]>
Commit | Line | Data |
---|---|---|
32542ee2 RN |
1 | /* |
2 | * Utility functions for x86 operand and address decoding | |
3 | * | |
4 | * Copyright (C) Intel Corporation 2017 | |
5 | */ | |
6 | #include <linux/kernel.h> | |
7 | #include <linux/string.h> | |
ed594e4b | 8 | #include <linux/ratelimit.h> |
670f928b RN |
9 | #include <linux/mmu_context.h> |
10 | #include <asm/desc_defs.h> | |
11 | #include <asm/desc.h> | |
32542ee2 RN |
12 | #include <asm/inat.h> |
13 | #include <asm/insn.h> | |
14 | #include <asm/insn-eval.h> | |
670f928b | 15 | #include <asm/ldt.h> |
32d0b953 | 16 | #include <asm/vm86.h> |
32542ee2 | 17 | |
ed594e4b RN |
18 | #undef pr_fmt |
19 | #define pr_fmt(fmt) "insn: " fmt | |
20 | ||
32542ee2 RN |
21 | enum reg_type { |
22 | REG_TYPE_RM = 0, | |
23 | REG_TYPE_INDEX, | |
24 | REG_TYPE_BASE, | |
25 | }; | |
26 | ||
536b8153 RN |
27 | /** |
28 | * is_string_insn() - Determine if instruction is a string instruction | |
29 | * @insn: Instruction containing the opcode to inspect | |
30 | * | |
31 | * Returns: | |
32 | * | |
33 | * true if the instruction, determined by the opcode, is any of the | |
34 | * string instructions as defined in the Intel Software Development manual. | |
35 | * False otherwise. | |
36 | */ | |
37 | static bool is_string_insn(struct insn *insn) | |
38 | { | |
39 | insn_get_opcode(insn); | |
40 | ||
41 | /* All string instructions have a 1-byte opcode. */ | |
42 | if (insn->opcode.nbytes != 1) | |
43 | return false; | |
44 | ||
45 | switch (insn->opcode.bytes[0]) { | |
46 | case 0x6c ... 0x6f: /* INS, OUTS */ | |
47 | case 0xa4 ... 0xa7: /* MOVS, CMPS */ | |
48 | case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ | |
49 | return true; | |
50 | default: | |
51 | return false; | |
52 | } | |
53 | } | |
54 | ||
32d0b953 RN |
55 | /** |
56 | * get_seg_reg_override_idx() - obtain segment register override index | |
57 | * @insn: Valid instruction with segment override prefixes | |
58 | * | |
59 | * Inspect the instruction prefixes in @insn and find segment overrides, if any. | |
60 | * | |
61 | * Returns: | |
62 | * | |
63 | * A constant identifying the segment register to use, among CS, SS, DS, | |
64 | * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override | |
65 | * prefixes were found. | |
66 | * | |
67 | * -EINVAL in case of error. | |
68 | */ | |
69 | static int get_seg_reg_override_idx(struct insn *insn) | |
70 | { | |
71 | int idx = INAT_SEG_REG_DEFAULT; | |
72 | int num_overrides = 0, i; | |
73 | ||
74 | insn_get_prefixes(insn); | |
75 | ||
76 | /* Look for any segment override prefixes. */ | |
77 | for (i = 0; i < insn->prefixes.nbytes; i++) { | |
78 | insn_attr_t attr; | |
79 | ||
80 | attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); | |
81 | switch (attr) { | |
82 | case INAT_MAKE_PREFIX(INAT_PFX_CS): | |
83 | idx = INAT_SEG_REG_CS; | |
84 | num_overrides++; | |
85 | break; | |
86 | case INAT_MAKE_PREFIX(INAT_PFX_SS): | |
87 | idx = INAT_SEG_REG_SS; | |
88 | num_overrides++; | |
89 | break; | |
90 | case INAT_MAKE_PREFIX(INAT_PFX_DS): | |
91 | idx = INAT_SEG_REG_DS; | |
92 | num_overrides++; | |
93 | break; | |
94 | case INAT_MAKE_PREFIX(INAT_PFX_ES): | |
95 | idx = INAT_SEG_REG_ES; | |
96 | num_overrides++; | |
97 | break; | |
98 | case INAT_MAKE_PREFIX(INAT_PFX_FS): | |
99 | idx = INAT_SEG_REG_FS; | |
100 | num_overrides++; | |
101 | break; | |
102 | case INAT_MAKE_PREFIX(INAT_PFX_GS): | |
103 | idx = INAT_SEG_REG_GS; | |
104 | num_overrides++; | |
105 | break; | |
106 | /* No default action needed. */ | |
107 | } | |
108 | } | |
109 | ||
110 | /* More than one segment override prefix leads to undefined behavior. */ | |
111 | if (num_overrides > 1) | |
112 | return -EINVAL; | |
113 | ||
114 | return idx; | |
115 | } | |
116 | ||
117 | /** | |
118 | * check_seg_overrides() - check if segment override prefixes are allowed | |
119 | * @insn: Valid instruction with segment override prefixes | |
120 | * @regoff: Operand offset, in pt_regs, for which the check is performed | |
121 | * | |
122 | * For a particular register used in register-indirect addressing, determine if | |
123 | * segment override prefixes can be used. Specifically, no overrides are allowed | |
124 | * for rDI if used with a string instruction. | |
125 | * | |
126 | * Returns: | |
127 | * | |
128 | * True if segment override prefixes can be used with the register indicated | |
129 | * in @regoff. False if otherwise. | |
130 | */ | |
131 | static bool check_seg_overrides(struct insn *insn, int regoff) | |
132 | { | |
133 | if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) | |
134 | return false; | |
135 | ||
136 | return true; | |
137 | } | |
138 | ||
139 | /** | |
140 | * resolve_default_seg() - resolve default segment register index for an operand | |
141 | * @insn: Instruction with opcode and address size. Must be valid. | |
142 | * @regs: Register values as seen when entering kernel mode | |
143 | * @off: Operand offset, in pt_regs, for which resolution is needed | |
144 | * | |
145 | * Resolve the default segment register index associated with the instruction | |
146 | * operand register indicated by @off. Such index is resolved based on defaults | |
147 | * described in the Intel Software Development Manual. | |
148 | * | |
149 | * Returns: | |
150 | * | |
151 | * If in protected mode, a constant identifying the segment register to use, | |
152 | * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. | |
153 | * | |
154 | * -EINVAL in case of error. | |
155 | */ | |
156 | static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) | |
157 | { | |
158 | if (user_64bit_mode(regs)) | |
159 | return INAT_SEG_REG_IGNORE; | |
160 | /* | |
161 | * Resolve the default segment register as described in Section 3.7.4 | |
162 | * of the Intel Software Development Manual Vol. 1: | |
163 | * | |
164 | * + DS for all references involving r[ABCD]X, and rSI. | |
165 | * + If used in a string instruction, ES for rDI. Otherwise, DS. | |
166 | * + AX, CX and DX are not valid register operands in 16-bit address | |
167 | * encodings but are valid for 32-bit and 64-bit encodings. | |
168 | * + -EDOM is reserved to identify for cases in which no register | |
169 | * is used (i.e., displacement-only addressing). Use DS. | |
170 | * + SS for rSP or rBP. | |
171 | * + CS for rIP. | |
172 | */ | |
173 | ||
174 | switch (off) { | |
175 | case offsetof(struct pt_regs, ax): | |
176 | case offsetof(struct pt_regs, cx): | |
177 | case offsetof(struct pt_regs, dx): | |
178 | /* Need insn to verify address size. */ | |
179 | if (insn->addr_bytes == 2) | |
180 | return -EINVAL; | |
181 | ||
182 | case -EDOM: | |
183 | case offsetof(struct pt_regs, bx): | |
184 | case offsetof(struct pt_regs, si): | |
185 | return INAT_SEG_REG_DS; | |
186 | ||
187 | case offsetof(struct pt_regs, di): | |
188 | if (is_string_insn(insn)) | |
189 | return INAT_SEG_REG_ES; | |
190 | return INAT_SEG_REG_DS; | |
191 | ||
192 | case offsetof(struct pt_regs, bp): | |
193 | case offsetof(struct pt_regs, sp): | |
194 | return INAT_SEG_REG_SS; | |
195 | ||
196 | case offsetof(struct pt_regs, ip): | |
197 | return INAT_SEG_REG_CS; | |
198 | ||
199 | default: | |
200 | return -EINVAL; | |
201 | } | |
202 | } | |
203 | ||
204 | /** | |
205 | * resolve_seg_reg() - obtain segment register index | |
206 | * @insn: Instruction with operands | |
207 | * @regs: Register values as seen when entering kernel mode | |
208 | * @regoff: Operand offset, in pt_regs, used to deterimine segment register | |
209 | * | |
210 | * Determine the segment register associated with the operands and, if | |
211 | * applicable, prefixes and the instruction pointed by @insn. | |
212 | * | |
213 | * The segment register associated to an operand used in register-indirect | |
214 | * addressing depends on: | |
215 | * | |
216 | * a) Whether running in long mode (in such a case segments are ignored, except | |
217 | * if FS or GS are used). | |
218 | * | |
219 | * b) Whether segment override prefixes can be used. Certain instructions and | |
220 | * registers do not allow override prefixes. | |
221 | * | |
222 | * c) Whether segment overrides prefixes are found in the instruction prefixes. | |
223 | * | |
224 | * d) If there are not segment override prefixes or they cannot be used, the | |
225 | * default segment register associated with the operand register is used. | |
226 | * | |
227 | * The function checks first if segment override prefixes can be used with the | |
228 | * operand indicated by @regoff. If allowed, obtain such overridden segment | |
229 | * register index. Lastly, if not prefixes were found or cannot be used, resolve | |
230 | * the segment register index to use based on the defaults described in the | |
231 | * Intel documentation. In long mode, all segment register indexes will be | |
232 | * ignored, except if overrides were found for FS or GS. All these operations | |
233 | * are done using helper functions. | |
234 | * | |
235 | * The operand register, @regoff, is represented as the offset from the base of | |
236 | * pt_regs. | |
237 | * | |
238 | * As stated, the main use of this function is to determine the segment register | |
239 | * index based on the instruction, its operands and prefixes. Hence, @insn | |
240 | * must be valid. However, if @regoff indicates rIP, we don't need to inspect | |
241 | * @insn at all as in this case CS is used in all cases. This case is checked | |
242 | * before proceeding further. | |
243 | * | |
244 | * Please note that this function does not return the value in the segment | |
245 | * register (i.e., the segment selector) but our defined index. The segment | |
246 | * selector needs to be obtained using get_segment_selector() and passing the | |
247 | * segment register index resolved by this function. | |
248 | * | |
249 | * Returns: | |
250 | * | |
251 | * An index identifying the segment register to use, among CS, SS, DS, | |
252 | * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. | |
253 | * | |
254 | * -EINVAL in case of error. | |
255 | */ | |
256 | static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) | |
257 | { | |
258 | int idx; | |
259 | ||
260 | /* | |
261 | * In the unlikely event of having to resolve the segment register | |
262 | * index for rIP, do it first. Segment override prefixes should not | |
263 | * be used. Hence, it is not necessary to inspect the instruction, | |
264 | * which may be invalid at this point. | |
265 | */ | |
266 | if (regoff == offsetof(struct pt_regs, ip)) { | |
267 | if (user_64bit_mode(regs)) | |
268 | return INAT_SEG_REG_IGNORE; | |
269 | else | |
270 | return INAT_SEG_REG_CS; | |
271 | } | |
272 | ||
273 | if (!insn) | |
274 | return -EINVAL; | |
275 | ||
276 | if (!check_seg_overrides(insn, regoff)) | |
277 | return resolve_default_seg(insn, regs, regoff); | |
278 | ||
279 | idx = get_seg_reg_override_idx(insn); | |
280 | if (idx < 0) | |
281 | return idx; | |
282 | ||
283 | if (idx == INAT_SEG_REG_DEFAULT) | |
284 | return resolve_default_seg(insn, regs, regoff); | |
285 | ||
286 | /* | |
287 | * In long mode, segment override prefixes are ignored, except for | |
288 | * overrides for FS and GS. | |
289 | */ | |
290 | if (user_64bit_mode(regs)) { | |
291 | if (idx != INAT_SEG_REG_FS && | |
292 | idx != INAT_SEG_REG_GS) | |
293 | idx = INAT_SEG_REG_IGNORE; | |
294 | } | |
295 | ||
296 | return idx; | |
297 | } | |
298 | ||
299 | /** | |
300 | * get_segment_selector() - obtain segment selector | |
301 | * @regs: Register values as seen when entering kernel mode | |
302 | * @seg_reg_idx: Segment register index to use | |
303 | * | |
304 | * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment | |
305 | * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or | |
306 | * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained | |
307 | * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU | |
308 | * registers. This done for only for completeness as in CONFIG_X86_64 segment | |
309 | * registers are ignored. | |
310 | * | |
311 | * Returns: | |
312 | * | |
313 | * Value of the segment selector, including null when running in | |
314 | * long mode. | |
315 | * | |
316 | * -EINVAL on error. | |
317 | */ | |
318 | static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) | |
319 | { | |
320 | #ifdef CONFIG_X86_64 | |
321 | unsigned short sel; | |
322 | ||
323 | switch (seg_reg_idx) { | |
324 | case INAT_SEG_REG_IGNORE: | |
325 | return 0; | |
326 | case INAT_SEG_REG_CS: | |
327 | return (unsigned short)(regs->cs & 0xffff); | |
328 | case INAT_SEG_REG_SS: | |
329 | return (unsigned short)(regs->ss & 0xffff); | |
330 | case INAT_SEG_REG_DS: | |
331 | savesegment(ds, sel); | |
332 | return sel; | |
333 | case INAT_SEG_REG_ES: | |
334 | savesegment(es, sel); | |
335 | return sel; | |
336 | case INAT_SEG_REG_FS: | |
337 | savesegment(fs, sel); | |
338 | return sel; | |
339 | case INAT_SEG_REG_GS: | |
340 | savesegment(gs, sel); | |
341 | return sel; | |
342 | default: | |
343 | return -EINVAL; | |
344 | } | |
345 | #else /* CONFIG_X86_32 */ | |
346 | struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; | |
347 | ||
348 | if (v8086_mode(regs)) { | |
349 | switch (seg_reg_idx) { | |
350 | case INAT_SEG_REG_CS: | |
351 | return (unsigned short)(regs->cs & 0xffff); | |
352 | case INAT_SEG_REG_SS: | |
353 | return (unsigned short)(regs->ss & 0xffff); | |
354 | case INAT_SEG_REG_DS: | |
355 | return vm86regs->ds; | |
356 | case INAT_SEG_REG_ES: | |
357 | return vm86regs->es; | |
358 | case INAT_SEG_REG_FS: | |
359 | return vm86regs->fs; | |
360 | case INAT_SEG_REG_GS: | |
361 | return vm86regs->gs; | |
362 | case INAT_SEG_REG_IGNORE: | |
363 | /* fall through */ | |
364 | default: | |
365 | return -EINVAL; | |
366 | } | |
367 | } | |
368 | ||
369 | switch (seg_reg_idx) { | |
370 | case INAT_SEG_REG_CS: | |
371 | return (unsigned short)(regs->cs & 0xffff); | |
372 | case INAT_SEG_REG_SS: | |
373 | return (unsigned short)(regs->ss & 0xffff); | |
374 | case INAT_SEG_REG_DS: | |
375 | return (unsigned short)(regs->ds & 0xffff); | |
376 | case INAT_SEG_REG_ES: | |
377 | return (unsigned short)(regs->es & 0xffff); | |
378 | case INAT_SEG_REG_FS: | |
379 | return (unsigned short)(regs->fs & 0xffff); | |
380 | case INAT_SEG_REG_GS: | |
381 | /* | |
382 | * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. | |
383 | * The macro below takes care of both cases. | |
384 | */ | |
385 | return get_user_gs(regs); | |
386 | case INAT_SEG_REG_IGNORE: | |
387 | /* fall through */ | |
388 | default: | |
389 | return -EINVAL; | |
390 | } | |
391 | #endif /* CONFIG_X86_64 */ | |
392 | } | |
393 | ||
32542ee2 RN |
394 | static int get_reg_offset(struct insn *insn, struct pt_regs *regs, |
395 | enum reg_type type) | |
396 | { | |
397 | int regno = 0; | |
398 | ||
399 | static const int regoff[] = { | |
400 | offsetof(struct pt_regs, ax), | |
401 | offsetof(struct pt_regs, cx), | |
402 | offsetof(struct pt_regs, dx), | |
403 | offsetof(struct pt_regs, bx), | |
404 | offsetof(struct pt_regs, sp), | |
405 | offsetof(struct pt_regs, bp), | |
406 | offsetof(struct pt_regs, si), | |
407 | offsetof(struct pt_regs, di), | |
408 | #ifdef CONFIG_X86_64 | |
409 | offsetof(struct pt_regs, r8), | |
410 | offsetof(struct pt_regs, r9), | |
411 | offsetof(struct pt_regs, r10), | |
412 | offsetof(struct pt_regs, r11), | |
413 | offsetof(struct pt_regs, r12), | |
414 | offsetof(struct pt_regs, r13), | |
415 | offsetof(struct pt_regs, r14), | |
416 | offsetof(struct pt_regs, r15), | |
417 | #endif | |
418 | }; | |
419 | int nr_registers = ARRAY_SIZE(regoff); | |
420 | /* | |
421 | * Don't possibly decode a 32-bit instructions as | |
422 | * reading a 64-bit-only register. | |
423 | */ | |
424 | if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) | |
425 | nr_registers -= 8; | |
426 | ||
427 | switch (type) { | |
428 | case REG_TYPE_RM: | |
429 | regno = X86_MODRM_RM(insn->modrm.value); | |
e526a302 RN |
430 | |
431 | /* | |
432 | * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement | |
433 | * follows the ModRM byte. | |
434 | */ | |
435 | if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) | |
436 | return -EDOM; | |
437 | ||
32542ee2 RN |
438 | if (X86_REX_B(insn->rex_prefix.value)) |
439 | regno += 8; | |
440 | break; | |
441 | ||
442 | case REG_TYPE_INDEX: | |
443 | regno = X86_SIB_INDEX(insn->sib.value); | |
444 | if (X86_REX_X(insn->rex_prefix.value)) | |
445 | regno += 8; | |
446 | ||
447 | /* | |
448 | * If ModRM.mod != 3 and SIB.index = 4 the scale*index | |
449 | * portion of the address computation is null. This is | |
450 | * true only if REX.X is 0. In such a case, the SIB index | |
451 | * is used in the address computation. | |
452 | */ | |
453 | if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) | |
454 | return -EDOM; | |
455 | break; | |
456 | ||
457 | case REG_TYPE_BASE: | |
458 | regno = X86_SIB_BASE(insn->sib.value); | |
459 | /* | |
460 | * If ModRM.mod is 0 and SIB.base == 5, the base of the | |
461 | * register-indirect addressing is 0. In this case, a | |
462 | * 32-bit displacement follows the SIB byte. | |
463 | */ | |
464 | if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) | |
465 | return -EDOM; | |
466 | ||
467 | if (X86_REX_B(insn->rex_prefix.value)) | |
468 | regno += 8; | |
469 | break; | |
470 | ||
471 | default: | |
ed594e4b RN |
472 | pr_err_ratelimited("invalid register type: %d\n", type); |
473 | return -EINVAL; | |
32542ee2 RN |
474 | } |
475 | ||
476 | if (regno >= nr_registers) { | |
477 | WARN_ONCE(1, "decoded an instruction with an invalid register"); | |
478 | return -EINVAL; | |
479 | } | |
480 | return regoff[regno]; | |
481 | } | |
482 | ||
670f928b RN |
483 | /** |
484 | * get_desc() - Obtain pointer to a segment descriptor | |
485 | * @sel: Segment selector | |
486 | * | |
487 | * Given a segment selector, obtain a pointer to the segment descriptor. | |
488 | * Both global and local descriptor tables are supported. | |
489 | * | |
490 | * Returns: | |
491 | * | |
492 | * Pointer to segment descriptor on success. | |
493 | * | |
494 | * NULL on error. | |
495 | */ | |
496 | static struct desc_struct *get_desc(unsigned short sel) | |
497 | { | |
498 | struct desc_ptr gdt_desc = {0, 0}; | |
499 | unsigned long desc_base; | |
500 | ||
501 | #ifdef CONFIG_MODIFY_LDT_SYSCALL | |
502 | if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { | |
503 | struct desc_struct *desc = NULL; | |
504 | struct ldt_struct *ldt; | |
505 | ||
506 | /* Bits [15:3] contain the index of the desired entry. */ | |
507 | sel >>= 3; | |
508 | ||
509 | mutex_lock(¤t->active_mm->context.lock); | |
510 | ldt = current->active_mm->context.ldt; | |
511 | if (ldt && sel < ldt->nr_entries) | |
512 | desc = &ldt->entries[sel]; | |
513 | ||
514 | mutex_unlock(¤t->active_mm->context.lock); | |
515 | ||
516 | return desc; | |
517 | } | |
518 | #endif | |
519 | native_store_gdt(&gdt_desc); | |
520 | ||
521 | /* | |
522 | * Segment descriptors have a size of 8 bytes. Thus, the index is | |
523 | * multiplied by 8 to obtain the memory offset of the desired descriptor | |
524 | * from the base of the GDT. As bits [15:3] of the segment selector | |
525 | * contain the index, it can be regarded as multiplied by 8 already. | |
526 | * All that remains is to clear bits [2:0]. | |
527 | */ | |
528 | desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); | |
529 | ||
530 | if (desc_base > gdt_desc.size) | |
531 | return NULL; | |
532 | ||
533 | return (struct desc_struct *)(gdt_desc.address + desc_base); | |
534 | } | |
535 | ||
bd5a410a RN |
536 | /** |
537 | * insn_get_seg_base() - Obtain base address of segment descriptor. | |
538 | * @regs: Register values as seen when entering kernel mode | |
539 | * @seg_reg_idx: Index of the segment register pointing to seg descriptor | |
540 | * | |
541 | * Obtain the base address of the segment as indicated by the segment descriptor | |
542 | * pointed by the segment selector. The segment selector is obtained from the | |
543 | * input segment register index @seg_reg_idx. | |
544 | * | |
545 | * Returns: | |
546 | * | |
547 | * In protected mode, base address of the segment. Zero in long mode, | |
548 | * except when FS or GS are used. In virtual-8086 mode, the segment | |
549 | * selector shifted 4 bits to the right. | |
550 | * | |
551 | * -1L in case of error. | |
552 | */ | |
553 | unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) | |
554 | { | |
555 | struct desc_struct *desc; | |
556 | short sel; | |
557 | ||
558 | sel = get_segment_selector(regs, seg_reg_idx); | |
559 | if (sel < 0) | |
560 | return -1L; | |
561 | ||
562 | if (v8086_mode(regs)) | |
563 | /* | |
564 | * Base is simply the segment selector shifted 4 | |
565 | * bits to the right. | |
566 | */ | |
567 | return (unsigned long)(sel << 4); | |
568 | ||
569 | if (user_64bit_mode(regs)) { | |
570 | /* | |
571 | * Only FS or GS will have a base address, the rest of | |
572 | * the segments' bases are forced to 0. | |
573 | */ | |
574 | unsigned long base; | |
575 | ||
576 | if (seg_reg_idx == INAT_SEG_REG_FS) | |
577 | rdmsrl(MSR_FS_BASE, base); | |
578 | else if (seg_reg_idx == INAT_SEG_REG_GS) | |
579 | /* | |
580 | * swapgs was called at the kernel entry point. Thus, | |
581 | * MSR_KERNEL_GS_BASE will have the user-space GS base. | |
582 | */ | |
583 | rdmsrl(MSR_KERNEL_GS_BASE, base); | |
584 | else | |
585 | base = 0; | |
586 | return base; | |
587 | } | |
588 | ||
589 | /* In protected mode the segment selector cannot be null. */ | |
590 | if (!sel) | |
591 | return -1L; | |
592 | ||
593 | desc = get_desc(sel); | |
594 | if (!desc) | |
595 | return -1L; | |
596 | ||
597 | return get_desc_base(desc); | |
598 | } | |
599 | ||
600 | /** | |
601 | * get_seg_limit() - Obtain the limit of a segment descriptor | |
602 | * @regs: Register values as seen when entering kernel mode | |
603 | * @seg_reg_idx: Index of the segment register pointing to seg descriptor | |
604 | * | |
605 | * Obtain the limit of the segment as indicated by the segment descriptor | |
606 | * pointed by the segment selector. The segment selector is obtained from the | |
607 | * input segment register index @seg_reg_idx. | |
608 | * | |
609 | * Returns: | |
610 | * | |
611 | * In protected mode, the limit of the segment descriptor in bytes. | |
612 | * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, | |
613 | * limit is returned as -1L to imply a limit-less segment. | |
614 | * | |
615 | * Zero is returned on error. | |
616 | */ | |
617 | static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) | |
618 | { | |
619 | struct desc_struct *desc; | |
620 | unsigned long limit; | |
621 | short sel; | |
622 | ||
623 | sel = get_segment_selector(regs, seg_reg_idx); | |
624 | if (sel < 0) | |
625 | return 0; | |
626 | ||
627 | if (user_64bit_mode(regs) || v8086_mode(regs)) | |
628 | return -1L; | |
629 | ||
630 | if (!sel) | |
631 | return 0; | |
632 | ||
633 | desc = get_desc(sel); | |
634 | if (!desc) | |
635 | return 0; | |
636 | ||
637 | /* | |
638 | * If the granularity bit is set, the limit is given in multiples | |
639 | * of 4096. This also means that the 12 least significant bits are | |
640 | * not tested when checking the segment limits. In practice, | |
641 | * this means that the segment ends in (limit << 12) + 0xfff. | |
642 | */ | |
643 | limit = get_desc_limit(desc); | |
644 | if (desc->g) | |
645 | limit = (limit << 12) + 0xfff; | |
646 | ||
647 | return limit; | |
648 | } | |
649 | ||
4efea85f RN |
650 | /** |
651 | * insn_get_code_seg_params() - Obtain code segment parameters | |
652 | * @regs: Structure with register values as seen when entering kernel mode | |
653 | * | |
654 | * Obtain address and operand sizes of the code segment. It is obtained from the | |
655 | * selector contained in the CS register in regs. In protected mode, the default | |
656 | * address is determined by inspecting the L and D bits of the segment | |
657 | * descriptor. In virtual-8086 mode, the default is always two bytes for both | |
658 | * address and operand sizes. | |
659 | * | |
660 | * Returns: | |
661 | * | |
662 | * A signed 8-bit value containing the default parameters on success. | |
663 | * | |
664 | * -EINVAL on error. | |
665 | */ | |
666 | char insn_get_code_seg_params(struct pt_regs *regs) | |
667 | { | |
668 | struct desc_struct *desc; | |
669 | short sel; | |
670 | ||
671 | if (v8086_mode(regs)) | |
672 | /* Address and operand size are both 16-bit. */ | |
673 | return INSN_CODE_SEG_PARAMS(2, 2); | |
674 | ||
675 | sel = get_segment_selector(regs, INAT_SEG_REG_CS); | |
676 | if (sel < 0) | |
677 | return sel; | |
678 | ||
679 | desc = get_desc(sel); | |
680 | if (!desc) | |
681 | return -EINVAL; | |
682 | ||
683 | /* | |
684 | * The most significant byte of the Type field of the segment descriptor | |
685 | * determines whether a segment contains data or code. If this is a data | |
686 | * segment, return error. | |
687 | */ | |
688 | if (!(desc->type & BIT(3))) | |
689 | return -EINVAL; | |
690 | ||
691 | switch ((desc->l << 1) | desc->d) { | |
692 | case 0: /* | |
693 | * Legacy mode. CS.L=0, CS.D=0. Address and operand size are | |
694 | * both 16-bit. | |
695 | */ | |
696 | return INSN_CODE_SEG_PARAMS(2, 2); | |
697 | case 1: /* | |
698 | * Legacy mode. CS.L=0, CS.D=1. Address and operand size are | |
699 | * both 32-bit. | |
700 | */ | |
701 | return INSN_CODE_SEG_PARAMS(4, 4); | |
702 | case 2: /* | |
703 | * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; | |
704 | * operand size is 32-bit. | |
705 | */ | |
706 | return INSN_CODE_SEG_PARAMS(4, 8); | |
707 | case 3: /* Invalid setting. CS.L=1, CS.D=1 */ | |
708 | /* fall through */ | |
709 | default: | |
710 | return -EINVAL; | |
711 | } | |
712 | } | |
713 | ||
e5e45f11 RN |
714 | /** |
715 | * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte | |
716 | * @insn: Instruction containing the ModRM byte | |
717 | * @regs: Register values as seen when entering kernel mode | |
718 | * | |
719 | * Returns: | |
720 | * | |
721 | * The register indicated by the r/m part of the ModRM byte. The | |
722 | * register is obtained as an offset from the base of pt_regs. In specific | |
723 | * cases, the returned value can be -EDOM to indicate that the particular value | |
724 | * of ModRM does not refer to a register and shall be ignored. | |
725 | */ | |
726 | int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) | |
727 | { | |
728 | return get_reg_offset(insn, regs, REG_TYPE_RM); | |
729 | } | |
730 | ||
10890444 | 731 | /** |
71271269 | 732 | * get_seg_base_limit() - obtain base address and limit of a segment |
10890444 RN |
733 | * @insn: Instruction. Must be valid. |
734 | * @regs: Register values as seen when entering kernel mode | |
735 | * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor | |
736 | * @base: Obtained segment base | |
71271269 | 737 | * @limit: Obtained segment limit |
10890444 | 738 | * |
71271269 RN |
739 | * Obtain the base address and limit of the segment associated with the operand |
740 | * @regoff and, if any or allowed, override prefixes in @insn. This function is | |
10890444 | 741 | * different from insn_get_seg_base() as the latter does not resolve the segment |
71271269 RN |
742 | * associated with the instruction operand. If a limit is not needed (e.g., |
743 | * when running in long mode), @limit can be NULL. | |
10890444 RN |
744 | * |
745 | * Returns: | |
746 | * | |
71271269 RN |
747 | * 0 on success. @base and @limit will contain the base address and of the |
748 | * resolved segment, respectively. | |
10890444 RN |
749 | * |
750 | * -EINVAL on error. | |
751 | */ | |
71271269 RN |
752 | static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, |
753 | int regoff, unsigned long *base, | |
754 | unsigned long *limit) | |
10890444 RN |
755 | { |
756 | int seg_reg_idx; | |
757 | ||
758 | if (!base) | |
759 | return -EINVAL; | |
760 | ||
761 | seg_reg_idx = resolve_seg_reg(insn, regs, regoff); | |
762 | if (seg_reg_idx < 0) | |
763 | return seg_reg_idx; | |
764 | ||
765 | *base = insn_get_seg_base(regs, seg_reg_idx); | |
766 | if (*base == -1L) | |
767 | return -EINVAL; | |
768 | ||
71271269 RN |
769 | if (!limit) |
770 | return 0; | |
771 | ||
772 | *limit = get_seg_limit(regs, seg_reg_idx); | |
773 | if (!(*limit)) | |
774 | return -EINVAL; | |
775 | ||
10890444 RN |
776 | return 0; |
777 | } | |
778 | ||
70e57c0f RN |
779 | /** |
780 | * get_eff_addr_reg() - Obtain effective address from register operand | |
781 | * @insn: Instruction. Must be valid. | |
782 | * @regs: Register values as seen when entering kernel mode | |
783 | * @regoff: Obtained operand offset, in pt_regs, with the effective address | |
784 | * @eff_addr: Obtained effective address | |
785 | * | |
786 | * Obtain the effective address stored in the register operand as indicated by | |
787 | * the ModRM byte. This function is to be used only with register addressing | |
788 | * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The | |
789 | * register operand, as an offset from the base of pt_regs, is saved in @regoff; | |
790 | * such offset can then be used to resolve the segment associated with the | |
791 | * operand. This function can be used with any of the supported address sizes | |
792 | * in x86. | |
793 | * | |
794 | * Returns: | |
795 | * | |
796 | * 0 on success. @eff_addr will have the effective address stored in the | |
797 | * operand indicated by ModRM. @regoff will have such operand as an offset from | |
798 | * the base of pt_regs. | |
799 | * | |
800 | * -EINVAL on error. | |
801 | */ | |
802 | static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, | |
803 | int *regoff, long *eff_addr) | |
804 | { | |
805 | insn_get_modrm(insn); | |
806 | ||
807 | if (!insn->modrm.nbytes) | |
808 | return -EINVAL; | |
809 | ||
810 | if (X86_MODRM_MOD(insn->modrm.value) != 3) | |
811 | return -EINVAL; | |
812 | ||
813 | *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); | |
814 | if (*regoff < 0) | |
815 | return -EINVAL; | |
816 | ||
7a6daf79 RN |
817 | /* Ignore bytes that are outside the address size. */ |
818 | if (insn->addr_bytes == 4) | |
819 | *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; | |
820 | else /* 64-bit address */ | |
821 | *eff_addr = regs_get_register(regs, *regoff); | |
70e57c0f RN |
822 | |
823 | return 0; | |
824 | } | |
825 | ||
826 | /** | |
827 | * get_eff_addr_modrm() - Obtain referenced effective address via ModRM | |
828 | * @insn: Instruction. Must be valid. | |
829 | * @regs: Register values as seen when entering kernel mode | |
830 | * @regoff: Obtained operand offset, in pt_regs, associated with segment | |
831 | * @eff_addr: Obtained effective address | |
832 | * | |
833 | * Obtain the effective address referenced by the ModRM byte of @insn. After | |
834 | * identifying the registers involved in the register-indirect memory reference, | |
835 | * its value is obtained from the operands in @regs. The computed address is | |
836 | * stored @eff_addr. Also, the register operand that indicates the associated | |
837 | * segment is stored in @regoff, this parameter can later be used to determine | |
838 | * such segment. | |
839 | * | |
840 | * Returns: | |
841 | * | |
842 | * 0 on success. @eff_addr will have the referenced effective address. @regoff | |
843 | * will have a register, as an offset from the base of pt_regs, that can be used | |
844 | * to resolve the associated segment. | |
845 | * | |
846 | * -EINVAL on error. | |
847 | */ | |
848 | static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, | |
849 | int *regoff, long *eff_addr) | |
850 | { | |
851 | long tmp; | |
852 | ||
7a6daf79 | 853 | if (insn->addr_bytes != 8 && insn->addr_bytes != 4) |
70e57c0f RN |
854 | return -EINVAL; |
855 | ||
856 | insn_get_modrm(insn); | |
857 | ||
858 | if (!insn->modrm.nbytes) | |
859 | return -EINVAL; | |
860 | ||
861 | if (X86_MODRM_MOD(insn->modrm.value) > 2) | |
862 | return -EINVAL; | |
863 | ||
864 | *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); | |
865 | ||
866 | /* | |
867 | * -EDOM means that we must ignore the address_offset. In such a case, | |
868 | * in 64-bit mode the effective address relative to the rIP of the | |
869 | * following instruction. | |
870 | */ | |
871 | if (*regoff == -EDOM) { | |
872 | if (user_64bit_mode(regs)) | |
873 | tmp = regs->ip + insn->length; | |
874 | else | |
875 | tmp = 0; | |
876 | } else if (*regoff < 0) { | |
877 | return -EINVAL; | |
878 | } else { | |
879 | tmp = regs_get_register(regs, *regoff); | |
880 | } | |
881 | ||
7a6daf79 RN |
882 | if (insn->addr_bytes == 4) { |
883 | int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; | |
884 | ||
885 | *eff_addr = addr32 & 0xffffffff; | |
886 | } else { | |
887 | *eff_addr = tmp + insn->displacement.value; | |
888 | } | |
70e57c0f RN |
889 | |
890 | return 0; | |
891 | } | |
892 | ||
893 | /** | |
894 | * get_eff_addr_sib() - Obtain referenced effective address via SIB | |
895 | * @insn: Instruction. Must be valid. | |
896 | * @regs: Register values as seen when entering kernel mode | |
897 | * @regoff: Obtained operand offset, in pt_regs, associated with segment | |
898 | * @eff_addr: Obtained effective address | |
899 | * | |
900 | * Obtain the effective address referenced by the SIB byte of @insn. After | |
901 | * identifying the registers involved in the indexed, register-indirect memory | |
902 | * reference, its value is obtained from the operands in @regs. The computed | |
903 | * address is stored @eff_addr. Also, the register operand that indicates the | |
904 | * associated segment is stored in @regoff, this parameter can later be used to | |
905 | * determine such segment. | |
906 | * | |
907 | * Returns: | |
908 | * | |
909 | * 0 on success. @eff_addr will have the referenced effective address. | |
910 | * @base_offset will have a register, as an offset from the base of pt_regs, | |
911 | * that can be used to resolve the associated segment. | |
912 | * | |
913 | * -EINVAL on error. | |
914 | */ | |
915 | static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, | |
916 | int *base_offset, long *eff_addr) | |
917 | { | |
918 | long base, indx; | |
919 | int indx_offset; | |
920 | ||
7a6daf79 | 921 | if (insn->addr_bytes != 8 && insn->addr_bytes != 4) |
70e57c0f RN |
922 | return -EINVAL; |
923 | ||
924 | insn_get_modrm(insn); | |
925 | ||
926 | if (!insn->modrm.nbytes) | |
927 | return -EINVAL; | |
928 | ||
929 | if (X86_MODRM_MOD(insn->modrm.value) > 2) | |
930 | return -EINVAL; | |
931 | ||
932 | insn_get_sib(insn); | |
933 | ||
934 | if (!insn->sib.nbytes) | |
935 | return -EINVAL; | |
936 | ||
937 | *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); | |
938 | indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); | |
939 | ||
940 | /* | |
941 | * Negative values in the base and index offset means an error when | |
942 | * decoding the SIB byte. Except -EDOM, which means that the registers | |
943 | * should not be used in the address computation. | |
944 | */ | |
945 | if (*base_offset == -EDOM) | |
946 | base = 0; | |
947 | else if (*base_offset < 0) | |
948 | return -EINVAL; | |
949 | else | |
950 | base = regs_get_register(regs, *base_offset); | |
951 | ||
952 | if (indx_offset == -EDOM) | |
953 | indx = 0; | |
954 | else if (indx_offset < 0) | |
955 | return -EINVAL; | |
956 | else | |
957 | indx = regs_get_register(regs, indx_offset); | |
958 | ||
7a6daf79 RN |
959 | if (insn->addr_bytes == 4) { |
960 | int addr32, base32, idx32; | |
961 | ||
962 | base32 = base & 0xffffffff; | |
963 | idx32 = indx & 0xffffffff; | |
70e57c0f | 964 | |
7a6daf79 RN |
965 | addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); |
966 | addr32 += insn->displacement.value; | |
967 | ||
968 | *eff_addr = addr32 & 0xffffffff; | |
969 | } else { | |
970 | *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); | |
971 | *eff_addr += insn->displacement.value; | |
972 | } | |
70e57c0f RN |
973 | |
974 | return 0; | |
975 | } | |
7a6daf79 RN |
976 | |
977 | /** | |
978 | * get_addr_ref_32() - Obtain a 32-bit linear address | |
979 | * @insn: Instruction with ModRM, SIB bytes and displacement | |
980 | * @regs: Register values as seen when entering kernel mode | |
981 | * | |
982 | * This function is to be used with 32-bit address encodings to obtain the | |
983 | * linear memory address referred by the instruction's ModRM, SIB, | |
984 | * displacement bytes and segment base address, as applicable. If in protected | |
985 | * mode, segment limits are enforced. | |
986 | * | |
987 | * Returns: | |
988 | * | |
989 | * Linear address referenced by instruction and registers on success. | |
990 | * | |
991 | * -1L on error. | |
992 | */ | |
993 | static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) | |
994 | { | |
995 | unsigned long linear_addr = -1L, seg_base, seg_limit; | |
996 | int eff_addr, regoff; | |
997 | long tmp; | |
998 | int ret; | |
999 | ||
1000 | if (insn->addr_bytes != 4) | |
1001 | goto out; | |
1002 | ||
1003 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { | |
1004 | ret = get_eff_addr_reg(insn, regs, ®off, &tmp); | |
1005 | if (ret) | |
1006 | goto out; | |
1007 | ||
1008 | eff_addr = tmp; | |
1009 | ||
1010 | } else { | |
1011 | if (insn->sib.nbytes) { | |
1012 | ret = get_eff_addr_sib(insn, regs, ®off, &tmp); | |
1013 | if (ret) | |
1014 | goto out; | |
1015 | ||
1016 | eff_addr = tmp; | |
1017 | } else { | |
1018 | ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); | |
1019 | if (ret) | |
1020 | goto out; | |
1021 | ||
1022 | eff_addr = tmp; | |
1023 | } | |
1024 | } | |
1025 | ||
1026 | ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); | |
1027 | if (ret) | |
1028 | goto out; | |
1029 | ||
1030 | /* | |
1031 | * In protected mode, before computing the linear address, make sure | |
1032 | * the effective address is within the limits of the segment. | |
1033 | * 32-bit addresses can be used in long and virtual-8086 modes if an | |
1034 | * address override prefix is used. In such cases, segment limits are | |
1035 | * not enforced. When in virtual-8086 mode, the segment limit is -1L | |
1036 | * to reflect this situation. | |
1037 | * | |
1038 | * After computed, the effective address is treated as an unsigned | |
1039 | * quantity. | |
1040 | */ | |
1041 | if (!user_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) | |
1042 | goto out; | |
1043 | ||
1044 | /* | |
1045 | * Data type long could be 64 bits in size. Ensure that our 32-bit | |
1046 | * effective address is not sign-extended when computing the linear | |
1047 | * address. | |
1048 | */ | |
1049 | linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; | |
1050 | ||
1051 | out: | |
1052 | return (void __user *)linear_addr; | |
1053 | } | |
1054 | ||
32542ee2 RN |
1055 | /* |
1056 | * return the address being referenced be instruction | |
1057 | * for rm=3 returning the content of the rm reg | |
1058 | * for rm!=3 calculates the address using SIB and Disp | |
1059 | */ | |
1060 | void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) | |
1061 | { | |
10890444 | 1062 | unsigned long linear_addr = -1L, seg_base; |
70e57c0f RN |
1063 | int regoff, ret; |
1064 | long eff_addr; | |
32542ee2 RN |
1065 | |
1066 | if (X86_MODRM_MOD(insn->modrm.value) == 3) { | |
70e57c0f RN |
1067 | ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); |
1068 | if (ret) | |
32542ee2 RN |
1069 | goto out; |
1070 | ||
32542ee2 RN |
1071 | } else { |
1072 | if (insn->sib.nbytes) { | |
70e57c0f RN |
1073 | ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); |
1074 | if (ret) | |
32542ee2 | 1075 | goto out; |
32542ee2 | 1076 | } else { |
70e57c0f RN |
1077 | ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); |
1078 | if (ret) | |
32542ee2 | 1079 | goto out; |
32542ee2 RN |
1080 | } |
1081 | ||
32542ee2 RN |
1082 | } |
1083 | ||
70e57c0f | 1084 | ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); |
10890444 RN |
1085 | if (ret) |
1086 | goto out; | |
1087 | ||
1088 | linear_addr = (unsigned long)eff_addr + seg_base; | |
32542ee2 RN |
1089 | |
1090 | out: | |
1091 | return (void __user *)linear_addr; | |
1092 | } |