]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - arch/x86/lib/insn-eval.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
x86/sev-es: Use __copy_from_user_inatomic()
[mirror_ubuntu-hirsute-kernel.git] / arch / x86 / lib / insn-eval.c
CommitLineData
32542ee2
RN		 1/*
2 * Utility functions for x86 operand and address decoding
3 *
4 * Copyright (C) Intel Corporation 2017
5 */
6#include <linux/kernel.h>
7#include <linux/string.h>
ed594e4b 8#include <linux/ratelimit.h>
670f928b
RN		 9#include <linux/mmu_context.h>
10#include <asm/desc_defs.h>
11#include <asm/desc.h>
32542ee2
RN		 12#include <asm/inat.h>
13#include <asm/insn.h>
14#include <asm/insn-eval.h>
670f928b 15#include <asm/ldt.h>
32d0b953 16#include <asm/vm86.h>
32542ee2 17
ed594e4b
RN		 18#undef pr_fmt
19#define pr_fmt(fmt) "insn: " fmt
20
32542ee2
RN		 21enum reg_type {
22 REG_TYPE_RM = 0,
7af1bd82 23 REG_TYPE_REG,
32542ee2
RN		 24 REG_TYPE_INDEX,
25 REG_TYPE_BASE,
26};
27
536b8153
RN		 28/**
29 * is_string_insn() - Determine if instruction is a string instruction
30 * @insn: Instruction containing the opcode to inspect
31 *
32 * Returns:
33 *
34 * true if the instruction, determined by the opcode, is any of the
35 * string instructions as defined in the Intel Software Development manual.
36 * False otherwise.
37 */
38static bool is_string_insn(struct insn *insn)
39{
40 insn_get_opcode(insn);
41
42 /* All string instructions have a 1-byte opcode. */
43 if (insn->opcode.nbytes != 1)
44 return false;
45
46 switch (insn->opcode.bytes[0]) {
47 case 0x6c ... 0x6f: /* INS, OUTS */
48 case 0xa4 ... 0xa7: /* MOVS, CMPS */
49 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
50 return true;
51 default:
52 return false;
53 }
54}
55
5901781a
JR		 56/**
57 * insn_has_rep_prefix() - Determine if instruction has a REP prefix
58 * @insn: Instruction containing the prefix to inspect
59 *
60 * Returns:
61 *
62 * true if the instruction has a REP prefix, false if not.
63 */
64bool insn_has_rep_prefix(struct insn *insn)
65{
12cb908a 66 insn_byte_t p;
5901781a
JR		 67 int i;
68
69 insn_get_prefixes(insn);
70
12cb908a 71 for_each_insn_prefix(insn, i, p) {
5901781a
JR		 72 if (p == 0xf2 || p == 0xf3)
73 return true;
74 }
75
76 return false;
77}
78
32d0b953
RN		 79/**
80 * get_seg_reg_override_idx() - obtain segment register override index
81 * @insn: Valid instruction with segment override prefixes
82 *
83 * Inspect the instruction prefixes in @insn and find segment overrides, if any.
84 *
85 * Returns:
86 *
87 * A constant identifying the segment register to use, among CS, SS, DS,
88 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
89 * prefixes were found.
90 *
91 * -EINVAL in case of error.
92 */
93static int get_seg_reg_override_idx(struct insn *insn)
94{
95 int idx = INAT_SEG_REG_DEFAULT;
96 int num_overrides = 0, i;
12cb908a 97 insn_byte_t p;
32d0b953
RN		 98
99 insn_get_prefixes(insn);
100
101 /* Look for any segment override prefixes. */
12cb908a 102 for_each_insn_prefix(insn, i, p) {
32d0b953
RN		 103 insn_attr_t attr;
104
12cb908a 105 attr = inat_get_opcode_attribute(p);
32d0b953
RN		 106 switch (attr) {
107 case INAT_MAKE_PREFIX(INAT_PFX_CS):
108 idx = INAT_SEG_REG_CS;
109 num_overrides++;
110 break;
111 case INAT_MAKE_PREFIX(INAT_PFX_SS):
112 idx = INAT_SEG_REG_SS;
113 num_overrides++;
114 break;
115 case INAT_MAKE_PREFIX(INAT_PFX_DS):
116 idx = INAT_SEG_REG_DS;
117 num_overrides++;
118 break;
119 case INAT_MAKE_PREFIX(INAT_PFX_ES):
120 idx = INAT_SEG_REG_ES;
121 num_overrides++;
122 break;
123 case INAT_MAKE_PREFIX(INAT_PFX_FS):
124 idx = INAT_SEG_REG_FS;
125 num_overrides++;
126 break;
127 case INAT_MAKE_PREFIX(INAT_PFX_GS):
128 idx = INAT_SEG_REG_GS;
129 num_overrides++;
130 break;
131 /* No default action needed. */
132 }
133 }
134
135 /* More than one segment override prefix leads to undefined behavior. */
136 if (num_overrides > 1)
137 return -EINVAL;
138
139 return idx;
140}
141
142/**
143 * check_seg_overrides() - check if segment override prefixes are allowed
144 * @insn: Valid instruction with segment override prefixes
145 * @regoff: Operand offset, in pt_regs, for which the check is performed
146 *
147 * For a particular register used in register-indirect addressing, determine if
148 * segment override prefixes can be used. Specifically, no overrides are allowed
149 * for rDI if used with a string instruction.
150 *
151 * Returns:
152 *
153 * True if segment override prefixes can be used with the register indicated
154 * in @regoff. False if otherwise.
155 */
156static bool check_seg_overrides(struct insn *insn, int regoff)
157{
158 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
159 return false;
160
161 return true;
162}
163
164/**
165 * resolve_default_seg() - resolve default segment register index for an operand
166 * @insn: Instruction with opcode and address size. Must be valid.
167 * @regs: Register values as seen when entering kernel mode
168 * @off: Operand offset, in pt_regs, for which resolution is needed
169 *
170 * Resolve the default segment register index associated with the instruction
171 * operand register indicated by @off. Such index is resolved based on defaults
172 * described in the Intel Software Development Manual.
173 *
174 * Returns:
175 *
176 * If in protected mode, a constant identifying the segment register to use,
177 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
178 *
179 * -EINVAL in case of error.
180 */
181static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
182{
7be44127 183 if (any_64bit_mode(regs))
32d0b953
RN		 184 return INAT_SEG_REG_IGNORE;
185 /*
186 * Resolve the default segment register as described in Section 3.7.4
187 * of the Intel Software Development Manual Vol. 1:
188 *
189 * + DS for all references involving r[ABCD]X, and rSI.
190 * + If used in a string instruction, ES for rDI. Otherwise, DS.
191 * + AX, CX and DX are not valid register operands in 16-bit address
192 * encodings but are valid for 32-bit and 64-bit encodings.
193 * + -EDOM is reserved to identify for cases in which no register
194 * is used (i.e., displacement-only addressing). Use DS.
195 * + SS for rSP or rBP.
196 * + CS for rIP.
197 */
198
199 switch (off) {
200 case offsetof(struct pt_regs, ax):
201 case offsetof(struct pt_regs, cx):
202 case offsetof(struct pt_regs, dx):
203 /* Need insn to verify address size. */
204 if (insn->addr_bytes == 2)
205 return -EINVAL;
206
df561f66 207 fallthrough;
89da3446 208
32d0b953
RN		 209 case -EDOM:
210 case offsetof(struct pt_regs, bx):
211 case offsetof(struct pt_regs, si):
212 return INAT_SEG_REG_DS;
213
214 case offsetof(struct pt_regs, di):
215 if (is_string_insn(insn))
216 return INAT_SEG_REG_ES;
217 return INAT_SEG_REG_DS;
218
219 case offsetof(struct pt_regs, bp):
220 case offsetof(struct pt_regs, sp):
221 return INAT_SEG_REG_SS;
222
223 case offsetof(struct pt_regs, ip):
224 return INAT_SEG_REG_CS;
225
226 default:
227 return -EINVAL;
228 }
229}
230
231/**
232 * resolve_seg_reg() - obtain segment register index
233 * @insn: Instruction with operands
234 * @regs: Register values as seen when entering kernel mode
235 * @regoff: Operand offset, in pt_regs, used to deterimine segment register
236 *
237 * Determine the segment register associated with the operands and, if
238 * applicable, prefixes and the instruction pointed by @insn.
239 *
240 * The segment register associated to an operand used in register-indirect
241 * addressing depends on:
242 *
243 * a) Whether running in long mode (in such a case segments are ignored, except
244 * if FS or GS are used).
245 *
246 * b) Whether segment override prefixes can be used. Certain instructions and
247 * registers do not allow override prefixes.
248 *
249 * c) Whether segment overrides prefixes are found in the instruction prefixes.
250 *
251 * d) If there are not segment override prefixes or they cannot be used, the
252 * default segment register associated with the operand register is used.
253 *
254 * The function checks first if segment override prefixes can be used with the
255 * operand indicated by @regoff. If allowed, obtain such overridden segment
256 * register index. Lastly, if not prefixes were found or cannot be used, resolve
257 * the segment register index to use based on the defaults described in the
258 * Intel documentation. In long mode, all segment register indexes will be
259 * ignored, except if overrides were found for FS or GS. All these operations
260 * are done using helper functions.
261 *
262 * The operand register, @regoff, is represented as the offset from the base of
263 * pt_regs.
264 *
265 * As stated, the main use of this function is to determine the segment register
266 * index based on the instruction, its operands and prefixes. Hence, @insn
267 * must be valid. However, if @regoff indicates rIP, we don't need to inspect
268 * @insn at all as in this case CS is used in all cases. This case is checked
269 * before proceeding further.
270 *
271 * Please note that this function does not return the value in the segment
272 * register (i.e., the segment selector) but our defined index. The segment
273 * selector needs to be obtained using get_segment_selector() and passing the
274 * segment register index resolved by this function.
275 *
276 * Returns:
277 *
278 * An index identifying the segment register to use, among CS, SS, DS,
279 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
280 *
281 * -EINVAL in case of error.
282 */
283static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
284{
285 int idx;
286
287 /*
288 * In the unlikely event of having to resolve the segment register
289 * index for rIP, do it first. Segment override prefixes should not
290 * be used. Hence, it is not necessary to inspect the instruction,
291 * which may be invalid at this point.
292 */
293 if (regoff == offsetof(struct pt_regs, ip)) {
7be44127 294 if (any_64bit_mode(regs))
32d0b953
RN		 295 return INAT_SEG_REG_IGNORE;
296 else
297 return INAT_SEG_REG_CS;
298 }
299
300 if (!insn)
301 return -EINVAL;
302
303 if (!check_seg_overrides(insn, regoff))
304 return resolve_default_seg(insn, regs, regoff);
305
306 idx = get_seg_reg_override_idx(insn);
307 if (idx < 0)
308 return idx;
309
310 if (idx == INAT_SEG_REG_DEFAULT)
311 return resolve_default_seg(insn, regs, regoff);
312
313 /*
314 * In long mode, segment override prefixes are ignored, except for
315 * overrides for FS and GS.
316 */
7be44127 317 if (any_64bit_mode(regs)) {
32d0b953
RN		 318 if (idx != INAT_SEG_REG_FS &&
319 idx != INAT_SEG_REG_GS)
320 idx = INAT_SEG_REG_IGNORE;
321 }
322
323 return idx;
324}
325
326/**
327 * get_segment_selector() - obtain segment selector
328 * @regs: Register values as seen when entering kernel mode
329 * @seg_reg_idx: Segment register index to use
330 *
331 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
332 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
333 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
334 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
335 * registers. This done for only for completeness as in CONFIG_X86_64 segment
336 * registers are ignored.
337 *
338 * Returns:
339 *
340 * Value of the segment selector, including null when running in
341 * long mode.
342 *
343 * -EINVAL on error.
344 */
345static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
346{
347#ifdef CONFIG_X86_64
348 unsigned short sel;
349
350 switch (seg_reg_idx) {
351 case INAT_SEG_REG_IGNORE:
352 return 0;
353 case INAT_SEG_REG_CS:
354 return (unsigned short)(regs->cs & 0xffff);
355 case INAT_SEG_REG_SS:
356 return (unsigned short)(regs->ss & 0xffff);
357 case INAT_SEG_REG_DS:
358 savesegment(ds, sel);
359 return sel;
360 case INAT_SEG_REG_ES:
361 savesegment(es, sel);
362 return sel;
363 case INAT_SEG_REG_FS:
364 savesegment(fs, sel);
365 return sel;
366 case INAT_SEG_REG_GS:
367 savesegment(gs, sel);
368 return sel;
369 default:
370 return -EINVAL;
371 }
372#else /* CONFIG_X86_32 */
373 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
374
375 if (v8086_mode(regs)) {
376 switch (seg_reg_idx) {
377 case INAT_SEG_REG_CS:
378 return (unsigned short)(regs->cs & 0xffff);
379 case INAT_SEG_REG_SS:
380 return (unsigned short)(regs->ss & 0xffff);
381 case INAT_SEG_REG_DS:
382 return vm86regs->ds;
383 case INAT_SEG_REG_ES:
384 return vm86regs->es;
385 case INAT_SEG_REG_FS:
386 return vm86regs->fs;
387 case INAT_SEG_REG_GS:
388 return vm86regs->gs;
389 case INAT_SEG_REG_IGNORE:
32d0b953
RN		 390 default:
391 return -EINVAL;
392 }
393 }
394
395 switch (seg_reg_idx) {
396 case INAT_SEG_REG_CS:
397 return (unsigned short)(regs->cs & 0xffff);
398 case INAT_SEG_REG_SS:
399 return (unsigned short)(regs->ss & 0xffff);
400 case INAT_SEG_REG_DS:
401 return (unsigned short)(regs->ds & 0xffff);
402 case INAT_SEG_REG_ES:
403 return (unsigned short)(regs->es & 0xffff);
404 case INAT_SEG_REG_FS:
405 return (unsigned short)(regs->fs & 0xffff);
406 case INAT_SEG_REG_GS:
407 /*
408 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS.
409 * The macro below takes care of both cases.
410 */
411 return get_user_gs(regs);
412 case INAT_SEG_REG_IGNORE:
32d0b953
RN		 413 default:
414 return -EINVAL;
415 }
416#endif /* CONFIG_X86_64 */
417}
418
32542ee2
RN		 419static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
420 enum reg_type type)
421{
422 int regno = 0;
423
424 static const int regoff[] = {
425 offsetof(struct pt_regs, ax),
426 offsetof(struct pt_regs, cx),
427 offsetof(struct pt_regs, dx),
428 offsetof(struct pt_regs, bx),
429 offsetof(struct pt_regs, sp),
430 offsetof(struct pt_regs, bp),
431 offsetof(struct pt_regs, si),
432 offsetof(struct pt_regs, di),
433#ifdef CONFIG_X86_64
434 offsetof(struct pt_regs, r8),
435 offsetof(struct pt_regs, r9),
436 offsetof(struct pt_regs, r10),
437 offsetof(struct pt_regs, r11),
438 offsetof(struct pt_regs, r12),
439 offsetof(struct pt_regs, r13),
440 offsetof(struct pt_regs, r14),
441 offsetof(struct pt_regs, r15),
442#endif
443 };
444 int nr_registers = ARRAY_SIZE(regoff);
445 /*
446 * Don't possibly decode a 32-bit instructions as
447 * reading a 64-bit-only register.
448 */
449 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
450 nr_registers -= 8;
451
452 switch (type) {
453 case REG_TYPE_RM:
454 regno = X86_MODRM_RM(insn->modrm.value);
e526a302
RN		 455
456 /*
457 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
458 * follows the ModRM byte.
459 */
460 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
461 return -EDOM;
462
32542ee2
RN		 463 if (X86_REX_B(insn->rex_prefix.value))
464 regno += 8;
465 break;
466
7af1bd82
JR		 467 case REG_TYPE_REG:
468 regno = X86_MODRM_REG(insn->modrm.value);
469
470 if (X86_REX_R(insn->rex_prefix.value))
471 regno += 8;
472 break;
473
32542ee2
RN		 474 case REG_TYPE_INDEX:
475 regno = X86_SIB_INDEX(insn->sib.value);
476 if (X86_REX_X(insn->rex_prefix.value))
477 regno += 8;
478
479 /*
480 * If ModRM.mod != 3 and SIB.index = 4 the scale*index
481 * portion of the address computation is null. This is
482 * true only if REX.X is 0. In such a case, the SIB index
483 * is used in the address computation.
484 */
485 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
486 return -EDOM;
487 break;
488
489 case REG_TYPE_BASE:
490 regno = X86_SIB_BASE(insn->sib.value);
491 /*
492 * If ModRM.mod is 0 and SIB.base == 5, the base of the
493 * register-indirect addressing is 0. In this case, a
494 * 32-bit displacement follows the SIB byte.
495 */
496 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
497 return -EDOM;
498
499 if (X86_REX_B(insn->rex_prefix.value))
500 regno += 8;
501 break;
502
503 default:
ed594e4b
RN		 504 pr_err_ratelimited("invalid register type: %d\n", type);
505 return -EINVAL;
32542ee2
RN		 506 }
507
508 if (regno >= nr_registers) {
509 WARN_ONCE(1, "decoded an instruction with an invalid register");
510 return -EINVAL;
511 }
512 return regoff[regno];
513}
514
9c6c799f
RN		 515/**
516 * get_reg_offset_16() - Obtain offset of register indicated by instruction
517 * @insn: Instruction containing ModRM byte
518 * @regs: Register values as seen when entering kernel mode
519 * @offs1: Offset of the first operand register
520 * @offs2: Offset of the second opeand register, if applicable
521 *
522 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
523 * in @insn. This function is to be used with 16-bit address encodings. The
524 * @offs1 and @offs2 will be written with the offset of the two registers
525 * indicated by the instruction. In cases where any of the registers is not
526 * referenced by the instruction, the value will be set to -EDOM.
527 *
528 * Returns:
529 *
530 * 0 on success, -EINVAL on error.
531 */
532static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
533 int *offs1, int *offs2)
534{
535 /*
536 * 16-bit addressing can use one or two registers. Specifics of
537 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
538 * ModR/M Byte" of the Intel Software Development Manual.
539 */
540 static const int regoff1[] = {
541 offsetof(struct pt_regs, bx),
542 offsetof(struct pt_regs, bx),
543 offsetof(struct pt_regs, bp),
544 offsetof(struct pt_regs, bp),
545 offsetof(struct pt_regs, si),
546 offsetof(struct pt_regs, di),
547 offsetof(struct pt_regs, bp),
548 offsetof(struct pt_regs, bx),
549 };
550
551 static const int regoff2[] = {
552 offsetof(struct pt_regs, si),
553 offsetof(struct pt_regs, di),
554 offsetof(struct pt_regs, si),
555 offsetof(struct pt_regs, di),
556 -EDOM,
557 -EDOM,
558 -EDOM,
559 -EDOM,
560 };
561
562 if (!offs1 || !offs2)
563 return -EINVAL;
564
565 /* Operand is a register, use the generic function. */
566 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
567 *offs1 = insn_get_modrm_rm_off(insn, regs);
568 *offs2 = -EDOM;
569 return 0;
570 }
571
572 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
573 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
574
575 /*
576 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
577 * only addressing. This means that no registers are involved in
578 * computing the effective address. Thus, ensure that the first
579 * register offset is invalild. The second register offset is already
580 * invalid under the aforementioned conditions.
581 */
582 if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
583 (X86_MODRM_RM(insn->modrm.value) == 6))
584 *offs1 = -EDOM;
585
586 return 0;
587}
588
670f928b 589/**
de9f8696
JH		 590 * get_desc() - Obtain contents of a segment descriptor
591 * @out: Segment descriptor contents on success
670f928b
RN		 592 * @sel: Segment selector
593 *
594 * Given a segment selector, obtain a pointer to the segment descriptor.
595 * Both global and local descriptor tables are supported.
596 *
597 * Returns:
598 *
de9f8696 599 * True on success, false on failure.
670f928b
RN		 600 *
601 * NULL on error.
602 */
de9f8696 603static bool get_desc(struct desc_struct *out, unsigned short sel)
670f928b
RN		 604{
605 struct desc_ptr gdt_desc = {0, 0};
606 unsigned long desc_base;
607
608#ifdef CONFIG_MODIFY_LDT_SYSCALL
609 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
de9f8696 610 bool success = false;
670f928b
RN		 611 struct ldt_struct *ldt;
612
613 /* Bits [15:3] contain the index of the desired entry. */
614 sel >>= 3;
615
616 mutex_lock(&current->active_mm->context.lock);
617 ldt = current->active_mm->context.ldt;
de9f8696
JH		 618 if (ldt && sel < ldt->nr_entries) {
619 *out = ldt->entries[sel];
620 success = true;
621 }
670f928b
RN		 622
623 mutex_unlock(&current->active_mm->context.lock);
624
de9f8696 625 return success;
670f928b
RN		 626 }
627#endif
628 native_store_gdt(&gdt_desc);
629
630 /*
631 * Segment descriptors have a size of 8 bytes. Thus, the index is
632 * multiplied by 8 to obtain the memory offset of the desired descriptor
633 * from the base of the GDT. As bits [15:3] of the segment selector
634 * contain the index, it can be regarded as multiplied by 8 already.
635 * All that remains is to clear bits [2:0].
636 */
637 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
638
639 if (desc_base > gdt_desc.size)
de9f8696 640 return false;
670f928b 641
de9f8696
JH		 642 *out = *(struct desc_struct *)(gdt_desc.address + desc_base);
643 return true;
670f928b
RN		 644}
645
bd5a410a
RN		 646/**
647 * insn_get_seg_base() - Obtain base address of segment descriptor.
648 * @regs: Register values as seen when entering kernel mode
649 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
650 *
651 * Obtain the base address of the segment as indicated by the segment descriptor
652 * pointed by the segment selector. The segment selector is obtained from the
653 * input segment register index @seg_reg_idx.
654 *
655 * Returns:
656 *
657 * In protected mode, base address of the segment. Zero in long mode,
658 * except when FS or GS are used. In virtual-8086 mode, the segment
659 * selector shifted 4 bits to the right.
660 *
661 * -1L in case of error.
662 */
663unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
664{
de9f8696 665 struct desc_struct desc;
bd5a410a
RN		 666 short sel;
667
668 sel = get_segment_selector(regs, seg_reg_idx);
669 if (sel < 0)
670 return -1L;
671
672 if (v8086_mode(regs))
673 /*
674 * Base is simply the segment selector shifted 4
675 * bits to the right.
676 */
677 return (unsigned long)(sel << 4);
678
7be44127 679 if (any_64bit_mode(regs)) {
bd5a410a
RN		 680 /*
681 * Only FS or GS will have a base address, the rest of
682 * the segments' bases are forced to 0.
683 */
684 unsigned long base;
685
7be44127 686 if (seg_reg_idx == INAT_SEG_REG_FS) {
bd5a410a 687 rdmsrl(MSR_FS_BASE, base);
7be44127 688 } else if (seg_reg_idx == INAT_SEG_REG_GS) {
bd5a410a
RN		 689 /*
690 * swapgs was called at the kernel entry point. Thus,
691 * MSR_KERNEL_GS_BASE will have the user-space GS base.
692 */
7be44127
JH		 693 if (user_mode(regs))
694 rdmsrl(MSR_KERNEL_GS_BASE, base);
695 else
696 rdmsrl(MSR_GS_BASE, base);
697 } else {
bd5a410a 698 base = 0;
7be44127 699 }
bd5a410a
RN		 700 return base;
701 }
702
703 /* In protected mode the segment selector cannot be null. */
704 if (!sel)
705 return -1L;
706
de9f8696 707 if (!get_desc(&desc, sel))
bd5a410a
RN		 708 return -1L;
709
de9f8696 710 return get_desc_base(&desc);
bd5a410a
RN		 711}
712
713/**
714 * get_seg_limit() - Obtain the limit of a segment descriptor
715 * @regs: Register values as seen when entering kernel mode
716 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
717 *
718 * Obtain the limit of the segment as indicated by the segment descriptor
719 * pointed by the segment selector. The segment selector is obtained from the
720 * input segment register index @seg_reg_idx.
721 *
722 * Returns:
723 *
724 * In protected mode, the limit of the segment descriptor in bytes.
725 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
726 * limit is returned as -1L to imply a limit-less segment.
727 *
728 * Zero is returned on error.
729 */
730static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
731{
de9f8696 732 struct desc_struct desc;
bd5a410a
RN		 733 unsigned long limit;
734 short sel;
735
736 sel = get_segment_selector(regs, seg_reg_idx);
737 if (sel < 0)
738 return 0;
739
7be44127 740 if (any_64bit_mode(regs) || v8086_mode(regs))
bd5a410a
RN		 741 return -1L;
742
743 if (!sel)
744 return 0;
745
de9f8696 746 if (!get_desc(&desc, sel))
bd5a410a
RN		 747 return 0;
748
749 /*
750 * If the granularity bit is set, the limit is given in multiples
751 * of 4096. This also means that the 12 least significant bits are
752 * not tested when checking the segment limits. In practice,
753 * this means that the segment ends in (limit << 12) + 0xfff.
754 */
de9f8696
JH		 755 limit = get_desc_limit(&desc);
756 if (desc.g)
bd5a410a
RN		 757 limit = (limit << 12) + 0xfff;
758
759 return limit;
760}
761
4efea85f
RN		 762/**
763 * insn_get_code_seg_params() - Obtain code segment parameters
764 * @regs: Structure with register values as seen when entering kernel mode
765 *
766 * Obtain address and operand sizes of the code segment. It is obtained from the
767 * selector contained in the CS register in regs. In protected mode, the default
768 * address is determined by inspecting the L and D bits of the segment
769 * descriptor. In virtual-8086 mode, the default is always two bytes for both
770 * address and operand sizes.
771 *
772 * Returns:
773 *
e2a5dca7 774 * An int containing ORed-in default parameters on success.
4efea85f
RN		 775 *
776 * -EINVAL on error.
777 */
e2a5dca7 778int insn_get_code_seg_params(struct pt_regs *regs)
4efea85f 779{
de9f8696 780 struct desc_struct desc;
4efea85f
RN		 781 short sel;
782
783 if (v8086_mode(regs))
784 /* Address and operand size are both 16-bit. */
785 return INSN_CODE_SEG_PARAMS(2, 2);
786
787 sel = get_segment_selector(regs, INAT_SEG_REG_CS);
788 if (sel < 0)
789 return sel;
790
de9f8696 791 if (!get_desc(&desc, sel))
4efea85f
RN		 792 return -EINVAL;
793
794 /*
795 * The most significant byte of the Type field of the segment descriptor
796 * determines whether a segment contains data or code. If this is a data
797 * segment, return error.
798 */
de9f8696 799 if (!(desc.type & BIT(3)))
4efea85f
RN		 800 return -EINVAL;
801
de9f8696 802 switch ((desc.l << 1) | desc.d) {
4efea85f
RN		 803 case 0: /*
804 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
805 * both 16-bit.
806 */
807 return INSN_CODE_SEG_PARAMS(2, 2);
808 case 1: /*
809 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
810 * both 32-bit.
811 */
812 return INSN_CODE_SEG_PARAMS(4, 4);
813 case 2: /*
814 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
815 * operand size is 32-bit.
816 */
817 return INSN_CODE_SEG_PARAMS(4, 8);
818 case 3: /* Invalid setting. CS.L=1, CS.D=1 */
df561f66 819 fallthrough;
4efea85f
RN		 820 default:
821 return -EINVAL;
822 }
823}
824
e5e45f11
RN		 825/**
826 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
827 * @insn: Instruction containing the ModRM byte
828 * @regs: Register values as seen when entering kernel mode
829 *
830 * Returns:
831 *
832 * The register indicated by the r/m part of the ModRM byte. The
833 * register is obtained as an offset from the base of pt_regs. In specific
834 * cases, the returned value can be -EDOM to indicate that the particular value
835 * of ModRM does not refer to a register and shall be ignored.
836 */
837int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
838{
839 return get_reg_offset(insn, regs, REG_TYPE_RM);
840}
841
7af1bd82
JR		 842/**
843 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte
844 * @insn: Instruction containing the ModRM byte
845 * @regs: Register values as seen when entering kernel mode
846 *
847 * Returns:
848 *
849 * The register indicated by the reg part of the ModRM byte. The
850 * register is obtained as an offset from the base of pt_regs.
851 */
852int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)
853{
854 return get_reg_offset(insn, regs, REG_TYPE_REG);
855}
856
10890444 857/**
71271269 858 * get_seg_base_limit() - obtain base address and limit of a segment
10890444
RN		 859 * @insn: Instruction. Must be valid.
860 * @regs: Register values as seen when entering kernel mode
861 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
862 * @base: Obtained segment base
71271269 863 * @limit: Obtained segment limit
10890444 864 *
71271269
RN		 865 * Obtain the base address and limit of the segment associated with the operand
866 * @regoff and, if any or allowed, override prefixes in @insn. This function is
10890444 867 * different from insn_get_seg_base() as the latter does not resolve the segment
71271269
RN		 868 * associated with the instruction operand. If a limit is not needed (e.g.,
869 * when running in long mode), @limit can be NULL.
10890444
RN		 870 *
871 * Returns:
872 *
71271269
RN		 873 * 0 on success. @base and @limit will contain the base address and of the
874 * resolved segment, respectively.
10890444
RN		 875 *
876 * -EINVAL on error.
877 */
71271269
RN		 878static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
879 int regoff, unsigned long *base,
880 unsigned long *limit)
10890444
RN		 881{
882 int seg_reg_idx;
883
884 if (!base)
885 return -EINVAL;
886
887 seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
888 if (seg_reg_idx < 0)
889 return seg_reg_idx;
890
891 *base = insn_get_seg_base(regs, seg_reg_idx);
892 if (*base == -1L)
893 return -EINVAL;
894
71271269
RN		 895 if (!limit)
896 return 0;
897
898 *limit = get_seg_limit(regs, seg_reg_idx);
899 if (!(*limit))
900 return -EINVAL;
901
10890444
RN		 902 return 0;
903}
904
70e57c0f
RN		 905/**
906 * get_eff_addr_reg() - Obtain effective address from register operand
907 * @insn: Instruction. Must be valid.
908 * @regs: Register values as seen when entering kernel mode
909 * @regoff: Obtained operand offset, in pt_regs, with the effective address
910 * @eff_addr: Obtained effective address
911 *
912 * Obtain the effective address stored in the register operand as indicated by
913 * the ModRM byte. This function is to be used only with register addressing
914 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
915 * register operand, as an offset from the base of pt_regs, is saved in @regoff;
916 * such offset can then be used to resolve the segment associated with the
917 * operand. This function can be used with any of the supported address sizes
918 * in x86.
919 *
920 * Returns:
921 *
922 * 0 on success. @eff_addr will have the effective address stored in the
923 * operand indicated by ModRM. @regoff will have such operand as an offset from
924 * the base of pt_regs.
925 *
926 * -EINVAL on error.
927 */
928static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
929 int *regoff, long *eff_addr)
930{
931 insn_get_modrm(insn);
932
933 if (!insn->modrm.nbytes)
934 return -EINVAL;
935
936 if (X86_MODRM_MOD(insn->modrm.value) != 3)
937 return -EINVAL;
938
939 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
940 if (*regoff < 0)
941 return -EINVAL;
942
7a6daf79 943 /* Ignore bytes that are outside the address size. */
9c6c799f
RN		 944 if (insn->addr_bytes == 2)
945 *eff_addr = regs_get_register(regs, *regoff) & 0xffff;
946 else if (insn->addr_bytes == 4)
7a6daf79
RN		 947 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
948 else /* 64-bit address */
949 *eff_addr = regs_get_register(regs, *regoff);
70e57c0f
RN		 950
951 return 0;
952}
953
954/**
955 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
956 * @insn: Instruction. Must be valid.
957 * @regs: Register values as seen when entering kernel mode
958 * @regoff: Obtained operand offset, in pt_regs, associated with segment
959 * @eff_addr: Obtained effective address
960 *
961 * Obtain the effective address referenced by the ModRM byte of @insn. After
962 * identifying the registers involved in the register-indirect memory reference,
963 * its value is obtained from the operands in @regs. The computed address is
964 * stored @eff_addr. Also, the register operand that indicates the associated
965 * segment is stored in @regoff, this parameter can later be used to determine
966 * such segment.
967 *
968 * Returns:
969 *
970 * 0 on success. @eff_addr will have the referenced effective address. @regoff
971 * will have a register, as an offset from the base of pt_regs, that can be used
972 * to resolve the associated segment.
973 *
974 * -EINVAL on error.
975 */
976static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
977 int *regoff, long *eff_addr)
978{
979 long tmp;
980
7a6daf79 981 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
70e57c0f
RN		 982 return -EINVAL;
983
984 insn_get_modrm(insn);
985
986 if (!insn->modrm.nbytes)
987 return -EINVAL;
988
989 if (X86_MODRM_MOD(insn->modrm.value) > 2)
990 return -EINVAL;
991
992 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
993
994 /*
995 * -EDOM means that we must ignore the address_offset. In such a case,
996 * in 64-bit mode the effective address relative to the rIP of the
997 * following instruction.
998 */
999 if (*regoff == -EDOM) {
7be44127 1000 if (any_64bit_mode(regs))
70e57c0f
RN		 1001 tmp = regs->ip + insn->length;
1002 else
1003 tmp = 0;
1004 } else if (*regoff < 0) {
1005 return -EINVAL;
1006 } else {
1007 tmp = regs_get_register(regs, *regoff);
1008 }
1009
7a6daf79
RN		 1010 if (insn->addr_bytes == 4) {
1011 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
1012
1013 *eff_addr = addr32 & 0xffffffff;
1014 } else {
1015 *eff_addr = tmp + insn->displacement.value;
1016 }
70e57c0f
RN		 1017
1018 return 0;
1019}
1020
9c6c799f
RN		 1021/**
1022 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
1023 * @insn: Instruction. Must be valid.
1024 * @regs: Register values as seen when entering kernel mode
1025 * @regoff: Obtained operand offset, in pt_regs, associated with segment
1026 * @eff_addr: Obtained effective address
1027 *
1028 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
1029 * After identifying the registers involved in the register-indirect memory
1030 * reference, its value is obtained from the operands in @regs. The computed
1031 * address is stored @eff_addr. Also, the register operand that indicates
1032 * the associated segment is stored in @regoff, this parameter can later be used
1033 * to determine such segment.
1034 *
1035 * Returns:
1036 *
1037 * 0 on success. @eff_addr will have the referenced effective address. @regoff
1038 * will have a register, as an offset from the base of pt_regs, that can be used
1039 * to resolve the associated segment.
1040 *
1041 * -EINVAL on error.
1042 */
1043static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
1044 int *regoff, short *eff_addr)
1045{
1046 int addr_offset1, addr_offset2, ret;
1047 short addr1 = 0, addr2 = 0, displacement;
1048
1049 if (insn->addr_bytes != 2)
1050 return -EINVAL;
1051
1052 insn_get_modrm(insn);
1053
1054 if (!insn->modrm.nbytes)
1055 return -EINVAL;
1056
1057 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1058 return -EINVAL;
1059
1060 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
1061 if (ret < 0)
1062 return -EINVAL;
1063
1064 /*
1065 * Don't fail on invalid offset values. They might be invalid because
1066 * they cannot be used for this particular value of ModRM. Instead, use
1067 * them in the computation only if they contain a valid value.
1068 */
1069 if (addr_offset1 != -EDOM)
1070 addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
1071
1072 if (addr_offset2 != -EDOM)
1073 addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
1074
1075 displacement = insn->displacement.value & 0xffff;
1076 *eff_addr = addr1 + addr2 + displacement;
1077
1078 /*
1079 * The first operand register could indicate to use of either SS or DS
1080 * registers to obtain the segment selector. The second operand
1081 * register can only indicate the use of DS. Thus, the first operand
1082 * will be used to obtain the segment selector.
1083 */
1084 *regoff = addr_offset1;
1085
1086 return 0;
1087}
1088
70e57c0f
RN		 1089/**
1090 * get_eff_addr_sib() - Obtain referenced effective address via SIB
1091 * @insn: Instruction. Must be valid.
1092 * @regs: Register values as seen when entering kernel mode
1093 * @regoff: Obtained operand offset, in pt_regs, associated with segment
1094 * @eff_addr: Obtained effective address
1095 *
1096 * Obtain the effective address referenced by the SIB byte of @insn. After
1097 * identifying the registers involved in the indexed, register-indirect memory
1098 * reference, its value is obtained from the operands in @regs. The computed
1099 * address is stored @eff_addr. Also, the register operand that indicates the
1100 * associated segment is stored in @regoff, this parameter can later be used to
1101 * determine such segment.
1102 *
1103 * Returns:
1104 *
1105 * 0 on success. @eff_addr will have the referenced effective address.
1106 * @base_offset will have a register, as an offset from the base of pt_regs,
1107 * that can be used to resolve the associated segment.
1108 *
1109 * -EINVAL on error.
1110 */
1111static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1112 int *base_offset, long *eff_addr)
1113{
1114 long base, indx;
1115 int indx_offset;
1116
7a6daf79 1117 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
70e57c0f
RN		 1118 return -EINVAL;
1119
1120 insn_get_modrm(insn);
1121
1122 if (!insn->modrm.nbytes)
1123 return -EINVAL;
1124
1125 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1126 return -EINVAL;
1127
1128 insn_get_sib(insn);
1129
1130 if (!insn->sib.nbytes)
1131 return -EINVAL;
1132
1133 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
1134 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
1135
1136 /*
1137 * Negative values in the base and index offset means an error when
1138 * decoding the SIB byte. Except -EDOM, which means that the registers
1139 * should not be used in the address computation.
1140 */
1141 if (*base_offset == -EDOM)
1142 base = 0;
1143 else if (*base_offset < 0)
1144 return -EINVAL;
1145 else
1146 base = regs_get_register(regs, *base_offset);
1147
1148 if (indx_offset == -EDOM)
1149 indx = 0;
1150 else if (indx_offset < 0)
1151 return -EINVAL;
1152 else
1153 indx = regs_get_register(regs, indx_offset);
1154
7a6daf79
RN		 1155 if (insn->addr_bytes == 4) {
1156 int addr32, base32, idx32;
1157
1158 base32 = base & 0xffffffff;
1159 idx32 = indx & 0xffffffff;
70e57c0f 1160
7a6daf79
RN		 1161 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1162 addr32 += insn->displacement.value;
1163
1164 *eff_addr = addr32 & 0xffffffff;
1165 } else {
1166 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1167 *eff_addr += insn->displacement.value;
1168 }
70e57c0f
RN		 1169
1170 return 0;
1171}
7a6daf79 1172
9c6c799f
RN		 1173/**
1174 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1175 * @insn: Instruction containing ModRM byte and displacement
1176 * @regs: Register values as seen when entering kernel mode
1177 *
1178 * This function is to be used with 16-bit address encodings. Obtain the memory
1179 * address referred by the instruction's ModRM and displacement bytes. Also, the
1180 * segment used as base is determined by either any segment override prefixes in
1181 * @insn or the default segment of the registers involved in the address
1182 * computation. In protected mode, segment limits are enforced.
1183 *
1184 * Returns:
1185 *
1186 * Linear address referenced by the instruction operands on success.
1187 *
1188 * -1L on error.
1189 */
1190static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1191{
1192 unsigned long linear_addr = -1L, seg_base, seg_limit;
1193 int ret, regoff;
1194 short eff_addr;
1195 long tmp;
1196
1197 insn_get_modrm(insn);
1198 insn_get_displacement(insn);
1199
1200 if (insn->addr_bytes != 2)
1201 goto out;
1202
1203 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1204 ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
1205 if (ret)
1206 goto out;
1207
1208 eff_addr = tmp;
1209 } else {
1210 ret = get_eff_addr_modrm_16(insn, regs, &regoff, &eff_addr);
1211 if (ret)
1212 goto out;
1213 }
1214
1215 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1216 if (ret)
1217 goto out;
1218
1219 /*
1220 * Before computing the linear address, make sure the effective address
1221 * is within the limits of the segment. In virtual-8086 mode, segment
1222 * limits are not enforced. In such a case, the segment limit is -1L to
1223 * reflect this fact.
1224 */
1225 if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1226 goto out;
1227
1228 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1229
1230 /* Limit linear address to 20 bits */
1231 if (v8086_mode(regs))
1232 linear_addr &= 0xfffff;
1233
1234out:
1235 return (void __user *)linear_addr;
1236}
1237
7a6daf79
RN		 1238/**
1239 * get_addr_ref_32() - Obtain a 32-bit linear address
1240 * @insn: Instruction with ModRM, SIB bytes and displacement
1241 * @regs: Register values as seen when entering kernel mode
1242 *
1243 * This function is to be used with 32-bit address encodings to obtain the
1244 * linear memory address referred by the instruction's ModRM, SIB,
1245 * displacement bytes and segment base address, as applicable. If in protected
1246 * mode, segment limits are enforced.
1247 *
1248 * Returns:
1249 *
1250 * Linear address referenced by instruction and registers on success.
1251 *
1252 * -1L on error.
1253 */
1254static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1255{
1256 unsigned long linear_addr = -1L, seg_base, seg_limit;
1257 int eff_addr, regoff;
1258 long tmp;
1259 int ret;
1260
1261 if (insn->addr_bytes != 4)
1262 goto out;
1263
1264 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1265 ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
1266 if (ret)
1267 goto out;
1268
1269 eff_addr = tmp;
1270
1271 } else {
1272 if (insn->sib.nbytes) {
1273 ret = get_eff_addr_sib(insn, regs, &regoff, &tmp);
1274 if (ret)
1275 goto out;
1276
1277 eff_addr = tmp;
1278 } else {
1279 ret = get_eff_addr_modrm(insn, regs, &regoff, &tmp);
1280 if (ret)
1281 goto out;
1282
1283 eff_addr = tmp;
1284 }
1285 }
1286
1287 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1288 if (ret)
1289 goto out;
1290
1291 /*
1292 * In protected mode, before computing the linear address, make sure
1293 * the effective address is within the limits of the segment.
1294 * 32-bit addresses can be used in long and virtual-8086 modes if an
1295 * address override prefix is used. In such cases, segment limits are
1296 * not enforced. When in virtual-8086 mode, the segment limit is -1L
1297 * to reflect this situation.
1298 *
1299 * After computed, the effective address is treated as an unsigned
1300 * quantity.
1301 */
7be44127 1302 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
7a6daf79
RN		 1303 goto out;
1304
86cc3510
RN		 1305 /*
1306 * Even though 32-bit address encodings are allowed in virtual-8086
1307 * mode, the address range is still limited to [0x-0xffff].
1308 */
1309 if (v8086_mode(regs) && (eff_addr & ~0xffff))
1310 goto out;
1311
7a6daf79
RN		 1312 /*
1313 * Data type long could be 64 bits in size. Ensure that our 32-bit
1314 * effective address is not sign-extended when computing the linear
1315 * address.
1316 */
1317 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1318
86cc3510
RN		 1319 /* Limit linear address to 20 bits */
1320 if (v8086_mode(regs))
1321 linear_addr &= 0xfffff;
1322
7a6daf79
RN		 1323out:
1324 return (void __user *)linear_addr;
1325}
1326
cd9b594a
RN		 1327/**
1328 * get_addr_ref_64() - Obtain a 64-bit linear address
1329 * @insn: Instruction struct with ModRM and SIB bytes and displacement
1330 * @regs: Structure with register values as seen when entering kernel mode
1331 *
1332 * This function is to be used with 64-bit address encodings to obtain the
1333 * linear memory address referred by the instruction's ModRM, SIB,
1334 * displacement bytes and segment base address, as applicable.
1335 *
1336 * Returns:
1337 *
1338 * Linear address referenced by instruction and registers on success.
1339 *
1340 * -1L on error.
32542ee2 1341 */
cd9b594a
RN		 1342#ifndef CONFIG_X86_64
1343static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1344{
1345 return (void __user *)-1L;
1346}
1347#else
1348static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
32542ee2 1349{
10890444 1350 unsigned long linear_addr = -1L, seg_base;
70e57c0f
RN		 1351 int regoff, ret;
1352 long eff_addr;
32542ee2 1353
cd9b594a
RN		 1354 if (insn->addr_bytes != 8)
1355 goto out;
1356
32542ee2 1357 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
70e57c0f
RN		 1358 ret = get_eff_addr_reg(insn, regs, &regoff, &eff_addr);
1359 if (ret)
32542ee2
RN		 1360 goto out;
1361
32542ee2
RN		 1362 } else {
1363 if (insn->sib.nbytes) {
70e57c0f
RN		 1364 ret = get_eff_addr_sib(insn, regs, &regoff, &eff_addr);
1365 if (ret)
32542ee2 1366 goto out;
32542ee2 1367 } else {
70e57c0f
RN		 1368 ret = get_eff_addr_modrm(insn, regs, &regoff, &eff_addr);
1369 if (ret)
32542ee2 1370 goto out;
32542ee2
RN		 1371 }
1372
32542ee2
RN		 1373 }
1374
70e57c0f 1375 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
10890444
RN		 1376 if (ret)
1377 goto out;
1378
1379 linear_addr = (unsigned long)eff_addr + seg_base;
32542ee2
RN		 1380
1381out:
1382 return (void __user *)linear_addr;
1383}
cd9b594a
RN		 1384#endif /* CONFIG_X86_64 */
1385
1386/**
1387 * insn_get_addr_ref() - Obtain the linear address referred by instruction
1388 * @insn: Instruction structure containing ModRM byte and displacement
1389 * @regs: Structure with register values as seen when entering kernel mode
1390 *
1391 * Obtain the linear address referred by the instruction's ModRM, SIB and
1392 * displacement bytes, and segment base, as applicable. In protected mode,
1393 * segment limits are enforced.
1394 *
1395 * Returns:
1396 *
1397 * Linear address referenced by instruction and registers on success.
1398 *
1399 * -1L on error.
1400 */
1401void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1402{
1403 if (!insn || !regs)
1404 return (void __user *)-1L;
1405
1406 switch (insn->addr_bytes) {
9c6c799f
RN		 1407 case 2:
1408 return get_addr_ref_16(insn, regs);
cd9b594a
RN		 1409 case 4:
1410 return get_addr_ref_32(insn, regs);
1411 case 8:
1412 return get_addr_ref_64(insn, regs);
1413 default:
1414 return (void __user *)-1L;
1415 }
1416}
172b75e5 1417
63a1d08c
JR		 1418static unsigned long insn_get_effective_ip(struct pt_regs *regs)
1419{
1420 unsigned long seg_base = 0;
1421
1422 /*
1423 * If not in user-space long mode, a custom code segment could be in
1424 * use. This is true in protected mode (if the process defined a local
1425 * descriptor table), or virtual-8086 mode. In most of the cases
1426 * seg_base will be zero as in USER_CS.
1427 */
1428 if (!user_64bit_mode(regs)) {
1429 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
1430 if (seg_base == -1L)
1431 return 0;
1432 }
1433
1434 return seg_base + regs->ip;
1435}
1436
172b75e5
JR		 1437/**
1438 * insn_fetch_from_user() - Copy instruction bytes from user-space memory
1439 * @regs: Structure with register values as seen when entering kernel mode
1440 * @buf: Array to store the fetched instruction
1441 *
1442 * Gets the linear address of the instruction and copies the instruction bytes
1443 * to the buf.
1444 *
1445 * Returns:
1446 *
1447 * Number of instruction bytes copied.
1448 *
1449 * 0 if nothing was copied.
1450 */
1451int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1452{
63a1d08c 1453 unsigned long ip;
172b75e5
JR		 1454 int not_copied;
1455
63a1d08c
JR		 1456 ip = insn_get_effective_ip(regs);
1457 if (!ip)
1458 return 0;
1459
1460 not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);
172b75e5 1461
63a1d08c
JR		 1462 return MAX_INSN_SIZE - not_copied;
1463}
1464
1465/**
1466 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory
1467 * while in atomic code
1468 * @regs: Structure with register values as seen when entering kernel mode
1469 * @buf: Array to store the fetched instruction
1470 *
1471 * Gets the linear address of the instruction and copies the instruction bytes
1472 * to the buf. This function must be used in atomic context.
1473 *
1474 * Returns:
1475 *
1476 * Number of instruction bytes copied.
1477 *
1478 * 0 if nothing was copied.
1479 */
1480int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1481{
1482 unsigned long ip;
1483 int not_copied;
1484
1485 ip = insn_get_effective_ip(regs);
1486 if (!ip)
1487 return 0;
172b75e5 1488
63a1d08c 1489 not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);
172b75e5
JR		 1490
1491 return MAX_INSN_SIZE - not_copied;
1492}
172639d7
JR		 1493
1494/**
1495 * insn_decode() - Decode an instruction
1496 * @insn: Structure to store decoded instruction
1497 * @regs: Structure with register values as seen when entering kernel mode
1498 * @buf: Buffer containing the instruction bytes
1499 * @buf_size: Number of instruction bytes available in buf
1500 *
1501 * Decodes the instruction provided in buf and stores the decoding results in
1502 * insn. Also determines the correct address and operand sizes.
1503 *
1504 * Returns:
1505 *
1506 * True if instruction was decoded, False otherwise.
1507 */
1508bool insn_decode(struct insn *insn, struct pt_regs *regs,
1509 unsigned char buf[MAX_INSN_SIZE], int buf_size)
1510{
1511 int seg_defs;
1512
1513 insn_init(insn, buf, buf_size, user_64bit_mode(regs));
1514
1515 /*
1516 * Override the default operand and address sizes with what is specified
1517 * in the code segment descriptor. The instruction decoder only sets
1518 * the address size it to either 4 or 8 address bytes and does nothing
1519 * for the operand bytes. This OK for most of the cases, but we could
1520 * have special cases where, for instance, a 16-bit code segment
1521 * descriptor is used.
1522 * If there is an address override prefix, the instruction decoder
1523 * correctly updates these values, even for 16-bit defaults.
1524 */
1525 seg_defs = insn_get_code_seg_params(regs);
1526 if (seg_defs == -EINVAL)
1527 return false;
1528
1529 insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
1530 insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
1531
1532 insn_get_length(insn);
1533 if (buf_size < insn->length)
1534 return false;
1535
1536 return true;
1537}
Ubuntu Hirsute Linux kernel mirror