insn-eval.c 45 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670
  1. /*
  2. * Utility functions for x86 operand and address decoding
  3. *
  4. * Copyright (C) Intel Corporation 2017
  5. */
  6. #include <linux/kernel.h>
  7. #include <linux/string.h>
  8. #include <linux/ratelimit.h>
  9. #include <linux/mmu_context.h>
  10. #include <asm/desc_defs.h>
  11. #include <asm/desc.h>
  12. #include <asm/inat.h>
  13. #include <asm/insn.h>
  14. #include <asm/insn-eval.h>
  15. #include <asm/ldt.h>
  16. #include <asm/vm86.h>
  17. #undef pr_fmt
  18. #define pr_fmt(fmt) "insn: " fmt
  19. enum reg_type {
  20. REG_TYPE_RM = 0,
  21. REG_TYPE_REG,
  22. REG_TYPE_INDEX,
  23. REG_TYPE_BASE,
  24. };
  25. /**
  26. * is_string_insn() - Determine if instruction is a string instruction
  27. * @insn: Instruction containing the opcode to inspect
  28. *
  29. * Returns:
  30. *
  31. * true if the instruction, determined by the opcode, is any of the
  32. * string instructions as defined in the Intel Software Development manual.
  33. * False otherwise.
  34. */
  35. static bool is_string_insn(struct insn *insn)
  36. {
  37. /* All string instructions have a 1-byte opcode. */
  38. if (insn->opcode.nbytes != 1)
  39. return false;
  40. switch (insn->opcode.bytes[0]) {
  41. case 0x6c ... 0x6f: /* INS, OUTS */
  42. case 0xa4 ... 0xa7: /* MOVS, CMPS */
  43. case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
  44. return true;
  45. default:
  46. return false;
  47. }
  48. }
  49. /**
  50. * insn_has_rep_prefix() - Determine if instruction has a REP prefix
  51. * @insn: Instruction containing the prefix to inspect
  52. *
  53. * Returns:
  54. *
  55. * true if the instruction has a REP prefix, false if not.
  56. */
  57. bool insn_has_rep_prefix(struct insn *insn)
  58. {
  59. insn_byte_t p;
  60. int i;
  61. insn_get_prefixes(insn);
  62. for_each_insn_prefix(insn, i, p) {
  63. if (p == 0xf2 || p == 0xf3)
  64. return true;
  65. }
  66. return false;
  67. }
  68. /**
  69. * get_seg_reg_override_idx() - obtain segment register override index
  70. * @insn: Valid instruction with segment override prefixes
  71. *
  72. * Inspect the instruction prefixes in @insn and find segment overrides, if any.
  73. *
  74. * Returns:
  75. *
  76. * A constant identifying the segment register to use, among CS, SS, DS,
  77. * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
  78. * prefixes were found.
  79. *
  80. * -EINVAL in case of error.
  81. */
  82. static int get_seg_reg_override_idx(struct insn *insn)
  83. {
  84. int idx = INAT_SEG_REG_DEFAULT;
  85. int num_overrides = 0, i;
  86. insn_byte_t p;
  87. insn_get_prefixes(insn);
  88. /* Look for any segment override prefixes. */
  89. for_each_insn_prefix(insn, i, p) {
  90. insn_attr_t attr;
  91. attr = inat_get_opcode_attribute(p);
  92. switch (attr) {
  93. case INAT_MAKE_PREFIX(INAT_PFX_CS):
  94. idx = INAT_SEG_REG_CS;
  95. num_overrides++;
  96. break;
  97. case INAT_MAKE_PREFIX(INAT_PFX_SS):
  98. idx = INAT_SEG_REG_SS;
  99. num_overrides++;
  100. break;
  101. case INAT_MAKE_PREFIX(INAT_PFX_DS):
  102. idx = INAT_SEG_REG_DS;
  103. num_overrides++;
  104. break;
  105. case INAT_MAKE_PREFIX(INAT_PFX_ES):
  106. idx = INAT_SEG_REG_ES;
  107. num_overrides++;
  108. break;
  109. case INAT_MAKE_PREFIX(INAT_PFX_FS):
  110. idx = INAT_SEG_REG_FS;
  111. num_overrides++;
  112. break;
  113. case INAT_MAKE_PREFIX(INAT_PFX_GS):
  114. idx = INAT_SEG_REG_GS;
  115. num_overrides++;
  116. break;
  117. /* No default action needed. */
  118. }
  119. }
  120. /* More than one segment override prefix leads to undefined behavior. */
  121. if (num_overrides > 1)
  122. return -EINVAL;
  123. return idx;
  124. }
  125. /**
  126. * check_seg_overrides() - check if segment override prefixes are allowed
  127. * @insn: Valid instruction with segment override prefixes
  128. * @regoff: Operand offset, in pt_regs, for which the check is performed
  129. *
  130. * For a particular register used in register-indirect addressing, determine if
  131. * segment override prefixes can be used. Specifically, no overrides are allowed
  132. * for rDI if used with a string instruction.
  133. *
  134. * Returns:
  135. *
  136. * True if segment override prefixes can be used with the register indicated
  137. * in @regoff. False if otherwise.
  138. */
  139. static bool check_seg_overrides(struct insn *insn, int regoff)
  140. {
  141. if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
  142. return false;
  143. return true;
  144. }
  145. /**
  146. * resolve_default_seg() - resolve default segment register index for an operand
  147. * @insn: Instruction with opcode and address size. Must be valid.
  148. * @regs: Register values as seen when entering kernel mode
  149. * @off: Operand offset, in pt_regs, for which resolution is needed
  150. *
  151. * Resolve the default segment register index associated with the instruction
  152. * operand register indicated by @off. Such index is resolved based on defaults
  153. * described in the Intel Software Development Manual.
  154. *
  155. * Returns:
  156. *
  157. * If in protected mode, a constant identifying the segment register to use,
  158. * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
  159. *
  160. * -EINVAL in case of error.
  161. */
  162. static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
  163. {
  164. if (any_64bit_mode(regs))
  165. return INAT_SEG_REG_IGNORE;
  166. /*
  167. * Resolve the default segment register as described in Section 3.7.4
  168. * of the Intel Software Development Manual Vol. 1:
  169. *
  170. * + DS for all references involving r[ABCD]X, and rSI.
  171. * + If used in a string instruction, ES for rDI. Otherwise, DS.
  172. * + AX, CX and DX are not valid register operands in 16-bit address
  173. * encodings but are valid for 32-bit and 64-bit encodings.
  174. * + -EDOM is reserved to identify for cases in which no register
  175. * is used (i.e., displacement-only addressing). Use DS.
  176. * + SS for rSP or rBP.
  177. * + CS for rIP.
  178. */
  179. switch (off) {
  180. case offsetof(struct pt_regs, ax):
  181. case offsetof(struct pt_regs, cx):
  182. case offsetof(struct pt_regs, dx):
  183. /* Need insn to verify address size. */
  184. if (insn->addr_bytes == 2)
  185. return -EINVAL;
  186. fallthrough;
  187. case -EDOM:
  188. case offsetof(struct pt_regs, bx):
  189. case offsetof(struct pt_regs, si):
  190. return INAT_SEG_REG_DS;
  191. case offsetof(struct pt_regs, di):
  192. if (is_string_insn(insn))
  193. return INAT_SEG_REG_ES;
  194. return INAT_SEG_REG_DS;
  195. case offsetof(struct pt_regs, bp):
  196. case offsetof(struct pt_regs, sp):
  197. return INAT_SEG_REG_SS;
  198. case offsetof(struct pt_regs, ip):
  199. return INAT_SEG_REG_CS;
  200. default:
  201. return -EINVAL;
  202. }
  203. }
  204. /**
  205. * resolve_seg_reg() - obtain segment register index
  206. * @insn: Instruction with operands
  207. * @regs: Register values as seen when entering kernel mode
  208. * @regoff: Operand offset, in pt_regs, used to determine segment register
  209. *
  210. * Determine the segment register associated with the operands and, if
  211. * applicable, prefixes and the instruction pointed by @insn.
  212. *
  213. * The segment register associated to an operand used in register-indirect
  214. * addressing depends on:
  215. *
  216. * a) Whether running in long mode (in such a case segments are ignored, except
  217. * if FS or GS are used).
  218. *
  219. * b) Whether segment override prefixes can be used. Certain instructions and
  220. * registers do not allow override prefixes.
  221. *
  222. * c) Whether segment overrides prefixes are found in the instruction prefixes.
  223. *
  224. * d) If there are not segment override prefixes or they cannot be used, the
  225. * default segment register associated with the operand register is used.
  226. *
  227. * The function checks first if segment override prefixes can be used with the
  228. * operand indicated by @regoff. If allowed, obtain such overridden segment
  229. * register index. Lastly, if not prefixes were found or cannot be used, resolve
  230. * the segment register index to use based on the defaults described in the
  231. * Intel documentation. In long mode, all segment register indexes will be
  232. * ignored, except if overrides were found for FS or GS. All these operations
  233. * are done using helper functions.
  234. *
  235. * The operand register, @regoff, is represented as the offset from the base of
  236. * pt_regs.
  237. *
  238. * As stated, the main use of this function is to determine the segment register
  239. * index based on the instruction, its operands and prefixes. Hence, @insn
  240. * must be valid. However, if @regoff indicates rIP, we don't need to inspect
  241. * @insn at all as in this case CS is used in all cases. This case is checked
  242. * before proceeding further.
  243. *
  244. * Please note that this function does not return the value in the segment
  245. * register (i.e., the segment selector) but our defined index. The segment
  246. * selector needs to be obtained using get_segment_selector() and passing the
  247. * segment register index resolved by this function.
  248. *
  249. * Returns:
  250. *
  251. * An index identifying the segment register to use, among CS, SS, DS,
  252. * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
  253. *
  254. * -EINVAL in case of error.
  255. */
  256. static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
  257. {
  258. int idx;
  259. /*
  260. * In the unlikely event of having to resolve the segment register
  261. * index for rIP, do it first. Segment override prefixes should not
  262. * be used. Hence, it is not necessary to inspect the instruction,
  263. * which may be invalid at this point.
  264. */
  265. if (regoff == offsetof(struct pt_regs, ip)) {
  266. if (any_64bit_mode(regs))
  267. return INAT_SEG_REG_IGNORE;
  268. else
  269. return INAT_SEG_REG_CS;
  270. }
  271. if (!insn)
  272. return -EINVAL;
  273. if (!check_seg_overrides(insn, regoff))
  274. return resolve_default_seg(insn, regs, regoff);
  275. idx = get_seg_reg_override_idx(insn);
  276. if (idx < 0)
  277. return idx;
  278. if (idx == INAT_SEG_REG_DEFAULT)
  279. return resolve_default_seg(insn, regs, regoff);
  280. /*
  281. * In long mode, segment override prefixes are ignored, except for
  282. * overrides for FS and GS.
  283. */
  284. if (any_64bit_mode(regs)) {
  285. if (idx != INAT_SEG_REG_FS &&
  286. idx != INAT_SEG_REG_GS)
  287. idx = INAT_SEG_REG_IGNORE;
  288. }
  289. return idx;
  290. }
  291. /**
  292. * get_segment_selector() - obtain segment selector
  293. * @regs: Register values as seen when entering kernel mode
  294. * @seg_reg_idx: Segment register index to use
  295. *
  296. * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
  297. * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
  298. * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
  299. * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
  300. * registers. This done for only for completeness as in CONFIG_X86_64 segment
  301. * registers are ignored.
  302. *
  303. * Returns:
  304. *
  305. * Value of the segment selector, including null when running in
  306. * long mode.
  307. *
  308. * -EINVAL on error.
  309. */
  310. static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
  311. {
  312. unsigned short sel;
  313. #ifdef CONFIG_X86_64
  314. switch (seg_reg_idx) {
  315. case INAT_SEG_REG_IGNORE:
  316. return 0;
  317. case INAT_SEG_REG_CS:
  318. return (unsigned short)(regs->cs & 0xffff);
  319. case INAT_SEG_REG_SS:
  320. return (unsigned short)(regs->ss & 0xffff);
  321. case INAT_SEG_REG_DS:
  322. savesegment(ds, sel);
  323. return sel;
  324. case INAT_SEG_REG_ES:
  325. savesegment(es, sel);
  326. return sel;
  327. case INAT_SEG_REG_FS:
  328. savesegment(fs, sel);
  329. return sel;
  330. case INAT_SEG_REG_GS:
  331. savesegment(gs, sel);
  332. return sel;
  333. default:
  334. return -EINVAL;
  335. }
  336. #else /* CONFIG_X86_32 */
  337. struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
  338. if (v8086_mode(regs)) {
  339. switch (seg_reg_idx) {
  340. case INAT_SEG_REG_CS:
  341. return (unsigned short)(regs->cs & 0xffff);
  342. case INAT_SEG_REG_SS:
  343. return (unsigned short)(regs->ss & 0xffff);
  344. case INAT_SEG_REG_DS:
  345. return vm86regs->ds;
  346. case INAT_SEG_REG_ES:
  347. return vm86regs->es;
  348. case INAT_SEG_REG_FS:
  349. return vm86regs->fs;
  350. case INAT_SEG_REG_GS:
  351. return vm86regs->gs;
  352. case INAT_SEG_REG_IGNORE:
  353. default:
  354. return -EINVAL;
  355. }
  356. }
  357. switch (seg_reg_idx) {
  358. case INAT_SEG_REG_CS:
  359. return (unsigned short)(regs->cs & 0xffff);
  360. case INAT_SEG_REG_SS:
  361. return (unsigned short)(regs->ss & 0xffff);
  362. case INAT_SEG_REG_DS:
  363. return (unsigned short)(regs->ds & 0xffff);
  364. case INAT_SEG_REG_ES:
  365. return (unsigned short)(regs->es & 0xffff);
  366. case INAT_SEG_REG_FS:
  367. return (unsigned short)(regs->fs & 0xffff);
  368. case INAT_SEG_REG_GS:
  369. savesegment(gs, sel);
  370. return sel;
  371. case INAT_SEG_REG_IGNORE:
  372. default:
  373. return -EINVAL;
  374. }
  375. #endif /* CONFIG_X86_64 */
  376. }
  377. static const int pt_regoff[] = {
  378. offsetof(struct pt_regs, ax),
  379. offsetof(struct pt_regs, cx),
  380. offsetof(struct pt_regs, dx),
  381. offsetof(struct pt_regs, bx),
  382. offsetof(struct pt_regs, sp),
  383. offsetof(struct pt_regs, bp),
  384. offsetof(struct pt_regs, si),
  385. offsetof(struct pt_regs, di),
  386. #ifdef CONFIG_X86_64
  387. offsetof(struct pt_regs, r8),
  388. offsetof(struct pt_regs, r9),
  389. offsetof(struct pt_regs, r10),
  390. offsetof(struct pt_regs, r11),
  391. offsetof(struct pt_regs, r12),
  392. offsetof(struct pt_regs, r13),
  393. offsetof(struct pt_regs, r14),
  394. offsetof(struct pt_regs, r15),
  395. #else
  396. offsetof(struct pt_regs, ds),
  397. offsetof(struct pt_regs, es),
  398. offsetof(struct pt_regs, fs),
  399. offsetof(struct pt_regs, gs),
  400. #endif
  401. };
  402. int pt_regs_offset(struct pt_regs *regs, int regno)
  403. {
  404. if ((unsigned)regno < ARRAY_SIZE(pt_regoff))
  405. return pt_regoff[regno];
  406. return -EDOM;
  407. }
  408. static int get_regno(struct insn *insn, enum reg_type type)
  409. {
  410. int nr_registers = ARRAY_SIZE(pt_regoff);
  411. int regno = 0;
  412. /*
  413. * Don't possibly decode a 32-bit instructions as
  414. * reading a 64-bit-only register.
  415. */
  416. if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
  417. nr_registers -= 8;
  418. switch (type) {
  419. case REG_TYPE_RM:
  420. regno = X86_MODRM_RM(insn->modrm.value);
  421. /*
  422. * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
  423. * follows the ModRM byte.
  424. */
  425. if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
  426. return -EDOM;
  427. if (X86_REX_B(insn->rex_prefix.value))
  428. regno += 8;
  429. break;
  430. case REG_TYPE_REG:
  431. regno = X86_MODRM_REG(insn->modrm.value);
  432. if (X86_REX_R(insn->rex_prefix.value))
  433. regno += 8;
  434. break;
  435. case REG_TYPE_INDEX:
  436. regno = X86_SIB_INDEX(insn->sib.value);
  437. if (X86_REX_X(insn->rex_prefix.value))
  438. regno += 8;
  439. /*
  440. * If ModRM.mod != 3 and SIB.index = 4 the scale*index
  441. * portion of the address computation is null. This is
  442. * true only if REX.X is 0. In such a case, the SIB index
  443. * is used in the address computation.
  444. */
  445. if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
  446. return -EDOM;
  447. break;
  448. case REG_TYPE_BASE:
  449. regno = X86_SIB_BASE(insn->sib.value);
  450. /*
  451. * If ModRM.mod is 0 and SIB.base == 5, the base of the
  452. * register-indirect addressing is 0. In this case, a
  453. * 32-bit displacement follows the SIB byte.
  454. */
  455. if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
  456. return -EDOM;
  457. if (X86_REX_B(insn->rex_prefix.value))
  458. regno += 8;
  459. break;
  460. default:
  461. pr_err_ratelimited("invalid register type: %d\n", type);
  462. return -EINVAL;
  463. }
  464. if (regno >= nr_registers) {
  465. WARN_ONCE(1, "decoded an instruction with an invalid register");
  466. return -EINVAL;
  467. }
  468. return regno;
  469. }
  470. static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
  471. enum reg_type type)
  472. {
  473. int regno = get_regno(insn, type);
  474. if (regno < 0)
  475. return regno;
  476. return pt_regs_offset(regs, regno);
  477. }
  478. /**
  479. * get_reg_offset_16() - Obtain offset of register indicated by instruction
  480. * @insn: Instruction containing ModRM byte
  481. * @regs: Register values as seen when entering kernel mode
  482. * @offs1: Offset of the first operand register
  483. * @offs2: Offset of the second operand register, if applicable
  484. *
  485. * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
  486. * in @insn. This function is to be used with 16-bit address encodings. The
  487. * @offs1 and @offs2 will be written with the offset of the two registers
  488. * indicated by the instruction. In cases where any of the registers is not
  489. * referenced by the instruction, the value will be set to -EDOM.
  490. *
  491. * Returns:
  492. *
  493. * 0 on success, -EINVAL on error.
  494. */
  495. static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
  496. int *offs1, int *offs2)
  497. {
  498. /*
  499. * 16-bit addressing can use one or two registers. Specifics of
  500. * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
  501. * ModR/M Byte" of the Intel Software Development Manual.
  502. */
  503. static const int regoff1[] = {
  504. offsetof(struct pt_regs, bx),
  505. offsetof(struct pt_regs, bx),
  506. offsetof(struct pt_regs, bp),
  507. offsetof(struct pt_regs, bp),
  508. offsetof(struct pt_regs, si),
  509. offsetof(struct pt_regs, di),
  510. offsetof(struct pt_regs, bp),
  511. offsetof(struct pt_regs, bx),
  512. };
  513. static const int regoff2[] = {
  514. offsetof(struct pt_regs, si),
  515. offsetof(struct pt_regs, di),
  516. offsetof(struct pt_regs, si),
  517. offsetof(struct pt_regs, di),
  518. -EDOM,
  519. -EDOM,
  520. -EDOM,
  521. -EDOM,
  522. };
  523. if (!offs1 || !offs2)
  524. return -EINVAL;
  525. /* Operand is a register, use the generic function. */
  526. if (X86_MODRM_MOD(insn->modrm.value) == 3) {
  527. *offs1 = insn_get_modrm_rm_off(insn, regs);
  528. *offs2 = -EDOM;
  529. return 0;
  530. }
  531. *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
  532. *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
  533. /*
  534. * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
  535. * only addressing. This means that no registers are involved in
  536. * computing the effective address. Thus, ensure that the first
  537. * register offset is invalid. The second register offset is already
  538. * invalid under the aforementioned conditions.
  539. */
  540. if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
  541. (X86_MODRM_RM(insn->modrm.value) == 6))
  542. *offs1 = -EDOM;
  543. return 0;
  544. }
  545. /**
  546. * get_desc() - Obtain contents of a segment descriptor
  547. * @out: Segment descriptor contents on success
  548. * @sel: Segment selector
  549. *
  550. * Given a segment selector, obtain a pointer to the segment descriptor.
  551. * Both global and local descriptor tables are supported.
  552. *
  553. * Returns:
  554. *
  555. * True on success, false on failure.
  556. *
  557. * NULL on error.
  558. */
  559. static bool get_desc(struct desc_struct *out, unsigned short sel)
  560. {
  561. struct desc_ptr gdt_desc = {0, 0};
  562. unsigned long desc_base;
  563. #ifdef CONFIG_MODIFY_LDT_SYSCALL
  564. if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
  565. bool success = false;
  566. struct ldt_struct *ldt;
  567. /* Bits [15:3] contain the index of the desired entry. */
  568. sel >>= 3;
  569. mutex_lock(&current->active_mm->context.lock);
  570. ldt = current->active_mm->context.ldt;
  571. if (ldt && sel < ldt->nr_entries) {
  572. *out = ldt->entries[sel];
  573. success = true;
  574. }
  575. mutex_unlock(&current->active_mm->context.lock);
  576. return success;
  577. }
  578. #endif
  579. native_store_gdt(&gdt_desc);
  580. /*
  581. * Segment descriptors have a size of 8 bytes. Thus, the index is
  582. * multiplied by 8 to obtain the memory offset of the desired descriptor
  583. * from the base of the GDT. As bits [15:3] of the segment selector
  584. * contain the index, it can be regarded as multiplied by 8 already.
  585. * All that remains is to clear bits [2:0].
  586. */
  587. desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
  588. if (desc_base > gdt_desc.size)
  589. return false;
  590. *out = *(struct desc_struct *)(gdt_desc.address + desc_base);
  591. return true;
  592. }
  593. /**
  594. * insn_get_seg_base() - Obtain base address of segment descriptor.
  595. * @regs: Register values as seen when entering kernel mode
  596. * @seg_reg_idx: Index of the segment register pointing to seg descriptor
  597. *
  598. * Obtain the base address of the segment as indicated by the segment descriptor
  599. * pointed by the segment selector. The segment selector is obtained from the
  600. * input segment register index @seg_reg_idx.
  601. *
  602. * Returns:
  603. *
  604. * In protected mode, base address of the segment. Zero in long mode,
  605. * except when FS or GS are used. In virtual-8086 mode, the segment
  606. * selector shifted 4 bits to the right.
  607. *
  608. * -1L in case of error.
  609. */
  610. unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
  611. {
  612. struct desc_struct desc;
  613. short sel;
  614. sel = get_segment_selector(regs, seg_reg_idx);
  615. if (sel < 0)
  616. return -1L;
  617. if (v8086_mode(regs))
  618. /*
  619. * Base is simply the segment selector shifted 4
  620. * bits to the right.
  621. */
  622. return (unsigned long)(sel << 4);
  623. if (any_64bit_mode(regs)) {
  624. /*
  625. * Only FS or GS will have a base address, the rest of
  626. * the segments' bases are forced to 0.
  627. */
  628. unsigned long base;
  629. if (seg_reg_idx == INAT_SEG_REG_FS) {
  630. rdmsrl(MSR_FS_BASE, base);
  631. } else if (seg_reg_idx == INAT_SEG_REG_GS) {
  632. /*
  633. * swapgs was called at the kernel entry point. Thus,
  634. * MSR_KERNEL_GS_BASE will have the user-space GS base.
  635. */
  636. if (user_mode(regs))
  637. rdmsrl(MSR_KERNEL_GS_BASE, base);
  638. else
  639. rdmsrl(MSR_GS_BASE, base);
  640. } else {
  641. base = 0;
  642. }
  643. return base;
  644. }
  645. /* In protected mode the segment selector cannot be null. */
  646. if (!sel)
  647. return -1L;
  648. if (!get_desc(&desc, sel))
  649. return -1L;
  650. return get_desc_base(&desc);
  651. }
  652. /**
  653. * get_seg_limit() - Obtain the limit of a segment descriptor
  654. * @regs: Register values as seen when entering kernel mode
  655. * @seg_reg_idx: Index of the segment register pointing to seg descriptor
  656. *
  657. * Obtain the limit of the segment as indicated by the segment descriptor
  658. * pointed by the segment selector. The segment selector is obtained from the
  659. * input segment register index @seg_reg_idx.
  660. *
  661. * Returns:
  662. *
  663. * In protected mode, the limit of the segment descriptor in bytes.
  664. * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
  665. * limit is returned as -1L to imply a limit-less segment.
  666. *
  667. * Zero is returned on error.
  668. */
  669. static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
  670. {
  671. struct desc_struct desc;
  672. unsigned long limit;
  673. short sel;
  674. sel = get_segment_selector(regs, seg_reg_idx);
  675. if (sel < 0)
  676. return 0;
  677. if (any_64bit_mode(regs) || v8086_mode(regs))
  678. return -1L;
  679. if (!sel)
  680. return 0;
  681. if (!get_desc(&desc, sel))
  682. return 0;
  683. /*
  684. * If the granularity bit is set, the limit is given in multiples
  685. * of 4096. This also means that the 12 least significant bits are
  686. * not tested when checking the segment limits. In practice,
  687. * this means that the segment ends in (limit << 12) + 0xfff.
  688. */
  689. limit = get_desc_limit(&desc);
  690. if (desc.g)
  691. limit = (limit << 12) + 0xfff;
  692. return limit;
  693. }
  694. /**
  695. * insn_get_code_seg_params() - Obtain code segment parameters
  696. * @regs: Structure with register values as seen when entering kernel mode
  697. *
  698. * Obtain address and operand sizes of the code segment. It is obtained from the
  699. * selector contained in the CS register in regs. In protected mode, the default
  700. * address is determined by inspecting the L and D bits of the segment
  701. * descriptor. In virtual-8086 mode, the default is always two bytes for both
  702. * address and operand sizes.
  703. *
  704. * Returns:
  705. *
  706. * An int containing ORed-in default parameters on success.
  707. *
  708. * -EINVAL on error.
  709. */
  710. int insn_get_code_seg_params(struct pt_regs *regs)
  711. {
  712. struct desc_struct desc;
  713. short sel;
  714. if (v8086_mode(regs))
  715. /* Address and operand size are both 16-bit. */
  716. return INSN_CODE_SEG_PARAMS(2, 2);
  717. sel = get_segment_selector(regs, INAT_SEG_REG_CS);
  718. if (sel < 0)
  719. return sel;
  720. if (!get_desc(&desc, sel))
  721. return -EINVAL;
  722. /*
  723. * The most significant byte of the Type field of the segment descriptor
  724. * determines whether a segment contains data or code. If this is a data
  725. * segment, return error.
  726. */
  727. if (!(desc.type & BIT(3)))
  728. return -EINVAL;
  729. switch ((desc.l << 1) | desc.d) {
  730. case 0: /*
  731. * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
  732. * both 16-bit.
  733. */
  734. return INSN_CODE_SEG_PARAMS(2, 2);
  735. case 1: /*
  736. * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
  737. * both 32-bit.
  738. */
  739. return INSN_CODE_SEG_PARAMS(4, 4);
  740. case 2: /*
  741. * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
  742. * operand size is 32-bit.
  743. */
  744. return INSN_CODE_SEG_PARAMS(4, 8);
  745. case 3: /* Invalid setting. CS.L=1, CS.D=1 */
  746. fallthrough;
  747. default:
  748. return -EINVAL;
  749. }
  750. }
  751. /**
  752. * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
  753. * @insn: Instruction containing the ModRM byte
  754. * @regs: Register values as seen when entering kernel mode
  755. *
  756. * Returns:
  757. *
  758. * The register indicated by the r/m part of the ModRM byte. The
  759. * register is obtained as an offset from the base of pt_regs. In specific
  760. * cases, the returned value can be -EDOM to indicate that the particular value
  761. * of ModRM does not refer to a register and shall be ignored.
  762. */
  763. int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
  764. {
  765. return get_reg_offset(insn, regs, REG_TYPE_RM);
  766. }
  767. /**
  768. * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte
  769. * @insn: Instruction containing the ModRM byte
  770. * @regs: Register values as seen when entering kernel mode
  771. *
  772. * Returns:
  773. *
  774. * The register indicated by the reg part of the ModRM byte. The
  775. * register is obtained as an offset from the base of pt_regs.
  776. */
  777. int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)
  778. {
  779. return get_reg_offset(insn, regs, REG_TYPE_REG);
  780. }
  781. /**
  782. * insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte
  783. * @insn: Instruction containing the ModRM byte
  784. * @regs: Register values as seen when entering kernel mode
  785. *
  786. * Returns:
  787. *
  788. * The register indicated by the reg part of the ModRM byte.
  789. * The register is obtained as a pointer within pt_regs.
  790. */
  791. unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs)
  792. {
  793. int offset;
  794. offset = insn_get_modrm_reg_off(insn, regs);
  795. if (offset < 0)
  796. return NULL;
  797. return (void *)regs + offset;
  798. }
  799. /**
  800. * get_seg_base_limit() - obtain base address and limit of a segment
  801. * @insn: Instruction. Must be valid.
  802. * @regs: Register values as seen when entering kernel mode
  803. * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
  804. * @base: Obtained segment base
  805. * @limit: Obtained segment limit
  806. *
  807. * Obtain the base address and limit of the segment associated with the operand
  808. * @regoff and, if any or allowed, override prefixes in @insn. This function is
  809. * different from insn_get_seg_base() as the latter does not resolve the segment
  810. * associated with the instruction operand. If a limit is not needed (e.g.,
  811. * when running in long mode), @limit can be NULL.
  812. *
  813. * Returns:
  814. *
  815. * 0 on success. @base and @limit will contain the base address and of the
  816. * resolved segment, respectively.
  817. *
  818. * -EINVAL on error.
  819. */
  820. static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
  821. int regoff, unsigned long *base,
  822. unsigned long *limit)
  823. {
  824. int seg_reg_idx;
  825. if (!base)
  826. return -EINVAL;
  827. seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
  828. if (seg_reg_idx < 0)
  829. return seg_reg_idx;
  830. *base = insn_get_seg_base(regs, seg_reg_idx);
  831. if (*base == -1L)
  832. return -EINVAL;
  833. if (!limit)
  834. return 0;
  835. *limit = get_seg_limit(regs, seg_reg_idx);
  836. if (!(*limit))
  837. return -EINVAL;
  838. return 0;
  839. }
  840. /**
  841. * get_eff_addr_reg() - Obtain effective address from register operand
  842. * @insn: Instruction. Must be valid.
  843. * @regs: Register values as seen when entering kernel mode
  844. * @regoff: Obtained operand offset, in pt_regs, with the effective address
  845. * @eff_addr: Obtained effective address
  846. *
  847. * Obtain the effective address stored in the register operand as indicated by
  848. * the ModRM byte. This function is to be used only with register addressing
  849. * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
  850. * register operand, as an offset from the base of pt_regs, is saved in @regoff;
  851. * such offset can then be used to resolve the segment associated with the
  852. * operand. This function can be used with any of the supported address sizes
  853. * in x86.
  854. *
  855. * Returns:
  856. *
  857. * 0 on success. @eff_addr will have the effective address stored in the
  858. * operand indicated by ModRM. @regoff will have such operand as an offset from
  859. * the base of pt_regs.
  860. *
  861. * -EINVAL on error.
  862. */
  863. static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
  864. int *regoff, long *eff_addr)
  865. {
  866. int ret;
  867. ret = insn_get_modrm(insn);
  868. if (ret)
  869. return ret;
  870. if (X86_MODRM_MOD(insn->modrm.value) != 3)
  871. return -EINVAL;
  872. *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
  873. if (*regoff < 0)
  874. return -EINVAL;
  875. /* Ignore bytes that are outside the address size. */
  876. if (insn->addr_bytes == 2)
  877. *eff_addr = regs_get_register(regs, *regoff) & 0xffff;
  878. else if (insn->addr_bytes == 4)
  879. *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
  880. else /* 64-bit address */
  881. *eff_addr = regs_get_register(regs, *regoff);
  882. return 0;
  883. }
  884. /**
  885. * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
  886. * @insn: Instruction. Must be valid.
  887. * @regs: Register values as seen when entering kernel mode
  888. * @regoff: Obtained operand offset, in pt_regs, associated with segment
  889. * @eff_addr: Obtained effective address
  890. *
  891. * Obtain the effective address referenced by the ModRM byte of @insn. After
  892. * identifying the registers involved in the register-indirect memory reference,
  893. * its value is obtained from the operands in @regs. The computed address is
  894. * stored @eff_addr. Also, the register operand that indicates the associated
  895. * segment is stored in @regoff, this parameter can later be used to determine
  896. * such segment.
  897. *
  898. * Returns:
  899. *
  900. * 0 on success. @eff_addr will have the referenced effective address. @regoff
  901. * will have a register, as an offset from the base of pt_regs, that can be used
  902. * to resolve the associated segment.
  903. *
  904. * -EINVAL on error.
  905. */
  906. static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
  907. int *regoff, long *eff_addr)
  908. {
  909. long tmp;
  910. int ret;
  911. if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
  912. return -EINVAL;
  913. ret = insn_get_modrm(insn);
  914. if (ret)
  915. return ret;
  916. if (X86_MODRM_MOD(insn->modrm.value) > 2)
  917. return -EINVAL;
  918. *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
  919. /*
  920. * -EDOM means that we must ignore the address_offset. In such a case,
  921. * in 64-bit mode the effective address relative to the rIP of the
  922. * following instruction.
  923. */
  924. if (*regoff == -EDOM) {
  925. if (any_64bit_mode(regs))
  926. tmp = regs->ip + insn->length;
  927. else
  928. tmp = 0;
  929. } else if (*regoff < 0) {
  930. return -EINVAL;
  931. } else {
  932. tmp = regs_get_register(regs, *regoff);
  933. }
  934. if (insn->addr_bytes == 4) {
  935. int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
  936. *eff_addr = addr32 & 0xffffffff;
  937. } else {
  938. *eff_addr = tmp + insn->displacement.value;
  939. }
  940. return 0;
  941. }
  942. /**
  943. * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
  944. * @insn: Instruction. Must be valid.
  945. * @regs: Register values as seen when entering kernel mode
  946. * @regoff: Obtained operand offset, in pt_regs, associated with segment
  947. * @eff_addr: Obtained effective address
  948. *
  949. * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
  950. * After identifying the registers involved in the register-indirect memory
  951. * reference, its value is obtained from the operands in @regs. The computed
  952. * address is stored @eff_addr. Also, the register operand that indicates
  953. * the associated segment is stored in @regoff, this parameter can later be used
  954. * to determine such segment.
  955. *
  956. * Returns:
  957. *
  958. * 0 on success. @eff_addr will have the referenced effective address. @regoff
  959. * will have a register, as an offset from the base of pt_regs, that can be used
  960. * to resolve the associated segment.
  961. *
  962. * -EINVAL on error.
  963. */
  964. static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
  965. int *regoff, short *eff_addr)
  966. {
  967. int addr_offset1, addr_offset2, ret;
  968. short addr1 = 0, addr2 = 0, displacement;
  969. if (insn->addr_bytes != 2)
  970. return -EINVAL;
  971. insn_get_modrm(insn);
  972. if (!insn->modrm.nbytes)
  973. return -EINVAL;
  974. if (X86_MODRM_MOD(insn->modrm.value) > 2)
  975. return -EINVAL;
  976. ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
  977. if (ret < 0)
  978. return -EINVAL;
  979. /*
  980. * Don't fail on invalid offset values. They might be invalid because
  981. * they cannot be used for this particular value of ModRM. Instead, use
  982. * them in the computation only if they contain a valid value.
  983. */
  984. if (addr_offset1 != -EDOM)
  985. addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
  986. if (addr_offset2 != -EDOM)
  987. addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
  988. displacement = insn->displacement.value & 0xffff;
  989. *eff_addr = addr1 + addr2 + displacement;
  990. /*
  991. * The first operand register could indicate to use of either SS or DS
  992. * registers to obtain the segment selector. The second operand
  993. * register can only indicate the use of DS. Thus, the first operand
  994. * will be used to obtain the segment selector.
  995. */
  996. *regoff = addr_offset1;
  997. return 0;
  998. }
  999. /**
  1000. * get_eff_addr_sib() - Obtain referenced effective address via SIB
  1001. * @insn: Instruction. Must be valid.
  1002. * @regs: Register values as seen when entering kernel mode
  1003. * @regoff: Obtained operand offset, in pt_regs, associated with segment
  1004. * @eff_addr: Obtained effective address
  1005. *
  1006. * Obtain the effective address referenced by the SIB byte of @insn. After
  1007. * identifying the registers involved in the indexed, register-indirect memory
  1008. * reference, its value is obtained from the operands in @regs. The computed
  1009. * address is stored @eff_addr. Also, the register operand that indicates the
  1010. * associated segment is stored in @regoff, this parameter can later be used to
  1011. * determine such segment.
  1012. *
  1013. * Returns:
  1014. *
  1015. * 0 on success. @eff_addr will have the referenced effective address.
  1016. * @base_offset will have a register, as an offset from the base of pt_regs,
  1017. * that can be used to resolve the associated segment.
  1018. *
  1019. * Negative value on error.
  1020. */
  1021. static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
  1022. int *base_offset, long *eff_addr)
  1023. {
  1024. long base, indx;
  1025. int indx_offset;
  1026. int ret;
  1027. if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
  1028. return -EINVAL;
  1029. ret = insn_get_modrm(insn);
  1030. if (ret)
  1031. return ret;
  1032. if (!insn->modrm.nbytes)
  1033. return -EINVAL;
  1034. if (X86_MODRM_MOD(insn->modrm.value) > 2)
  1035. return -EINVAL;
  1036. ret = insn_get_sib(insn);
  1037. if (ret)
  1038. return ret;
  1039. if (!insn->sib.nbytes)
  1040. return -EINVAL;
  1041. *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
  1042. indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
  1043. /*
  1044. * Negative values in the base and index offset means an error when
  1045. * decoding the SIB byte. Except -EDOM, which means that the registers
  1046. * should not be used in the address computation.
  1047. */
  1048. if (*base_offset == -EDOM)
  1049. base = 0;
  1050. else if (*base_offset < 0)
  1051. return -EINVAL;
  1052. else
  1053. base = regs_get_register(regs, *base_offset);
  1054. if (indx_offset == -EDOM)
  1055. indx = 0;
  1056. else if (indx_offset < 0)
  1057. return -EINVAL;
  1058. else
  1059. indx = regs_get_register(regs, indx_offset);
  1060. if (insn->addr_bytes == 4) {
  1061. int addr32, base32, idx32;
  1062. base32 = base & 0xffffffff;
  1063. idx32 = indx & 0xffffffff;
  1064. addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
  1065. addr32 += insn->displacement.value;
  1066. *eff_addr = addr32 & 0xffffffff;
  1067. } else {
  1068. *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
  1069. *eff_addr += insn->displacement.value;
  1070. }
  1071. return 0;
  1072. }
  1073. /**
  1074. * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
  1075. * @insn: Instruction containing ModRM byte and displacement
  1076. * @regs: Register values as seen when entering kernel mode
  1077. *
  1078. * This function is to be used with 16-bit address encodings. Obtain the memory
  1079. * address referred by the instruction's ModRM and displacement bytes. Also, the
  1080. * segment used as base is determined by either any segment override prefixes in
  1081. * @insn or the default segment of the registers involved in the address
  1082. * computation. In protected mode, segment limits are enforced.
  1083. *
  1084. * Returns:
  1085. *
  1086. * Linear address referenced by the instruction operands on success.
  1087. *
  1088. * -1L on error.
  1089. */
  1090. static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
  1091. {
  1092. unsigned long linear_addr = -1L, seg_base, seg_limit;
  1093. int ret, regoff;
  1094. short eff_addr;
  1095. long tmp;
  1096. if (insn_get_displacement(insn))
  1097. goto out;
  1098. if (insn->addr_bytes != 2)
  1099. goto out;
  1100. if (X86_MODRM_MOD(insn->modrm.value) == 3) {
  1101. ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
  1102. if (ret)
  1103. goto out;
  1104. eff_addr = tmp;
  1105. } else {
  1106. ret = get_eff_addr_modrm_16(insn, regs, &regoff, &eff_addr);
  1107. if (ret)
  1108. goto out;
  1109. }
  1110. ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
  1111. if (ret)
  1112. goto out;
  1113. /*
  1114. * Before computing the linear address, make sure the effective address
  1115. * is within the limits of the segment. In virtual-8086 mode, segment
  1116. * limits are not enforced. In such a case, the segment limit is -1L to
  1117. * reflect this fact.
  1118. */
  1119. if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
  1120. goto out;
  1121. linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
  1122. /* Limit linear address to 20 bits */
  1123. if (v8086_mode(regs))
  1124. linear_addr &= 0xfffff;
  1125. out:
  1126. return (void __user *)linear_addr;
  1127. }
  1128. /**
  1129. * get_addr_ref_32() - Obtain a 32-bit linear address
  1130. * @insn: Instruction with ModRM, SIB bytes and displacement
  1131. * @regs: Register values as seen when entering kernel mode
  1132. *
  1133. * This function is to be used with 32-bit address encodings to obtain the
  1134. * linear memory address referred by the instruction's ModRM, SIB,
  1135. * displacement bytes and segment base address, as applicable. If in protected
  1136. * mode, segment limits are enforced.
  1137. *
  1138. * Returns:
  1139. *
  1140. * Linear address referenced by instruction and registers on success.
  1141. *
  1142. * -1L on error.
  1143. */
  1144. static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
  1145. {
  1146. unsigned long linear_addr = -1L, seg_base, seg_limit;
  1147. int eff_addr, regoff;
  1148. long tmp;
  1149. int ret;
  1150. if (insn->addr_bytes != 4)
  1151. goto out;
  1152. if (X86_MODRM_MOD(insn->modrm.value) == 3) {
  1153. ret = get_eff_addr_reg(insn, regs, &regoff, &tmp);
  1154. if (ret)
  1155. goto out;
  1156. eff_addr = tmp;
  1157. } else {
  1158. if (insn->sib.nbytes) {
  1159. ret = get_eff_addr_sib(insn, regs, &regoff, &tmp);
  1160. if (ret)
  1161. goto out;
  1162. eff_addr = tmp;
  1163. } else {
  1164. ret = get_eff_addr_modrm(insn, regs, &regoff, &tmp);
  1165. if (ret)
  1166. goto out;
  1167. eff_addr = tmp;
  1168. }
  1169. }
  1170. ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
  1171. if (ret)
  1172. goto out;
  1173. /*
  1174. * In protected mode, before computing the linear address, make sure
  1175. * the effective address is within the limits of the segment.
  1176. * 32-bit addresses can be used in long and virtual-8086 modes if an
  1177. * address override prefix is used. In such cases, segment limits are
  1178. * not enforced. When in virtual-8086 mode, the segment limit is -1L
  1179. * to reflect this situation.
  1180. *
  1181. * After computed, the effective address is treated as an unsigned
  1182. * quantity.
  1183. */
  1184. if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
  1185. goto out;
  1186. /*
  1187. * Even though 32-bit address encodings are allowed in virtual-8086
  1188. * mode, the address range is still limited to [0x-0xffff].
  1189. */
  1190. if (v8086_mode(regs) && (eff_addr & ~0xffff))
  1191. goto out;
  1192. /*
  1193. * Data type long could be 64 bits in size. Ensure that our 32-bit
  1194. * effective address is not sign-extended when computing the linear
  1195. * address.
  1196. */
  1197. linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
  1198. /* Limit linear address to 20 bits */
  1199. if (v8086_mode(regs))
  1200. linear_addr &= 0xfffff;
  1201. out:
  1202. return (void __user *)linear_addr;
  1203. }
  1204. /**
  1205. * get_addr_ref_64() - Obtain a 64-bit linear address
  1206. * @insn: Instruction struct with ModRM and SIB bytes and displacement
  1207. * @regs: Structure with register values as seen when entering kernel mode
  1208. *
  1209. * This function is to be used with 64-bit address encodings to obtain the
  1210. * linear memory address referred by the instruction's ModRM, SIB,
  1211. * displacement bytes and segment base address, as applicable.
  1212. *
  1213. * Returns:
  1214. *
  1215. * Linear address referenced by instruction and registers on success.
  1216. *
  1217. * -1L on error.
  1218. */
  1219. #ifndef CONFIG_X86_64
  1220. static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
  1221. {
  1222. return (void __user *)-1L;
  1223. }
  1224. #else
  1225. static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
  1226. {
  1227. unsigned long linear_addr = -1L, seg_base;
  1228. int regoff, ret;
  1229. long eff_addr;
  1230. if (insn->addr_bytes != 8)
  1231. goto out;
  1232. if (X86_MODRM_MOD(insn->modrm.value) == 3) {
  1233. ret = get_eff_addr_reg(insn, regs, &regoff, &eff_addr);
  1234. if (ret)
  1235. goto out;
  1236. } else {
  1237. if (insn->sib.nbytes) {
  1238. ret = get_eff_addr_sib(insn, regs, &regoff, &eff_addr);
  1239. if (ret)
  1240. goto out;
  1241. } else {
  1242. ret = get_eff_addr_modrm(insn, regs, &regoff, &eff_addr);
  1243. if (ret)
  1244. goto out;
  1245. }
  1246. }
  1247. ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
  1248. if (ret)
  1249. goto out;
  1250. linear_addr = (unsigned long)eff_addr + seg_base;
  1251. out:
  1252. return (void __user *)linear_addr;
  1253. }
  1254. #endif /* CONFIG_X86_64 */
  1255. /**
  1256. * insn_get_addr_ref() - Obtain the linear address referred by instruction
  1257. * @insn: Instruction structure containing ModRM byte and displacement
  1258. * @regs: Structure with register values as seen when entering kernel mode
  1259. *
  1260. * Obtain the linear address referred by the instruction's ModRM, SIB and
  1261. * displacement bytes, and segment base, as applicable. In protected mode,
  1262. * segment limits are enforced.
  1263. *
  1264. * Returns:
  1265. *
  1266. * Linear address referenced by instruction and registers on success.
  1267. *
  1268. * -1L on error.
  1269. */
  1270. void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
  1271. {
  1272. if (!insn || !regs)
  1273. return (void __user *)-1L;
  1274. if (insn_get_opcode(insn))
  1275. return (void __user *)-1L;
  1276. switch (insn->addr_bytes) {
  1277. case 2:
  1278. return get_addr_ref_16(insn, regs);
  1279. case 4:
  1280. return get_addr_ref_32(insn, regs);
  1281. case 8:
  1282. return get_addr_ref_64(insn, regs);
  1283. default:
  1284. return (void __user *)-1L;
  1285. }
  1286. }
  1287. int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)
  1288. {
  1289. unsigned long seg_base = 0;
  1290. /*
  1291. * If not in user-space long mode, a custom code segment could be in
  1292. * use. This is true in protected mode (if the process defined a local
  1293. * descriptor table), or virtual-8086 mode. In most of the cases
  1294. * seg_base will be zero as in USER_CS.
  1295. */
  1296. if (!user_64bit_mode(regs)) {
  1297. seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
  1298. if (seg_base == -1L)
  1299. return -EINVAL;
  1300. }
  1301. *ip = seg_base + regs->ip;
  1302. return 0;
  1303. }
  1304. /**
  1305. * insn_fetch_from_user() - Copy instruction bytes from user-space memory
  1306. * @regs: Structure with register values as seen when entering kernel mode
  1307. * @buf: Array to store the fetched instruction
  1308. *
  1309. * Gets the linear address of the instruction and copies the instruction bytes
  1310. * to the buf.
  1311. *
  1312. * Returns:
  1313. *
  1314. * - number of instruction bytes copied.
  1315. * - 0 if nothing was copied.
  1316. * - -EINVAL if the linear address of the instruction could not be calculated
  1317. */
  1318. int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
  1319. {
  1320. unsigned long ip;
  1321. int not_copied;
  1322. if (insn_get_effective_ip(regs, &ip))
  1323. return -EINVAL;
  1324. not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);
  1325. return MAX_INSN_SIZE - not_copied;
  1326. }
  1327. /**
  1328. * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory
  1329. * while in atomic code
  1330. * @regs: Structure with register values as seen when entering kernel mode
  1331. * @buf: Array to store the fetched instruction
  1332. *
  1333. * Gets the linear address of the instruction and copies the instruction bytes
  1334. * to the buf. This function must be used in atomic context.
  1335. *
  1336. * Returns:
  1337. *
  1338. * - number of instruction bytes copied.
  1339. * - 0 if nothing was copied.
  1340. * - -EINVAL if the linear address of the instruction could not be calculated.
  1341. */
  1342. int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
  1343. {
  1344. unsigned long ip;
  1345. int not_copied;
  1346. if (insn_get_effective_ip(regs, &ip))
  1347. return -EINVAL;
  1348. not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);
  1349. return MAX_INSN_SIZE - not_copied;
  1350. }
  1351. /**
  1352. * insn_decode_from_regs() - Decode an instruction
  1353. * @insn: Structure to store decoded instruction
  1354. * @regs: Structure with register values as seen when entering kernel mode
  1355. * @buf: Buffer containing the instruction bytes
  1356. * @buf_size: Number of instruction bytes available in buf
  1357. *
  1358. * Decodes the instruction provided in buf and stores the decoding results in
  1359. * insn. Also determines the correct address and operand sizes.
  1360. *
  1361. * Returns:
  1362. *
  1363. * True if instruction was decoded, False otherwise.
  1364. */
  1365. bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs,
  1366. unsigned char buf[MAX_INSN_SIZE], int buf_size)
  1367. {
  1368. int seg_defs;
  1369. insn_init(insn, buf, buf_size, user_64bit_mode(regs));
  1370. /*
  1371. * Override the default operand and address sizes with what is specified
  1372. * in the code segment descriptor. The instruction decoder only sets
  1373. * the address size it to either 4 or 8 address bytes and does nothing
  1374. * for the operand bytes. This OK for most of the cases, but we could
  1375. * have special cases where, for instance, a 16-bit code segment
  1376. * descriptor is used.
  1377. * If there is an address override prefix, the instruction decoder
  1378. * correctly updates these values, even for 16-bit defaults.
  1379. */
  1380. seg_defs = insn_get_code_seg_params(regs);
  1381. if (seg_defs == -EINVAL)
  1382. return false;
  1383. insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
  1384. insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
  1385. if (insn_get_length(insn))
  1386. return false;
  1387. if (buf_size < insn->length)
  1388. return false;
  1389. return true;
  1390. }
  1391. /**
  1392. * insn_decode_mmio() - Decode a MMIO instruction
  1393. * @insn: Structure to store decoded instruction
  1394. * @bytes: Returns size of memory operand
  1395. *
  1396. * Decodes instruction that used for Memory-mapped I/O.
  1397. *
  1398. * Returns:
  1399. *
  1400. * Type of the instruction. Size of the memory operand is stored in
  1401. * @bytes. If decode failed, MMIO_DECODE_FAILED returned.
  1402. */
  1403. enum mmio_type insn_decode_mmio(struct insn *insn, int *bytes)
  1404. {
  1405. enum mmio_type type = MMIO_DECODE_FAILED;
  1406. *bytes = 0;
  1407. if (insn_get_opcode(insn))
  1408. return MMIO_DECODE_FAILED;
  1409. switch (insn->opcode.bytes[0]) {
  1410. case 0x88: /* MOV m8,r8 */
  1411. *bytes = 1;
  1412. fallthrough;
  1413. case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */
  1414. if (!*bytes)
  1415. *bytes = insn->opnd_bytes;
  1416. type = MMIO_WRITE;
  1417. break;
  1418. case 0xc6: /* MOV m8, imm8 */
  1419. *bytes = 1;
  1420. fallthrough;
  1421. case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */
  1422. if (!*bytes)
  1423. *bytes = insn->opnd_bytes;
  1424. type = MMIO_WRITE_IMM;
  1425. break;
  1426. case 0x8a: /* MOV r8, m8 */
  1427. *bytes = 1;
  1428. fallthrough;
  1429. case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */
  1430. if (!*bytes)
  1431. *bytes = insn->opnd_bytes;
  1432. type = MMIO_READ;
  1433. break;
  1434. case 0xa4: /* MOVS m8, m8 */
  1435. *bytes = 1;
  1436. fallthrough;
  1437. case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */
  1438. if (!*bytes)
  1439. *bytes = insn->opnd_bytes;
  1440. type = MMIO_MOVS;
  1441. break;
  1442. case 0x0f: /* Two-byte instruction */
  1443. switch (insn->opcode.bytes[1]) {
  1444. case 0xb6: /* MOVZX r16/r32/r64, m8 */
  1445. *bytes = 1;
  1446. fallthrough;
  1447. case 0xb7: /* MOVZX r32/r64, m16 */
  1448. if (!*bytes)
  1449. *bytes = 2;
  1450. type = MMIO_READ_ZERO_EXTEND;
  1451. break;
  1452. case 0xbe: /* MOVSX r16/r32/r64, m8 */
  1453. *bytes = 1;
  1454. fallthrough;
  1455. case 0xbf: /* MOVSX r32/r64, m16 */
  1456. if (!*bytes)
  1457. *bytes = 2;
  1458. type = MMIO_READ_SIGN_EXTEND;
  1459. break;
  1460. }
  1461. break;
  1462. }
  1463. return type;
  1464. }