]>
Commit | Line | Data |
---|---|---|
32542ee2 RN |
1 | /* |
2 | * Utility functions for x86 operand and address decoding | |
3 | * | |
4 | * Copyright (C) Intel Corporation 2017 | |
5 | */ | |
6 | #include <linux/kernel.h> | |
7 | #include <linux/string.h> | |
ed594e4b | 8 | #include <linux/ratelimit.h> |
670f928b RN |
9 | #include <linux/mmu_context.h> |
10 | #include <asm/desc_defs.h> | |
11 | #include <asm/desc.h> | |
32542ee2 RN |
12 | #include <asm/inat.h> |
13 | #include <asm/insn.h> | |
14 | #include <asm/insn-eval.h> | |
670f928b | 15 | #include <asm/ldt.h> |
32d0b953 | 16 | #include <asm/vm86.h> |
32542ee2 | 17 | |
ed594e4b RN |
18 | #undef pr_fmt |
19 | #define pr_fmt(fmt) "insn: " fmt | |
20 | ||
32542ee2 RN |
21 | enum reg_type { |
22 | REG_TYPE_RM = 0, | |
7af1bd82 | 23 | REG_TYPE_REG, |
32542ee2 RN |
24 | REG_TYPE_INDEX, |
25 | REG_TYPE_BASE, | |
26 | }; | |
27 | ||
536b8153 RN |
28 | /** |
29 | * is_string_insn() - Determine if instruction is a string instruction | |
30 | * @insn: Instruction containing the opcode to inspect | |
31 | * | |
32 | * Returns: | |
33 | * | |
34 | * true if the instruction, determined by the opcode, is any of the | |
35 | * string instructions as defined in the Intel Software Development manual. | |
36 | * False otherwise. | |
37 | */ | |
38 | static bool is_string_insn(struct insn *insn) | |
39 | { | |
40 | insn_get_opcode(insn); | |
41 | ||
42 | /* All string instructions have a 1-byte opcode. */ | |
43 | if (insn->opcode.nbytes != 1) | |
44 | return false; | |
45 | ||
46 | switch (insn->opcode.bytes[0]) { | |
47 | case 0x6c ... 0x6f: /* INS, OUTS */ | |
48 | case 0xa4 ... 0xa7: /* MOVS, CMPS */ | |
49 | case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ | |
50 | return true; | |
51 | default: | |
52 | return false; | |
53 | } | |
54 | } | |
55 | ||
5901781a JR |
56 | /** |
57 | * insn_has_rep_prefix() - Determine if instruction has a REP prefix | |
58 | * @insn: Instruction containing the prefix to inspect | |
59 | * | |
60 | * Returns: | |
61 | * | |
62 | * true if the instruction has a REP prefix, false if not. | |
63 | */ | |
64 | bool insn_has_rep_prefix(struct insn *insn) | |
65 | { | |
12cb908a | 66 | insn_byte_t p; |
5901781a JR |
67 | int i; |
68 | ||
69 | insn_get_prefixes(insn); | |
70 | ||
12cb908a | 71 | for_each_insn_prefix(insn, i, p) { |
5901781a JR |
72 | if (p == 0xf2 || p == 0xf3) |
73 | return true; | |
74 | } | |
75 | ||
76 | return false; | |
77 | } | |
78 | ||
32d0b953 RN |
79 | /** |
80 | * get_seg_reg_override_idx() - obtain segment register override index | |
81 | * @insn: Valid instruction with segment override prefixes | |
82 | * | |
83 | * Inspect the instruction prefixes in @insn and find segment overrides, if any. | |
84 | * | |
85 | * Returns: | |
86 | * | |
87 | * A constant identifying the segment register to use, among CS, SS, DS, | |
88 | * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override | |
89 | * prefixes were found. | |
90 | * | |
91 | * -EINVAL in case of error. | |
92 | */ | |
93 | static int get_seg_reg_override_idx(struct insn *insn) | |
94 | { | |
95 | int idx = INAT_SEG_REG_DEFAULT; | |
96 | int num_overrides = 0, i; | |
12cb908a | 97 | insn_byte_t p; |
32d0b953 RN |
98 | |
99 | insn_get_prefixes(insn); | |
100 | ||
101 | /* Look for any segment override prefixes. */ | |
12cb908a | 102 | for_each_insn_prefix(insn, i, p) { |
32d0b953 RN |
103 | insn_attr_t attr; |
104 | ||
12cb908a | 105 | attr = inat_get_opcode_attribute(p); |
32d0b953 RN |
106 | switch (attr) { |
107 | case INAT_MAKE_PREFIX(INAT_PFX_CS): | |
108 | idx = INAT_SEG_REG_CS; | |
109 | num_overrides++; | |
110 | break; | |
111 | case INAT_MAKE_PREFIX(INAT_PFX_SS): | |
112 | idx = INAT_SEG_REG_SS; | |
113 | num_overrides++; | |
114 | break; | |
115 | case INAT_MAKE_PREFIX(INAT_PFX_DS): | |
116 | idx = INAT_SEG_REG_DS; | |
117 | num_overrides++; | |
118 | break; | |
119 | case INAT_MAKE_PREFIX(INAT_PFX_ES): | |
120 | idx = INAT_SEG_REG_ES; | |
121 | num_overrides++; | |
122 | break; | |
123 | case INAT_MAKE_PREFIX(INAT_PFX_FS): | |
124 | idx = INAT_SEG_REG_FS; | |
125 | num_overrides++; | |
126 | break; | |
127 | case INAT_MAKE_PREFIX(INAT_PFX_GS): | |
128 | idx = INAT_SEG_REG_GS; | |
129 | num_overrides++; | |
130 | break; | |
131 | /* No default action needed. */ | |
132 | } | |
133 | } | |
134 | ||
135 | /* More than one segment override prefix leads to undefined behavior. */ | |
136 | if (num_overrides > 1) | |
137 | return -EINVAL; | |
138 | ||
139 | return idx; | |
140 | } | |
141 | ||
142 | /** | |
143 | * check_seg_overrides() - check if segment override prefixes are allowed | |
144 | * @insn: Valid instruction with segment override prefixes | |
145 | * @regoff: Operand offset, in pt_regs, for which the check is performed | |
146 | * | |
147 | * For a particular register used in register-indirect addressing, determine if | |
148 | * segment override prefixes can be used. Specifically, no overrides are allowed | |
149 | * for rDI if used with a string instruction. | |
150 | * | |
151 | * Returns: | |
152 | * | |
153 | * True if segment override prefixes can be used with the register indicated | |
154 | * in @regoff. False if otherwise. | |
155 | */ | |
156 | static bool check_seg_overrides(struct insn *insn, int regoff) | |
157 | { | |
158 | if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) | |
159 | return false; | |
160 | ||
161 | return true; | |
162 | } | |
163 | ||
164 | /** | |
165 | * resolve_default_seg() - resolve default segment register index for an operand | |
166 | * @insn: Instruction with opcode and address size. Must be valid. | |
167 | * @regs: Register values as seen when entering kernel mode | |
168 | * @off: Operand offset, in pt_regs, for which resolution is needed | |
169 | * | |
170 | * Resolve the default segment register index associated with the instruction | |
171 | * operand register indicated by @off. Such index is resolved based on defaults | |
172 | * described in the Intel Software Development Manual. | |
173 | * | |
174 | * Returns: | |
175 | * | |
176 | * If in protected mode, a constant identifying the segment register to use, | |
177 | * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. | |
178 | * | |
179 | * -EINVAL in case of error. | |
180 | */ | |
181 | static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) | |
182 | { | |
7be44127 | 183 | if (any_64bit_mode(regs)) |
32d0b953 RN |
184 | return INAT_SEG_REG_IGNORE; |
185 | /* | |
186 | * Resolve the default segment register as described in Section 3.7.4 | |
187 | * of the Intel Software Development Manual Vol. 1: | |
188 | * | |
189 | * + DS for all references involving r[ABCD]X, and rSI. | |
190 | * + If used in a string instruction, ES for rDI. Otherwise, DS. | |
191 | * + AX, CX and DX are not valid register operands in 16-bit address | |
192 | * encodings but are valid for 32-bit and 64-bit encodings. | |
193 | * + -EDOM is reserved to identify for cases in which no register | |
194 | * is used (i.e., displacement-only addressing). Use DS. | |
195 | * + SS for rSP or rBP. | |
196 | * + CS for rIP. | |
197 | */ | |
198 | ||
199 | switch (off) { | |
200 | case offsetof(struct pt_regs, ax): | |
201 | case offsetof(struct pt_regs, cx): | |
202 | case offsetof(struct pt_regs, dx): | |
203 | /* Need insn to verify address size. */ | |
204 | if (insn->addr_bytes == 2) | |
205 | return -EINVAL; | |
206 | ||
df561f66 | 207 | fallthrough; |
89da3446 | 208 | |
32d0b953 RN |
209 | case -EDOM: |
210 | case offsetof(struct pt_regs, bx): | |
211 | case offsetof(struct pt_regs, si): | |
212 | return INAT_SEG_REG_DS; | |
213 | ||
214 | case offsetof(struct pt_regs, di): | |
215 | if (is_string_insn(insn)) | |
216 | return INAT_SEG_REG_ES; | |
217 | return INAT_SEG_REG_DS; | |
218 | ||
219 | case offsetof(struct pt_regs, bp): | |
220 | case offsetof(struct pt_regs, sp): | |
221 | return INAT_SEG_REG_SS; | |
222 | ||
223 | case offsetof(struct pt_regs, ip): | |
224 | return INAT_SEG_REG_CS; | |
225 | ||
226 | default: | |
227 | return -EINVAL; | |
228 | } | |
229 | } | |
230 | ||
231 | /** | |
232 | * resolve_seg_reg() - obtain segment register index | |
233 | * @insn: Instruction with operands | |
234 | * @regs: Register values as seen when entering kernel mode | |
235 | * @regoff: Operand offset, in pt_regs, used to deterimine segment register | |
236 | * | |
237 | * Determine the segment register associated with the operands and, if | |
238 | * applicable, prefixes and the instruction pointed by @insn. | |
239 | * | |
240 | * The segment register associated to an operand used in register-indirect | |
241 | * addressing depends on: | |
242 | * | |
243 | * a) Whether running in long mode (in such a case segments are ignored, except | |
244 | * if FS or GS are used). | |
245 | * | |
246 | * b) Whether segment override prefixes can be used. Certain instructions and | |
247 | * registers do not allow override prefixes. | |
248 | * | |
249 | * c) Whether segment overrides prefixes are found in the instruction prefixes. | |
250 | * | |
251 | * d) If there are not segment override prefixes or they cannot be used, the | |
252 | * default segment register associated with the operand register is used. | |
253 | * | |
254 | * The function checks first if segment override prefixes can be used with the | |
255 | * operand indicated by @regoff. If allowed, obtain such overridden segment | |
256 | * register index. Lastly, if not prefixes were found or cannot be used, resolve | |
257 | * the segment register index to use based on the defaults described in the | |
258 | * Intel documentation. In long mode, all segment register indexes will be | |
259 | * ignored, except if overrides were found for FS or GS. All these operations | |
260 | * are done using helper functions. | |
261 | * | |
262 | * The operand register, @regoff, is represented as the offset from the base of | |
263 | * pt_regs. | |
264 | * | |
265 | * As stated, the main use of this function is to determine the segment register | |
266 | * index based on the instruction, its operands and prefixes. Hence, @insn | |
267 | * must be valid. However, if @regoff indicates rIP, we don't need to inspect | |
268 | * @insn at all as in this case CS is used in all cases. This case is checked | |
269 | * before proceeding further. | |
270 | * | |
271 | * Please note that this function does not return the value in the segment | |
272 | * register (i.e., the segment selector) but our defined index. The segment | |
273 | * selector needs to be obtained using get_segment_selector() and passing the | |
274 | * segment register index resolved by this function. | |
275 | * | |
276 | * Returns: | |
277 | * | |
278 | * An index identifying the segment register to use, among CS, SS, DS, | |
279 | * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. | |
280 | * | |
281 | * -EINVAL in case of error. | |
282 | */ | |
283 | static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) | |
284 | { | |
285 | int idx; | |
286 | ||
287 | /* | |
288 | * In the unlikely event of having to resolve the segment register | |
289 | * index for rIP, do it first. Segment override prefixes should not | |
290 | * be used. Hence, it is not necessary to inspect the instruction, | |
291 | * which may be invalid at this point. | |
292 | */ | |
293 | if (regoff == offsetof(struct pt_regs, ip)) { | |
7be44127 | 294 | if (any_64bit_mode(regs)) |
32d0b953 RN |
295 | return INAT_SEG_REG_IGNORE; |
296 | else | |
297 | return INAT_SEG_REG_CS; | |
298 | } | |
299 | ||
300 | if (!insn) | |
301 | return -EINVAL; | |
302 | ||
303 | if (!check_seg_overrides(insn, regoff)) | |
304 | return resolve_default_seg(insn, regs, regoff); | |
305 | ||
306 | idx = get_seg_reg_override_idx(insn); | |
307 | if (idx < 0) | |
308 | return idx; | |
309 | ||
310 | if (idx == INAT_SEG_REG_DEFAULT) | |
311 | return resolve_default_seg(insn, regs, regoff); | |
312 | ||
313 | /* | |
314 | * In long mode, segment override prefixes are ignored, except for | |
315 | * overrides for FS and GS. | |
316 | */ | |
7be44127 | 317 | if (any_64bit_mode(regs)) { |
32d0b953 RN |
318 | if (idx != INAT_SEG_REG_FS && |
319 | idx != INAT_SEG_REG_GS) | |
320 | idx = INAT_SEG_REG_IGNORE; | |
321 | } | |
322 | ||
323 | return idx; | |
324 | } | |
325 | ||
326 | /** | |
327 | * get_segment_selector() - obtain segment selector | |
328 | * @regs: Register values as seen when entering kernel mode | |
329 | * @seg_reg_idx: Segment register index to use | |
330 | * | |
331 | * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment | |
332 | * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or | |
333 | * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained | |
334 | * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU | |
335 | * registers. This done for only for completeness as in CONFIG_X86_64 segment | |
336 | * registers are ignored. | |
337 | * | |
338 | * Returns: | |
339 | * | |
340 | * Value of the segment selector, including null when running in | |
341 | * long mode. | |
342 | * | |
343 | * -EINVAL on error. | |
344 | */ | |
345 | static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) | |
346 | { | |
347 | #ifdef CONFIG_X86_64 | |
348 | unsigned short sel; | |
349 | ||
350 | switch (seg_reg_idx) { | |
351 | case INAT_SEG_REG_IGNORE: | |
352 | return 0; | |
353 | case INAT_SEG_REG_CS: | |
354 | return (unsigned short)(regs->cs & 0xffff); | |
355 | case INAT_SEG_REG_SS: | |
356 | return (unsigned short)(regs->ss & 0xffff); | |
357 | case INAT_SEG_REG_DS: | |
358 | savesegment(ds, sel); | |
359 | return sel; | |
360 | case INAT_SEG_REG_ES: | |
361 | savesegment(es, sel); | |
362 | return sel; | |
363 | case INAT_SEG_REG_FS: | |
364 | savesegment(fs, sel); | |
365 | return sel; | |
366 | case INAT_SEG_REG_GS: | |
367 | savesegment(gs, sel); | |
368 | return sel; | |
369 | default: | |
370 | return -EINVAL; | |
371 | } | |
372 | #else /* CONFIG_X86_32 */ | |
373 | struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; | |
374 | ||
375 | if (v8086_mode(regs)) { | |
376 | switch (seg_reg_idx) { | |
377 | case INAT_SEG_REG_CS: | |
378 | return (unsigned short)(regs->cs & 0xffff); | |
379 | case INAT_SEG_REG_SS: | |
380 | return (unsigned short)(regs->ss & 0xffff); | |
381 | case INAT_SEG_REG_DS: | |
382 | return vm86regs->ds; | |
383 | case INAT_SEG_REG_ES: | |
384 | return vm86regs->es; | |
385 | case INAT_SEG_REG_FS: | |
386 | return vm86regs->fs; | |
387 | case INAT_SEG_REG_GS: | |
388 | return vm86regs->gs; | |
389 | case INAT_SEG_REG_IGNORE: | |
32d0b953 RN |
390 | default: |
391 | return -EINVAL; | |
392 | } | |
393 | } | |
394 | ||
395 | switch (seg_reg_idx) { | |
396 | case INAT_SEG_REG_CS: | |
397 | return (unsigned short)(regs->cs & 0xffff); | |
398 | case INAT_SEG_REG_SS: | |
399 | return (unsigned short)(regs->ss & 0xffff); | |
400 | case INAT_SEG_REG_DS: | |
401 | return (unsigned short)(regs->ds & 0xffff); | |
402 | case INAT_SEG_REG_ES: | |
403 | return (unsigned short)(regs->es & 0xffff); | |
404 | case INAT_SEG_REG_FS: | |
405 | return (unsigned short)(regs->fs & 0xffff); | |
406 | case INAT_SEG_REG_GS: | |
407 | /* | |
408 | * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. | |
409 | * The macro below takes care of both cases. | |
410 | */ | |
411 | return get_user_gs(regs); | |
412 | case INAT_SEG_REG_IGNORE: | |
32d0b953 RN |
413 | default: |
414 | return -EINVAL; | |
415 | } | |
416 | #endif /* CONFIG_X86_64 */ | |
417 | } | |
418 | ||
32542ee2 RN |
419 | static int get_reg_offset(struct insn *insn, struct pt_regs *regs, |
420 | enum reg_type type) | |
421 | { | |
422 | int regno = 0; | |
423 | ||
424 | static const int regoff[] = { | |
425 | offsetof(struct pt_regs, ax), | |
426 | offsetof(struct pt_regs, cx), | |
427 | offsetof(struct pt_regs, dx), | |
428 | offsetof(struct pt_regs, bx), | |
429 | offsetof(struct pt_regs, sp), | |
430 | offsetof(struct pt_regs, bp), | |
431 | offsetof(struct pt_regs, si), | |
432 | offsetof(struct pt_regs, di), | |
433 | #ifdef CONFIG_X86_64 | |
434 | offsetof(struct pt_regs, r8), | |
435 | offsetof(struct pt_regs, r9), | |
436 | offsetof(struct pt_regs, r10), | |
437 | offsetof(struct pt_regs, r11), | |
438 | offsetof(struct pt_regs, r12), | |
439 | offsetof(struct pt_regs, r13), | |
440 | offsetof(struct pt_regs, r14), | |
441 | offsetof(struct pt_regs, r15), | |
442 | #endif | |
443 | }; | |
444 | int nr_registers = ARRAY_SIZE(regoff); | |
445 | /* | |
446 | * Don't possibly decode a 32-bit instructions as | |
447 | * reading a 64-bit-only register. | |
448 | */ | |
449 | if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) | |
450 | nr_registers -= 8; | |
451 | ||
452 | switch (type) { | |
453 | case REG_TYPE_RM: | |
454 | regno = X86_MODRM_RM(insn->modrm.value); | |
e526a302 RN |
455 | |
456 | /* | |
457 | * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement | |
458 | * follows the ModRM byte. | |
459 | */ | |
460 | if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) | |
461 | return -EDOM; | |
462 | ||
32542ee2 RN |
463 | if (X86_REX_B(insn->rex_prefix.value)) |
464 | regno += 8; | |
465 | break; | |
466 | ||
7af1bd82 JR |
467 | case REG_TYPE_REG: |
468 | regno = X86_MODRM_REG(insn->modrm.value); | |
469 | ||
470 | if (X86_REX_R(insn->rex_prefix.value)) | |
471 | regno += 8; | |
472 | break; | |
473 | ||
32542ee2 RN |
474 | case REG_TYPE_INDEX: |
475 | regno = X86_SIB_INDEX(insn->sib.value); | |
476 | if (X86_REX_X(insn->rex_prefix.value)) | |
477 | regno += 8; | |
478 | ||
479 | /* | |
480 | * If ModRM.mod != 3 and SIB.index = 4 the scale*index | |
481 | * portion of the address computation is null. This is | |
482 | * true only if REX.X is 0. In such a case, the SIB index | |
483 | * is used in the address computation. | |
484 | */ | |
485 | if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) | |
486 | return -EDOM; | |
487 | break; | |
488 | ||
489 | case REG_TYPE_BASE: | |
490 | regno = X86_SIB_BASE(insn->sib.value); | |
491 | /* | |
492 | * If ModRM.mod is 0 and SIB.base == 5, the base of the | |
493 | * register-indirect addressing is 0. In this case, a | |
494 | * 32-bit displacement follows the SIB byte. | |
495 | */ | |
496 | if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) | |
497 | return -EDOM; | |
498 | ||
499 | if (X86_REX_B(insn->rex_prefix.value)) | |
500 | regno += 8; | |
501 | break; | |
502 | ||
503 | default: | |
ed594e4b RN |
504 | pr_err_ratelimited("invalid register type: %d\n", type); |
505 | return -EINVAL; | |
32542ee2 RN |
506 | } |
507 | ||
508 | if (regno >= nr_registers) { | |
509 | WARN_ONCE(1, "decoded an instruction with an invalid register"); | |
510 | return -EINVAL; | |
511 | } | |
512 | return regoff[regno]; | |
513 | } | |
514 | ||
9c6c799f RN |
515 | /** |
516 | * get_reg_offset_16() - Obtain offset of register indicated by instruction | |
517 | * @insn: Instruction containing ModRM byte | |
518 | * @regs: Register values as seen when entering kernel mode | |
519 | * @offs1: Offset of the first operand register | |
520 | * @offs2: Offset of the second opeand register, if applicable | |
521 | * | |
522 | * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte | |
523 | * in @insn. This function is to be used with 16-bit address encodings. The | |
524 | * @offs1 and @offs2 will be written with the offset of the two registers | |
525 | * indicated by the instruction. In cases where any of the registers is not | |
526 | * referenced by the instruction, the value will be set to -EDOM. | |
527 | * | |
528 | * Returns: | |
529 | * | |
530 | * 0 on success, -EINVAL on error. | |
531 | */ | |
532 | static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, | |
533 | int *offs1, int *offs2) | |
534 | { | |
535 | /* | |
536 | * 16-bit addressing can use one or two registers. Specifics of | |
537 | * encodings are given in Table 2-1. "16-Bit Addressing Forms with the | |
538 | * ModR/M Byte" of the Intel Software Development Manual. | |
539 | */ | |
540 | static const int regoff1[] = { | |
541 | offsetof(struct pt_regs, bx), | |
542 | offsetof(struct pt_regs, bx), | |
543 | offsetof(struct pt_regs, bp), | |
544 | offsetof(struct pt_regs, bp), | |
545 | offsetof(struct pt_regs, si), | |
546 | offsetof(struct pt_regs, di), | |
547 | offsetof(struct pt_regs, bp), | |
548 | offsetof(struct pt_regs, bx), | |
549 | }; | |
550 | ||
551 | static const int regoff2[] = { | |
552 | offsetof(struct pt_regs, si), | |
553 | offsetof(struct pt_regs, di), | |
554 | offsetof(struct pt_regs, si), | |
555 | offsetof(struct pt_regs, di), | |
556 | -EDOM, | |
557 | -EDOM, | |
558 | -EDOM, | |
559 | -EDOM, | |
560 | }; | |
561 | ||
562 | if (!offs1 || !offs2) | |
563 | return -EINVAL; | |
564 | ||
565 | /* Operand is a register, use the generic function. */ | |
566 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { | |
567 | *offs1 = insn_get_modrm_rm_off(insn, regs); | |
568 | *offs2 = -EDOM; | |
569 | return 0; | |
570 | } | |
571 | ||
572 | *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; | |
573 | *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; | |
574 | ||
575 | /* | |
576 | * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- | |
577 | * only addressing. This means that no registers are involved in | |
578 | * computing the effective address. Thus, ensure that the first | |
579 | * register offset is invalild. The second register offset is already | |
580 | * invalid under the aforementioned conditions. | |
581 | */ | |
582 | if ((X86_MODRM_MOD(insn->modrm.value) == 0) && | |
583 | (X86_MODRM_RM(insn->modrm.value) == 6)) | |
584 | *offs1 = -EDOM; | |
585 | ||
586 | return 0; | |
587 | } | |
588 | ||
670f928b | 589 | /** |
de9f8696 JH |
590 | * get_desc() - Obtain contents of a segment descriptor |
591 | * @out: Segment descriptor contents on success | |
670f928b RN |
592 | * @sel: Segment selector |
593 | * | |
594 | * Given a segment selector, obtain a pointer to the segment descriptor. | |
595 | * Both global and local descriptor tables are supported. | |
596 | * | |
597 | * Returns: | |
598 | * | |
de9f8696 | 599 | * True on success, false on failure. |
670f928b RN |
600 | * |
601 | * NULL on error. | |
602 | */ | |
de9f8696 | 603 | static bool get_desc(struct desc_struct *out, unsigned short sel) |
670f928b RN |
604 | { |
605 | struct desc_ptr gdt_desc = {0, 0}; | |
606 | unsigned long desc_base; | |
607 | ||
608 | #ifdef CONFIG_MODIFY_LDT_SYSCALL | |
609 | if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { | |
de9f8696 | 610 | bool success = false; |
670f928b RN |
611 | struct ldt_struct *ldt; |
612 | ||
613 | /* Bits [15:3] contain the index of the desired entry. */ | |
614 | sel >>= 3; | |
615 | ||
616 | mutex_lock(¤t->active_mm->context.lock); | |
617 | ldt = current->active_mm->context.ldt; | |
de9f8696 JH |
618 | if (ldt && sel < ldt->nr_entries) { |
619 | *out = ldt->entries[sel]; | |
620 | success = true; | |
621 | } | |
670f928b RN |
622 | |
623 | mutex_unlock(¤t->active_mm->context.lock); | |
624 | ||
de9f8696 | 625 | return success; |
670f928b RN |
626 | } |
627 | #endif | |
628 | native_store_gdt(&gdt_desc); | |
629 | ||
630 | /* | |
631 | * Segment descriptors have a size of 8 bytes. Thus, the index is | |
632 | * multiplied by 8 to obtain the memory offset of the desired descriptor | |
633 | * from the base of the GDT. As bits [15:3] of the segment selector | |
634 | * contain the index, it can be regarded as multiplied by 8 already. | |
635 | * All that remains is to clear bits [2:0]. | |
636 | */ | |
637 | desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); | |
638 | ||
639 | if (desc_base > gdt_desc.size) | |
de9f8696 | 640 | return false; |
670f928b | 641 | |
de9f8696 JH |
642 | *out = *(struct desc_struct *)(gdt_desc.address + desc_base); |
643 | return true; | |
670f928b RN |
644 | } |
645 | ||
bd5a410a RN |
646 | /** |
647 | * insn_get_seg_base() - Obtain base address of segment descriptor. | |
648 | * @regs: Register values as seen when entering kernel mode | |
649 | * @seg_reg_idx: Index of the segment register pointing to seg descriptor | |
650 | * | |
651 | * Obtain the base address of the segment as indicated by the segment descriptor | |
652 | * pointed by the segment selector. The segment selector is obtained from the | |
653 | * input segment register index @seg_reg_idx. | |
654 | * | |
655 | * Returns: | |
656 | * | |
657 | * In protected mode, base address of the segment. Zero in long mode, | |
658 | * except when FS or GS are used. In virtual-8086 mode, the segment | |
659 | * selector shifted 4 bits to the right. | |
660 | * | |
661 | * -1L in case of error. | |
662 | */ | |
663 | unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) | |
664 | { | |
de9f8696 | 665 | struct desc_struct desc; |
bd5a410a RN |
666 | short sel; |
667 | ||
668 | sel = get_segment_selector(regs, seg_reg_idx); | |
669 | if (sel < 0) | |
670 | return -1L; | |
671 | ||
672 | if (v8086_mode(regs)) | |
673 | /* | |
674 | * Base is simply the segment selector shifted 4 | |
675 | * bits to the right. | |
676 | */ | |
677 | return (unsigned long)(sel << 4); | |
678 | ||
7be44127 | 679 | if (any_64bit_mode(regs)) { |
bd5a410a RN |
680 | /* |
681 | * Only FS or GS will have a base address, the rest of | |
682 | * the segments' bases are forced to 0. | |
683 | */ | |
684 | unsigned long base; | |
685 | ||
7be44127 | 686 | if (seg_reg_idx == INAT_SEG_REG_FS) { |
bd5a410a | 687 | rdmsrl(MSR_FS_BASE, base); |
7be44127 | 688 | } else if (seg_reg_idx == INAT_SEG_REG_GS) { |
bd5a410a RN |
689 | /* |
690 | * swapgs was called at the kernel entry point. Thus, | |
691 | * MSR_KERNEL_GS_BASE will have the user-space GS base. | |
692 | */ | |
7be44127 JH |
693 | if (user_mode(regs)) |
694 | rdmsrl(MSR_KERNEL_GS_BASE, base); | |
695 | else | |
696 | rdmsrl(MSR_GS_BASE, base); | |
697 | } else { | |
bd5a410a | 698 | base = 0; |
7be44127 | 699 | } |
bd5a410a RN |
700 | return base; |
701 | } | |
702 | ||
703 | /* In protected mode the segment selector cannot be null. */ | |
704 | if (!sel) | |
705 | return -1L; | |
706 | ||
de9f8696 | 707 | if (!get_desc(&desc, sel)) |
bd5a410a RN |
708 | return -1L; |
709 | ||
de9f8696 | 710 | return get_desc_base(&desc); |
bd5a410a RN |
711 | } |
712 | ||
713 | /** | |
714 | * get_seg_limit() - Obtain the limit of a segment descriptor | |
715 | * @regs: Register values as seen when entering kernel mode | |
716 | * @seg_reg_idx: Index of the segment register pointing to seg descriptor | |
717 | * | |
718 | * Obtain the limit of the segment as indicated by the segment descriptor | |
719 | * pointed by the segment selector. The segment selector is obtained from the | |
720 | * input segment register index @seg_reg_idx. | |
721 | * | |
722 | * Returns: | |
723 | * | |
724 | * In protected mode, the limit of the segment descriptor in bytes. | |
725 | * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, | |
726 | * limit is returned as -1L to imply a limit-less segment. | |
727 | * | |
728 | * Zero is returned on error. | |
729 | */ | |
730 | static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) | |
731 | { | |
de9f8696 | 732 | struct desc_struct desc; |
bd5a410a RN |
733 | unsigned long limit; |
734 | short sel; | |
735 | ||
736 | sel = get_segment_selector(regs, seg_reg_idx); | |
737 | if (sel < 0) | |
738 | return 0; | |
739 | ||
7be44127 | 740 | if (any_64bit_mode(regs) || v8086_mode(regs)) |
bd5a410a RN |
741 | return -1L; |
742 | ||
743 | if (!sel) | |
744 | return 0; | |
745 | ||
de9f8696 | 746 | if (!get_desc(&desc, sel)) |
bd5a410a RN |
747 | return 0; |
748 | ||
749 | /* | |
750 | * If the granularity bit is set, the limit is given in multiples | |
751 | * of 4096. This also means that the 12 least significant bits are | |
752 | * not tested when checking the segment limits. In practice, | |
753 | * this means that the segment ends in (limit << 12) + 0xfff. | |
754 | */ | |
de9f8696 JH |
755 | limit = get_desc_limit(&desc); |
756 | if (desc.g) | |
bd5a410a RN |
757 | limit = (limit << 12) + 0xfff; |
758 | ||
759 | return limit; | |
760 | } | |
761 | ||
4efea85f RN |
762 | /** |
763 | * insn_get_code_seg_params() - Obtain code segment parameters | |
764 | * @regs: Structure with register values as seen when entering kernel mode | |
765 | * | |
766 | * Obtain address and operand sizes of the code segment. It is obtained from the | |
767 | * selector contained in the CS register in regs. In protected mode, the default | |
768 | * address is determined by inspecting the L and D bits of the segment | |
769 | * descriptor. In virtual-8086 mode, the default is always two bytes for both | |
770 | * address and operand sizes. | |
771 | * | |
772 | * Returns: | |
773 | * | |
e2a5dca7 | 774 | * An int containing ORed-in default parameters on success. |
4efea85f RN |
775 | * |
776 | * -EINVAL on error. | |
777 | */ | |
e2a5dca7 | 778 | int insn_get_code_seg_params(struct pt_regs *regs) |
4efea85f | 779 | { |
de9f8696 | 780 | struct desc_struct desc; |
4efea85f RN |
781 | short sel; |
782 | ||
783 | if (v8086_mode(regs)) | |
784 | /* Address and operand size are both 16-bit. */ | |
785 | return INSN_CODE_SEG_PARAMS(2, 2); | |
786 | ||
787 | sel = get_segment_selector(regs, INAT_SEG_REG_CS); | |
788 | if (sel < 0) | |
789 | return sel; | |
790 | ||
de9f8696 | 791 | if (!get_desc(&desc, sel)) |
4efea85f RN |
792 | return -EINVAL; |
793 | ||
794 | /* | |
795 | * The most significant byte of the Type field of the segment descriptor | |
796 | * determines whether a segment contains data or code. If this is a data | |
797 | * segment, return error. | |
798 | */ | |
de9f8696 | 799 | if (!(desc.type & BIT(3))) |
4efea85f RN |
800 | return -EINVAL; |
801 | ||
de9f8696 | 802 | switch ((desc.l << 1) | desc.d) { |
4efea85f RN |
803 | case 0: /* |
804 | * Legacy mode. CS.L=0, CS.D=0. Address and operand size are | |
805 | * both 16-bit. | |
806 | */ | |
807 | return INSN_CODE_SEG_PARAMS(2, 2); | |
808 | case 1: /* | |
809 | * Legacy mode. CS.L=0, CS.D=1. Address and operand size are | |
810 | * both 32-bit. | |
811 | */ | |
812 | return INSN_CODE_SEG_PARAMS(4, 4); | |
813 | case 2: /* | |
814 | * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; | |
815 | * operand size is 32-bit. | |
816 | */ | |
817 | return INSN_CODE_SEG_PARAMS(4, 8); | |
818 | case 3: /* Invalid setting. CS.L=1, CS.D=1 */ | |
df561f66 | 819 | fallthrough; |
4efea85f RN |
820 | default: |
821 | return -EINVAL; | |
822 | } | |
823 | } | |
824 | ||
e5e45f11 RN |
825 | /** |
826 | * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte | |
827 | * @insn: Instruction containing the ModRM byte | |
828 | * @regs: Register values as seen when entering kernel mode | |
829 | * | |
830 | * Returns: | |
831 | * | |
832 | * The register indicated by the r/m part of the ModRM byte. The | |
833 | * register is obtained as an offset from the base of pt_regs. In specific | |
834 | * cases, the returned value can be -EDOM to indicate that the particular value | |
835 | * of ModRM does not refer to a register and shall be ignored. | |
836 | */ | |
837 | int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) | |
838 | { | |
839 | return get_reg_offset(insn, regs, REG_TYPE_RM); | |
840 | } | |
841 | ||
7af1bd82 JR |
842 | /** |
843 | * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte | |
844 | * @insn: Instruction containing the ModRM byte | |
845 | * @regs: Register values as seen when entering kernel mode | |
846 | * | |
847 | * Returns: | |
848 | * | |
849 | * The register indicated by the reg part of the ModRM byte. The | |
850 | * register is obtained as an offset from the base of pt_regs. | |
851 | */ | |
852 | int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs) | |
853 | { | |
854 | return get_reg_offset(insn, regs, REG_TYPE_REG); | |
855 | } | |
856 | ||
10890444 | 857 | /** |
71271269 | 858 | * get_seg_base_limit() - obtain base address and limit of a segment |
10890444 RN |
859 | * @insn: Instruction. Must be valid. |
860 | * @regs: Register values as seen when entering kernel mode | |
861 | * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor | |
862 | * @base: Obtained segment base | |
71271269 | 863 | * @limit: Obtained segment limit |
10890444 | 864 | * |
71271269 RN |
865 | * Obtain the base address and limit of the segment associated with the operand |
866 | * @regoff and, if any or allowed, override prefixes in @insn. This function is | |
10890444 | 867 | * different from insn_get_seg_base() as the latter does not resolve the segment |
71271269 RN |
868 | * associated with the instruction operand. If a limit is not needed (e.g., |
869 | * when running in long mode), @limit can be NULL. | |
10890444 RN |
870 | * |
871 | * Returns: | |
872 | * | |
71271269 RN |
873 | * 0 on success. @base and @limit will contain the base address and of the |
874 | * resolved segment, respectively. | |
10890444 RN |
875 | * |
876 | * -EINVAL on error. | |
877 | */ | |
71271269 RN |
878 | static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, |
879 | int regoff, unsigned long *base, | |
880 | unsigned long *limit) | |
10890444 RN |
881 | { |
882 | int seg_reg_idx; | |
883 | ||
884 | if (!base) | |
885 | return -EINVAL; | |
886 | ||
887 | seg_reg_idx = resolve_seg_reg(insn, regs, regoff); | |
888 | if (seg_reg_idx < 0) | |
889 | return seg_reg_idx; | |
890 | ||
891 | *base = insn_get_seg_base(regs, seg_reg_idx); | |
892 | if (*base == -1L) | |
893 | return -EINVAL; | |
894 | ||
71271269 RN |
895 | if (!limit) |
896 | return 0; | |
897 | ||
898 | *limit = get_seg_limit(regs, seg_reg_idx); | |
899 | if (!(*limit)) | |
900 | return -EINVAL; | |
901 | ||
10890444 RN |
902 | return 0; |
903 | } | |
904 | ||
70e57c0f RN |
905 | /** |
906 | * get_eff_addr_reg() - Obtain effective address from register operand | |
907 | * @insn: Instruction. Must be valid. | |
908 | * @regs: Register values as seen when entering kernel mode | |
909 | * @regoff: Obtained operand offset, in pt_regs, with the effective address | |
910 | * @eff_addr: Obtained effective address | |
911 | * | |
912 | * Obtain the effective address stored in the register operand as indicated by | |
913 | * the ModRM byte. This function is to be used only with register addressing | |
914 | * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The | |
915 | * register operand, as an offset from the base of pt_regs, is saved in @regoff; | |
916 | * such offset can then be used to resolve the segment associated with the | |
917 | * operand. This function can be used with any of the supported address sizes | |
918 | * in x86. | |
919 | * | |
920 | * Returns: | |
921 | * | |
922 | * 0 on success. @eff_addr will have the effective address stored in the | |
923 | * operand indicated by ModRM. @regoff will have such operand as an offset from | |
924 | * the base of pt_regs. | |
925 | * | |
926 | * -EINVAL on error. | |
927 | */ | |
928 | static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, | |
929 | int *regoff, long *eff_addr) | |
930 | { | |
931 | insn_get_modrm(insn); | |
932 | ||
933 | if (!insn->modrm.nbytes) | |
934 | return -EINVAL; | |
935 | ||
936 | if (X86_MODRM_MOD(insn->modrm.value) != 3) | |
937 | return -EINVAL; | |
938 | ||
939 | *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); | |
940 | if (*regoff < 0) | |
941 | return -EINVAL; | |
942 | ||
7a6daf79 | 943 | /* Ignore bytes that are outside the address size. */ |
9c6c799f RN |
944 | if (insn->addr_bytes == 2) |
945 | *eff_addr = regs_get_register(regs, *regoff) & 0xffff; | |
946 | else if (insn->addr_bytes == 4) | |
7a6daf79 RN |
947 | *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; |
948 | else /* 64-bit address */ | |
949 | *eff_addr = regs_get_register(regs, *regoff); | |
70e57c0f RN |
950 | |
951 | return 0; | |
952 | } | |
953 | ||
954 | /** | |
955 | * get_eff_addr_modrm() - Obtain referenced effective address via ModRM | |
956 | * @insn: Instruction. Must be valid. | |
957 | * @regs: Register values as seen when entering kernel mode | |
958 | * @regoff: Obtained operand offset, in pt_regs, associated with segment | |
959 | * @eff_addr: Obtained effective address | |
960 | * | |
961 | * Obtain the effective address referenced by the ModRM byte of @insn. After | |
962 | * identifying the registers involved in the register-indirect memory reference, | |
963 | * its value is obtained from the operands in @regs. The computed address is | |
964 | * stored @eff_addr. Also, the register operand that indicates the associated | |
965 | * segment is stored in @regoff, this parameter can later be used to determine | |
966 | * such segment. | |
967 | * | |
968 | * Returns: | |
969 | * | |
970 | * 0 on success. @eff_addr will have the referenced effective address. @regoff | |
971 | * will have a register, as an offset from the base of pt_regs, that can be used | |
972 | * to resolve the associated segment. | |
973 | * | |
974 | * -EINVAL on error. | |
975 | */ | |
976 | static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, | |
977 | int *regoff, long *eff_addr) | |
978 | { | |
979 | long tmp; | |
980 | ||
7a6daf79 | 981 | if (insn->addr_bytes != 8 && insn->addr_bytes != 4) |
70e57c0f RN |
982 | return -EINVAL; |
983 | ||
984 | insn_get_modrm(insn); | |
985 | ||
986 | if (!insn->modrm.nbytes) | |
987 | return -EINVAL; | |
988 | ||
989 | if (X86_MODRM_MOD(insn->modrm.value) > 2) | |
990 | return -EINVAL; | |
991 | ||
992 | *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); | |
993 | ||
994 | /* | |
995 | * -EDOM means that we must ignore the address_offset. In such a case, | |
996 | * in 64-bit mode the effective address relative to the rIP of the | |
997 | * following instruction. | |
998 | */ | |
999 | if (*regoff == -EDOM) { | |
7be44127 | 1000 | if (any_64bit_mode(regs)) |
70e57c0f RN |
1001 | tmp = regs->ip + insn->length; |
1002 | else | |
1003 | tmp = 0; | |
1004 | } else if (*regoff < 0) { | |
1005 | return -EINVAL; | |
1006 | } else { | |
1007 | tmp = regs_get_register(regs, *regoff); | |
1008 | } | |
1009 | ||
7a6daf79 RN |
1010 | if (insn->addr_bytes == 4) { |
1011 | int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; | |
1012 | ||
1013 | *eff_addr = addr32 & 0xffffffff; | |
1014 | } else { | |
1015 | *eff_addr = tmp + insn->displacement.value; | |
1016 | } | |
70e57c0f RN |
1017 | |
1018 | return 0; | |
1019 | } | |
1020 | ||
9c6c799f RN |
1021 | /** |
1022 | * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM | |
1023 | * @insn: Instruction. Must be valid. | |
1024 | * @regs: Register values as seen when entering kernel mode | |
1025 | * @regoff: Obtained operand offset, in pt_regs, associated with segment | |
1026 | * @eff_addr: Obtained effective address | |
1027 | * | |
1028 | * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. | |
1029 | * After identifying the registers involved in the register-indirect memory | |
1030 | * reference, its value is obtained from the operands in @regs. The computed | |
1031 | * address is stored @eff_addr. Also, the register operand that indicates | |
1032 | * the associated segment is stored in @regoff, this parameter can later be used | |
1033 | * to determine such segment. | |
1034 | * | |
1035 | * Returns: | |
1036 | * | |
1037 | * 0 on success. @eff_addr will have the referenced effective address. @regoff | |
1038 | * will have a register, as an offset from the base of pt_regs, that can be used | |
1039 | * to resolve the associated segment. | |
1040 | * | |
1041 | * -EINVAL on error. | |
1042 | */ | |
1043 | static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, | |
1044 | int *regoff, short *eff_addr) | |
1045 | { | |
1046 | int addr_offset1, addr_offset2, ret; | |
1047 | short addr1 = 0, addr2 = 0, displacement; | |
1048 | ||
1049 | if (insn->addr_bytes != 2) | |
1050 | return -EINVAL; | |
1051 | ||
1052 | insn_get_modrm(insn); | |
1053 | ||
1054 | if (!insn->modrm.nbytes) | |
1055 | return -EINVAL; | |
1056 | ||
1057 | if (X86_MODRM_MOD(insn->modrm.value) > 2) | |
1058 | return -EINVAL; | |
1059 | ||
1060 | ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); | |
1061 | if (ret < 0) | |
1062 | return -EINVAL; | |
1063 | ||
1064 | /* | |
1065 | * Don't fail on invalid offset values. They might be invalid because | |
1066 | * they cannot be used for this particular value of ModRM. Instead, use | |
1067 | * them in the computation only if they contain a valid value. | |
1068 | */ | |
1069 | if (addr_offset1 != -EDOM) | |
1070 | addr1 = regs_get_register(regs, addr_offset1) & 0xffff; | |
1071 | ||
1072 | if (addr_offset2 != -EDOM) | |
1073 | addr2 = regs_get_register(regs, addr_offset2) & 0xffff; | |
1074 | ||
1075 | displacement = insn->displacement.value & 0xffff; | |
1076 | *eff_addr = addr1 + addr2 + displacement; | |
1077 | ||
1078 | /* | |
1079 | * The first operand register could indicate to use of either SS or DS | |
1080 | * registers to obtain the segment selector. The second operand | |
1081 | * register can only indicate the use of DS. Thus, the first operand | |
1082 | * will be used to obtain the segment selector. | |
1083 | */ | |
1084 | *regoff = addr_offset1; | |
1085 | ||
1086 | return 0; | |
1087 | } | |
1088 | ||
70e57c0f RN |
1089 | /** |
1090 | * get_eff_addr_sib() - Obtain referenced effective address via SIB | |
1091 | * @insn: Instruction. Must be valid. | |
1092 | * @regs: Register values as seen when entering kernel mode | |
1093 | * @regoff: Obtained operand offset, in pt_regs, associated with segment | |
1094 | * @eff_addr: Obtained effective address | |
1095 | * | |
1096 | * Obtain the effective address referenced by the SIB byte of @insn. After | |
1097 | * identifying the registers involved in the indexed, register-indirect memory | |
1098 | * reference, its value is obtained from the operands in @regs. The computed | |
1099 | * address is stored @eff_addr. Also, the register operand that indicates the | |
1100 | * associated segment is stored in @regoff, this parameter can later be used to | |
1101 | * determine such segment. | |
1102 | * | |
1103 | * Returns: | |
1104 | * | |
1105 | * 0 on success. @eff_addr will have the referenced effective address. | |
1106 | * @base_offset will have a register, as an offset from the base of pt_regs, | |
1107 | * that can be used to resolve the associated segment. | |
1108 | * | |
1109 | * -EINVAL on error. | |
1110 | */ | |
1111 | static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, | |
1112 | int *base_offset, long *eff_addr) | |
1113 | { | |
1114 | long base, indx; | |
1115 | int indx_offset; | |
1116 | ||
7a6daf79 | 1117 | if (insn->addr_bytes != 8 && insn->addr_bytes != 4) |
70e57c0f RN |
1118 | return -EINVAL; |
1119 | ||
1120 | insn_get_modrm(insn); | |
1121 | ||
1122 | if (!insn->modrm.nbytes) | |
1123 | return -EINVAL; | |
1124 | ||
1125 | if (X86_MODRM_MOD(insn->modrm.value) > 2) | |
1126 | return -EINVAL; | |
1127 | ||
1128 | insn_get_sib(insn); | |
1129 | ||
1130 | if (!insn->sib.nbytes) | |
1131 | return -EINVAL; | |
1132 | ||
1133 | *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); | |
1134 | indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); | |
1135 | ||
1136 | /* | |
1137 | * Negative values in the base and index offset means an error when | |
1138 | * decoding the SIB byte. Except -EDOM, which means that the registers | |
1139 | * should not be used in the address computation. | |
1140 | */ | |
1141 | if (*base_offset == -EDOM) | |
1142 | base = 0; | |
1143 | else if (*base_offset < 0) | |
1144 | return -EINVAL; | |
1145 | else | |
1146 | base = regs_get_register(regs, *base_offset); | |
1147 | ||
1148 | if (indx_offset == -EDOM) | |
1149 | indx = 0; | |
1150 | else if (indx_offset < 0) | |
1151 | return -EINVAL; | |
1152 | else | |
1153 | indx = regs_get_register(regs, indx_offset); | |
1154 | ||
7a6daf79 RN |
1155 | if (insn->addr_bytes == 4) { |
1156 | int addr32, base32, idx32; | |
1157 | ||
1158 | base32 = base & 0xffffffff; | |
1159 | idx32 = indx & 0xffffffff; | |
70e57c0f | 1160 | |
7a6daf79 RN |
1161 | addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); |
1162 | addr32 += insn->displacement.value; | |
1163 | ||
1164 | *eff_addr = addr32 & 0xffffffff; | |
1165 | } else { | |
1166 | *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); | |
1167 | *eff_addr += insn->displacement.value; | |
1168 | } | |
70e57c0f RN |
1169 | |
1170 | return 0; | |
1171 | } | |
7a6daf79 | 1172 | |
9c6c799f RN |
1173 | /** |
1174 | * get_addr_ref_16() - Obtain the 16-bit address referred by instruction | |
1175 | * @insn: Instruction containing ModRM byte and displacement | |
1176 | * @regs: Register values as seen when entering kernel mode | |
1177 | * | |
1178 | * This function is to be used with 16-bit address encodings. Obtain the memory | |
1179 | * address referred by the instruction's ModRM and displacement bytes. Also, the | |
1180 | * segment used as base is determined by either any segment override prefixes in | |
1181 | * @insn or the default segment of the registers involved in the address | |
1182 | * computation. In protected mode, segment limits are enforced. | |
1183 | * | |
1184 | * Returns: | |
1185 | * | |
1186 | * Linear address referenced by the instruction operands on success. | |
1187 | * | |
1188 | * -1L on error. | |
1189 | */ | |
1190 | static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) | |
1191 | { | |
1192 | unsigned long linear_addr = -1L, seg_base, seg_limit; | |
1193 | int ret, regoff; | |
1194 | short eff_addr; | |
1195 | long tmp; | |
1196 | ||
1197 | insn_get_modrm(insn); | |
1198 | insn_get_displacement(insn); | |
1199 | ||
1200 | if (insn->addr_bytes != 2) | |
1201 | goto out; | |
1202 | ||
1203 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { | |
1204 | ret = get_eff_addr_reg(insn, regs, ®off, &tmp); | |
1205 | if (ret) | |
1206 | goto out; | |
1207 | ||
1208 | eff_addr = tmp; | |
1209 | } else { | |
1210 | ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); | |
1211 | if (ret) | |
1212 | goto out; | |
1213 | } | |
1214 | ||
1215 | ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); | |
1216 | if (ret) | |
1217 | goto out; | |
1218 | ||
1219 | /* | |
1220 | * Before computing the linear address, make sure the effective address | |
1221 | * is within the limits of the segment. In virtual-8086 mode, segment | |
1222 | * limits are not enforced. In such a case, the segment limit is -1L to | |
1223 | * reflect this fact. | |
1224 | */ | |
1225 | if ((unsigned long)(eff_addr & 0xffff) > seg_limit) | |
1226 | goto out; | |
1227 | ||
1228 | linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; | |
1229 | ||
1230 | /* Limit linear address to 20 bits */ | |
1231 | if (v8086_mode(regs)) | |
1232 | linear_addr &= 0xfffff; | |
1233 | ||
1234 | out: | |
1235 | return (void __user *)linear_addr; | |
1236 | } | |
1237 | ||
7a6daf79 RN |
1238 | /** |
1239 | * get_addr_ref_32() - Obtain a 32-bit linear address | |
1240 | * @insn: Instruction with ModRM, SIB bytes and displacement | |
1241 | * @regs: Register values as seen when entering kernel mode | |
1242 | * | |
1243 | * This function is to be used with 32-bit address encodings to obtain the | |
1244 | * linear memory address referred by the instruction's ModRM, SIB, | |
1245 | * displacement bytes and segment base address, as applicable. If in protected | |
1246 | * mode, segment limits are enforced. | |
1247 | * | |
1248 | * Returns: | |
1249 | * | |
1250 | * Linear address referenced by instruction and registers on success. | |
1251 | * | |
1252 | * -1L on error. | |
1253 | */ | |
1254 | static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) | |
1255 | { | |
1256 | unsigned long linear_addr = -1L, seg_base, seg_limit; | |
1257 | int eff_addr, regoff; | |
1258 | long tmp; | |
1259 | int ret; | |
1260 | ||
1261 | if (insn->addr_bytes != 4) | |
1262 | goto out; | |
1263 | ||
1264 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { | |
1265 | ret = get_eff_addr_reg(insn, regs, ®off, &tmp); | |
1266 | if (ret) | |
1267 | goto out; | |
1268 | ||
1269 | eff_addr = tmp; | |
1270 | ||
1271 | } else { | |
1272 | if (insn->sib.nbytes) { | |
1273 | ret = get_eff_addr_sib(insn, regs, ®off, &tmp); | |
1274 | if (ret) | |
1275 | goto out; | |
1276 | ||
1277 | eff_addr = tmp; | |
1278 | } else { | |
1279 | ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); | |
1280 | if (ret) | |
1281 | goto out; | |
1282 | ||
1283 | eff_addr = tmp; | |
1284 | } | |
1285 | } | |
1286 | ||
1287 | ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); | |
1288 | if (ret) | |
1289 | goto out; | |
1290 | ||
1291 | /* | |
1292 | * In protected mode, before computing the linear address, make sure | |
1293 | * the effective address is within the limits of the segment. | |
1294 | * 32-bit addresses can be used in long and virtual-8086 modes if an | |
1295 | * address override prefix is used. In such cases, segment limits are | |
1296 | * not enforced. When in virtual-8086 mode, the segment limit is -1L | |
1297 | * to reflect this situation. | |
1298 | * | |
1299 | * After computed, the effective address is treated as an unsigned | |
1300 | * quantity. | |
1301 | */ | |
7be44127 | 1302 | if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) |
7a6daf79 RN |
1303 | goto out; |
1304 | ||
86cc3510 RN |
1305 | /* |
1306 | * Even though 32-bit address encodings are allowed in virtual-8086 | |
1307 | * mode, the address range is still limited to [0x-0xffff]. | |
1308 | */ | |
1309 | if (v8086_mode(regs) && (eff_addr & ~0xffff)) | |
1310 | goto out; | |
1311 | ||
7a6daf79 RN |
1312 | /* |
1313 | * Data type long could be 64 bits in size. Ensure that our 32-bit | |
1314 | * effective address is not sign-extended when computing the linear | |
1315 | * address. | |
1316 | */ | |
1317 | linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; | |
1318 | ||
86cc3510 RN |
1319 | /* Limit linear address to 20 bits */ |
1320 | if (v8086_mode(regs)) | |
1321 | linear_addr &= 0xfffff; | |
1322 | ||
7a6daf79 RN |
1323 | out: |
1324 | return (void __user *)linear_addr; | |
1325 | } | |
1326 | ||
cd9b594a RN |
1327 | /** |
1328 | * get_addr_ref_64() - Obtain a 64-bit linear address | |
1329 | * @insn: Instruction struct with ModRM and SIB bytes and displacement | |
1330 | * @regs: Structure with register values as seen when entering kernel mode | |
1331 | * | |
1332 | * This function is to be used with 64-bit address encodings to obtain the | |
1333 | * linear memory address referred by the instruction's ModRM, SIB, | |
1334 | * displacement bytes and segment base address, as applicable. | |
1335 | * | |
1336 | * Returns: | |
1337 | * | |
1338 | * Linear address referenced by instruction and registers on success. | |
1339 | * | |
1340 | * -1L on error. | |
32542ee2 | 1341 | */ |
cd9b594a RN |
1342 | #ifndef CONFIG_X86_64 |
1343 | static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) | |
1344 | { | |
1345 | return (void __user *)-1L; | |
1346 | } | |
1347 | #else | |
1348 | static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) | |
32542ee2 | 1349 | { |
10890444 | 1350 | unsigned long linear_addr = -1L, seg_base; |
70e57c0f RN |
1351 | int regoff, ret; |
1352 | long eff_addr; | |
32542ee2 | 1353 | |
cd9b594a RN |
1354 | if (insn->addr_bytes != 8) |
1355 | goto out; | |
1356 | ||
32542ee2 | 1357 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { |
70e57c0f RN |
1358 | ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); |
1359 | if (ret) | |
32542ee2 RN |
1360 | goto out; |
1361 | ||
32542ee2 RN |
1362 | } else { |
1363 | if (insn->sib.nbytes) { | |
70e57c0f RN |
1364 | ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); |
1365 | if (ret) | |
32542ee2 | 1366 | goto out; |
32542ee2 | 1367 | } else { |
70e57c0f RN |
1368 | ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); |
1369 | if (ret) | |
32542ee2 | 1370 | goto out; |
32542ee2 RN |
1371 | } |
1372 | ||
32542ee2 RN |
1373 | } |
1374 | ||
70e57c0f | 1375 | ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); |
10890444 RN |
1376 | if (ret) |
1377 | goto out; | |
1378 | ||
1379 | linear_addr = (unsigned long)eff_addr + seg_base; | |
32542ee2 RN |
1380 | |
1381 | out: | |
1382 | return (void __user *)linear_addr; | |
1383 | } | |
cd9b594a RN |
1384 | #endif /* CONFIG_X86_64 */ |
1385 | ||
1386 | /** | |
1387 | * insn_get_addr_ref() - Obtain the linear address referred by instruction | |
1388 | * @insn: Instruction structure containing ModRM byte and displacement | |
1389 | * @regs: Structure with register values as seen when entering kernel mode | |
1390 | * | |
1391 | * Obtain the linear address referred by the instruction's ModRM, SIB and | |
1392 | * displacement bytes, and segment base, as applicable. In protected mode, | |
1393 | * segment limits are enforced. | |
1394 | * | |
1395 | * Returns: | |
1396 | * | |
1397 | * Linear address referenced by instruction and registers on success. | |
1398 | * | |
1399 | * -1L on error. | |
1400 | */ | |
1401 | void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) | |
1402 | { | |
1403 | if (!insn || !regs) | |
1404 | return (void __user *)-1L; | |
1405 | ||
1406 | switch (insn->addr_bytes) { | |
9c6c799f RN |
1407 | case 2: |
1408 | return get_addr_ref_16(insn, regs); | |
cd9b594a RN |
1409 | case 4: |
1410 | return get_addr_ref_32(insn, regs); | |
1411 | case 8: | |
1412 | return get_addr_ref_64(insn, regs); | |
1413 | default: | |
1414 | return (void __user *)-1L; | |
1415 | } | |
1416 | } | |
172b75e5 | 1417 | |
63a1d08c JR |
1418 | static unsigned long insn_get_effective_ip(struct pt_regs *regs) |
1419 | { | |
1420 | unsigned long seg_base = 0; | |
1421 | ||
1422 | /* | |
1423 | * If not in user-space long mode, a custom code segment could be in | |
1424 | * use. This is true in protected mode (if the process defined a local | |
1425 | * descriptor table), or virtual-8086 mode. In most of the cases | |
1426 | * seg_base will be zero as in USER_CS. | |
1427 | */ | |
1428 | if (!user_64bit_mode(regs)) { | |
1429 | seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS); | |
1430 | if (seg_base == -1L) | |
1431 | return 0; | |
1432 | } | |
1433 | ||
1434 | return seg_base + regs->ip; | |
1435 | } | |
1436 | ||
172b75e5 JR |
1437 | /** |
1438 | * insn_fetch_from_user() - Copy instruction bytes from user-space memory | |
1439 | * @regs: Structure with register values as seen when entering kernel mode | |
1440 | * @buf: Array to store the fetched instruction | |
1441 | * | |
1442 | * Gets the linear address of the instruction and copies the instruction bytes | |
1443 | * to the buf. | |
1444 | * | |
1445 | * Returns: | |
1446 | * | |
1447 | * Number of instruction bytes copied. | |
1448 | * | |
1449 | * 0 if nothing was copied. | |
1450 | */ | |
1451 | int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) | |
1452 | { | |
63a1d08c | 1453 | unsigned long ip; |
172b75e5 JR |
1454 | int not_copied; |
1455 | ||
63a1d08c JR |
1456 | ip = insn_get_effective_ip(regs); |
1457 | if (!ip) | |
1458 | return 0; | |
1459 | ||
1460 | not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE); | |
172b75e5 | 1461 | |
63a1d08c JR |
1462 | return MAX_INSN_SIZE - not_copied; |
1463 | } | |
1464 | ||
1465 | /** | |
1466 | * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory | |
1467 | * while in atomic code | |
1468 | * @regs: Structure with register values as seen when entering kernel mode | |
1469 | * @buf: Array to store the fetched instruction | |
1470 | * | |
1471 | * Gets the linear address of the instruction and copies the instruction bytes | |
1472 | * to the buf. This function must be used in atomic context. | |
1473 | * | |
1474 | * Returns: | |
1475 | * | |
1476 | * Number of instruction bytes copied. | |
1477 | * | |
1478 | * 0 if nothing was copied. | |
1479 | */ | |
1480 | int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) | |
1481 | { | |
1482 | unsigned long ip; | |
1483 | int not_copied; | |
1484 | ||
1485 | ip = insn_get_effective_ip(regs); | |
1486 | if (!ip) | |
1487 | return 0; | |
172b75e5 | 1488 | |
63a1d08c | 1489 | not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE); |
172b75e5 JR |
1490 | |
1491 | return MAX_INSN_SIZE - not_copied; | |
1492 | } | |
172639d7 JR |
1493 | |
1494 | /** | |
1495 | * insn_decode() - Decode an instruction | |
1496 | * @insn: Structure to store decoded instruction | |
1497 | * @regs: Structure with register values as seen when entering kernel mode | |
1498 | * @buf: Buffer containing the instruction bytes | |
1499 | * @buf_size: Number of instruction bytes available in buf | |
1500 | * | |
1501 | * Decodes the instruction provided in buf and stores the decoding results in | |
1502 | * insn. Also determines the correct address and operand sizes. | |
1503 | * | |
1504 | * Returns: | |
1505 | * | |
1506 | * True if instruction was decoded, False otherwise. | |
1507 | */ | |
1508 | bool insn_decode(struct insn *insn, struct pt_regs *regs, | |
1509 | unsigned char buf[MAX_INSN_SIZE], int buf_size) | |
1510 | { | |
1511 | int seg_defs; | |
1512 | ||
1513 | insn_init(insn, buf, buf_size, user_64bit_mode(regs)); | |
1514 | ||
1515 | /* | |
1516 | * Override the default operand and address sizes with what is specified | |
1517 | * in the code segment descriptor. The instruction decoder only sets | |
1518 | * the address size it to either 4 or 8 address bytes and does nothing | |
1519 | * for the operand bytes. This OK for most of the cases, but we could | |
1520 | * have special cases where, for instance, a 16-bit code segment | |
1521 | * descriptor is used. | |
1522 | * If there is an address override prefix, the instruction decoder | |
1523 | * correctly updates these values, even for 16-bit defaults. | |
1524 | */ | |
1525 | seg_defs = insn_get_code_seg_params(regs); | |
1526 | if (seg_defs == -EINVAL) | |
1527 | return false; | |
1528 | ||
1529 | insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs); | |
1530 | insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs); | |
1531 | ||
1532 | insn_get_length(insn); | |
1533 | if (buf_size < insn->length) | |
1534 | return false; | |
1535 | ||
1536 | return true; | |
1537 | } |