1 /* 2 * umip.c Emulation for instruction protected by the Intel User-Mode 3 * Instruction Prevention feature 4 * 5 * Copyright (c) 2017, Intel Corporation. 6 * Ricardo Neri <ricardo.neri-calderon@linux.intel.com> 7 */ 8 9 #include <linux/uaccess.h> 10 #include <asm/umip.h> 11 #include <asm/traps.h> 12 #include <asm/insn.h> 13 #include <asm/insn-eval.h> 14 #include <linux/ratelimit.h> 15 16 #undef pr_fmt 17 #define pr_fmt(fmt) "umip: " fmt 18 19 /** DOC: Emulation for User-Mode Instruction Prevention (UMIP) 20 * 21 * The feature User-Mode Instruction Prevention present in recent Intel 22 * processor prevents a group of instructions (sgdt, sidt, sldt, smsw, and str) 23 * from being executed with CPL > 0. Otherwise, a general protection fault is 24 * issued. 25 * 26 * Rather than relaying to the user space the general protection fault caused by 27 * the UMIP-protected instructions (in the form of a SIGSEGV signal), it can be 28 * trapped and emulate the result of such instructions to provide dummy values. 29 * This allows to both conserve the current kernel behavior and not reveal the 30 * system resources that UMIP intends to protect (i.e., the locations of the 31 * global descriptor and interrupt descriptor tables, the segment selectors of 32 * the local descriptor table, the value of the task state register and the 33 * contents of the CR0 register). 34 * 35 * This emulation is needed because certain applications (e.g., WineHQ and 36 * DOSEMU2) rely on this subset of instructions to function. 37 * 38 * The instructions protected by UMIP can be split in two groups. Those which 39 * return a kernel memory address (sgdt and sidt) and those which return a 40 * value (sldt, str and smsw). 41 * 42 * For the instructions that return a kernel memory address, applications 43 * such as WineHQ rely on the result being located in the kernel memory space, 44 * not the actual location of the table. The result is emulated as a hard-coded 45 * value that, lies close to the top of the kernel memory. The limit for the GDT 46 * and the IDT are set to zero. 47 * 48 * Given that sldt and str are not commonly used in programs that run on WineHQ 49 * or DOSEMU2, they are not emulated. 50 * 51 * The instruction smsw is emulated to return the value that the register CR0 52 * has at boot time as set in the head_32. 53 * 54 * Also, emulation is provided only for 32-bit processes; 64-bit processes 55 * that attempt to use the instructions that UMIP protects will receive the 56 * SIGSEGV signal issued as a consequence of the general protection fault. 57 * 58 * Care is taken to appropriately emulate the results when segmentation is 59 * used. That is, rather than relying on USER_DS and USER_CS, the function 60 * insn_get_addr_ref() inspects the segment descriptor pointed by the 61 * registers in pt_regs. This ensures that we correctly obtain the segment 62 * base address and the address and operand sizes even if the user space 63 * application uses a local descriptor table. 64 */ 65 66 #define UMIP_DUMMY_GDT_BASE 0xfffe0000 67 #define UMIP_DUMMY_IDT_BASE 0xffff0000 68 69 /* 70 * The SGDT and SIDT instructions store the contents of the global descriptor 71 * table and interrupt table registers, respectively. The destination is a 72 * memory operand of X+2 bytes. X bytes are used to store the base address of 73 * the table and 2 bytes are used to store the limit. In 32-bit processes, the 74 * only processes for which emulation is provided, X has a value of 4. 75 */ 76 #define UMIP_GDT_IDT_BASE_SIZE 4 77 #define UMIP_GDT_IDT_LIMIT_SIZE 2 78 79 #define UMIP_INST_SGDT 0 /* 0F 01 /0 */ 80 #define UMIP_INST_SIDT 1 /* 0F 01 /1 */ 81 #define UMIP_INST_SMSW 3 /* 0F 01 /4 */ 82 83 /** 84 * identify_insn() - Identify a UMIP-protected instruction 85 * @insn: Instruction structure with opcode and ModRM byte. 86 * 87 * From the opcode and ModRM.reg in @insn identify, if any, a UMIP-protected 88 * instruction that can be emulated. 89 * 90 * Returns: 91 * 92 * On success, a constant identifying a specific UMIP-protected instruction that 93 * can be emulated. 94 * 95 * -EINVAL on error or when not an UMIP-protected instruction that can be 96 * emulated. 97 */ 98 static int identify_insn(struct insn *insn) 99 { 100 /* By getting modrm we also get the opcode. */ 101 insn_get_modrm(insn); 102 103 if (!insn->modrm.nbytes) 104 return -EINVAL; 105 106 /* All the instructions of interest start with 0x0f. */ 107 if (insn->opcode.bytes[0] != 0xf) 108 return -EINVAL; 109 110 if (insn->opcode.bytes[1] == 0x1) { 111 switch (X86_MODRM_REG(insn->modrm.value)) { 112 case 0: 113 return UMIP_INST_SGDT; 114 case 1: 115 return UMIP_INST_SIDT; 116 case 4: 117 return UMIP_INST_SMSW; 118 default: 119 return -EINVAL; 120 } 121 } 122 123 /* SLDT AND STR are not emulated */ 124 return -EINVAL; 125 } 126 127 /** 128 * emulate_umip_insn() - Emulate UMIP instructions and return dummy values 129 * @insn: Instruction structure with operands 130 * @umip_inst: A constant indicating the instruction to emulate 131 * @data: Buffer into which the dummy result is stored 132 * @data_size: Size of the emulated result 133 * 134 * Emulate an instruction protected by UMIP and provide a dummy result. The 135 * result of the emulation is saved in @data. The size of the results depends 136 * on both the instruction and type of operand (register vs memory address). 137 * The size of the result is updated in @data_size. Caller is responsible 138 * of providing a @data buffer of at least UMIP_GDT_IDT_BASE_SIZE + 139 * UMIP_GDT_IDT_LIMIT_SIZE bytes. 140 * 141 * Returns: 142 * 143 * 0 on success, -EINVAL on error while emulating. 144 */ 145 static int emulate_umip_insn(struct insn *insn, int umip_inst, 146 unsigned char *data, int *data_size) 147 { 148 unsigned long dummy_base_addr, dummy_value; 149 unsigned short dummy_limit = 0; 150 151 if (!data || !data_size || !insn) 152 return -EINVAL; 153 /* 154 * These two instructions return the base address and limit of the 155 * global and interrupt descriptor table, respectively. According to the 156 * Intel Software Development manual, the base address can be 24-bit, 157 * 32-bit or 64-bit. Limit is always 16-bit. If the operand size is 158 * 16-bit, the returned value of the base address is supposed to be a 159 * zero-extended 24-byte number. However, it seems that a 32-byte number 160 * is always returned irrespective of the operand size. 161 */ 162 if (umip_inst == UMIP_INST_SGDT || umip_inst == UMIP_INST_SIDT) { 163 /* SGDT and SIDT do not use registers operands. */ 164 if (X86_MODRM_MOD(insn->modrm.value) == 3) 165 return -EINVAL; 166 167 if (umip_inst == UMIP_INST_SGDT) 168 dummy_base_addr = UMIP_DUMMY_GDT_BASE; 169 else 170 dummy_base_addr = UMIP_DUMMY_IDT_BASE; 171 172 *data_size = UMIP_GDT_IDT_LIMIT_SIZE + UMIP_GDT_IDT_BASE_SIZE; 173 174 memcpy(data + 2, &dummy_base_addr, UMIP_GDT_IDT_BASE_SIZE); 175 memcpy(data, &dummy_limit, UMIP_GDT_IDT_LIMIT_SIZE); 176 177 } else if (umip_inst == UMIP_INST_SMSW) { 178 dummy_value = CR0_STATE; 179 180 /* 181 * Even though the CR0 register has 4 bytes, the number 182 * of bytes to be copied in the result buffer is determined 183 * by whether the operand is a register or a memory location. 184 * If operand is a register, return as many bytes as the operand 185 * size. If operand is memory, return only the two least 186 * siginificant bytes of CR0. 187 */ 188 if (X86_MODRM_MOD(insn->modrm.value) == 3) 189 *data_size = insn->opnd_bytes; 190 else 191 *data_size = 2; 192 193 memcpy(data, &dummy_value, *data_size); 194 /* STR and SLDT are not emulated */ 195 } else { 196 return -EINVAL; 197 } 198 199 return 0; 200 } 201 202 /** 203 * force_sig_info_umip_fault() - Force a SIGSEGV with SEGV_MAPERR 204 * @addr: Address that caused the signal 205 * @regs: Register set containing the instruction pointer 206 * 207 * Force a SIGSEGV signal with SEGV_MAPERR as the error code. This function is 208 * intended to be used to provide a segmentation fault when the result of the 209 * UMIP emulation could not be copied to the user space memory. 210 * 211 * Returns: none 212 */ 213 static void force_sig_info_umip_fault(void __user *addr, struct pt_regs *regs) 214 { 215 siginfo_t info; 216 struct task_struct *tsk = current; 217 218 tsk->thread.cr2 = (unsigned long)addr; 219 tsk->thread.error_code = X86_PF_USER | X86_PF_WRITE; 220 tsk->thread.trap_nr = X86_TRAP_PF; 221 222 info.si_signo = SIGSEGV; 223 info.si_errno = 0; 224 info.si_code = SEGV_MAPERR; 225 info.si_addr = addr; 226 force_sig_info(SIGSEGV, &info, tsk); 227 228 if (!(show_unhandled_signals && unhandled_signal(tsk, SIGSEGV))) 229 return; 230 231 pr_err_ratelimited("%s[%d] umip emulation segfault ip:%lx sp:%lx error:%x in %lx\n", 232 tsk->comm, task_pid_nr(tsk), regs->ip, 233 regs->sp, X86_PF_USER | X86_PF_WRITE, 234 regs->ip); 235 } 236 237 /** 238 * fixup_umip_exception() - Fixup a general protection fault caused by UMIP 239 * @regs: Registers as saved when entering the #GP handler 240 * 241 * The instructions sgdt, sidt, str, smsw, sldt cause a general protection 242 * fault if executed with CPL > 0 (i.e., from user space). If the offending 243 * user-space process is not in long mode, this function fixes the exception 244 * up and provides dummy results for sgdt, sidt and smsw; str and sldt are not 245 * fixed up. Also long mode user-space processes are not fixed up. 246 * 247 * If operands are memory addresses, results are copied to user-space memory as 248 * indicated by the instruction pointed by eIP using the registers indicated in 249 * the instruction operands. If operands are registers, results are copied into 250 * the context that was saved when entering kernel mode. 251 * 252 * Returns: 253 * 254 * True if emulation was successful; false if not. 255 */ 256 bool fixup_umip_exception(struct pt_regs *regs) 257 { 258 int not_copied, nr_copied, reg_offset, dummy_data_size, umip_inst; 259 unsigned long seg_base = 0, *reg_addr; 260 /* 10 bytes is the maximum size of the result of UMIP instructions */ 261 unsigned char dummy_data[10] = { 0 }; 262 unsigned char buf[MAX_INSN_SIZE]; 263 void __user *uaddr; 264 struct insn insn; 265 char seg_defs; 266 267 if (!regs) 268 return false; 269 270 /* Do not emulate 64-bit processes. */ 271 if (user_64bit_mode(regs)) 272 return false; 273 274 /* 275 * If not in user-space long mode, a custom code segment could be in 276 * use. This is true in protected mode (if the process defined a local 277 * descriptor table), or virtual-8086 mode. In most of the cases 278 * seg_base will be zero as in USER_CS. 279 */ 280 if (!user_64bit_mode(regs)) 281 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS); 282 283 if (seg_base == -1L) 284 return false; 285 286 not_copied = copy_from_user(buf, (void __user *)(seg_base + regs->ip), 287 sizeof(buf)); 288 nr_copied = sizeof(buf) - not_copied; 289 290 /* 291 * The copy_from_user above could have failed if user code is protected 292 * by a memory protection key. Give up on emulation in such a case. 293 * Should we issue a page fault? 294 */ 295 if (!nr_copied) 296 return false; 297 298 insn_init(&insn, buf, nr_copied, user_64bit_mode(regs)); 299 300 /* 301 * Override the default operand and address sizes with what is specified 302 * in the code segment descriptor. The instruction decoder only sets 303 * the address size it to either 4 or 8 address bytes and does nothing 304 * for the operand bytes. This OK for most of the cases, but we could 305 * have special cases where, for instance, a 16-bit code segment 306 * descriptor is used. 307 * If there is an address override prefix, the instruction decoder 308 * correctly updates these values, even for 16-bit defaults. 309 */ 310 seg_defs = insn_get_code_seg_params(regs); 311 if (seg_defs == -EINVAL) 312 return false; 313 314 insn.addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs); 315 insn.opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs); 316 317 insn_get_length(&insn); 318 if (nr_copied < insn.length) 319 return false; 320 321 umip_inst = identify_insn(&insn); 322 if (umip_inst < 0) 323 return false; 324 325 if (emulate_umip_insn(&insn, umip_inst, dummy_data, &dummy_data_size)) 326 return false; 327 328 /* 329 * If operand is a register, write result to the copy of the register 330 * value that was pushed to the stack when entering into kernel mode. 331 * Upon exit, the value we write will be restored to the actual hardware 332 * register. 333 */ 334 if (X86_MODRM_MOD(insn.modrm.value) == 3) { 335 reg_offset = insn_get_modrm_rm_off(&insn, regs); 336 337 /* 338 * Negative values are usually errors. In memory addressing, 339 * the exception is -EDOM. Since we expect a register operand, 340 * all negative values are errors. 341 */ 342 if (reg_offset < 0) 343 return false; 344 345 reg_addr = (unsigned long *)((unsigned long)regs + reg_offset); 346 memcpy(reg_addr, dummy_data, dummy_data_size); 347 } else { 348 uaddr = insn_get_addr_ref(&insn, regs); 349 if ((unsigned long)uaddr == -1L) 350 return false; 351 352 nr_copied = copy_to_user(uaddr, dummy_data, dummy_data_size); 353 if (nr_copied > 0) { 354 /* 355 * If copy fails, send a signal and tell caller that 356 * fault was fixed up. 357 */ 358 force_sig_info_umip_fault(uaddr, regs); 359 return true; 360 } 361 } 362 363 /* increase IP to let the program keep going */ 364 regs->ip += insn.length; 365 return true; 366 } 367