModRM, SIB, |
1289 | * displacement bytes and segment base address, as applicable. If in protected |
1290 | * mode, segment limits are enforced. |
1291 | * |
1292 | * Returns: |
1293 | * |
1294 | * Linear address referenced by instruction and registers on success. |
1295 | * |
1296 | * -1L on error. |
1297 | */ |
1298 | static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) |
1299 | { |
1300 | unsigned long linear_addr = -1L, seg_base, seg_limit; |
1301 | int eff_addr, regoff; |
1302 | long tmp; |
1303 | int ret; |
1304 | |
1305 | if (insn->addr_bytes != 4) |
1306 | goto out; |
1307 | |
1308 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { |
1309 | ret = get_eff_addr_reg(insn, regs, regoff: ®off, eff_addr: &tmp); |
1310 | if (ret) |
1311 | goto out; |
1312 | |
1313 | eff_addr = tmp; |
1314 | |
1315 | } else { |
1316 | if (insn->sib.nbytes) { |
1317 | ret = get_eff_addr_sib(insn, regs, base_offset: ®off, eff_addr: &tmp); |
1318 | if (ret) |
1319 | goto out; |
1320 | |
1321 | eff_addr = tmp; |
1322 | } else { |
1323 | ret = get_eff_addr_modrm(insn, regs, regoff: ®off, eff_addr: &tmp); |
1324 | if (ret) |
1325 | goto out; |
1326 | |
1327 | eff_addr = tmp; |
1328 | } |
1329 | } |
1330 | |
1331 | ret = get_seg_base_limit(insn, regs, regoff, base: &seg_base, limit: &seg_limit); |
1332 | if (ret) |
1333 | goto out; |
1334 | |
1335 | /* |
1336 | * In protected mode, before computing the linear address, make sure |
1337 | * the effective address is within the limits of the segment. |
1338 | * 32-bit addresses can be used in long and virtual-8086 modes if an |
1339 | * address override prefix is used. In such cases, segment limits are |
1340 | * not enforced. When in virtual-8086 mode, the segment limit is -1L |
1341 | * to reflect this situation. |
1342 | * |
1343 | * After computed, the effective address is treated as an unsigned |
1344 | * quantity. |
1345 | */ |
1346 | if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) |
1347 | goto out; |
1348 | |
1349 | /* |
1350 | * Even though 32-bit address encodings are allowed in virtual-8086 |
1351 | * mode, the address range is still limited to [0x-0xffff]. |
1352 | */ |
1353 | if (v8086_mode(regs) && (eff_addr & ~0xffff)) |
1354 | goto out; |
1355 | |
1356 | /* |
1357 | * Data type long could be 64 bits in size. Ensure that our 32-bit |
1358 | * effective address is not sign-extended when computing the linear |
1359 | * address. |
1360 | */ |
1361 | linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; |
1362 | |
1363 | /* Limit linear address to 20 bits */ |
1364 | if (v8086_mode(regs)) |
1365 | linear_addr &= 0xfffff; |
1366 | |
1367 | out: |
1368 | return (void __user *)linear_addr; |
1369 | } |
1370 | |
1371 | /** |
1372 | * get_addr_ref_64() - Obtain a 64-bit linear address |
1373 | * @insn: Instruction struct with ModRM and SIB bytes and displacement |
1374 | * @regs: Structure with register values as seen when entering kernel mode |
1375 | * |
1376 | * This function is to be used with 64-bit address encodings to obtain the |
1377 | * linear memory address referred by the instruction's ModRM, SIB, |
1378 | * displacement bytes and segment base address, as applicable. |
1379 | * |
1380 | * Returns: |
1381 | * |
1382 | * Linear address referenced by instruction and registers on success. |
1383 | * |
1384 | * -1L on error. |
1385 | */ |
1386 | #ifndef CONFIG_X86_64 |
1387 | static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) |
1388 | { |
1389 | return (void __user *)-1L; |
1390 | } |
1391 | #else |
1392 | static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) |
1393 | { |
1394 | unsigned long linear_addr = -1L, seg_base; |
1395 | int regoff, ret; |
1396 | long eff_addr; |
1397 | |
1398 | if (insn->addr_bytes != 8) |
1399 | goto out; |
1400 | |
1401 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { |
1402 | ret = get_eff_addr_reg(insn, regs, regoff: ®off, eff_addr: &eff_addr); |
1403 | if (ret) |
1404 | goto out; |
1405 | |
1406 | } else { |
1407 | if (insn->sib.nbytes) { |
1408 | ret = get_eff_addr_sib(insn, regs, base_offset: ®off, eff_addr: &eff_addr); |
1409 | if (ret) |
1410 | goto out; |
1411 | } else { |
1412 | ret = get_eff_addr_modrm(insn, regs, regoff: ®off, eff_addr: &eff_addr); |
1413 | if (ret) |
1414 | goto out; |
1415 | } |
1416 | |
1417 | } |
1418 | |
1419 | ret = get_seg_base_limit(insn, regs, regoff, base: &seg_base, NULL); |
1420 | if (ret) |
1421 | goto out; |
1422 | |
1423 | linear_addr = (unsigned long)eff_addr + seg_base; |
1424 | |
1425 | out: |
1426 | return (void __user *)linear_addr; |
1427 | } |
1428 | #endif /* CONFIG_X86_64 */ |
1429 | |
1430 | /** |
1431 | * insn_get_addr_ref() - Obtain the linear address referred by instruction |
1432 | * @insn: Instruction structure containing ModRM byte and displacement |
1433 | * @regs: Structure with register values as seen when entering kernel mode |
1434 | * |
1435 | * Obtain the linear address referred by the instruction's ModRM, SIB and |
1436 | * displacement bytes, and segment base, as applicable. In protected mode, |
1437 | * segment limits are enforced. |
1438 | * |
1439 | * Returns: |
1440 | * |
1441 | * Linear address referenced by instruction and registers on success. |
1442 | * |
1443 | * -1L on error. |
1444 | */ |
1445 | void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) |
1446 | { |
1447 | if (!insn || !regs) |
1448 | return (void __user *)-1L; |
1449 | |
1450 | if (insn_get_opcode(insn)) |
1451 | return (void __user *)-1L; |
1452 | |
1453 | switch (insn->addr_bytes) { |
1454 | case 2: |
1455 | return get_addr_ref_16(insn, regs); |
1456 | case 4: |
1457 | return get_addr_ref_32(insn, regs); |
1458 | case 8: |
1459 | return get_addr_ref_64(insn, regs); |
1460 | default: |
1461 | return (void __user *)-1L; |
1462 | } |
1463 | } |
1464 | |
1465 | int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip) |
1466 | { |
1467 | unsigned long seg_base = 0; |
1468 | |
1469 | /* |
1470 | * If not in user-space long mode, a custom code segment could be in |
1471 | * use. This is true in protected mode (if the process defined a local |
1472 | * descriptor table), or virtual-8086 mode. In most of the cases |
1473 | * seg_base will be zero as in USER_CS. |
1474 | */ |
1475 | if (!user_64bit_mode(regs)) { |
1476 | seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS); |
1477 | if (seg_base == -1L) |
1478 | return -EINVAL; |
1479 | } |
1480 | |
1481 | *ip = seg_base + regs->ip; |
1482 | |
1483 | return 0; |
1484 | } |
1485 | |
1486 | /** |
1487 | * insn_fetch_from_user() - Copy instruction bytes from user-space memory |
1488 | * @regs: Structure with register values as seen when entering kernel mode |
1489 | * @buf: Array to store the fetched instruction |
1490 | * |
1491 | * Gets the linear address of the instruction and copies the instruction bytes |
1492 | * to the buf. |
1493 | * |
1494 | * Returns: |
1495 | * |
1496 | * - number of instruction bytes copied. |
1497 | * - 0 if nothing was copied. |
1498 | * - -EINVAL if the linear address of the instruction could not be calculated |
1499 | */ |
1500 | int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) |
1501 | { |
1502 | unsigned long ip; |
1503 | int not_copied; |
1504 | |
1505 | if (insn_get_effective_ip(regs, ip: &ip)) |
1506 | return -EINVAL; |
1507 | |
1508 | not_copied = copy_from_user(to: buf, from: (void __user *)ip, MAX_INSN_SIZE); |
1509 | |
1510 | return MAX_INSN_SIZE - not_copied; |
1511 | } |
1512 | |
1513 | /** |
1514 | * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory |
1515 | * while in atomic code |
1516 | * @regs: Structure with register values as seen when entering kernel mode |
1517 | * @buf: Array to store the fetched instruction |
1518 | * |
1519 | * Gets the linear address of the instruction and copies the instruction bytes |
1520 | * to the buf. This function must be used in atomic context. |
1521 | * |
1522 | * Returns: |
1523 | * |
1524 | * - number of instruction bytes copied. |
1525 | * - 0 if nothing was copied. |
1526 | * - -EINVAL if the linear address of the instruction could not be calculated. |
1527 | */ |
1528 | int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) |
1529 | { |
1530 | unsigned long ip; |
1531 | int not_copied; |
1532 | |
1533 | if (insn_get_effective_ip(regs, ip: &ip)) |
1534 | return -EINVAL; |
1535 | |
1536 | not_copied = __copy_from_user_inatomic(to: buf, from: (void __user *)ip, MAX_INSN_SIZE); |
1537 | |
1538 | return MAX_INSN_SIZE - not_copied; |
1539 | } |
1540 | |
1541 | /** |
1542 | * insn_decode_from_regs() - Decode an instruction |
1543 | * @insn: Structure to store decoded instruction |
1544 | * @regs: Structure with register values as seen when entering kernel mode |
1545 | * @buf: Buffer containing the instruction bytes |
1546 | * @buf_size: Number of instruction bytes available in buf |
1547 | * |
1548 | * Decodes the instruction provided in buf and stores the decoding results in |
1549 | * insn. Also determines the correct address and operand sizes. |
1550 | * |
1551 | * Returns: |
1552 | * |
1553 | * True if instruction was decoded, False otherwise. |
1554 | */ |
1555 | bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs, |
1556 | unsigned char buf[MAX_INSN_SIZE], int buf_size) |
1557 | { |
1558 | int seg_defs; |
1559 | |
1560 | insn_init(insn, kaddr: buf, buf_len: buf_size, x86_64: user_64bit_mode(regs)); |
1561 | |
1562 | /* |
1563 | * Override the default operand and address sizes with what is specified |
1564 | * in the code segment descriptor. The instruction decoder only sets |
1565 | * the address size it to either 4 or 8 address bytes and does nothing |
1566 | * for the operand bytes. This OK for most of the cases, but we could |
1567 | * have special cases where, for instance, a 16-bit code segment |
1568 | * descriptor is used. |
1569 | * If there is an address override prefix, the instruction decoder |
1570 | * correctly updates these values, even for 16-bit defaults. |
1571 | */ |
1572 | seg_defs = insn_get_code_seg_params(regs); |
1573 | if (seg_defs == -EINVAL) |
1574 | return false; |
1575 | |
1576 | insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs); |
1577 | insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs); |
1578 | |
1579 | if (insn_get_length(insn)) |
1580 | return false; |
1581 | |
1582 | if (buf_size < insn->length) |
1583 | return false; |
1584 | |
1585 | return true; |
1586 | } |
1587 | |
1588 | /** |
1589 | * insn_decode_mmio() - Decode a MMIO instruction |
1590 | * @insn: Structure to store decoded instruction |
1591 | * @bytes: Returns size of memory operand |
1592 | * |
1593 | * Decodes instruction that used for Memory-mapped I/O. |
1594 | * |
1595 | * Returns: |
1596 | * |
1597 | * Type of the instruction. Size of the memory operand is stored in |
1598 | * @bytes. If decode failed, INSN_MMIO_DECODE_FAILED returned. |
1599 | */ |
1600 | enum insn_mmio_type insn_decode_mmio(struct insn *insn, int *bytes) |
1601 | { |
1602 | enum insn_mmio_type type = INSN_MMIO_DECODE_FAILED; |
1603 | |
1604 | *bytes = 0; |
1605 | |
1606 | if (insn_get_opcode(insn)) |
1607 | return INSN_MMIO_DECODE_FAILED; |
1608 | |
1609 | switch (insn->opcode.bytes[0]) { |
1610 | case 0x88: /* MOV m8,r8 */ |
1611 | *bytes = 1; |
1612 | fallthrough; |
1613 | case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */ |
1614 | if (!*bytes) |
1615 | *bytes = insn->opnd_bytes; |
1616 | type = INSN_MMIO_WRITE; |
1617 | break; |
1618 | |
1619 | case 0xc6: /* MOV m8, imm8 */ |
1620 | *bytes = 1; |
1621 | fallthrough; |
1622 | case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */ |
1623 | if (!*bytes) |
1624 | *bytes = insn->opnd_bytes; |
1625 | type = INSN_MMIO_WRITE_IMM; |
1626 | break; |
1627 | |
1628 | case 0x8a: /* MOV r8, m8 */ |
1629 | *bytes = 1; |
1630 | fallthrough; |
1631 | case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */ |
1632 | if (!*bytes) |
1633 | *bytes = insn->opnd_bytes; |
1634 | type = INSN_MMIO_READ; |
1635 | break; |
1636 | |
1637 | case 0xa4: /* MOVS m8, m8 */ |
1638 | *bytes = 1; |
1639 | fallthrough; |
1640 | case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */ |
1641 | if (!*bytes) |
1642 | *bytes = insn->opnd_bytes; |
1643 | type = INSN_MMIO_MOVS; |
1644 | break; |
1645 | |
1646 | case 0x0f: /* Two-byte instruction */ |
1647 | switch (insn->opcode.bytes[1]) { |
1648 | case 0xb6: /* MOVZX r16/r32/r64, m8 */ |
1649 | *bytes = 1; |
1650 | fallthrough; |
1651 | case 0xb7: /* MOVZX r32/r64, m16 */ |
1652 | if (!*bytes) |
1653 | *bytes = 2; |
1654 | type = INSN_MMIO_READ_ZERO_EXTEND; |
1655 | break; |
1656 | |
1657 | case 0xbe: /* MOVSX r16/r32/r64, m8 */ |
1658 | *bytes = 1; |
1659 | fallthrough; |
1660 | case 0xbf: /* MOVSX r32/r64, m16 */ |
1661 | if (!*bytes) |
1662 | *bytes = 2; |
1663 | type = INSN_MMIO_READ_SIGN_EXTEND; |
1664 | break; |
1665 | } |
1666 | break; |
1667 | } |
1668 | |
1669 | return type; |
1670 | } |
1671 | |