]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - arch/x86/lib/insn-eval.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
x86/insn-eval: Add support to resolve 32-bit address encodings
[mirror_ubuntu-bionic-kernel.git] / arch / x86 / lib / insn-eval.c
CommitLineData
32542ee2
RN		 1/*
2 * Utility functions for x86 operand and address decoding
3 *
4 * Copyright (C) Intel Corporation 2017
5 */
6#include <linux/kernel.h>
7#include <linux/string.h>
ed594e4b 8#include <linux/ratelimit.h>
670f928b
RN		 9#include <linux/mmu_context.h>
10#include <asm/desc_defs.h>
11#include <asm/desc.h>
32542ee2
RN		 12#include <asm/inat.h>
13#include <asm/insn.h>
14#include <asm/insn-eval.h>
670f928b 15#include <asm/ldt.h>
32d0b953 16#include <asm/vm86.h>
32542ee2 17
ed594e4b
RN		 18#undef pr_fmt
19#define pr_fmt(fmt) "insn: " fmt
20
32542ee2
RN		 21enum reg_type {
22 REG_TYPE_RM = 0,
23 REG_TYPE_INDEX,
24 REG_TYPE_BASE,
25};
26
536b8153
RN		 27/**
28 * is_string_insn() - Determine if instruction is a string instruction
29 * @insn: Instruction containing the opcode to inspect
30 *
31 * Returns:
32 *
33 * true if the instruction, determined by the opcode, is any of the
34 * string instructions as defined in the Intel Software Development manual.
35 * False otherwise.
36 */
37static bool is_string_insn(struct insn *insn)
38{
39 insn_get_opcode(insn);
40
41 /* All string instructions have a 1-byte opcode. */
42 if (insn->opcode.nbytes != 1)
43 return false;
44
45 switch (insn->opcode.bytes[0]) {
46 case 0x6c ... 0x6f: /* INS, OUTS */
47 case 0xa4 ... 0xa7: /* MOVS, CMPS */
48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
49 return true;
50 default:
51 return false;
52 }
53}
54
32d0b953
RN		 55/**
56 * get_seg_reg_override_idx() - obtain segment register override index
57 * @insn: Valid instruction with segment override prefixes
58 *
59 * Inspect the instruction prefixes in @insn and find segment overrides, if any.
60 *
61 * Returns:
62 *
63 * A constant identifying the segment register to use, among CS, SS, DS,
64 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
65 * prefixes were found.
66 *
67 * -EINVAL in case of error.
68 */
69static int get_seg_reg_override_idx(struct insn *insn)
70{
71 int idx = INAT_SEG_REG_DEFAULT;
72 int num_overrides = 0, i;
73
74 insn_get_prefixes(insn);
75
76 /* Look for any segment override prefixes. */
77 for (i = 0; i < insn->prefixes.nbytes; i++) {
78 insn_attr_t attr;
79
80 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
81 switch (attr) {
82 case INAT_MAKE_PREFIX(INAT_PFX_CS):
83 idx = INAT_SEG_REG_CS;
84 num_overrides++;
85 break;
86 case INAT_MAKE_PREFIX(INAT_PFX_SS):
87 idx = INAT_SEG_REG_SS;
88 num_overrides++;
89 break;
90 case INAT_MAKE_PREFIX(INAT_PFX_DS):
91 idx = INAT_SEG_REG_DS;
92 num_overrides++;
93 break;
94 case INAT_MAKE_PREFIX(INAT_PFX_ES):
95 idx = INAT_SEG_REG_ES;
96 num_overrides++;
97 break;
98 case INAT_MAKE_PREFIX(INAT_PFX_FS):
99 idx = INAT_SEG_REG_FS;
100 num_overrides++;
101 break;
102 case INAT_MAKE_PREFIX(INAT_PFX_GS):
103 idx = INAT_SEG_REG_GS;
104 num_overrides++;
105 break;
106 /* No default action needed. */
107 }
108 }
109
110 /* More than one segment override prefix leads to undefined behavior. */
111 if (num_overrides > 1)
112 return -EINVAL;
113
114 return idx;
115}
116
117/**
118 * check_seg_overrides() - check if segment override prefixes are allowed
119 * @insn: Valid instruction with segment override prefixes
120 * @regoff: Operand offset, in pt_regs, for which the check is performed
121 *
122 * For a particular register used in register-indirect addressing, determine if
123 * segment override prefixes can be used. Specifically, no overrides are allowed
124 * for rDI if used with a string instruction.
125 *
126 * Returns:
127 *
128 * True if segment override prefixes can be used with the register indicated
129 * in @regoff. False if otherwise.
130 */
131static bool check_seg_overrides(struct insn *insn, int regoff)
132{
133 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
134 return false;
135
136 return true;
137}
138
139/**
140 * resolve_default_seg() - resolve default segment register index for an operand
141 * @insn: Instruction with opcode and address size. Must be valid.
142 * @regs: Register values as seen when entering kernel mode
143 * @off: Operand offset, in pt_regs, for which resolution is needed
144 *
145 * Resolve the default segment register index associated with the instruction
146 * operand register indicated by @off. Such index is resolved based on defaults
147 * described in the Intel Software Development Manual.
148 *
149 * Returns:
150 *
151 * If in protected mode, a constant identifying the segment register to use,
152 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
153 *
154 * -EINVAL in case of error.
155 */
156static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
157{
158 if (user_64bit_mode(regs))
159 return INAT_SEG_REG_IGNORE;
160 /*
161 * Resolve the default segment register as described in Section 3.7.4
162 * of the Intel Software Development Manual Vol. 1:
163 *
164 * + DS for all references involving r[ABCD]X, and rSI.
165 * + If used in a string instruction, ES for rDI. Otherwise, DS.
166 * + AX, CX and DX are not valid register operands in 16-bit address
167 * encodings but are valid for 32-bit and 64-bit encodings.
168 * + -EDOM is reserved to identify for cases in which no register
169 * is used (i.e., displacement-only addressing). Use DS.
170 * + SS for rSP or rBP.
171 * + CS for rIP.
172 */
173
174 switch (off) {
175 case offsetof(struct pt_regs, ax):
176 case offsetof(struct pt_regs, cx):
177 case offsetof(struct pt_regs, dx):
178 /* Need insn to verify address size. */
179 if (insn->addr_bytes == 2)
180 return -EINVAL;
181
182 case -EDOM:
183 case offsetof(struct pt_regs, bx):
184 case offsetof(struct pt_regs, si):
185 return INAT_SEG_REG_DS;
186
187 case offsetof(struct pt_regs, di):
188 if (is_string_insn(insn))
189 return INAT_SEG_REG_ES;
190 return INAT_SEG_REG_DS;
191
192 case offsetof(struct pt_regs, bp):
193 case offsetof(struct pt_regs, sp):
194 return INAT_SEG_REG_SS;
195
196 case offsetof(struct pt_regs, ip):
197 return INAT_SEG_REG_CS;
198
199 default:
200 return -EINVAL;
201 }
202}
203
204/**
205 * resolve_seg_reg() - obtain segment register index
206 * @insn: Instruction with operands
207 * @regs: Register values as seen when entering kernel mode
208 * @regoff: Operand offset, in pt_regs, used to deterimine segment register
209 *
210 * Determine the segment register associated with the operands and, if
211 * applicable, prefixes and the instruction pointed by @insn.
212 *
213 * The segment register associated to an operand used in register-indirect
214 * addressing depends on:
215 *
216 * a) Whether running in long mode (in such a case segments are ignored, except
217 * if FS or GS are used).
218 *
219 * b) Whether segment override prefixes can be used. Certain instructions and
220 * registers do not allow override prefixes.
221 *
222 * c) Whether segment overrides prefixes are found in the instruction prefixes.
223 *
224 * d) If there are not segment override prefixes or they cannot be used, the
225 * default segment register associated with the operand register is used.
226 *
227 * The function checks first if segment override prefixes can be used with the
228 * operand indicated by @regoff. If allowed, obtain such overridden segment
229 * register index. Lastly, if not prefixes were found or cannot be used, resolve
230 * the segment register index to use based on the defaults described in the
231 * Intel documentation. In long mode, all segment register indexes will be
232 * ignored, except if overrides were found for FS or GS. All these operations
233 * are done using helper functions.
234 *
235 * The operand register, @regoff, is represented as the offset from the base of
236 * pt_regs.
237 *
238 * As stated, the main use of this function is to determine the segment register
239 * index based on the instruction, its operands and prefixes. Hence, @insn
240 * must be valid. However, if @regoff indicates rIP, we don't need to inspect
241 * @insn at all as in this case CS is used in all cases. This case is checked
242 * before proceeding further.
243 *
244 * Please note that this function does not return the value in the segment
245 * register (i.e., the segment selector) but our defined index. The segment
246 * selector needs to be obtained using get_segment_selector() and passing the
247 * segment register index resolved by this function.
248 *
249 * Returns:
250 *
251 * An index identifying the segment register to use, among CS, SS, DS,
252 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
253 *
254 * -EINVAL in case of error.
255 */
256static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
257{
258 int idx;
259
260 /*
261 * In the unlikely event of having to resolve the segment register
262 * index for rIP, do it first. Segment override prefixes should not
263 * be used. Hence, it is not necessary to inspect the instruction,
264 * which may be invalid at this point.
265 */
266 if (regoff == offsetof(struct pt_regs, ip)) {
267 if (user_64bit_mode(regs))
268 return INAT_SEG_REG_IGNORE;
269 else
270 return INAT_SEG_REG_CS;
271 }
272
273 if (!insn)
274 return -EINVAL;
275
276 if (!check_seg_overrides(insn, regoff))
277 return resolve_default_seg(insn, regs, regoff);
278
279 idx = get_seg_reg_override_idx(insn);
280 if (idx < 0)
281 return idx;
282
283 if (idx == INAT_SEG_REG_DEFAULT)
284 return resolve_default_seg(insn, regs, regoff);
285
286 /*
287 * In long mode, segment override prefixes are ignored, except for
288 * overrides for FS and GS.
289 */
290 if (user_64bit_mode(regs)) {
291 if (idx != INAT_SEG_REG_FS &&
292 idx != INAT_SEG_REG_GS)
293 idx = INAT_SEG_REG_IGNORE;
294 }
295
296 return idx;
297}
298
299/**
300 * get_segment_selector() - obtain segment selector
301 * @regs: Register values as seen when entering kernel mode
302 * @seg_reg_idx: Segment register index to use
303 *
304 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
305 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
306 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
307 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
308 * registers. This done for only for completeness as in CONFIG_X86_64 segment
309 * registers are ignored.
310 *
311 * Returns:
312 *
313 * Value of the segment selector, including null when running in
314 * long mode.
315 *
316 * -EINVAL on error.
317 */
318static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
319{
320#ifdef CONFIG_X86_64
321 unsigned short sel;
322
323 switch (seg_reg_idx) {
324 case INAT_SEG_REG_IGNORE:
325 return 0;
326 case INAT_SEG_REG_CS:
327 return (unsigned short)(regs->cs & 0xffff);
328 case INAT_SEG_REG_SS:
329 return (unsigned short)(regs->ss & 0xffff);
330 case INAT_SEG_REG_DS:
331 savesegment(ds, sel);
332 return sel;
333 case INAT_SEG_REG_ES:
334 savesegment(es, sel);
335 return sel;
336 case INAT_SEG_REG_FS:
337 savesegment(fs, sel);
338 return sel;
339 case INAT_SEG_REG_GS:
340 savesegment(gs, sel);
341 return sel;
342 default:
343 return -EINVAL;
344 }
345#else /* CONFIG_X86_32 */
346 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
347
348 if (v8086_mode(regs)) {
349 switch (seg_reg_idx) {
350 case INAT_SEG_REG_CS:
351 return (unsigned short)(regs->cs & 0xffff);
352 case INAT_SEG_REG_SS:
353 return (unsigned short)(regs->ss & 0xffff);
354 case INAT_SEG_REG_DS:
355 return vm86regs->ds;
356 case INAT_SEG_REG_ES:
357 return vm86regs->es;
358 case INAT_SEG_REG_FS:
359 return vm86regs->fs;
360 case INAT_SEG_REG_GS:
361 return vm86regs->gs;
362 case INAT_SEG_REG_IGNORE:
363 /* fall through */
364 default:
365 return -EINVAL;
366 }
367 }
368
369 switch (seg_reg_idx) {
370 case INAT_SEG_REG_CS:
371 return (unsigned short)(regs->cs & 0xffff);
372 case INAT_SEG_REG_SS:
373 return (unsigned short)(regs->ss & 0xffff);
374 case INAT_SEG_REG_DS:
375 return (unsigned short)(regs->ds & 0xffff);
376 case INAT_SEG_REG_ES:
377 return (unsigned short)(regs->es & 0xffff);
378 case INAT_SEG_REG_FS:
379 return (unsigned short)(regs->fs & 0xffff);
380 case INAT_SEG_REG_GS:
381 /*
382 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS.
383 * The macro below takes care of both cases.
384 */
385 return get_user_gs(regs);
386 case INAT_SEG_REG_IGNORE:
387 /* fall through */
388 default:
389 return -EINVAL;
390 }
391#endif /* CONFIG_X86_64 */
392}
393
32542ee2
RN		 394static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
395 enum reg_type type)
396{
397 int regno = 0;
398
399 static const int regoff[] = {
400 offsetof(struct pt_regs, ax),
401 offsetof(struct pt_regs, cx),
402 offsetof(struct pt_regs, dx),
403 offsetof(struct pt_regs, bx),
404 offsetof(struct pt_regs, sp),
405 offsetof(struct pt_regs, bp),
406 offsetof(struct pt_regs, si),
407 offsetof(struct pt_regs, di),
408#ifdef CONFIG_X86_64
409 offsetof(struct pt_regs, r8),
410 offsetof(struct pt_regs, r9),
411 offsetof(struct pt_regs, r10),
412 offsetof(struct pt_regs, r11),
413 offsetof(struct pt_regs, r12),
414 offsetof(struct pt_regs, r13),
415 offsetof(struct pt_regs, r14),
416 offsetof(struct pt_regs, r15),
417#endif
418 };
419 int nr_registers = ARRAY_SIZE(regoff);
420 /*
421 * Don't possibly decode a 32-bit instructions as
422 * reading a 64-bit-only register.
423 */
424 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
425 nr_registers -= 8;
426
427 switch (type) {
428 case REG_TYPE_RM:
429 regno = X86_MODRM_RM(insn->modrm.value);
e526a302
RN		 430
431 /*
432 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
433 * follows the ModRM byte.
434 */
435 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
436 return -EDOM;
437
32542ee2
RN		 438 if (X86_REX_B(insn->rex_prefix.value))
439 regno += 8;
440 break;
441
442 case REG_TYPE_INDEX:
443 regno = X86_SIB_INDEX(insn->sib.value);
444 if (X86_REX_X(insn->rex_prefix.value))
445 regno += 8;
446
447 /*
448 * If ModRM.mod != 3 and SIB.index = 4 the scale*index
449 * portion of the address computation is null. This is
450 * true only if REX.X is 0. In such a case, the SIB index
451 * is used in the address computation.
452 */
453 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
454 return -EDOM;
455 break;
456
457 case REG_TYPE_BASE:
458 regno = X86_SIB_BASE(insn->sib.value);
459 /*
460 * If ModRM.mod is 0 and SIB.base == 5, the base of the
461 * register-indirect addressing is 0. In this case, a
462 * 32-bit displacement follows the SIB byte.
463 */
464 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
465 return -EDOM;
466
467 if (X86_REX_B(insn->rex_prefix.value))
468 regno += 8;
469 break;
470
471 default:
ed594e4b
RN		 472 pr_err_ratelimited("invalid register type: %d\n", type);
473 return -EINVAL;
32542ee2
RN		 474 }
475
476 if (regno >= nr_registers) {
477 WARN_ONCE(1, "decoded an instruction with an invalid register");
478 return -EINVAL;
479 }
480 return regoff[regno];
481}
482
670f928b
RN		 483/**
484 * get_desc() - Obtain pointer to a segment descriptor
485 * @sel: Segment selector
486 *
487 * Given a segment selector, obtain a pointer to the segment descriptor.
488 * Both global and local descriptor tables are supported.
489 *
490 * Returns:
491 *
492 * Pointer to segment descriptor on success.
493 *
494 * NULL on error.
495 */
496static struct desc_struct *get_desc(unsigned short sel)
497{
498 struct desc_ptr gdt_desc = {0, 0};
499 unsigned long desc_base;
500
501#ifdef CONFIG_MODIFY_LDT_SYSCALL
502 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
503 struct desc_struct *desc = NULL;
504 struct ldt_struct *ldt;
505
506 /* Bits [15:3] contain the index of the desired entry. */
507 sel >>= 3;
508
509 mutex_lock(&current->active_mm->context.lock);
510 ldt = current->active_mm->context.ldt;
511 if (ldt && sel < ldt->nr_entries)
512 desc = &ldt->entries[sel];
513
514 mutex_unlock(&current->active_mm->context.lock);
515
516 return desc;
517 }
518#endif
519 native_store_gdt(&gdt_desc);
520
521 /*
522 * Segment descriptors have a size of 8 bytes. Thus, the index is
523 * multiplied by 8 to obtain the memory offset of the desired descriptor
524 * from the base of the GDT. As bits [15:3] of the segment selector
525 * contain the index, it can be regarded as multiplied by 8 already.
526 * All that remains is to clear bits [2:0].
527 */
528 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
529
530 if (desc_base > gdt_desc.size)
531 return NULL;
532
533 return (struct desc_struct *)(gdt_desc.address + desc_base);
534}
535
bd5a410a
RN		 536/**
537 * insn_get_seg_base() - Obtain base address of segment descriptor.
538 * @regs: Register values as seen when entering kernel mode
539 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
540 *
541 * Obtain the base address of the segment as indicated by the segment descriptor
542 * pointed by the segment selector. The segment selector is obtained from the
543 * input segment register index @seg_reg_idx.
544 *
545 * Returns:
546 *
547 * In protected mode, base address of the segment. Zero in long mode,
548 * except when FS or GS are used. In virtual-8086 mode, the segment
549 * selector shifted 4 bits to the right.
550 *
551 * -1L in case of error.
552 */
553unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
554{
555 struct desc_struct *desc;
556 short sel;
557
558 sel = get_segment_selector(regs, seg_reg_idx);
559 if (sel < 0)
560 return -1L;
561
562 if (v8086_mode(regs))
563 /*
564 * Base is simply the segment selector shifted 4
565 * bits to the right.
566 */
567 return (unsigned long)(sel << 4);
568
569 if (user_64bit_mode(regs)) {
570 /*
571 * Only FS or GS will have a base address, the rest of
572 * the segments' bases are forced to 0.
573 */
574 unsigned long base;
575
576 if (seg_reg_idx == INAT_SEG_REG_FS)
577 rdmsrl(MSR_FS_BASE, base);
578 else if (seg_reg_idx == INAT_SEG_REG_GS)
579 /*
580 * swapgs was called at the kernel entry point. Thus,
581 * MSR_KERNEL_GS_BASE will have the user-space GS base.
582 */
583 rdmsrl(MSR_KERNEL_GS_BASE, base);
584 else
585 base = 0;
586 return base;
587 }
588
589 /* In protected mode the segment selector cannot be null. */
590 if (!sel)
591 return -1L;
592
593 desc = get_desc(sel);
594 if (!desc)
595 return -1L;
596
597 return get_desc_base(desc);
598}
599
600/**
601 * get_seg_limit() - Obtain the limit of a segment descriptor
602 * @regs: Register values as seen when entering kernel mode
603 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
604 *
605 * Obtain the limit of the segment as indicated by the segment descriptor
606 * pointed by the segment selector. The segment selector is obtained from the
607 * input segment register index @seg_reg_idx.
608 *
609 * Returns:
610 *
611 * In protected mode, the limit of the segment descriptor in bytes.
612 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
613 * limit is returned as -1L to imply a limit-less segment.
614 *
615 * Zero is returned on error.
616 */
617static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
618{
619 struct desc_struct *desc;
620 unsigned long limit;
621 short sel;
622
623 sel = get_segment_selector(regs, seg_reg_idx);
624 if (sel < 0)
625 return 0;
626
627 if (user_64bit_mode(regs) || v8086_mode(regs))
628 return -1L;
629
630 if (!sel)
631 return 0;
632
633 desc = get_desc(sel);
634 if (!desc)
635 return 0;
636
637 /*
638 * If the granularity bit is set, the limit is given in multiples
639 * of 4096. This also means that the 12 least significant bits are
640 * not tested when checking the segment limits. In practice,
641 * this means that the segment ends in (limit << 12) + 0xfff.
642 */
643 limit = get_desc_limit(desc);
644 if (desc->g)
645 limit = (limit << 12) + 0xfff;
646
647 return limit;
648}
649
4efea85f
RN		 650/**
651 * insn_get_code_seg_params() - Obtain code segment parameters
652 * @regs: Structure with register values as seen when entering kernel mode
653 *
654 * Obtain address and operand sizes of the code segment. It is obtained from the
655 * selector contained in the CS register in regs. In protected mode, the default
656 * address is determined by inspecting the L and D bits of the segment
657 * descriptor. In virtual-8086 mode, the default is always two bytes for both
658 * address and operand sizes.
659 *
660 * Returns:
661 *
662 * A signed 8-bit value containing the default parameters on success.
663 *
664 * -EINVAL on error.
665 */
666char insn_get_code_seg_params(struct pt_regs *regs)
667{
668 struct desc_struct *desc;
669 short sel;
670
671 if (v8086_mode(regs))
672 /* Address and operand size are both 16-bit. */
673 return INSN_CODE_SEG_PARAMS(2, 2);
674
675 sel = get_segment_selector(regs, INAT_SEG_REG_CS);
676 if (sel < 0)
677 return sel;
678
679 desc = get_desc(sel);
680 if (!desc)
681 return -EINVAL;
682
683 /*
684 * The most significant byte of the Type field of the segment descriptor
685 * determines whether a segment contains data or code. If this is a data
686 * segment, return error.
687 */
688 if (!(desc->type & BIT(3)))
689 return -EINVAL;
690
691 switch ((desc->l << 1) | desc->d) {
692 case 0: /*
693 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
694 * both 16-bit.
695 */
696 return INSN_CODE_SEG_PARAMS(2, 2);
697 case 1: /*
698 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
699 * both 32-bit.
700 */
701 return INSN_CODE_SEG_PARAMS(4, 4);
702 case 2: /*
703 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
704 * operand size is 32-bit.
705 */
706 return INSN_CODE_SEG_PARAMS(4, 8);
707 case 3: /* Invalid setting. CS.L=1, CS.D=1 */
708 /* fall through */
709 default:
710 return -EINVAL;
711 }
712}
713
e5e45f11
RN		 714/**
715 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
716 * @insn: Instruction containing the ModRM byte
717 * @regs: Register values as seen when entering kernel mode
718 *
719 * Returns:
720 *
721 * The register indicated by the r/m part of the ModRM byte. The
722 * register is obtained as an offset from the base of pt_regs. In specific
723 * cases, the returned value can be -EDOM to indicate that the particular value
724 * of ModRM does not refer to a register and shall be ignored.
725 */
726int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
727{
728 return get_reg_offset(insn, regs, REG_TYPE_RM);
729}
730
10890444 731/**
71271269 732 * get_seg_base_limit() - obtain base address and limit of a segment
10890444
RN		 733 * @insn: Instruction. Must be valid.
734 * @regs: Register values as seen when entering kernel mode
735 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
736 * @base: Obtained segment base
71271269 737 * @limit: Obtained segment limit
10890444 738 *
71271269
RN		 739 * Obtain the base address and limit of the segment associated with the operand
740 * @regoff and, if any or allowed, override prefixes in @insn. This function is
10890444 741 * different from insn_get_seg_base() as the latter does not resolve the segment
71271269
RN		 742 * associated with the instruction operand. If a limit is not needed (e.g.,
743 * when running in long mode), @limit can be NULL.
10890444
RN		 744 *
745 * Returns:
746 *
71271269
RN		 747 * 0 on success. @base and @limit will contain the base address and of the
748 * resolved segment, respectively.
10890444
RN		 749 *
750 * -EINVAL on error.
751 */
71271269
RN		 752static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
753 int regoff, unsigned long *base,
754 unsigned long *limit)
10890444
RN		 755{
756 int seg_reg_idx;
757
758 if (!base)
759 return -EINVAL;
760
761 seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
762 if (seg_reg_idx < 0)
763 return seg_reg_idx;
764
765 *base = insn_get_seg_base(regs, seg_reg_idx);
766 if (*base == -1L)
767 return -EINVAL;
768
71271269
RN		 769 if (!limit)
770 return 0;
771
772 *limit = get_seg_limit(regs, seg_reg_idx);
773 if (!(*limit))
774 return -EINVAL;
775
10890444
RN		 776 return 0;
777}
778
70e57c0f
RN		 779/**
780 * get_eff_addr_reg() - Obtain effective address from register operand
781 * @insn: Instruction. Must be valid.
782 * @regs: Register values as seen when entering kernel mode
783 * @regoff: Obtained operand offset, in pt_regs, with the effective address
784 * @eff_addr: Obtained effective address
785 *
786 * Obtain the effective address stored in the register operand as indicated by
787 * the ModRM byte. This function is to be used only with register addressing
788 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
789 * register operand, as an offset from the base of pt_regs, is saved in @regoff;
790 * such offset can then be used to resolve the segment associated with the
791 * operand. This function can be used with any of the supported address sizes
792 * in x86.
793 *
794 * Returns:
795 *
796 * 0 on success. @eff_addr will have the effective address stored in the
797 * operand indicated by ModRM. @regoff will have such operand as an offset from
798 * the base of pt_regs.
799 *
800 * -EINVAL on error.
801 */
802static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
803 int *regoff, long *eff_addr)
804{
805 insn_get_modrm(insn);
806
807 if (!insn->modrm.nbytes)
808 return -EINVAL;
809
810 if (X86_MODRM_MOD(insn->modrm.value) != 3)
811 return -EINVAL;
812
813 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
814 if (*regoff < 0)
815 return -EINVAL;
816
7a6daf79
RN		 817 /* Ignore bytes that are outside the address size. */
818 if (insn->addr_bytes == 4)
819 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
820 else /* 64-bit address */
821 *eff_addr = regs_get_register(regs, *regoff);
70e57c0f
RN		 822
823 return 0;
824}
825
826/**
827 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
828 * @insn: Instruction. Must be valid.
829 * @regs: Register values as seen when entering kernel mode
830 * @regoff: Obtained operand offset, in pt_regs, associated with segment
831 * @eff_addr: Obtained effective address
832 *
833 * Obtain the effective address referenced by the ModRM byte of @insn. After
834 * identifying the registers involved in the register-indirect memory reference,
835 * its value is obtained from the operands in @regs. The computed address is
836 * stored @eff_addr. Also, the register operand that indicates the associated
837 * segment is stored in @regoff, this parameter can later be used to determine
838 * such segment.
839 *
840 * Returns:
841 *
842 * 0 on success. @eff_addr will have the referenced effective address. @regoff
843 * will have a register, as an offset from the base of pt_regs, that can be used
844 * to resolve the associated segment.
845 *
846 * -EINVAL on error.
847 */
848static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
849 int *regoff, long *eff_addr)
850{
851 long tmp;
852
7a6daf79 853 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
70e57c0f
RN		 854 return -EINVAL;
855
856 insn_get_modrm(insn);
857
858 if (!insn->modrm.nbytes)
859 return -EINVAL;
860
861 if (X86_MODRM_MOD(insn->modrm.value) > 2)
862 return -EINVAL;
863
864 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
865
866 /*
867 * -EDOM means that we must ignore the address_offset. In such a case,
868 * in 64-bit mode the effective address relative to the rIP of the
869 * following instruction.
870 */
871 if (*regoff == -EDOM) {
872 if (user_64bit_mode(regs))
873 tmp = regs->ip + insn->length;
874 else
875 tmp = 0;
876 } else if (*regoff < 0) {
877 return -EINVAL;
878 } else {
879 tmp = regs_get_register(regs, *regoff);
880 }
881
7a6daf79
RN		 882 if (insn->addr_bytes == 4) {
883 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
884
885 *eff_addr = addr32 & 0xffffffff;
886 } else {
887 *eff_addr = tmp + insn->displacement.value;
888 }
70e57c0f
RN		 889
890 return 0;
891}
892
893/**
894 * get_eff_addr_sib() - Obtain referenced effective address via SIB
895 * @insn: Instruction. Must be valid.
896 * @regs: Register values as seen when entering kernel mode
897 * @regoff: Obtained operand offset, in pt_regs, associated with segment
898 * @eff_addr: Obtained effective address
899 *
900 * Obtain the effective address referenced by the SIB byte of @insn. After
901 * identifying the registers involved in the indexed, register-indirect memory
902 * reference, its value is obtained from the operands in @regs. The computed
903 * address is stored @eff_addr. Also, the register operand that indicates the
904 * associated segment is stored in @regoff, this parameter can later be used to
905 * determine such segment.
906 *
907 * Returns:
908 *
909 * 0 on success. @eff_addr will have the referenced effective address.
910 * @base_offset will have a register, as an offset from the base of pt_regs,
911 * that can be used to resolve the associated segment.
912 *
913 * -EINVAL on error.
914 */
915static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
916 int *base_offset, long *eff_addr)
917{
918 long base, indx;
919 int indx_offset;
920
7a6daf79 921 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
70e57c0f
RN		 922 return -EINVAL;
923
924 insn_get_modrm(insn);
925
926 if (!insn->modrm.nbytes)
927 return -EINVAL;
928
929 if (X86_MODRM_MOD(insn->modrm.value) > 2)
930 return -EINVAL;
931
932 insn_get_sib(insn);
933
934 if (!insn->sib.nbytes)
935 return -EINVAL;
936
937 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
938 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
939
940 /*
941 * Negative values in the base and index offset means an error when
942 * decoding the SIB byte. Except -EDOM, which means that the registers
943 * should not be used in the address computation.
944 */
945 if (*base_offset == -EDOM)
946 base = 0;
947 else if (*base_offset < 0)
948 return -EINVAL;
949 else
950 base = regs_get_register(regs, *base_offset);
951
952 if (indx_offset == -EDOM)
953 indx = 0;
954 else if (indx_offset < 0)
955 return -EINVAL;
956 else
957 indx = regs_get_register(regs, indx_offset);
958
7a6daf79
RN		 959 if (insn->addr_bytes == 4) {
960 int addr32, base32, idx32;
961
962 base32 = base & 0xffffffff;
963 idx32 = indx & 0xffffffff;
70e57c0f 964
7a6daf79
RN		 965 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
966 addr32 += insn->displacement.value;
967
968 *eff_addr = addr32 & 0xffffffff;
969 } else {
970 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
971 *eff_addr += insn->displacement.value;
972 }
70e57c0f
RN		 973
974 return 0;
975}
7a6daf79
RN		 976
977/**
978 * get_addr_ref_32() - Obtain a 32-bit linear address
979 * @insn: Instruction with ModRM, SIB bytes and displacement
980 * @regs: Register values as seen when entering kernel mode
981 *
982 * This function is to be used with 32-bit address encodings to obtain the
983 * linear memory address referred by the instruction's ModRM, SIB,
984 * displacement bytes and segment base address, as applicable. If in protected
985 * mode, segment limits are enforced.
986 *
987 * Returns:
988 *
989 * Linear address referenced by instruction and registers on success.
990 *
991 * -1L on error.
992 */
993static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
994{
995 unsigned long linear_addr = -1L, seg_base, seg_limit;
996 int eff_addr, regoff;
997 long tmp;
998 int ret;
999
1000 if (insn->addr_bytes != 4)
1001 goto out;
1002
1003 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1004 ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
1005 if (ret)
1006 goto out;
1007
1008 eff_addr = tmp;
1009
1010 } else {
1011 if (insn->sib.nbytes) {
1012 ret = get_eff_addr_sib(insn, regs, &regoff, &tmp);
1013 if (ret)
1014 goto out;
1015
1016 eff_addr = tmp;
1017 } else {
1018 ret = get_eff_addr_modrm(insn, regs, &regoff, &tmp);
1019 if (ret)
1020 goto out;
1021
1022 eff_addr = tmp;
1023 }
1024 }
1025
1026 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1027 if (ret)
1028 goto out;
1029
1030 /*
1031 * In protected mode, before computing the linear address, make sure
1032 * the effective address is within the limits of the segment.
1033 * 32-bit addresses can be used in long and virtual-8086 modes if an
1034 * address override prefix is used. In such cases, segment limits are
1035 * not enforced. When in virtual-8086 mode, the segment limit is -1L
1036 * to reflect this situation.
1037 *
1038 * After computed, the effective address is treated as an unsigned
1039 * quantity.
1040 */
1041 if (!user_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
1042 goto out;
1043
1044 /*
1045 * Data type long could be 64 bits in size. Ensure that our 32-bit
1046 * effective address is not sign-extended when computing the linear
1047 * address.
1048 */
1049 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1050
1051out:
1052 return (void __user *)linear_addr;
1053}
1054
32542ee2
RN		 1055/*
1056 * return the address being referenced be instruction
1057 * for rm=3 returning the content of the rm reg
1058 * for rm!=3 calculates the address using SIB and Disp
1059 */
1060void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1061{
10890444 1062 unsigned long linear_addr = -1L, seg_base;
70e57c0f
RN		 1063 int regoff, ret;
1064 long eff_addr;
32542ee2
RN		 1065
1066 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
70e57c0f
RN		 1067 ret = get_eff_addr_reg(insn, regs, &regoff, &eff_addr);
1068 if (ret)
32542ee2
RN		 1069 goto out;
1070
32542ee2
RN		 1071 } else {
1072 if (insn->sib.nbytes) {
70e57c0f
RN		 1073 ret = get_eff_addr_sib(insn, regs, &regoff, &eff_addr);
1074 if (ret)
32542ee2 1075 goto out;
32542ee2 1076 } else {
70e57c0f
RN		 1077 ret = get_eff_addr_modrm(insn, regs, &regoff, &eff_addr);
1078 if (ret)
32542ee2 1079 goto out;
32542ee2
RN		 1080 }
1081
32542ee2
RN		 1082 }
1083
70e57c0f 1084 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
10890444
RN		 1085 if (ret)
1086 goto out;
1087
1088 linear_addr = (unsigned long)eff_addr + seg_base;
32542ee2
RN		 1089
1090out:
1091 return (void __user *)linear_addr;
1092}
ubuntu-bionic-kernel mirror