insn-eval.c (46208B)
1/* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6#include <linux/kernel.h> 7#include <linux/string.h> 8#include <linux/ratelimit.h> 9#include <linux/mmu_context.h> 10#include <asm/desc_defs.h> 11#include <asm/desc.h> 12#include <asm/inat.h> 13#include <asm/insn.h> 14#include <asm/insn-eval.h> 15#include <asm/ldt.h> 16#include <asm/vm86.h> 17 18#undef pr_fmt 19#define pr_fmt(fmt) "insn: " fmt 20 21enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_REG, 24 REG_TYPE_INDEX, 25 REG_TYPE_BASE, 26}; 27 28/** 29 * is_string_insn() - Determine if instruction is a string instruction 30 * @insn: Instruction containing the opcode to inspect 31 * 32 * Returns: 33 * 34 * true if the instruction, determined by the opcode, is any of the 35 * string instructions as defined in the Intel Software Development manual. 36 * False otherwise. 37 */ 38static bool is_string_insn(struct insn *insn) 39{ 40 /* All string instructions have a 1-byte opcode. */ 41 if (insn->opcode.nbytes != 1) 42 return false; 43 44 switch (insn->opcode.bytes[0]) { 45 case 0x6c ... 0x6f: /* INS, OUTS */ 46 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 47 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 48 return true; 49 default: 50 return false; 51 } 52} 53 54/** 55 * insn_has_rep_prefix() - Determine if instruction has a REP prefix 56 * @insn: Instruction containing the prefix to inspect 57 * 58 * Returns: 59 * 60 * true if the instruction has a REP prefix, false if not. 61 */ 62bool insn_has_rep_prefix(struct insn *insn) 63{ 64 insn_byte_t p; 65 int i; 66 67 insn_get_prefixes(insn); 68 69 for_each_insn_prefix(insn, i, p) { 70 if (p == 0xf2 || p == 0xf3) 71 return true; 72 } 73 74 return false; 75} 76 77/** 78 * get_seg_reg_override_idx() - obtain segment register override index 79 * @insn: Valid instruction with segment override prefixes 80 * 81 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 82 * 83 * Returns: 84 * 85 * A constant identifying the segment register to use, among CS, SS, DS, 86 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 87 * prefixes were found. 88 * 89 * -EINVAL in case of error. 90 */ 91static int get_seg_reg_override_idx(struct insn *insn) 92{ 93 int idx = INAT_SEG_REG_DEFAULT; 94 int num_overrides = 0, i; 95 insn_byte_t p; 96 97 insn_get_prefixes(insn); 98 99 /* Look for any segment override prefixes. */ 100 for_each_insn_prefix(insn, i, p) { 101 insn_attr_t attr; 102 103 attr = inat_get_opcode_attribute(p); 104 switch (attr) { 105 case INAT_MAKE_PREFIX(INAT_PFX_CS): 106 idx = INAT_SEG_REG_CS; 107 num_overrides++; 108 break; 109 case INAT_MAKE_PREFIX(INAT_PFX_SS): 110 idx = INAT_SEG_REG_SS; 111 num_overrides++; 112 break; 113 case INAT_MAKE_PREFIX(INAT_PFX_DS): 114 idx = INAT_SEG_REG_DS; 115 num_overrides++; 116 break; 117 case INAT_MAKE_PREFIX(INAT_PFX_ES): 118 idx = INAT_SEG_REG_ES; 119 num_overrides++; 120 break; 121 case INAT_MAKE_PREFIX(INAT_PFX_FS): 122 idx = INAT_SEG_REG_FS; 123 num_overrides++; 124 break; 125 case INAT_MAKE_PREFIX(INAT_PFX_GS): 126 idx = INAT_SEG_REG_GS; 127 num_overrides++; 128 break; 129 /* No default action needed. */ 130 } 131 } 132 133 /* More than one segment override prefix leads to undefined behavior. */ 134 if (num_overrides > 1) 135 return -EINVAL; 136 137 return idx; 138} 139 140/** 141 * check_seg_overrides() - check if segment override prefixes are allowed 142 * @insn: Valid instruction with segment override prefixes 143 * @regoff: Operand offset, in pt_regs, for which the check is performed 144 * 145 * For a particular register used in register-indirect addressing, determine if 146 * segment override prefixes can be used. Specifically, no overrides are allowed 147 * for rDI if used with a string instruction. 148 * 149 * Returns: 150 * 151 * True if segment override prefixes can be used with the register indicated 152 * in @regoff. False if otherwise. 153 */ 154static bool check_seg_overrides(struct insn *insn, int regoff) 155{ 156 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 157 return false; 158 159 return true; 160} 161 162/** 163 * resolve_default_seg() - resolve default segment register index for an operand 164 * @insn: Instruction with opcode and address size. Must be valid. 165 * @regs: Register values as seen when entering kernel mode 166 * @off: Operand offset, in pt_regs, for which resolution is needed 167 * 168 * Resolve the default segment register index associated with the instruction 169 * operand register indicated by @off. Such index is resolved based on defaults 170 * described in the Intel Software Development Manual. 171 * 172 * Returns: 173 * 174 * If in protected mode, a constant identifying the segment register to use, 175 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 176 * 177 * -EINVAL in case of error. 178 */ 179static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 180{ 181 if (any_64bit_mode(regs)) 182 return INAT_SEG_REG_IGNORE; 183 /* 184 * Resolve the default segment register as described in Section 3.7.4 185 * of the Intel Software Development Manual Vol. 1: 186 * 187 * + DS for all references involving r[ABCD]X, and rSI. 188 * + If used in a string instruction, ES for rDI. Otherwise, DS. 189 * + AX, CX and DX are not valid register operands in 16-bit address 190 * encodings but are valid for 32-bit and 64-bit encodings. 191 * + -EDOM is reserved to identify for cases in which no register 192 * is used (i.e., displacement-only addressing). Use DS. 193 * + SS for rSP or rBP. 194 * + CS for rIP. 195 */ 196 197 switch (off) { 198 case offsetof(struct pt_regs, ax): 199 case offsetof(struct pt_regs, cx): 200 case offsetof(struct pt_regs, dx): 201 /* Need insn to verify address size. */ 202 if (insn->addr_bytes == 2) 203 return -EINVAL; 204 205 fallthrough; 206 207 case -EDOM: 208 case offsetof(struct pt_regs, bx): 209 case offsetof(struct pt_regs, si): 210 return INAT_SEG_REG_DS; 211 212 case offsetof(struct pt_regs, di): 213 if (is_string_insn(insn)) 214 return INAT_SEG_REG_ES; 215 return INAT_SEG_REG_DS; 216 217 case offsetof(struct pt_regs, bp): 218 case offsetof(struct pt_regs, sp): 219 return INAT_SEG_REG_SS; 220 221 case offsetof(struct pt_regs, ip): 222 return INAT_SEG_REG_CS; 223 224 default: 225 return -EINVAL; 226 } 227} 228 229/** 230 * resolve_seg_reg() - obtain segment register index 231 * @insn: Instruction with operands 232 * @regs: Register values as seen when entering kernel mode 233 * @regoff: Operand offset, in pt_regs, used to determine segment register 234 * 235 * Determine the segment register associated with the operands and, if 236 * applicable, prefixes and the instruction pointed by @insn. 237 * 238 * The segment register associated to an operand used in register-indirect 239 * addressing depends on: 240 * 241 * a) Whether running in long mode (in such a case segments are ignored, except 242 * if FS or GS are used). 243 * 244 * b) Whether segment override prefixes can be used. Certain instructions and 245 * registers do not allow override prefixes. 246 * 247 * c) Whether segment overrides prefixes are found in the instruction prefixes. 248 * 249 * d) If there are not segment override prefixes or they cannot be used, the 250 * default segment register associated with the operand register is used. 251 * 252 * The function checks first if segment override prefixes can be used with the 253 * operand indicated by @regoff. If allowed, obtain such overridden segment 254 * register index. Lastly, if not prefixes were found or cannot be used, resolve 255 * the segment register index to use based on the defaults described in the 256 * Intel documentation. In long mode, all segment register indexes will be 257 * ignored, except if overrides were found for FS or GS. All these operations 258 * are done using helper functions. 259 * 260 * The operand register, @regoff, is represented as the offset from the base of 261 * pt_regs. 262 * 263 * As stated, the main use of this function is to determine the segment register 264 * index based on the instruction, its operands and prefixes. Hence, @insn 265 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 266 * @insn at all as in this case CS is used in all cases. This case is checked 267 * before proceeding further. 268 * 269 * Please note that this function does not return the value in the segment 270 * register (i.e., the segment selector) but our defined index. The segment 271 * selector needs to be obtained using get_segment_selector() and passing the 272 * segment register index resolved by this function. 273 * 274 * Returns: 275 * 276 * An index identifying the segment register to use, among CS, SS, DS, 277 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 278 * 279 * -EINVAL in case of error. 280 */ 281static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 282{ 283 int idx; 284 285 /* 286 * In the unlikely event of having to resolve the segment register 287 * index for rIP, do it first. Segment override prefixes should not 288 * be used. Hence, it is not necessary to inspect the instruction, 289 * which may be invalid at this point. 290 */ 291 if (regoff == offsetof(struct pt_regs, ip)) { 292 if (any_64bit_mode(regs)) 293 return INAT_SEG_REG_IGNORE; 294 else 295 return INAT_SEG_REG_CS; 296 } 297 298 if (!insn) 299 return -EINVAL; 300 301 if (!check_seg_overrides(insn, regoff)) 302 return resolve_default_seg(insn, regs, regoff); 303 304 idx = get_seg_reg_override_idx(insn); 305 if (idx < 0) 306 return idx; 307 308 if (idx == INAT_SEG_REG_DEFAULT) 309 return resolve_default_seg(insn, regs, regoff); 310 311 /* 312 * In long mode, segment override prefixes are ignored, except for 313 * overrides for FS and GS. 314 */ 315 if (any_64bit_mode(regs)) { 316 if (idx != INAT_SEG_REG_FS && 317 idx != INAT_SEG_REG_GS) 318 idx = INAT_SEG_REG_IGNORE; 319 } 320 321 return idx; 322} 323 324/** 325 * get_segment_selector() - obtain segment selector 326 * @regs: Register values as seen when entering kernel mode 327 * @seg_reg_idx: Segment register index to use 328 * 329 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 330 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 331 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 332 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 333 * registers. This done for only for completeness as in CONFIG_X86_64 segment 334 * registers are ignored. 335 * 336 * Returns: 337 * 338 * Value of the segment selector, including null when running in 339 * long mode. 340 * 341 * -EINVAL on error. 342 */ 343static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 344{ 345 unsigned short sel; 346 347#ifdef CONFIG_X86_64 348 switch (seg_reg_idx) { 349 case INAT_SEG_REG_IGNORE: 350 return 0; 351 case INAT_SEG_REG_CS: 352 return (unsigned short)(regs->cs & 0xffff); 353 case INAT_SEG_REG_SS: 354 return (unsigned short)(regs->ss & 0xffff); 355 case INAT_SEG_REG_DS: 356 savesegment(ds, sel); 357 return sel; 358 case INAT_SEG_REG_ES: 359 savesegment(es, sel); 360 return sel; 361 case INAT_SEG_REG_FS: 362 savesegment(fs, sel); 363 return sel; 364 case INAT_SEG_REG_GS: 365 savesegment(gs, sel); 366 return sel; 367 default: 368 return -EINVAL; 369 } 370#else /* CONFIG_X86_32 */ 371 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 372 373 if (v8086_mode(regs)) { 374 switch (seg_reg_idx) { 375 case INAT_SEG_REG_CS: 376 return (unsigned short)(regs->cs & 0xffff); 377 case INAT_SEG_REG_SS: 378 return (unsigned short)(regs->ss & 0xffff); 379 case INAT_SEG_REG_DS: 380 return vm86regs->ds; 381 case INAT_SEG_REG_ES: 382 return vm86regs->es; 383 case INAT_SEG_REG_FS: 384 return vm86regs->fs; 385 case INAT_SEG_REG_GS: 386 return vm86regs->gs; 387 case INAT_SEG_REG_IGNORE: 388 default: 389 return -EINVAL; 390 } 391 } 392 393 switch (seg_reg_idx) { 394 case INAT_SEG_REG_CS: 395 return (unsigned short)(regs->cs & 0xffff); 396 case INAT_SEG_REG_SS: 397 return (unsigned short)(regs->ss & 0xffff); 398 case INAT_SEG_REG_DS: 399 return (unsigned short)(regs->ds & 0xffff); 400 case INAT_SEG_REG_ES: 401 return (unsigned short)(regs->es & 0xffff); 402 case INAT_SEG_REG_FS: 403 return (unsigned short)(regs->fs & 0xffff); 404 case INAT_SEG_REG_GS: 405 savesegment(gs, sel); 406 return sel; 407 case INAT_SEG_REG_IGNORE: 408 default: 409 return -EINVAL; 410 } 411#endif /* CONFIG_X86_64 */ 412} 413 414static const int pt_regoff[] = { 415 offsetof(struct pt_regs, ax), 416 offsetof(struct pt_regs, cx), 417 offsetof(struct pt_regs, dx), 418 offsetof(struct pt_regs, bx), 419 offsetof(struct pt_regs, sp), 420 offsetof(struct pt_regs, bp), 421 offsetof(struct pt_regs, si), 422 offsetof(struct pt_regs, di), 423#ifdef CONFIG_X86_64 424 offsetof(struct pt_regs, r8), 425 offsetof(struct pt_regs, r9), 426 offsetof(struct pt_regs, r10), 427 offsetof(struct pt_regs, r11), 428 offsetof(struct pt_regs, r12), 429 offsetof(struct pt_regs, r13), 430 offsetof(struct pt_regs, r14), 431 offsetof(struct pt_regs, r15), 432#else 433 offsetof(struct pt_regs, ds), 434 offsetof(struct pt_regs, es), 435 offsetof(struct pt_regs, fs), 436 offsetof(struct pt_regs, gs), 437#endif 438}; 439 440int pt_regs_offset(struct pt_regs *regs, int regno) 441{ 442 if ((unsigned)regno < ARRAY_SIZE(pt_regoff)) 443 return pt_regoff[regno]; 444 return -EDOM; 445} 446 447static int get_regno(struct insn *insn, enum reg_type type) 448{ 449 int nr_registers = ARRAY_SIZE(pt_regoff); 450 int regno = 0; 451 452 /* 453 * Don't possibly decode a 32-bit instructions as 454 * reading a 64-bit-only register. 455 */ 456 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 457 nr_registers -= 8; 458 459 switch (type) { 460 case REG_TYPE_RM: 461 regno = X86_MODRM_RM(insn->modrm.value); 462 463 /* 464 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 465 * follows the ModRM byte. 466 */ 467 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 468 return -EDOM; 469 470 if (X86_REX_B(insn->rex_prefix.value)) 471 regno += 8; 472 break; 473 474 case REG_TYPE_REG: 475 regno = X86_MODRM_REG(insn->modrm.value); 476 477 if (X86_REX_R(insn->rex_prefix.value)) 478 regno += 8; 479 break; 480 481 case REG_TYPE_INDEX: 482 regno = X86_SIB_INDEX(insn->sib.value); 483 if (X86_REX_X(insn->rex_prefix.value)) 484 regno += 8; 485 486 /* 487 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 488 * portion of the address computation is null. This is 489 * true only if REX.X is 0. In such a case, the SIB index 490 * is used in the address computation. 491 */ 492 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 493 return -EDOM; 494 break; 495 496 case REG_TYPE_BASE: 497 regno = X86_SIB_BASE(insn->sib.value); 498 /* 499 * If ModRM.mod is 0 and SIB.base == 5, the base of the 500 * register-indirect addressing is 0. In this case, a 501 * 32-bit displacement follows the SIB byte. 502 */ 503 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 504 return -EDOM; 505 506 if (X86_REX_B(insn->rex_prefix.value)) 507 regno += 8; 508 break; 509 510 default: 511 pr_err_ratelimited("invalid register type: %d\n", type); 512 return -EINVAL; 513 } 514 515 if (regno >= nr_registers) { 516 WARN_ONCE(1, "decoded an instruction with an invalid register"); 517 return -EINVAL; 518 } 519 return regno; 520} 521 522static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 523 enum reg_type type) 524{ 525 int regno = get_regno(insn, type); 526 527 if (regno < 0) 528 return regno; 529 530 return pt_regs_offset(regs, regno); 531} 532 533/** 534 * get_reg_offset_16() - Obtain offset of register indicated by instruction 535 * @insn: Instruction containing ModRM byte 536 * @regs: Register values as seen when entering kernel mode 537 * @offs1: Offset of the first operand register 538 * @offs2: Offset of the second operand register, if applicable 539 * 540 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 541 * in @insn. This function is to be used with 16-bit address encodings. The 542 * @offs1 and @offs2 will be written with the offset of the two registers 543 * indicated by the instruction. In cases where any of the registers is not 544 * referenced by the instruction, the value will be set to -EDOM. 545 * 546 * Returns: 547 * 548 * 0 on success, -EINVAL on error. 549 */ 550static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 551 int *offs1, int *offs2) 552{ 553 /* 554 * 16-bit addressing can use one or two registers. Specifics of 555 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 556 * ModR/M Byte" of the Intel Software Development Manual. 557 */ 558 static const int regoff1[] = { 559 offsetof(struct pt_regs, bx), 560 offsetof(struct pt_regs, bx), 561 offsetof(struct pt_regs, bp), 562 offsetof(struct pt_regs, bp), 563 offsetof(struct pt_regs, si), 564 offsetof(struct pt_regs, di), 565 offsetof(struct pt_regs, bp), 566 offsetof(struct pt_regs, bx), 567 }; 568 569 static const int regoff2[] = { 570 offsetof(struct pt_regs, si), 571 offsetof(struct pt_regs, di), 572 offsetof(struct pt_regs, si), 573 offsetof(struct pt_regs, di), 574 -EDOM, 575 -EDOM, 576 -EDOM, 577 -EDOM, 578 }; 579 580 if (!offs1 || !offs2) 581 return -EINVAL; 582 583 /* Operand is a register, use the generic function. */ 584 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 585 *offs1 = insn_get_modrm_rm_off(insn, regs); 586 *offs2 = -EDOM; 587 return 0; 588 } 589 590 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 591 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 592 593 /* 594 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 595 * only addressing. This means that no registers are involved in 596 * computing the effective address. Thus, ensure that the first 597 * register offset is invalid. The second register offset is already 598 * invalid under the aforementioned conditions. 599 */ 600 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 601 (X86_MODRM_RM(insn->modrm.value) == 6)) 602 *offs1 = -EDOM; 603 604 return 0; 605} 606 607/** 608 * get_desc() - Obtain contents of a segment descriptor 609 * @out: Segment descriptor contents on success 610 * @sel: Segment selector 611 * 612 * Given a segment selector, obtain a pointer to the segment descriptor. 613 * Both global and local descriptor tables are supported. 614 * 615 * Returns: 616 * 617 * True on success, false on failure. 618 * 619 * NULL on error. 620 */ 621static bool get_desc(struct desc_struct *out, unsigned short sel) 622{ 623 struct desc_ptr gdt_desc = {0, 0}; 624 unsigned long desc_base; 625 626#ifdef CONFIG_MODIFY_LDT_SYSCALL 627 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 628 bool success = false; 629 struct ldt_struct *ldt; 630 631 /* Bits [15:3] contain the index of the desired entry. */ 632 sel >>= 3; 633 634 mutex_lock(¤t->active_mm->context.lock); 635 ldt = current->active_mm->context.ldt; 636 if (ldt && sel < ldt->nr_entries) { 637 *out = ldt->entries[sel]; 638 success = true; 639 } 640 641 mutex_unlock(¤t->active_mm->context.lock); 642 643 return success; 644 } 645#endif 646 native_store_gdt(&gdt_desc); 647 648 /* 649 * Segment descriptors have a size of 8 bytes. Thus, the index is 650 * multiplied by 8 to obtain the memory offset of the desired descriptor 651 * from the base of the GDT. As bits [15:3] of the segment selector 652 * contain the index, it can be regarded as multiplied by 8 already. 653 * All that remains is to clear bits [2:0]. 654 */ 655 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 656 657 if (desc_base > gdt_desc.size) 658 return false; 659 660 *out = *(struct desc_struct *)(gdt_desc.address + desc_base); 661 return true; 662} 663 664/** 665 * insn_get_seg_base() - Obtain base address of segment descriptor. 666 * @regs: Register values as seen when entering kernel mode 667 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 668 * 669 * Obtain the base address of the segment as indicated by the segment descriptor 670 * pointed by the segment selector. The segment selector is obtained from the 671 * input segment register index @seg_reg_idx. 672 * 673 * Returns: 674 * 675 * In protected mode, base address of the segment. Zero in long mode, 676 * except when FS or GS are used. In virtual-8086 mode, the segment 677 * selector shifted 4 bits to the right. 678 * 679 * -1L in case of error. 680 */ 681unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 682{ 683 struct desc_struct desc; 684 short sel; 685 686 sel = get_segment_selector(regs, seg_reg_idx); 687 if (sel < 0) 688 return -1L; 689 690 if (v8086_mode(regs)) 691 /* 692 * Base is simply the segment selector shifted 4 693 * bits to the right. 694 */ 695 return (unsigned long)(sel << 4); 696 697 if (any_64bit_mode(regs)) { 698 /* 699 * Only FS or GS will have a base address, the rest of 700 * the segments' bases are forced to 0. 701 */ 702 unsigned long base; 703 704 if (seg_reg_idx == INAT_SEG_REG_FS) { 705 rdmsrl(MSR_FS_BASE, base); 706 } else if (seg_reg_idx == INAT_SEG_REG_GS) { 707 /* 708 * swapgs was called at the kernel entry point. Thus, 709 * MSR_KERNEL_GS_BASE will have the user-space GS base. 710 */ 711 if (user_mode(regs)) 712 rdmsrl(MSR_KERNEL_GS_BASE, base); 713 else 714 rdmsrl(MSR_GS_BASE, base); 715 } else { 716 base = 0; 717 } 718 return base; 719 } 720 721 /* In protected mode the segment selector cannot be null. */ 722 if (!sel) 723 return -1L; 724 725 if (!get_desc(&desc, sel)) 726 return -1L; 727 728 return get_desc_base(&desc); 729} 730 731/** 732 * get_seg_limit() - Obtain the limit of a segment descriptor 733 * @regs: Register values as seen when entering kernel mode 734 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 735 * 736 * Obtain the limit of the segment as indicated by the segment descriptor 737 * pointed by the segment selector. The segment selector is obtained from the 738 * input segment register index @seg_reg_idx. 739 * 740 * Returns: 741 * 742 * In protected mode, the limit of the segment descriptor in bytes. 743 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 744 * limit is returned as -1L to imply a limit-less segment. 745 * 746 * Zero is returned on error. 747 */ 748static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 749{ 750 struct desc_struct desc; 751 unsigned long limit; 752 short sel; 753 754 sel = get_segment_selector(regs, seg_reg_idx); 755 if (sel < 0) 756 return 0; 757 758 if (any_64bit_mode(regs) || v8086_mode(regs)) 759 return -1L; 760 761 if (!sel) 762 return 0; 763 764 if (!get_desc(&desc, sel)) 765 return 0; 766 767 /* 768 * If the granularity bit is set, the limit is given in multiples 769 * of 4096. This also means that the 12 least significant bits are 770 * not tested when checking the segment limits. In practice, 771 * this means that the segment ends in (limit << 12) + 0xfff. 772 */ 773 limit = get_desc_limit(&desc); 774 if (desc.g) 775 limit = (limit << 12) + 0xfff; 776 777 return limit; 778} 779 780/** 781 * insn_get_code_seg_params() - Obtain code segment parameters 782 * @regs: Structure with register values as seen when entering kernel mode 783 * 784 * Obtain address and operand sizes of the code segment. It is obtained from the 785 * selector contained in the CS register in regs. In protected mode, the default 786 * address is determined by inspecting the L and D bits of the segment 787 * descriptor. In virtual-8086 mode, the default is always two bytes for both 788 * address and operand sizes. 789 * 790 * Returns: 791 * 792 * An int containing ORed-in default parameters on success. 793 * 794 * -EINVAL on error. 795 */ 796int insn_get_code_seg_params(struct pt_regs *regs) 797{ 798 struct desc_struct desc; 799 short sel; 800 801 if (v8086_mode(regs)) 802 /* Address and operand size are both 16-bit. */ 803 return INSN_CODE_SEG_PARAMS(2, 2); 804 805 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 806 if (sel < 0) 807 return sel; 808 809 if (!get_desc(&desc, sel)) 810 return -EINVAL; 811 812 /* 813 * The most significant byte of the Type field of the segment descriptor 814 * determines whether a segment contains data or code. If this is a data 815 * segment, return error. 816 */ 817 if (!(desc.type & BIT(3))) 818 return -EINVAL; 819 820 switch ((desc.l << 1) | desc.d) { 821 case 0: /* 822 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 823 * both 16-bit. 824 */ 825 return INSN_CODE_SEG_PARAMS(2, 2); 826 case 1: /* 827 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 828 * both 32-bit. 829 */ 830 return INSN_CODE_SEG_PARAMS(4, 4); 831 case 2: /* 832 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 833 * operand size is 32-bit. 834 */ 835 return INSN_CODE_SEG_PARAMS(4, 8); 836 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 837 fallthrough; 838 default: 839 return -EINVAL; 840 } 841} 842 843/** 844 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 845 * @insn: Instruction containing the ModRM byte 846 * @regs: Register values as seen when entering kernel mode 847 * 848 * Returns: 849 * 850 * The register indicated by the r/m part of the ModRM byte. The 851 * register is obtained as an offset from the base of pt_regs. In specific 852 * cases, the returned value can be -EDOM to indicate that the particular value 853 * of ModRM does not refer to a register and shall be ignored. 854 */ 855int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 856{ 857 return get_reg_offset(insn, regs, REG_TYPE_RM); 858} 859 860/** 861 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte 862 * @insn: Instruction containing the ModRM byte 863 * @regs: Register values as seen when entering kernel mode 864 * 865 * Returns: 866 * 867 * The register indicated by the reg part of the ModRM byte. The 868 * register is obtained as an offset from the base of pt_regs. 869 */ 870int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs) 871{ 872 return get_reg_offset(insn, regs, REG_TYPE_REG); 873} 874 875/** 876 * insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte 877 * @insn: Instruction containing the ModRM byte 878 * @regs: Register values as seen when entering kernel mode 879 * 880 * Returns: 881 * 882 * The register indicated by the reg part of the ModRM byte. 883 * The register is obtained as a pointer within pt_regs. 884 */ 885unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs) 886{ 887 int offset; 888 889 offset = insn_get_modrm_reg_off(insn, regs); 890 if (offset < 0) 891 return NULL; 892 return (void *)regs + offset; 893} 894 895/** 896 * get_seg_base_limit() - obtain base address and limit of a segment 897 * @insn: Instruction. Must be valid. 898 * @regs: Register values as seen when entering kernel mode 899 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 900 * @base: Obtained segment base 901 * @limit: Obtained segment limit 902 * 903 * Obtain the base address and limit of the segment associated with the operand 904 * @regoff and, if any or allowed, override prefixes in @insn. This function is 905 * different from insn_get_seg_base() as the latter does not resolve the segment 906 * associated with the instruction operand. If a limit is not needed (e.g., 907 * when running in long mode), @limit can be NULL. 908 * 909 * Returns: 910 * 911 * 0 on success. @base and @limit will contain the base address and of the 912 * resolved segment, respectively. 913 * 914 * -EINVAL on error. 915 */ 916static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 917 int regoff, unsigned long *base, 918 unsigned long *limit) 919{ 920 int seg_reg_idx; 921 922 if (!base) 923 return -EINVAL; 924 925 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 926 if (seg_reg_idx < 0) 927 return seg_reg_idx; 928 929 *base = insn_get_seg_base(regs, seg_reg_idx); 930 if (*base == -1L) 931 return -EINVAL; 932 933 if (!limit) 934 return 0; 935 936 *limit = get_seg_limit(regs, seg_reg_idx); 937 if (!(*limit)) 938 return -EINVAL; 939 940 return 0; 941} 942 943/** 944 * get_eff_addr_reg() - Obtain effective address from register operand 945 * @insn: Instruction. Must be valid. 946 * @regs: Register values as seen when entering kernel mode 947 * @regoff: Obtained operand offset, in pt_regs, with the effective address 948 * @eff_addr: Obtained effective address 949 * 950 * Obtain the effective address stored in the register operand as indicated by 951 * the ModRM byte. This function is to be used only with register addressing 952 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 953 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 954 * such offset can then be used to resolve the segment associated with the 955 * operand. This function can be used with any of the supported address sizes 956 * in x86. 957 * 958 * Returns: 959 * 960 * 0 on success. @eff_addr will have the effective address stored in the 961 * operand indicated by ModRM. @regoff will have such operand as an offset from 962 * the base of pt_regs. 963 * 964 * -EINVAL on error. 965 */ 966static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 967 int *regoff, long *eff_addr) 968{ 969 int ret; 970 971 ret = insn_get_modrm(insn); 972 if (ret) 973 return ret; 974 975 if (X86_MODRM_MOD(insn->modrm.value) != 3) 976 return -EINVAL; 977 978 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 979 if (*regoff < 0) 980 return -EINVAL; 981 982 /* Ignore bytes that are outside the address size. */ 983 if (insn->addr_bytes == 2) 984 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 985 else if (insn->addr_bytes == 4) 986 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 987 else /* 64-bit address */ 988 *eff_addr = regs_get_register(regs, *regoff); 989 990 return 0; 991} 992 993/** 994 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 995 * @insn: Instruction. Must be valid. 996 * @regs: Register values as seen when entering kernel mode 997 * @regoff: Obtained operand offset, in pt_regs, associated with segment 998 * @eff_addr: Obtained effective address 999 * 1000 * Obtain the effective address referenced by the ModRM byte of @insn. After 1001 * identifying the registers involved in the register-indirect memory reference, 1002 * its value is obtained from the operands in @regs. The computed address is 1003 * stored @eff_addr. Also, the register operand that indicates the associated 1004 * segment is stored in @regoff, this parameter can later be used to determine 1005 * such segment. 1006 * 1007 * Returns: 1008 * 1009 * 0 on success. @eff_addr will have the referenced effective address. @regoff 1010 * will have a register, as an offset from the base of pt_regs, that can be used 1011 * to resolve the associated segment. 1012 * 1013 * -EINVAL on error. 1014 */ 1015static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 1016 int *regoff, long *eff_addr) 1017{ 1018 long tmp; 1019 int ret; 1020 1021 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1022 return -EINVAL; 1023 1024 ret = insn_get_modrm(insn); 1025 if (ret) 1026 return ret; 1027 1028 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1029 return -EINVAL; 1030 1031 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 1032 1033 /* 1034 * -EDOM means that we must ignore the address_offset. In such a case, 1035 * in 64-bit mode the effective address relative to the rIP of the 1036 * following instruction. 1037 */ 1038 if (*regoff == -EDOM) { 1039 if (any_64bit_mode(regs)) 1040 tmp = regs->ip + insn->length; 1041 else 1042 tmp = 0; 1043 } else if (*regoff < 0) { 1044 return -EINVAL; 1045 } else { 1046 tmp = regs_get_register(regs, *regoff); 1047 } 1048 1049 if (insn->addr_bytes == 4) { 1050 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 1051 1052 *eff_addr = addr32 & 0xffffffff; 1053 } else { 1054 *eff_addr = tmp + insn->displacement.value; 1055 } 1056 1057 return 0; 1058} 1059 1060/** 1061 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 1062 * @insn: Instruction. Must be valid. 1063 * @regs: Register values as seen when entering kernel mode 1064 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1065 * @eff_addr: Obtained effective address 1066 * 1067 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 1068 * After identifying the registers involved in the register-indirect memory 1069 * reference, its value is obtained from the operands in @regs. The computed 1070 * address is stored @eff_addr. Also, the register operand that indicates 1071 * the associated segment is stored in @regoff, this parameter can later be used 1072 * to determine such segment. 1073 * 1074 * Returns: 1075 * 1076 * 0 on success. @eff_addr will have the referenced effective address. @regoff 1077 * will have a register, as an offset from the base of pt_regs, that can be used 1078 * to resolve the associated segment. 1079 * 1080 * -EINVAL on error. 1081 */ 1082static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 1083 int *regoff, short *eff_addr) 1084{ 1085 int addr_offset1, addr_offset2, ret; 1086 short addr1 = 0, addr2 = 0, displacement; 1087 1088 if (insn->addr_bytes != 2) 1089 return -EINVAL; 1090 1091 insn_get_modrm(insn); 1092 1093 if (!insn->modrm.nbytes) 1094 return -EINVAL; 1095 1096 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1097 return -EINVAL; 1098 1099 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1100 if (ret < 0) 1101 return -EINVAL; 1102 1103 /* 1104 * Don't fail on invalid offset values. They might be invalid because 1105 * they cannot be used for this particular value of ModRM. Instead, use 1106 * them in the computation only if they contain a valid value. 1107 */ 1108 if (addr_offset1 != -EDOM) 1109 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1110 1111 if (addr_offset2 != -EDOM) 1112 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1113 1114 displacement = insn->displacement.value & 0xffff; 1115 *eff_addr = addr1 + addr2 + displacement; 1116 1117 /* 1118 * The first operand register could indicate to use of either SS or DS 1119 * registers to obtain the segment selector. The second operand 1120 * register can only indicate the use of DS. Thus, the first operand 1121 * will be used to obtain the segment selector. 1122 */ 1123 *regoff = addr_offset1; 1124 1125 return 0; 1126} 1127 1128/** 1129 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1130 * @insn: Instruction. Must be valid. 1131 * @regs: Register values as seen when entering kernel mode 1132 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1133 * @eff_addr: Obtained effective address 1134 * 1135 * Obtain the effective address referenced by the SIB byte of @insn. After 1136 * identifying the registers involved in the indexed, register-indirect memory 1137 * reference, its value is obtained from the operands in @regs. The computed 1138 * address is stored @eff_addr. Also, the register operand that indicates the 1139 * associated segment is stored in @regoff, this parameter can later be used to 1140 * determine such segment. 1141 * 1142 * Returns: 1143 * 1144 * 0 on success. @eff_addr will have the referenced effective address. 1145 * @base_offset will have a register, as an offset from the base of pt_regs, 1146 * that can be used to resolve the associated segment. 1147 * 1148 * Negative value on error. 1149 */ 1150static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1151 int *base_offset, long *eff_addr) 1152{ 1153 long base, indx; 1154 int indx_offset; 1155 int ret; 1156 1157 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1158 return -EINVAL; 1159 1160 ret = insn_get_modrm(insn); 1161 if (ret) 1162 return ret; 1163 1164 if (!insn->modrm.nbytes) 1165 return -EINVAL; 1166 1167 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1168 return -EINVAL; 1169 1170 ret = insn_get_sib(insn); 1171 if (ret) 1172 return ret; 1173 1174 if (!insn->sib.nbytes) 1175 return -EINVAL; 1176 1177 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1178 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1179 1180 /* 1181 * Negative values in the base and index offset means an error when 1182 * decoding the SIB byte. Except -EDOM, which means that the registers 1183 * should not be used in the address computation. 1184 */ 1185 if (*base_offset == -EDOM) 1186 base = 0; 1187 else if (*base_offset < 0) 1188 return -EINVAL; 1189 else 1190 base = regs_get_register(regs, *base_offset); 1191 1192 if (indx_offset == -EDOM) 1193 indx = 0; 1194 else if (indx_offset < 0) 1195 return -EINVAL; 1196 else 1197 indx = regs_get_register(regs, indx_offset); 1198 1199 if (insn->addr_bytes == 4) { 1200 int addr32, base32, idx32; 1201 1202 base32 = base & 0xffffffff; 1203 idx32 = indx & 0xffffffff; 1204 1205 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1206 addr32 += insn->displacement.value; 1207 1208 *eff_addr = addr32 & 0xffffffff; 1209 } else { 1210 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1211 *eff_addr += insn->displacement.value; 1212 } 1213 1214 return 0; 1215} 1216 1217/** 1218 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1219 * @insn: Instruction containing ModRM byte and displacement 1220 * @regs: Register values as seen when entering kernel mode 1221 * 1222 * This function is to be used with 16-bit address encodings. Obtain the memory 1223 * address referred by the instruction's ModRM and displacement bytes. Also, the 1224 * segment used as base is determined by either any segment override prefixes in 1225 * @insn or the default segment of the registers involved in the address 1226 * computation. In protected mode, segment limits are enforced. 1227 * 1228 * Returns: 1229 * 1230 * Linear address referenced by the instruction operands on success. 1231 * 1232 * -1L on error. 1233 */ 1234static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1235{ 1236 unsigned long linear_addr = -1L, seg_base, seg_limit; 1237 int ret, regoff; 1238 short eff_addr; 1239 long tmp; 1240 1241 if (insn_get_displacement(insn)) 1242 goto out; 1243 1244 if (insn->addr_bytes != 2) 1245 goto out; 1246 1247 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1248 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1249 if (ret) 1250 goto out; 1251 1252 eff_addr = tmp; 1253 } else { 1254 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1255 if (ret) 1256 goto out; 1257 } 1258 1259 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1260 if (ret) 1261 goto out; 1262 1263 /* 1264 * Before computing the linear address, make sure the effective address 1265 * is within the limits of the segment. In virtual-8086 mode, segment 1266 * limits are not enforced. In such a case, the segment limit is -1L to 1267 * reflect this fact. 1268 */ 1269 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1270 goto out; 1271 1272 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1273 1274 /* Limit linear address to 20 bits */ 1275 if (v8086_mode(regs)) 1276 linear_addr &= 0xfffff; 1277 1278out: 1279 return (void __user *)linear_addr; 1280} 1281 1282/** 1283 * get_addr_ref_32() - Obtain a 32-bit linear address 1284 * @insn: Instruction with ModRM, SIB bytes and displacement 1285 * @regs: Register values as seen when entering kernel mode 1286 * 1287 * This function is to be used with 32-bit address encodings to obtain the 1288 * linear memory address referred by the instruction's ModRM, SIB, 1289 * displacement bytes and segment base address, as applicable. If in protected 1290 * mode, segment limits are enforced. 1291 * 1292 * Returns: 1293 * 1294 * Linear address referenced by instruction and registers on success. 1295 * 1296 * -1L on error. 1297 */ 1298static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1299{ 1300 unsigned long linear_addr = -1L, seg_base, seg_limit; 1301 int eff_addr, regoff; 1302 long tmp; 1303 int ret; 1304 1305 if (insn->addr_bytes != 4) 1306 goto out; 1307 1308 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1309 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1310 if (ret) 1311 goto out; 1312 1313 eff_addr = tmp; 1314 1315 } else { 1316 if (insn->sib.nbytes) { 1317 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1318 if (ret) 1319 goto out; 1320 1321 eff_addr = tmp; 1322 } else { 1323 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1324 if (ret) 1325 goto out; 1326 1327 eff_addr = tmp; 1328 } 1329 } 1330 1331 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1332 if (ret) 1333 goto out; 1334 1335 /* 1336 * In protected mode, before computing the linear address, make sure 1337 * the effective address is within the limits of the segment. 1338 * 32-bit addresses can be used in long and virtual-8086 modes if an 1339 * address override prefix is used. In such cases, segment limits are 1340 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1341 * to reflect this situation. 1342 * 1343 * After computed, the effective address is treated as an unsigned 1344 * quantity. 1345 */ 1346 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1347 goto out; 1348 1349 /* 1350 * Even though 32-bit address encodings are allowed in virtual-8086 1351 * mode, the address range is still limited to [0x-0xffff]. 1352 */ 1353 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1354 goto out; 1355 1356 /* 1357 * Data type long could be 64 bits in size. Ensure that our 32-bit 1358 * effective address is not sign-extended when computing the linear 1359 * address. 1360 */ 1361 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1362 1363 /* Limit linear address to 20 bits */ 1364 if (v8086_mode(regs)) 1365 linear_addr &= 0xfffff; 1366 1367out: 1368 return (void __user *)linear_addr; 1369} 1370 1371/** 1372 * get_addr_ref_64() - Obtain a 64-bit linear address 1373 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1374 * @regs: Structure with register values as seen when entering kernel mode 1375 * 1376 * This function is to be used with 64-bit address encodings to obtain the 1377 * linear memory address referred by the instruction's ModRM, SIB, 1378 * displacement bytes and segment base address, as applicable. 1379 * 1380 * Returns: 1381 * 1382 * Linear address referenced by instruction and registers on success. 1383 * 1384 * -1L on error. 1385 */ 1386#ifndef CONFIG_X86_64 1387static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1388{ 1389 return (void __user *)-1L; 1390} 1391#else 1392static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1393{ 1394 unsigned long linear_addr = -1L, seg_base; 1395 int regoff, ret; 1396 long eff_addr; 1397 1398 if (insn->addr_bytes != 8) 1399 goto out; 1400 1401 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1402 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1403 if (ret) 1404 goto out; 1405 1406 } else { 1407 if (insn->sib.nbytes) { 1408 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1409 if (ret) 1410 goto out; 1411 } else { 1412 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1413 if (ret) 1414 goto out; 1415 } 1416 1417 } 1418 1419 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1420 if (ret) 1421 goto out; 1422 1423 linear_addr = (unsigned long)eff_addr + seg_base; 1424 1425out: 1426 return (void __user *)linear_addr; 1427} 1428#endif /* CONFIG_X86_64 */ 1429 1430/** 1431 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1432 * @insn: Instruction structure containing ModRM byte and displacement 1433 * @regs: Structure with register values as seen when entering kernel mode 1434 * 1435 * Obtain the linear address referred by the instruction's ModRM, SIB and 1436 * displacement bytes, and segment base, as applicable. In protected mode, 1437 * segment limits are enforced. 1438 * 1439 * Returns: 1440 * 1441 * Linear address referenced by instruction and registers on success. 1442 * 1443 * -1L on error. 1444 */ 1445void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1446{ 1447 if (!insn || !regs) 1448 return (void __user *)-1L; 1449 1450 if (insn_get_opcode(insn)) 1451 return (void __user *)-1L; 1452 1453 switch (insn->addr_bytes) { 1454 case 2: 1455 return get_addr_ref_16(insn, regs); 1456 case 4: 1457 return get_addr_ref_32(insn, regs); 1458 case 8: 1459 return get_addr_ref_64(insn, regs); 1460 default: 1461 return (void __user *)-1L; 1462 } 1463} 1464 1465int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip) 1466{ 1467 unsigned long seg_base = 0; 1468 1469 /* 1470 * If not in user-space long mode, a custom code segment could be in 1471 * use. This is true in protected mode (if the process defined a local 1472 * descriptor table), or virtual-8086 mode. In most of the cases 1473 * seg_base will be zero as in USER_CS. 1474 */ 1475 if (!user_64bit_mode(regs)) { 1476 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS); 1477 if (seg_base == -1L) 1478 return -EINVAL; 1479 } 1480 1481 *ip = seg_base + regs->ip; 1482 1483 return 0; 1484} 1485 1486/** 1487 * insn_fetch_from_user() - Copy instruction bytes from user-space memory 1488 * @regs: Structure with register values as seen when entering kernel mode 1489 * @buf: Array to store the fetched instruction 1490 * 1491 * Gets the linear address of the instruction and copies the instruction bytes 1492 * to the buf. 1493 * 1494 * Returns: 1495 * 1496 * - number of instruction bytes copied. 1497 * - 0 if nothing was copied. 1498 * - -EINVAL if the linear address of the instruction could not be calculated 1499 */ 1500int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1501{ 1502 unsigned long ip; 1503 int not_copied; 1504 1505 if (insn_get_effective_ip(regs, &ip)) 1506 return -EINVAL; 1507 1508 not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE); 1509 1510 return MAX_INSN_SIZE - not_copied; 1511} 1512 1513/** 1514 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory 1515 * while in atomic code 1516 * @regs: Structure with register values as seen when entering kernel mode 1517 * @buf: Array to store the fetched instruction 1518 * 1519 * Gets the linear address of the instruction and copies the instruction bytes 1520 * to the buf. This function must be used in atomic context. 1521 * 1522 * Returns: 1523 * 1524 * - number of instruction bytes copied. 1525 * - 0 if nothing was copied. 1526 * - -EINVAL if the linear address of the instruction could not be calculated. 1527 */ 1528int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1529{ 1530 unsigned long ip; 1531 int not_copied; 1532 1533 if (insn_get_effective_ip(regs, &ip)) 1534 return -EINVAL; 1535 1536 not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE); 1537 1538 return MAX_INSN_SIZE - not_copied; 1539} 1540 1541/** 1542 * insn_decode_from_regs() - Decode an instruction 1543 * @insn: Structure to store decoded instruction 1544 * @regs: Structure with register values as seen when entering kernel mode 1545 * @buf: Buffer containing the instruction bytes 1546 * @buf_size: Number of instruction bytes available in buf 1547 * 1548 * Decodes the instruction provided in buf and stores the decoding results in 1549 * insn. Also determines the correct address and operand sizes. 1550 * 1551 * Returns: 1552 * 1553 * True if instruction was decoded, False otherwise. 1554 */ 1555bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs, 1556 unsigned char buf[MAX_INSN_SIZE], int buf_size) 1557{ 1558 int seg_defs; 1559 1560 insn_init(insn, buf, buf_size, user_64bit_mode(regs)); 1561 1562 /* 1563 * Override the default operand and address sizes with what is specified 1564 * in the code segment descriptor. The instruction decoder only sets 1565 * the address size it to either 4 or 8 address bytes and does nothing 1566 * for the operand bytes. This OK for most of the cases, but we could 1567 * have special cases where, for instance, a 16-bit code segment 1568 * descriptor is used. 1569 * If there is an address override prefix, the instruction decoder 1570 * correctly updates these values, even for 16-bit defaults. 1571 */ 1572 seg_defs = insn_get_code_seg_params(regs); 1573 if (seg_defs == -EINVAL) 1574 return false; 1575 1576 insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs); 1577 insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs); 1578 1579 if (insn_get_length(insn)) 1580 return false; 1581 1582 if (buf_size < insn->length) 1583 return false; 1584 1585 return true; 1586} 1587 1588/** 1589 * insn_decode_mmio() - Decode a MMIO instruction 1590 * @insn: Structure to store decoded instruction 1591 * @bytes: Returns size of memory operand 1592 * 1593 * Decodes instruction that used for Memory-mapped I/O. 1594 * 1595 * Returns: 1596 * 1597 * Type of the instruction. Size of the memory operand is stored in 1598 * @bytes. If decode failed, MMIO_DECODE_FAILED returned. 1599 */ 1600enum mmio_type insn_decode_mmio(struct insn *insn, int *bytes) 1601{ 1602 enum mmio_type type = MMIO_DECODE_FAILED; 1603 1604 *bytes = 0; 1605 1606 if (insn_get_opcode(insn)) 1607 return MMIO_DECODE_FAILED; 1608 1609 switch (insn->opcode.bytes[0]) { 1610 case 0x88: /* MOV m8,r8 */ 1611 *bytes = 1; 1612 fallthrough; 1613 case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */ 1614 if (!*bytes) 1615 *bytes = insn->opnd_bytes; 1616 type = MMIO_WRITE; 1617 break; 1618 1619 case 0xc6: /* MOV m8, imm8 */ 1620 *bytes = 1; 1621 fallthrough; 1622 case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */ 1623 if (!*bytes) 1624 *bytes = insn->opnd_bytes; 1625 type = MMIO_WRITE_IMM; 1626 break; 1627 1628 case 0x8a: /* MOV r8, m8 */ 1629 *bytes = 1; 1630 fallthrough; 1631 case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */ 1632 if (!*bytes) 1633 *bytes = insn->opnd_bytes; 1634 type = MMIO_READ; 1635 break; 1636 1637 case 0xa4: /* MOVS m8, m8 */ 1638 *bytes = 1; 1639 fallthrough; 1640 case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */ 1641 if (!*bytes) 1642 *bytes = insn->opnd_bytes; 1643 type = MMIO_MOVS; 1644 break; 1645 1646 case 0x0f: /* Two-byte instruction */ 1647 switch (insn->opcode.bytes[1]) { 1648 case 0xb6: /* MOVZX r16/r32/r64, m8 */ 1649 *bytes = 1; 1650 fallthrough; 1651 case 0xb7: /* MOVZX r32/r64, m16 */ 1652 if (!*bytes) 1653 *bytes = 2; 1654 type = MMIO_READ_ZERO_EXTEND; 1655 break; 1656 1657 case 0xbe: /* MOVSX r16/r32/r64, m8 */ 1658 *bytes = 1; 1659 fallthrough; 1660 case 0xbf: /* MOVSX r32/r64, m16 */ 1661 if (!*bytes) 1662 *bytes = 2; 1663 type = MMIO_READ_SIGN_EXTEND; 1664 break; 1665 } 1666 break; 1667 } 1668 1669 return type; 1670}