]>
Commit | Line | Data |
---|---|---|
32542ee2 RN |
1 | /* |
2 | * Utility functions for x86 operand and address decoding | |
3 | * | |
4 | * Copyright (C) Intel Corporation 2017 | |
5 | */ | |
6 | #include <linux/kernel.h> | |
7 | #include <linux/string.h> | |
ed594e4b | 8 | #include <linux/ratelimit.h> |
670f928b RN |
9 | #include <linux/mmu_context.h> |
10 | #include <asm/desc_defs.h> | |
11 | #include <asm/desc.h> | |
32542ee2 RN |
12 | #include <asm/inat.h> |
13 | #include <asm/insn.h> | |
14 | #include <asm/insn-eval.h> | |
670f928b | 15 | #include <asm/ldt.h> |
32d0b953 | 16 | #include <asm/vm86.h> |
32542ee2 | 17 | |
ed594e4b RN |
18 | #undef pr_fmt |
19 | #define pr_fmt(fmt) "insn: " fmt | |
20 | ||
32542ee2 RN |
21 | enum reg_type { |
22 | REG_TYPE_RM = 0, | |
23 | REG_TYPE_INDEX, | |
24 | REG_TYPE_BASE, | |
25 | }; | |
26 | ||
536b8153 RN |
27 | /** |
28 | * is_string_insn() - Determine if instruction is a string instruction | |
29 | * @insn: Instruction containing the opcode to inspect | |
30 | * | |
31 | * Returns: | |
32 | * | |
33 | * true if the instruction, determined by the opcode, is any of the | |
34 | * string instructions as defined in the Intel Software Development manual. | |
35 | * False otherwise. | |
36 | */ | |
37 | static bool is_string_insn(struct insn *insn) | |
38 | { | |
39 | insn_get_opcode(insn); | |
40 | ||
41 | /* All string instructions have a 1-byte opcode. */ | |
42 | if (insn->opcode.nbytes != 1) | |
43 | return false; | |
44 | ||
45 | switch (insn->opcode.bytes[0]) { | |
46 | case 0x6c ... 0x6f: /* INS, OUTS */ | |
47 | case 0xa4 ... 0xa7: /* MOVS, CMPS */ | |
48 | case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ | |
49 | return true; | |
50 | default: | |
51 | return false; | |
52 | } | |
53 | } | |
54 | ||
32d0b953 RN |
55 | /** |
56 | * get_seg_reg_override_idx() - obtain segment register override index | |
57 | * @insn: Valid instruction with segment override prefixes | |
58 | * | |
59 | * Inspect the instruction prefixes in @insn and find segment overrides, if any. | |
60 | * | |
61 | * Returns: | |
62 | * | |
63 | * A constant identifying the segment register to use, among CS, SS, DS, | |
64 | * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override | |
65 | * prefixes were found. | |
66 | * | |
67 | * -EINVAL in case of error. | |
68 | */ | |
69 | static int get_seg_reg_override_idx(struct insn *insn) | |
70 | { | |
71 | int idx = INAT_SEG_REG_DEFAULT; | |
72 | int num_overrides = 0, i; | |
73 | ||
74 | insn_get_prefixes(insn); | |
75 | ||
76 | /* Look for any segment override prefixes. */ | |
77 | for (i = 0; i < insn->prefixes.nbytes; i++) { | |
78 | insn_attr_t attr; | |
79 | ||
80 | attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); | |
81 | switch (attr) { | |
82 | case INAT_MAKE_PREFIX(INAT_PFX_CS): | |
83 | idx = INAT_SEG_REG_CS; | |
84 | num_overrides++; | |
85 | break; | |
86 | case INAT_MAKE_PREFIX(INAT_PFX_SS): | |
87 | idx = INAT_SEG_REG_SS; | |
88 | num_overrides++; | |
89 | break; | |
90 | case INAT_MAKE_PREFIX(INAT_PFX_DS): | |
91 | idx = INAT_SEG_REG_DS; | |
92 | num_overrides++; | |
93 | break; | |
94 | case INAT_MAKE_PREFIX(INAT_PFX_ES): | |
95 | idx = INAT_SEG_REG_ES; | |
96 | num_overrides++; | |
97 | break; | |
98 | case INAT_MAKE_PREFIX(INAT_PFX_FS): | |
99 | idx = INAT_SEG_REG_FS; | |
100 | num_overrides++; | |
101 | break; | |
102 | case INAT_MAKE_PREFIX(INAT_PFX_GS): | |
103 | idx = INAT_SEG_REG_GS; | |
104 | num_overrides++; | |
105 | break; | |
106 | /* No default action needed. */ | |
107 | } | |
108 | } | |
109 | ||
110 | /* More than one segment override prefix leads to undefined behavior. */ | |
111 | if (num_overrides > 1) | |
112 | return -EINVAL; | |
113 | ||
114 | return idx; | |
115 | } | |
116 | ||
117 | /** | |
118 | * check_seg_overrides() - check if segment override prefixes are allowed | |
119 | * @insn: Valid instruction with segment override prefixes | |
120 | * @regoff: Operand offset, in pt_regs, for which the check is performed | |
121 | * | |
122 | * For a particular register used in register-indirect addressing, determine if | |
123 | * segment override prefixes can be used. Specifically, no overrides are allowed | |
124 | * for rDI if used with a string instruction. | |
125 | * | |
126 | * Returns: | |
127 | * | |
128 | * True if segment override prefixes can be used with the register indicated | |
129 | * in @regoff. False if otherwise. | |
130 | */ | |
131 | static bool check_seg_overrides(struct insn *insn, int regoff) | |
132 | { | |
133 | if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) | |
134 | return false; | |
135 | ||
136 | return true; | |
137 | } | |
138 | ||
139 | /** | |
140 | * resolve_default_seg() - resolve default segment register index for an operand | |
141 | * @insn: Instruction with opcode and address size. Must be valid. | |
142 | * @regs: Register values as seen when entering kernel mode | |
143 | * @off: Operand offset, in pt_regs, for which resolution is needed | |
144 | * | |
145 | * Resolve the default segment register index associated with the instruction | |
146 | * operand register indicated by @off. Such index is resolved based on defaults | |
147 | * described in the Intel Software Development Manual. | |
148 | * | |
149 | * Returns: | |
150 | * | |
151 | * If in protected mode, a constant identifying the segment register to use, | |
152 | * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. | |
153 | * | |
154 | * -EINVAL in case of error. | |
155 | */ | |
156 | static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) | |
157 | { | |
158 | if (user_64bit_mode(regs)) | |
159 | return INAT_SEG_REG_IGNORE; | |
160 | /* | |
161 | * Resolve the default segment register as described in Section 3.7.4 | |
162 | * of the Intel Software Development Manual Vol. 1: | |
163 | * | |
164 | * + DS for all references involving r[ABCD]X, and rSI. | |
165 | * + If used in a string instruction, ES for rDI. Otherwise, DS. | |
166 | * + AX, CX and DX are not valid register operands in 16-bit address | |
167 | * encodings but are valid for 32-bit and 64-bit encodings. | |
168 | * + -EDOM is reserved to identify for cases in which no register | |
169 | * is used (i.e., displacement-only addressing). Use DS. | |
170 | * + SS for rSP or rBP. | |
171 | * + CS for rIP. | |
172 | */ | |
173 | ||
174 | switch (off) { | |
175 | case offsetof(struct pt_regs, ax): | |
176 | case offsetof(struct pt_regs, cx): | |
177 | case offsetof(struct pt_regs, dx): | |
178 | /* Need insn to verify address size. */ | |
179 | if (insn->addr_bytes == 2) | |
180 | return -EINVAL; | |
181 | ||
182 | case -EDOM: | |
183 | case offsetof(struct pt_regs, bx): | |
184 | case offsetof(struct pt_regs, si): | |
185 | return INAT_SEG_REG_DS; | |
186 | ||
187 | case offsetof(struct pt_regs, di): | |
188 | if (is_string_insn(insn)) | |
189 | return INAT_SEG_REG_ES; | |
190 | return INAT_SEG_REG_DS; | |
191 | ||
192 | case offsetof(struct pt_regs, bp): | |
193 | case offsetof(struct pt_regs, sp): | |
194 | return INAT_SEG_REG_SS; | |
195 | ||
196 | case offsetof(struct pt_regs, ip): | |
197 | return INAT_SEG_REG_CS; | |
198 | ||
199 | default: | |
200 | return -EINVAL; | |
201 | } | |
202 | } | |
203 | ||
204 | /** | |
205 | * resolve_seg_reg() - obtain segment register index | |
206 | * @insn: Instruction with operands | |
207 | * @regs: Register values as seen when entering kernel mode | |
208 | * @regoff: Operand offset, in pt_regs, used to deterimine segment register | |
209 | * | |
210 | * Determine the segment register associated with the operands and, if | |
211 | * applicable, prefixes and the instruction pointed by @insn. | |
212 | * | |
213 | * The segment register associated to an operand used in register-indirect | |
214 | * addressing depends on: | |
215 | * | |
216 | * a) Whether running in long mode (in such a case segments are ignored, except | |
217 | * if FS or GS are used). | |
218 | * | |
219 | * b) Whether segment override prefixes can be used. Certain instructions and | |
220 | * registers do not allow override prefixes. | |
221 | * | |
222 | * c) Whether segment overrides prefixes are found in the instruction prefixes. | |
223 | * | |
224 | * d) If there are not segment override prefixes or they cannot be used, the | |
225 | * default segment register associated with the operand register is used. | |
226 | * | |
227 | * The function checks first if segment override prefixes can be used with the | |
228 | * operand indicated by @regoff. If allowed, obtain such overridden segment | |
229 | * register index. Lastly, if not prefixes were found or cannot be used, resolve | |
230 | * the segment register index to use based on the defaults described in the | |
231 | * Intel documentation. In long mode, all segment register indexes will be | |
232 | * ignored, except if overrides were found for FS or GS. All these operations | |
233 | * are done using helper functions. | |
234 | * | |
235 | * The operand register, @regoff, is represented as the offset from the base of | |
236 | * pt_regs. | |
237 | * | |
238 | * As stated, the main use of this function is to determine the segment register | |
239 | * index based on the instruction, its operands and prefixes. Hence, @insn | |
240 | * must be valid. However, if @regoff indicates rIP, we don't need to inspect | |
241 | * @insn at all as in this case CS is used in all cases. This case is checked | |
242 | * before proceeding further. | |
243 | * | |
244 | * Please note that this function does not return the value in the segment | |
245 | * register (i.e., the segment selector) but our defined index. The segment | |
246 | * selector needs to be obtained using get_segment_selector() and passing the | |
247 | * segment register index resolved by this function. | |
248 | * | |
249 | * Returns: | |
250 | * | |
251 | * An index identifying the segment register to use, among CS, SS, DS, | |
252 | * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. | |
253 | * | |
254 | * -EINVAL in case of error. | |
255 | */ | |
256 | static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) | |
257 | { | |
258 | int idx; | |
259 | ||
260 | /* | |
261 | * In the unlikely event of having to resolve the segment register | |
262 | * index for rIP, do it first. Segment override prefixes should not | |
263 | * be used. Hence, it is not necessary to inspect the instruction, | |
264 | * which may be invalid at this point. | |
265 | */ | |
266 | if (regoff == offsetof(struct pt_regs, ip)) { | |
267 | if (user_64bit_mode(regs)) | |
268 | return INAT_SEG_REG_IGNORE; | |
269 | else | |
270 | return INAT_SEG_REG_CS; | |
271 | } | |
272 | ||
273 | if (!insn) | |
274 | return -EINVAL; | |
275 | ||
276 | if (!check_seg_overrides(insn, regoff)) | |
277 | return resolve_default_seg(insn, regs, regoff); | |
278 | ||
279 | idx = get_seg_reg_override_idx(insn); | |
280 | if (idx < 0) | |
281 | return idx; | |
282 | ||
283 | if (idx == INAT_SEG_REG_DEFAULT) | |
284 | return resolve_default_seg(insn, regs, regoff); | |
285 | ||
286 | /* | |
287 | * In long mode, segment override prefixes are ignored, except for | |
288 | * overrides for FS and GS. | |
289 | */ | |
290 | if (user_64bit_mode(regs)) { | |
291 | if (idx != INAT_SEG_REG_FS && | |
292 | idx != INAT_SEG_REG_GS) | |
293 | idx = INAT_SEG_REG_IGNORE; | |
294 | } | |
295 | ||
296 | return idx; | |
297 | } | |
298 | ||
299 | /** | |
300 | * get_segment_selector() - obtain segment selector | |
301 | * @regs: Register values as seen when entering kernel mode | |
302 | * @seg_reg_idx: Segment register index to use | |
303 | * | |
304 | * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment | |
305 | * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or | |
306 | * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained | |
307 | * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU | |
308 | * registers. This done for only for completeness as in CONFIG_X86_64 segment | |
309 | * registers are ignored. | |
310 | * | |
311 | * Returns: | |
312 | * | |
313 | * Value of the segment selector, including null when running in | |
314 | * long mode. | |
315 | * | |
316 | * -EINVAL on error. | |
317 | */ | |
318 | static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) | |
319 | { | |
320 | #ifdef CONFIG_X86_64 | |
321 | unsigned short sel; | |
322 | ||
323 | switch (seg_reg_idx) { | |
324 | case INAT_SEG_REG_IGNORE: | |
325 | return 0; | |
326 | case INAT_SEG_REG_CS: | |
327 | return (unsigned short)(regs->cs & 0xffff); | |
328 | case INAT_SEG_REG_SS: | |
329 | return (unsigned short)(regs->ss & 0xffff); | |
330 | case INAT_SEG_REG_DS: | |
331 | savesegment(ds, sel); | |
332 | return sel; | |
333 | case INAT_SEG_REG_ES: | |
334 | savesegment(es, sel); | |
335 | return sel; | |
336 | case INAT_SEG_REG_FS: | |
337 | savesegment(fs, sel); | |
338 | return sel; | |
339 | case INAT_SEG_REG_GS: | |
340 | savesegment(gs, sel); | |
341 | return sel; | |
342 | default: | |
343 | return -EINVAL; | |
344 | } | |
345 | #else /* CONFIG_X86_32 */ | |
346 | struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; | |
347 | ||
348 | if (v8086_mode(regs)) { | |
349 | switch (seg_reg_idx) { | |
350 | case INAT_SEG_REG_CS: | |
351 | return (unsigned short)(regs->cs & 0xffff); | |
352 | case INAT_SEG_REG_SS: | |
353 | return (unsigned short)(regs->ss & 0xffff); | |
354 | case INAT_SEG_REG_DS: | |
355 | return vm86regs->ds; | |
356 | case INAT_SEG_REG_ES: | |
357 | return vm86regs->es; | |
358 | case INAT_SEG_REG_FS: | |
359 | return vm86regs->fs; | |
360 | case INAT_SEG_REG_GS: | |
361 | return vm86regs->gs; | |
362 | case INAT_SEG_REG_IGNORE: | |
363 | /* fall through */ | |
364 | default: | |
365 | return -EINVAL; | |
366 | } | |
367 | } | |
368 | ||
369 | switch (seg_reg_idx) { | |
370 | case INAT_SEG_REG_CS: | |
371 | return (unsigned short)(regs->cs & 0xffff); | |
372 | case INAT_SEG_REG_SS: | |
373 | return (unsigned short)(regs->ss & 0xffff); | |
374 | case INAT_SEG_REG_DS: | |
375 | return (unsigned short)(regs->ds & 0xffff); | |
376 | case INAT_SEG_REG_ES: | |
377 | return (unsigned short)(regs->es & 0xffff); | |
378 | case INAT_SEG_REG_FS: | |
379 | return (unsigned short)(regs->fs & 0xffff); | |
380 | case INAT_SEG_REG_GS: | |
381 | /* | |
382 | * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. | |
383 | * The macro below takes care of both cases. | |
384 | */ | |
385 | return get_user_gs(regs); | |
386 | case INAT_SEG_REG_IGNORE: | |
387 | /* fall through */ | |
388 | default: | |
389 | return -EINVAL; | |
390 | } | |
391 | #endif /* CONFIG_X86_64 */ | |
392 | } | |
393 | ||
32542ee2 RN |
394 | static int get_reg_offset(struct insn *insn, struct pt_regs *regs, |
395 | enum reg_type type) | |
396 | { | |
397 | int regno = 0; | |
398 | ||
399 | static const int regoff[] = { | |
400 | offsetof(struct pt_regs, ax), | |
401 | offsetof(struct pt_regs, cx), | |
402 | offsetof(struct pt_regs, dx), | |
403 | offsetof(struct pt_regs, bx), | |
404 | offsetof(struct pt_regs, sp), | |
405 | offsetof(struct pt_regs, bp), | |
406 | offsetof(struct pt_regs, si), | |
407 | offsetof(struct pt_regs, di), | |
408 | #ifdef CONFIG_X86_64 | |
409 | offsetof(struct pt_regs, r8), | |
410 | offsetof(struct pt_regs, r9), | |
411 | offsetof(struct pt_regs, r10), | |
412 | offsetof(struct pt_regs, r11), | |
413 | offsetof(struct pt_regs, r12), | |
414 | offsetof(struct pt_regs, r13), | |
415 | offsetof(struct pt_regs, r14), | |
416 | offsetof(struct pt_regs, r15), | |
417 | #endif | |
418 | }; | |
419 | int nr_registers = ARRAY_SIZE(regoff); | |
420 | /* | |
421 | * Don't possibly decode a 32-bit instructions as | |
422 | * reading a 64-bit-only register. | |
423 | */ | |
424 | if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) | |
425 | nr_registers -= 8; | |
426 | ||
427 | switch (type) { | |
428 | case REG_TYPE_RM: | |
429 | regno = X86_MODRM_RM(insn->modrm.value); | |
e526a302 RN |
430 | |
431 | /* | |
432 | * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement | |
433 | * follows the ModRM byte. | |
434 | */ | |
435 | if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) | |
436 | return -EDOM; | |
437 | ||
32542ee2 RN |
438 | if (X86_REX_B(insn->rex_prefix.value)) |
439 | regno += 8; | |
440 | break; | |
441 | ||
442 | case REG_TYPE_INDEX: | |
443 | regno = X86_SIB_INDEX(insn->sib.value); | |
444 | if (X86_REX_X(insn->rex_prefix.value)) | |
445 | regno += 8; | |
446 | ||
447 | /* | |
448 | * If ModRM.mod != 3 and SIB.index = 4 the scale*index | |
449 | * portion of the address computation is null. This is | |
450 | * true only if REX.X is 0. In such a case, the SIB index | |
451 | * is used in the address computation. | |
452 | */ | |
453 | if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) | |
454 | return -EDOM; | |
455 | break; | |
456 | ||
457 | case REG_TYPE_BASE: | |
458 | regno = X86_SIB_BASE(insn->sib.value); | |
459 | /* | |
460 | * If ModRM.mod is 0 and SIB.base == 5, the base of the | |
461 | * register-indirect addressing is 0. In this case, a | |
462 | * 32-bit displacement follows the SIB byte. | |
463 | */ | |
464 | if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) | |
465 | return -EDOM; | |
466 | ||
467 | if (X86_REX_B(insn->rex_prefix.value)) | |
468 | regno += 8; | |
469 | break; | |
470 | ||
471 | default: | |
ed594e4b RN |
472 | pr_err_ratelimited("invalid register type: %d\n", type); |
473 | return -EINVAL; | |
32542ee2 RN |
474 | } |
475 | ||
476 | if (regno >= nr_registers) { | |
477 | WARN_ONCE(1, "decoded an instruction with an invalid register"); | |
478 | return -EINVAL; | |
479 | } | |
480 | return regoff[regno]; | |
481 | } | |
482 | ||
9c6c799f RN |
483 | /** |
484 | * get_reg_offset_16() - Obtain offset of register indicated by instruction | |
485 | * @insn: Instruction containing ModRM byte | |
486 | * @regs: Register values as seen when entering kernel mode | |
487 | * @offs1: Offset of the first operand register | |
488 | * @offs2: Offset of the second opeand register, if applicable | |
489 | * | |
490 | * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte | |
491 | * in @insn. This function is to be used with 16-bit address encodings. The | |
492 | * @offs1 and @offs2 will be written with the offset of the two registers | |
493 | * indicated by the instruction. In cases where any of the registers is not | |
494 | * referenced by the instruction, the value will be set to -EDOM. | |
495 | * | |
496 | * Returns: | |
497 | * | |
498 | * 0 on success, -EINVAL on error. | |
499 | */ | |
500 | static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, | |
501 | int *offs1, int *offs2) | |
502 | { | |
503 | /* | |
504 | * 16-bit addressing can use one or two registers. Specifics of | |
505 | * encodings are given in Table 2-1. "16-Bit Addressing Forms with the | |
506 | * ModR/M Byte" of the Intel Software Development Manual. | |
507 | */ | |
508 | static const int regoff1[] = { | |
509 | offsetof(struct pt_regs, bx), | |
510 | offsetof(struct pt_regs, bx), | |
511 | offsetof(struct pt_regs, bp), | |
512 | offsetof(struct pt_regs, bp), | |
513 | offsetof(struct pt_regs, si), | |
514 | offsetof(struct pt_regs, di), | |
515 | offsetof(struct pt_regs, bp), | |
516 | offsetof(struct pt_regs, bx), | |
517 | }; | |
518 | ||
519 | static const int regoff2[] = { | |
520 | offsetof(struct pt_regs, si), | |
521 | offsetof(struct pt_regs, di), | |
522 | offsetof(struct pt_regs, si), | |
523 | offsetof(struct pt_regs, di), | |
524 | -EDOM, | |
525 | -EDOM, | |
526 | -EDOM, | |
527 | -EDOM, | |
528 | }; | |
529 | ||
530 | if (!offs1 || !offs2) | |
531 | return -EINVAL; | |
532 | ||
533 | /* Operand is a register, use the generic function. */ | |
534 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { | |
535 | *offs1 = insn_get_modrm_rm_off(insn, regs); | |
536 | *offs2 = -EDOM; | |
537 | return 0; | |
538 | } | |
539 | ||
540 | *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; | |
541 | *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; | |
542 | ||
543 | /* | |
544 | * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- | |
545 | * only addressing. This means that no registers are involved in | |
546 | * computing the effective address. Thus, ensure that the first | |
547 | * register offset is invalild. The second register offset is already | |
548 | * invalid under the aforementioned conditions. | |
549 | */ | |
550 | if ((X86_MODRM_MOD(insn->modrm.value) == 0) && | |
551 | (X86_MODRM_RM(insn->modrm.value) == 6)) | |
552 | *offs1 = -EDOM; | |
553 | ||
554 | return 0; | |
555 | } | |
556 | ||
670f928b RN |
557 | /** |
558 | * get_desc() - Obtain pointer to a segment descriptor | |
559 | * @sel: Segment selector | |
560 | * | |
561 | * Given a segment selector, obtain a pointer to the segment descriptor. | |
562 | * Both global and local descriptor tables are supported. | |
563 | * | |
564 | * Returns: | |
565 | * | |
566 | * Pointer to segment descriptor on success. | |
567 | * | |
568 | * NULL on error. | |
569 | */ | |
570 | static struct desc_struct *get_desc(unsigned short sel) | |
571 | { | |
572 | struct desc_ptr gdt_desc = {0, 0}; | |
573 | unsigned long desc_base; | |
574 | ||
575 | #ifdef CONFIG_MODIFY_LDT_SYSCALL | |
576 | if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { | |
577 | struct desc_struct *desc = NULL; | |
578 | struct ldt_struct *ldt; | |
579 | ||
580 | /* Bits [15:3] contain the index of the desired entry. */ | |
581 | sel >>= 3; | |
582 | ||
583 | mutex_lock(¤t->active_mm->context.lock); | |
584 | ldt = current->active_mm->context.ldt; | |
585 | if (ldt && sel < ldt->nr_entries) | |
586 | desc = &ldt->entries[sel]; | |
587 | ||
588 | mutex_unlock(¤t->active_mm->context.lock); | |
589 | ||
590 | return desc; | |
591 | } | |
592 | #endif | |
593 | native_store_gdt(&gdt_desc); | |
594 | ||
595 | /* | |
596 | * Segment descriptors have a size of 8 bytes. Thus, the index is | |
597 | * multiplied by 8 to obtain the memory offset of the desired descriptor | |
598 | * from the base of the GDT. As bits [15:3] of the segment selector | |
599 | * contain the index, it can be regarded as multiplied by 8 already. | |
600 | * All that remains is to clear bits [2:0]. | |
601 | */ | |
602 | desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); | |
603 | ||
604 | if (desc_base > gdt_desc.size) | |
605 | return NULL; | |
606 | ||
607 | return (struct desc_struct *)(gdt_desc.address + desc_base); | |
608 | } | |
609 | ||
bd5a410a RN |
610 | /** |
611 | * insn_get_seg_base() - Obtain base address of segment descriptor. | |
612 | * @regs: Register values as seen when entering kernel mode | |
613 | * @seg_reg_idx: Index of the segment register pointing to seg descriptor | |
614 | * | |
615 | * Obtain the base address of the segment as indicated by the segment descriptor | |
616 | * pointed by the segment selector. The segment selector is obtained from the | |
617 | * input segment register index @seg_reg_idx. | |
618 | * | |
619 | * Returns: | |
620 | * | |
621 | * In protected mode, base address of the segment. Zero in long mode, | |
622 | * except when FS or GS are used. In virtual-8086 mode, the segment | |
623 | * selector shifted 4 bits to the right. | |
624 | * | |
625 | * -1L in case of error. | |
626 | */ | |
627 | unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) | |
628 | { | |
629 | struct desc_struct *desc; | |
630 | short sel; | |
631 | ||
632 | sel = get_segment_selector(regs, seg_reg_idx); | |
633 | if (sel < 0) | |
634 | return -1L; | |
635 | ||
636 | if (v8086_mode(regs)) | |
637 | /* | |
638 | * Base is simply the segment selector shifted 4 | |
639 | * bits to the right. | |
640 | */ | |
641 | return (unsigned long)(sel << 4); | |
642 | ||
643 | if (user_64bit_mode(regs)) { | |
644 | /* | |
645 | * Only FS or GS will have a base address, the rest of | |
646 | * the segments' bases are forced to 0. | |
647 | */ | |
648 | unsigned long base; | |
649 | ||
650 | if (seg_reg_idx == INAT_SEG_REG_FS) | |
651 | rdmsrl(MSR_FS_BASE, base); | |
652 | else if (seg_reg_idx == INAT_SEG_REG_GS) | |
653 | /* | |
654 | * swapgs was called at the kernel entry point. Thus, | |
655 | * MSR_KERNEL_GS_BASE will have the user-space GS base. | |
656 | */ | |
657 | rdmsrl(MSR_KERNEL_GS_BASE, base); | |
658 | else | |
659 | base = 0; | |
660 | return base; | |
661 | } | |
662 | ||
663 | /* In protected mode the segment selector cannot be null. */ | |
664 | if (!sel) | |
665 | return -1L; | |
666 | ||
667 | desc = get_desc(sel); | |
668 | if (!desc) | |
669 | return -1L; | |
670 | ||
671 | return get_desc_base(desc); | |
672 | } | |
673 | ||
674 | /** | |
675 | * get_seg_limit() - Obtain the limit of a segment descriptor | |
676 | * @regs: Register values as seen when entering kernel mode | |
677 | * @seg_reg_idx: Index of the segment register pointing to seg descriptor | |
678 | * | |
679 | * Obtain the limit of the segment as indicated by the segment descriptor | |
680 | * pointed by the segment selector. The segment selector is obtained from the | |
681 | * input segment register index @seg_reg_idx. | |
682 | * | |
683 | * Returns: | |
684 | * | |
685 | * In protected mode, the limit of the segment descriptor in bytes. | |
686 | * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, | |
687 | * limit is returned as -1L to imply a limit-less segment. | |
688 | * | |
689 | * Zero is returned on error. | |
690 | */ | |
691 | static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) | |
692 | { | |
693 | struct desc_struct *desc; | |
694 | unsigned long limit; | |
695 | short sel; | |
696 | ||
697 | sel = get_segment_selector(regs, seg_reg_idx); | |
698 | if (sel < 0) | |
699 | return 0; | |
700 | ||
701 | if (user_64bit_mode(regs) || v8086_mode(regs)) | |
702 | return -1L; | |
703 | ||
704 | if (!sel) | |
705 | return 0; | |
706 | ||
707 | desc = get_desc(sel); | |
708 | if (!desc) | |
709 | return 0; | |
710 | ||
711 | /* | |
712 | * If the granularity bit is set, the limit is given in multiples | |
713 | * of 4096. This also means that the 12 least significant bits are | |
714 | * not tested when checking the segment limits. In practice, | |
715 | * this means that the segment ends in (limit << 12) + 0xfff. | |
716 | */ | |
717 | limit = get_desc_limit(desc); | |
718 | if (desc->g) | |
719 | limit = (limit << 12) + 0xfff; | |
720 | ||
721 | return limit; | |
722 | } | |
723 | ||
4efea85f RN |
724 | /** |
725 | * insn_get_code_seg_params() - Obtain code segment parameters | |
726 | * @regs: Structure with register values as seen when entering kernel mode | |
727 | * | |
728 | * Obtain address and operand sizes of the code segment. It is obtained from the | |
729 | * selector contained in the CS register in regs. In protected mode, the default | |
730 | * address is determined by inspecting the L and D bits of the segment | |
731 | * descriptor. In virtual-8086 mode, the default is always two bytes for both | |
732 | * address and operand sizes. | |
733 | * | |
734 | * Returns: | |
735 | * | |
e2a5dca7 | 736 | * An int containing ORed-in default parameters on success. |
4efea85f RN |
737 | * |
738 | * -EINVAL on error. | |
739 | */ | |
e2a5dca7 | 740 | int insn_get_code_seg_params(struct pt_regs *regs) |
4efea85f RN |
741 | { |
742 | struct desc_struct *desc; | |
743 | short sel; | |
744 | ||
745 | if (v8086_mode(regs)) | |
746 | /* Address and operand size are both 16-bit. */ | |
747 | return INSN_CODE_SEG_PARAMS(2, 2); | |
748 | ||
749 | sel = get_segment_selector(regs, INAT_SEG_REG_CS); | |
750 | if (sel < 0) | |
751 | return sel; | |
752 | ||
753 | desc = get_desc(sel); | |
754 | if (!desc) | |
755 | return -EINVAL; | |
756 | ||
757 | /* | |
758 | * The most significant byte of the Type field of the segment descriptor | |
759 | * determines whether a segment contains data or code. If this is a data | |
760 | * segment, return error. | |
761 | */ | |
762 | if (!(desc->type & BIT(3))) | |
763 | return -EINVAL; | |
764 | ||
765 | switch ((desc->l << 1) | desc->d) { | |
766 | case 0: /* | |
767 | * Legacy mode. CS.L=0, CS.D=0. Address and operand size are | |
768 | * both 16-bit. | |
769 | */ | |
770 | return INSN_CODE_SEG_PARAMS(2, 2); | |
771 | case 1: /* | |
772 | * Legacy mode. CS.L=0, CS.D=1. Address and operand size are | |
773 | * both 32-bit. | |
774 | */ | |
775 | return INSN_CODE_SEG_PARAMS(4, 4); | |
776 | case 2: /* | |
777 | * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; | |
778 | * operand size is 32-bit. | |
779 | */ | |
780 | return INSN_CODE_SEG_PARAMS(4, 8); | |
781 | case 3: /* Invalid setting. CS.L=1, CS.D=1 */ | |
782 | /* fall through */ | |
783 | default: | |
784 | return -EINVAL; | |
785 | } | |
786 | } | |
787 | ||
e5e45f11 RN |
788 | /** |
789 | * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte | |
790 | * @insn: Instruction containing the ModRM byte | |
791 | * @regs: Register values as seen when entering kernel mode | |
792 | * | |
793 | * Returns: | |
794 | * | |
795 | * The register indicated by the r/m part of the ModRM byte. The | |
796 | * register is obtained as an offset from the base of pt_regs. In specific | |
797 | * cases, the returned value can be -EDOM to indicate that the particular value | |
798 | * of ModRM does not refer to a register and shall be ignored. | |
799 | */ | |
800 | int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) | |
801 | { | |
802 | return get_reg_offset(insn, regs, REG_TYPE_RM); | |
803 | } | |
804 | ||
10890444 | 805 | /** |
71271269 | 806 | * get_seg_base_limit() - obtain base address and limit of a segment |
10890444 RN |
807 | * @insn: Instruction. Must be valid. |
808 | * @regs: Register values as seen when entering kernel mode | |
809 | * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor | |
810 | * @base: Obtained segment base | |
71271269 | 811 | * @limit: Obtained segment limit |
10890444 | 812 | * |
71271269 RN |
813 | * Obtain the base address and limit of the segment associated with the operand |
814 | * @regoff and, if any or allowed, override prefixes in @insn. This function is | |
10890444 | 815 | * different from insn_get_seg_base() as the latter does not resolve the segment |
71271269 RN |
816 | * associated with the instruction operand. If a limit is not needed (e.g., |
817 | * when running in long mode), @limit can be NULL. | |
10890444 RN |
818 | * |
819 | * Returns: | |
820 | * | |
71271269 RN |
821 | * 0 on success. @base and @limit will contain the base address and of the |
822 | * resolved segment, respectively. | |
10890444 RN |
823 | * |
824 | * -EINVAL on error. | |
825 | */ | |
71271269 RN |
826 | static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, |
827 | int regoff, unsigned long *base, | |
828 | unsigned long *limit) | |
10890444 RN |
829 | { |
830 | int seg_reg_idx; | |
831 | ||
832 | if (!base) | |
833 | return -EINVAL; | |
834 | ||
835 | seg_reg_idx = resolve_seg_reg(insn, regs, regoff); | |
836 | if (seg_reg_idx < 0) | |
837 | return seg_reg_idx; | |
838 | ||
839 | *base = insn_get_seg_base(regs, seg_reg_idx); | |
840 | if (*base == -1L) | |
841 | return -EINVAL; | |
842 | ||
71271269 RN |
843 | if (!limit) |
844 | return 0; | |
845 | ||
846 | *limit = get_seg_limit(regs, seg_reg_idx); | |
847 | if (!(*limit)) | |
848 | return -EINVAL; | |
849 | ||
10890444 RN |
850 | return 0; |
851 | } | |
852 | ||
70e57c0f RN |
853 | /** |
854 | * get_eff_addr_reg() - Obtain effective address from register operand | |
855 | * @insn: Instruction. Must be valid. | |
856 | * @regs: Register values as seen when entering kernel mode | |
857 | * @regoff: Obtained operand offset, in pt_regs, with the effective address | |
858 | * @eff_addr: Obtained effective address | |
859 | * | |
860 | * Obtain the effective address stored in the register operand as indicated by | |
861 | * the ModRM byte. This function is to be used only with register addressing | |
862 | * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The | |
863 | * register operand, as an offset from the base of pt_regs, is saved in @regoff; | |
864 | * such offset can then be used to resolve the segment associated with the | |
865 | * operand. This function can be used with any of the supported address sizes | |
866 | * in x86. | |
867 | * | |
868 | * Returns: | |
869 | * | |
870 | * 0 on success. @eff_addr will have the effective address stored in the | |
871 | * operand indicated by ModRM. @regoff will have such operand as an offset from | |
872 | * the base of pt_regs. | |
873 | * | |
874 | * -EINVAL on error. | |
875 | */ | |
876 | static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, | |
877 | int *regoff, long *eff_addr) | |
878 | { | |
879 | insn_get_modrm(insn); | |
880 | ||
881 | if (!insn->modrm.nbytes) | |
882 | return -EINVAL; | |
883 | ||
884 | if (X86_MODRM_MOD(insn->modrm.value) != 3) | |
885 | return -EINVAL; | |
886 | ||
887 | *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); | |
888 | if (*regoff < 0) | |
889 | return -EINVAL; | |
890 | ||
7a6daf79 | 891 | /* Ignore bytes that are outside the address size. */ |
9c6c799f RN |
892 | if (insn->addr_bytes == 2) |
893 | *eff_addr = regs_get_register(regs, *regoff) & 0xffff; | |
894 | else if (insn->addr_bytes == 4) | |
7a6daf79 RN |
895 | *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; |
896 | else /* 64-bit address */ | |
897 | *eff_addr = regs_get_register(regs, *regoff); | |
70e57c0f RN |
898 | |
899 | return 0; | |
900 | } | |
901 | ||
902 | /** | |
903 | * get_eff_addr_modrm() - Obtain referenced effective address via ModRM | |
904 | * @insn: Instruction. Must be valid. | |
905 | * @regs: Register values as seen when entering kernel mode | |
906 | * @regoff: Obtained operand offset, in pt_regs, associated with segment | |
907 | * @eff_addr: Obtained effective address | |
908 | * | |
909 | * Obtain the effective address referenced by the ModRM byte of @insn. After | |
910 | * identifying the registers involved in the register-indirect memory reference, | |
911 | * its value is obtained from the operands in @regs. The computed address is | |
912 | * stored @eff_addr. Also, the register operand that indicates the associated | |
913 | * segment is stored in @regoff, this parameter can later be used to determine | |
914 | * such segment. | |
915 | * | |
916 | * Returns: | |
917 | * | |
918 | * 0 on success. @eff_addr will have the referenced effective address. @regoff | |
919 | * will have a register, as an offset from the base of pt_regs, that can be used | |
920 | * to resolve the associated segment. | |
921 | * | |
922 | * -EINVAL on error. | |
923 | */ | |
924 | static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, | |
925 | int *regoff, long *eff_addr) | |
926 | { | |
927 | long tmp; | |
928 | ||
7a6daf79 | 929 | if (insn->addr_bytes != 8 && insn->addr_bytes != 4) |
70e57c0f RN |
930 | return -EINVAL; |
931 | ||
932 | insn_get_modrm(insn); | |
933 | ||
934 | if (!insn->modrm.nbytes) | |
935 | return -EINVAL; | |
936 | ||
937 | if (X86_MODRM_MOD(insn->modrm.value) > 2) | |
938 | return -EINVAL; | |
939 | ||
940 | *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); | |
941 | ||
942 | /* | |
943 | * -EDOM means that we must ignore the address_offset. In such a case, | |
944 | * in 64-bit mode the effective address relative to the rIP of the | |
945 | * following instruction. | |
946 | */ | |
947 | if (*regoff == -EDOM) { | |
948 | if (user_64bit_mode(regs)) | |
949 | tmp = regs->ip + insn->length; | |
950 | else | |
951 | tmp = 0; | |
952 | } else if (*regoff < 0) { | |
953 | return -EINVAL; | |
954 | } else { | |
955 | tmp = regs_get_register(regs, *regoff); | |
956 | } | |
957 | ||
7a6daf79 RN |
958 | if (insn->addr_bytes == 4) { |
959 | int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; | |
960 | ||
961 | *eff_addr = addr32 & 0xffffffff; | |
962 | } else { | |
963 | *eff_addr = tmp + insn->displacement.value; | |
964 | } | |
70e57c0f RN |
965 | |
966 | return 0; | |
967 | } | |
968 | ||
9c6c799f RN |
969 | /** |
970 | * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM | |
971 | * @insn: Instruction. Must be valid. | |
972 | * @regs: Register values as seen when entering kernel mode | |
973 | * @regoff: Obtained operand offset, in pt_regs, associated with segment | |
974 | * @eff_addr: Obtained effective address | |
975 | * | |
976 | * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. | |
977 | * After identifying the registers involved in the register-indirect memory | |
978 | * reference, its value is obtained from the operands in @regs. The computed | |
979 | * address is stored @eff_addr. Also, the register operand that indicates | |
980 | * the associated segment is stored in @regoff, this parameter can later be used | |
981 | * to determine such segment. | |
982 | * | |
983 | * Returns: | |
984 | * | |
985 | * 0 on success. @eff_addr will have the referenced effective address. @regoff | |
986 | * will have a register, as an offset from the base of pt_regs, that can be used | |
987 | * to resolve the associated segment. | |
988 | * | |
989 | * -EINVAL on error. | |
990 | */ | |
991 | static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, | |
992 | int *regoff, short *eff_addr) | |
993 | { | |
994 | int addr_offset1, addr_offset2, ret; | |
995 | short addr1 = 0, addr2 = 0, displacement; | |
996 | ||
997 | if (insn->addr_bytes != 2) | |
998 | return -EINVAL; | |
999 | ||
1000 | insn_get_modrm(insn); | |
1001 | ||
1002 | if (!insn->modrm.nbytes) | |
1003 | return -EINVAL; | |
1004 | ||
1005 | if (X86_MODRM_MOD(insn->modrm.value) > 2) | |
1006 | return -EINVAL; | |
1007 | ||
1008 | ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); | |
1009 | if (ret < 0) | |
1010 | return -EINVAL; | |
1011 | ||
1012 | /* | |
1013 | * Don't fail on invalid offset values. They might be invalid because | |
1014 | * they cannot be used for this particular value of ModRM. Instead, use | |
1015 | * them in the computation only if they contain a valid value. | |
1016 | */ | |
1017 | if (addr_offset1 != -EDOM) | |
1018 | addr1 = regs_get_register(regs, addr_offset1) & 0xffff; | |
1019 | ||
1020 | if (addr_offset2 != -EDOM) | |
1021 | addr2 = regs_get_register(regs, addr_offset2) & 0xffff; | |
1022 | ||
1023 | displacement = insn->displacement.value & 0xffff; | |
1024 | *eff_addr = addr1 + addr2 + displacement; | |
1025 | ||
1026 | /* | |
1027 | * The first operand register could indicate to use of either SS or DS | |
1028 | * registers to obtain the segment selector. The second operand | |
1029 | * register can only indicate the use of DS. Thus, the first operand | |
1030 | * will be used to obtain the segment selector. | |
1031 | */ | |
1032 | *regoff = addr_offset1; | |
1033 | ||
1034 | return 0; | |
1035 | } | |
1036 | ||
70e57c0f RN |
1037 | /** |
1038 | * get_eff_addr_sib() - Obtain referenced effective address via SIB | |
1039 | * @insn: Instruction. Must be valid. | |
1040 | * @regs: Register values as seen when entering kernel mode | |
1041 | * @regoff: Obtained operand offset, in pt_regs, associated with segment | |
1042 | * @eff_addr: Obtained effective address | |
1043 | * | |
1044 | * Obtain the effective address referenced by the SIB byte of @insn. After | |
1045 | * identifying the registers involved in the indexed, register-indirect memory | |
1046 | * reference, its value is obtained from the operands in @regs. The computed | |
1047 | * address is stored @eff_addr. Also, the register operand that indicates the | |
1048 | * associated segment is stored in @regoff, this parameter can later be used to | |
1049 | * determine such segment. | |
1050 | * | |
1051 | * Returns: | |
1052 | * | |
1053 | * 0 on success. @eff_addr will have the referenced effective address. | |
1054 | * @base_offset will have a register, as an offset from the base of pt_regs, | |
1055 | * that can be used to resolve the associated segment. | |
1056 | * | |
1057 | * -EINVAL on error. | |
1058 | */ | |
1059 | static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, | |
1060 | int *base_offset, long *eff_addr) | |
1061 | { | |
1062 | long base, indx; | |
1063 | int indx_offset; | |
1064 | ||
7a6daf79 | 1065 | if (insn->addr_bytes != 8 && insn->addr_bytes != 4) |
70e57c0f RN |
1066 | return -EINVAL; |
1067 | ||
1068 | insn_get_modrm(insn); | |
1069 | ||
1070 | if (!insn->modrm.nbytes) | |
1071 | return -EINVAL; | |
1072 | ||
1073 | if (X86_MODRM_MOD(insn->modrm.value) > 2) | |
1074 | return -EINVAL; | |
1075 | ||
1076 | insn_get_sib(insn); | |
1077 | ||
1078 | if (!insn->sib.nbytes) | |
1079 | return -EINVAL; | |
1080 | ||
1081 | *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); | |
1082 | indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); | |
1083 | ||
1084 | /* | |
1085 | * Negative values in the base and index offset means an error when | |
1086 | * decoding the SIB byte. Except -EDOM, which means that the registers | |
1087 | * should not be used in the address computation. | |
1088 | */ | |
1089 | if (*base_offset == -EDOM) | |
1090 | base = 0; | |
1091 | else if (*base_offset < 0) | |
1092 | return -EINVAL; | |
1093 | else | |
1094 | base = regs_get_register(regs, *base_offset); | |
1095 | ||
1096 | if (indx_offset == -EDOM) | |
1097 | indx = 0; | |
1098 | else if (indx_offset < 0) | |
1099 | return -EINVAL; | |
1100 | else | |
1101 | indx = regs_get_register(regs, indx_offset); | |
1102 | ||
7a6daf79 RN |
1103 | if (insn->addr_bytes == 4) { |
1104 | int addr32, base32, idx32; | |
1105 | ||
1106 | base32 = base & 0xffffffff; | |
1107 | idx32 = indx & 0xffffffff; | |
70e57c0f | 1108 | |
7a6daf79 RN |
1109 | addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); |
1110 | addr32 += insn->displacement.value; | |
1111 | ||
1112 | *eff_addr = addr32 & 0xffffffff; | |
1113 | } else { | |
1114 | *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); | |
1115 | *eff_addr += insn->displacement.value; | |
1116 | } | |
70e57c0f RN |
1117 | |
1118 | return 0; | |
1119 | } | |
7a6daf79 | 1120 | |
9c6c799f RN |
1121 | /** |
1122 | * get_addr_ref_16() - Obtain the 16-bit address referred by instruction | |
1123 | * @insn: Instruction containing ModRM byte and displacement | |
1124 | * @regs: Register values as seen when entering kernel mode | |
1125 | * | |
1126 | * This function is to be used with 16-bit address encodings. Obtain the memory | |
1127 | * address referred by the instruction's ModRM and displacement bytes. Also, the | |
1128 | * segment used as base is determined by either any segment override prefixes in | |
1129 | * @insn or the default segment of the registers involved in the address | |
1130 | * computation. In protected mode, segment limits are enforced. | |
1131 | * | |
1132 | * Returns: | |
1133 | * | |
1134 | * Linear address referenced by the instruction operands on success. | |
1135 | * | |
1136 | * -1L on error. | |
1137 | */ | |
1138 | static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) | |
1139 | { | |
1140 | unsigned long linear_addr = -1L, seg_base, seg_limit; | |
1141 | int ret, regoff; | |
1142 | short eff_addr; | |
1143 | long tmp; | |
1144 | ||
1145 | insn_get_modrm(insn); | |
1146 | insn_get_displacement(insn); | |
1147 | ||
1148 | if (insn->addr_bytes != 2) | |
1149 | goto out; | |
1150 | ||
1151 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { | |
1152 | ret = get_eff_addr_reg(insn, regs, ®off, &tmp); | |
1153 | if (ret) | |
1154 | goto out; | |
1155 | ||
1156 | eff_addr = tmp; | |
1157 | } else { | |
1158 | ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); | |
1159 | if (ret) | |
1160 | goto out; | |
1161 | } | |
1162 | ||
1163 | ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); | |
1164 | if (ret) | |
1165 | goto out; | |
1166 | ||
1167 | /* | |
1168 | * Before computing the linear address, make sure the effective address | |
1169 | * is within the limits of the segment. In virtual-8086 mode, segment | |
1170 | * limits are not enforced. In such a case, the segment limit is -1L to | |
1171 | * reflect this fact. | |
1172 | */ | |
1173 | if ((unsigned long)(eff_addr & 0xffff) > seg_limit) | |
1174 | goto out; | |
1175 | ||
1176 | linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; | |
1177 | ||
1178 | /* Limit linear address to 20 bits */ | |
1179 | if (v8086_mode(regs)) | |
1180 | linear_addr &= 0xfffff; | |
1181 | ||
1182 | out: | |
1183 | return (void __user *)linear_addr; | |
1184 | } | |
1185 | ||
7a6daf79 RN |
1186 | /** |
1187 | * get_addr_ref_32() - Obtain a 32-bit linear address | |
1188 | * @insn: Instruction with ModRM, SIB bytes and displacement | |
1189 | * @regs: Register values as seen when entering kernel mode | |
1190 | * | |
1191 | * This function is to be used with 32-bit address encodings to obtain the | |
1192 | * linear memory address referred by the instruction's ModRM, SIB, | |
1193 | * displacement bytes and segment base address, as applicable. If in protected | |
1194 | * mode, segment limits are enforced. | |
1195 | * | |
1196 | * Returns: | |
1197 | * | |
1198 | * Linear address referenced by instruction and registers on success. | |
1199 | * | |
1200 | * -1L on error. | |
1201 | */ | |
1202 | static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) | |
1203 | { | |
1204 | unsigned long linear_addr = -1L, seg_base, seg_limit; | |
1205 | int eff_addr, regoff; | |
1206 | long tmp; | |
1207 | int ret; | |
1208 | ||
1209 | if (insn->addr_bytes != 4) | |
1210 | goto out; | |
1211 | ||
1212 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { | |
1213 | ret = get_eff_addr_reg(insn, regs, ®off, &tmp); | |
1214 | if (ret) | |
1215 | goto out; | |
1216 | ||
1217 | eff_addr = tmp; | |
1218 | ||
1219 | } else { | |
1220 | if (insn->sib.nbytes) { | |
1221 | ret = get_eff_addr_sib(insn, regs, ®off, &tmp); | |
1222 | if (ret) | |
1223 | goto out; | |
1224 | ||
1225 | eff_addr = tmp; | |
1226 | } else { | |
1227 | ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); | |
1228 | if (ret) | |
1229 | goto out; | |
1230 | ||
1231 | eff_addr = tmp; | |
1232 | } | |
1233 | } | |
1234 | ||
1235 | ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); | |
1236 | if (ret) | |
1237 | goto out; | |
1238 | ||
1239 | /* | |
1240 | * In protected mode, before computing the linear address, make sure | |
1241 | * the effective address is within the limits of the segment. | |
1242 | * 32-bit addresses can be used in long and virtual-8086 modes if an | |
1243 | * address override prefix is used. In such cases, segment limits are | |
1244 | * not enforced. When in virtual-8086 mode, the segment limit is -1L | |
1245 | * to reflect this situation. | |
1246 | * | |
1247 | * After computed, the effective address is treated as an unsigned | |
1248 | * quantity. | |
1249 | */ | |
1250 | if (!user_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) | |
1251 | goto out; | |
1252 | ||
86cc3510 RN |
1253 | /* |
1254 | * Even though 32-bit address encodings are allowed in virtual-8086 | |
1255 | * mode, the address range is still limited to [0x-0xffff]. | |
1256 | */ | |
1257 | if (v8086_mode(regs) && (eff_addr & ~0xffff)) | |
1258 | goto out; | |
1259 | ||
7a6daf79 RN |
1260 | /* |
1261 | * Data type long could be 64 bits in size. Ensure that our 32-bit | |
1262 | * effective address is not sign-extended when computing the linear | |
1263 | * address. | |
1264 | */ | |
1265 | linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; | |
1266 | ||
86cc3510 RN |
1267 | /* Limit linear address to 20 bits */ |
1268 | if (v8086_mode(regs)) | |
1269 | linear_addr &= 0xfffff; | |
1270 | ||
7a6daf79 RN |
1271 | out: |
1272 | return (void __user *)linear_addr; | |
1273 | } | |
1274 | ||
cd9b594a RN |
1275 | /** |
1276 | * get_addr_ref_64() - Obtain a 64-bit linear address | |
1277 | * @insn: Instruction struct with ModRM and SIB bytes and displacement | |
1278 | * @regs: Structure with register values as seen when entering kernel mode | |
1279 | * | |
1280 | * This function is to be used with 64-bit address encodings to obtain the | |
1281 | * linear memory address referred by the instruction's ModRM, SIB, | |
1282 | * displacement bytes and segment base address, as applicable. | |
1283 | * | |
1284 | * Returns: | |
1285 | * | |
1286 | * Linear address referenced by instruction and registers on success. | |
1287 | * | |
1288 | * -1L on error. | |
32542ee2 | 1289 | */ |
cd9b594a RN |
1290 | #ifndef CONFIG_X86_64 |
1291 | static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) | |
1292 | { | |
1293 | return (void __user *)-1L; | |
1294 | } | |
1295 | #else | |
1296 | static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) | |
32542ee2 | 1297 | { |
10890444 | 1298 | unsigned long linear_addr = -1L, seg_base; |
70e57c0f RN |
1299 | int regoff, ret; |
1300 | long eff_addr; | |
32542ee2 | 1301 | |
cd9b594a RN |
1302 | if (insn->addr_bytes != 8) |
1303 | goto out; | |
1304 | ||
32542ee2 | 1305 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { |
70e57c0f RN |
1306 | ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); |
1307 | if (ret) | |
32542ee2 RN |
1308 | goto out; |
1309 | ||
32542ee2 RN |
1310 | } else { |
1311 | if (insn->sib.nbytes) { | |
70e57c0f RN |
1312 | ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); |
1313 | if (ret) | |
32542ee2 | 1314 | goto out; |
32542ee2 | 1315 | } else { |
70e57c0f RN |
1316 | ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); |
1317 | if (ret) | |
32542ee2 | 1318 | goto out; |
32542ee2 RN |
1319 | } |
1320 | ||
32542ee2 RN |
1321 | } |
1322 | ||
70e57c0f | 1323 | ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); |
10890444 RN |
1324 | if (ret) |
1325 | goto out; | |
1326 | ||
1327 | linear_addr = (unsigned long)eff_addr + seg_base; | |
32542ee2 RN |
1328 | |
1329 | out: | |
1330 | return (void __user *)linear_addr; | |
1331 | } | |
cd9b594a RN |
1332 | #endif /* CONFIG_X86_64 */ |
1333 | ||
1334 | /** | |
1335 | * insn_get_addr_ref() - Obtain the linear address referred by instruction | |
1336 | * @insn: Instruction structure containing ModRM byte and displacement | |
1337 | * @regs: Structure with register values as seen when entering kernel mode | |
1338 | * | |
1339 | * Obtain the linear address referred by the instruction's ModRM, SIB and | |
1340 | * displacement bytes, and segment base, as applicable. In protected mode, | |
1341 | * segment limits are enforced. | |
1342 | * | |
1343 | * Returns: | |
1344 | * | |
1345 | * Linear address referenced by instruction and registers on success. | |
1346 | * | |
1347 | * -1L on error. | |
1348 | */ | |
1349 | void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) | |
1350 | { | |
1351 | if (!insn || !regs) | |
1352 | return (void __user *)-1L; | |
1353 | ||
1354 | switch (insn->addr_bytes) { | |
9c6c799f RN |
1355 | case 2: |
1356 | return get_addr_ref_16(insn, regs); | |
cd9b594a RN |
1357 | case 4: |
1358 | return get_addr_ref_32(insn, regs); | |
1359 | case 8: | |
1360 | return get_addr_ref_64(insn, regs); | |
1361 | default: | |
1362 | return (void __user *)-1L; | |
1363 | } | |
1364 | } |