1 /* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6 #include <linux/kernel.h> 7 #include <linux/string.h> 8 #include <linux/ratelimit.h> 9 #include <linux/mmu_context.h> 10 #include <asm/desc_defs.h> 11 #include <asm/desc.h> 12 #include <asm/inat.h> 13 #include <asm/insn.h> 14 #include <asm/insn-eval.h> 15 #include <asm/ldt.h> 16 #include <asm/vm86.h> 17 18 #undef pr_fmt 19 #define pr_fmt(fmt) "insn: " fmt 20 21 enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_INDEX, 24 REG_TYPE_BASE, 25 }; 26 27 /** 28 * is_string_insn() - Determine if instruction is a string instruction 29 * @insn: Instruction containing the opcode to inspect 30 * 31 * Returns: 32 * 33 * true if the instruction, determined by the opcode, is any of the 34 * string instructions as defined in the Intel Software Development manual. 35 * False otherwise. 36 */ 37 static bool is_string_insn(struct insn *insn) 38 { 39 insn_get_opcode(insn); 40 41 /* All string instructions have a 1-byte opcode. */ 42 if (insn->opcode.nbytes != 1) 43 return false; 44 45 switch (insn->opcode.bytes[0]) { 46 case 0x6c ... 0x6f: /* INS, OUTS */ 47 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 49 return true; 50 default: 51 return false; 52 } 53 } 54 55 /** 56 * get_seg_reg_override_idx() - obtain segment register override index 57 * @insn: Valid instruction with segment override prefixes 58 * 59 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 60 * 61 * Returns: 62 * 63 * A constant identifying the segment register to use, among CS, SS, DS, 64 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 65 * prefixes were found. 66 * 67 * -EINVAL in case of error. 68 */ 69 static int get_seg_reg_override_idx(struct insn *insn) 70 { 71 int idx = INAT_SEG_REG_DEFAULT; 72 int num_overrides = 0, i; 73 74 insn_get_prefixes(insn); 75 76 /* Look for any segment override prefixes. */ 77 for (i = 0; i < insn->prefixes.nbytes; i++) { 78 insn_attr_t attr; 79 80 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); 81 switch (attr) { 82 case INAT_MAKE_PREFIX(INAT_PFX_CS): 83 idx = INAT_SEG_REG_CS; 84 num_overrides++; 85 break; 86 case INAT_MAKE_PREFIX(INAT_PFX_SS): 87 idx = INAT_SEG_REG_SS; 88 num_overrides++; 89 break; 90 case INAT_MAKE_PREFIX(INAT_PFX_DS): 91 idx = INAT_SEG_REG_DS; 92 num_overrides++; 93 break; 94 case INAT_MAKE_PREFIX(INAT_PFX_ES): 95 idx = INAT_SEG_REG_ES; 96 num_overrides++; 97 break; 98 case INAT_MAKE_PREFIX(INAT_PFX_FS): 99 idx = INAT_SEG_REG_FS; 100 num_overrides++; 101 break; 102 case INAT_MAKE_PREFIX(INAT_PFX_GS): 103 idx = INAT_SEG_REG_GS; 104 num_overrides++; 105 break; 106 /* No default action needed. */ 107 } 108 } 109 110 /* More than one segment override prefix leads to undefined behavior. */ 111 if (num_overrides > 1) 112 return -EINVAL; 113 114 return idx; 115 } 116 117 /** 118 * check_seg_overrides() - check if segment override prefixes are allowed 119 * @insn: Valid instruction with segment override prefixes 120 * @regoff: Operand offset, in pt_regs, for which the check is performed 121 * 122 * For a particular register used in register-indirect addressing, determine if 123 * segment override prefixes can be used. Specifically, no overrides are allowed 124 * for rDI if used with a string instruction. 125 * 126 * Returns: 127 * 128 * True if segment override prefixes can be used with the register indicated 129 * in @regoff. False if otherwise. 130 */ 131 static bool check_seg_overrides(struct insn *insn, int regoff) 132 { 133 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 134 return false; 135 136 return true; 137 } 138 139 /** 140 * resolve_default_seg() - resolve default segment register index for an operand 141 * @insn: Instruction with opcode and address size. Must be valid. 142 * @regs: Register values as seen when entering kernel mode 143 * @off: Operand offset, in pt_regs, for which resolution is needed 144 * 145 * Resolve the default segment register index associated with the instruction 146 * operand register indicated by @off. Such index is resolved based on defaults 147 * described in the Intel Software Development Manual. 148 * 149 * Returns: 150 * 151 * If in protected mode, a constant identifying the segment register to use, 152 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 153 * 154 * -EINVAL in case of error. 155 */ 156 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 157 { 158 if (user_64bit_mode(regs)) 159 return INAT_SEG_REG_IGNORE; 160 /* 161 * Resolve the default segment register as described in Section 3.7.4 162 * of the Intel Software Development Manual Vol. 1: 163 * 164 * + DS for all references involving r[ABCD]X, and rSI. 165 * + If used in a string instruction, ES for rDI. Otherwise, DS. 166 * + AX, CX and DX are not valid register operands in 16-bit address 167 * encodings but are valid for 32-bit and 64-bit encodings. 168 * + -EDOM is reserved to identify for cases in which no register 169 * is used (i.e., displacement-only addressing). Use DS. 170 * + SS for rSP or rBP. 171 * + CS for rIP. 172 */ 173 174 switch (off) { 175 case offsetof(struct pt_regs, ax): 176 case offsetof(struct pt_regs, cx): 177 case offsetof(struct pt_regs, dx): 178 /* Need insn to verify address size. */ 179 if (insn->addr_bytes == 2) 180 return -EINVAL; 181 182 /* fall through */ 183 184 case -EDOM: 185 case offsetof(struct pt_regs, bx): 186 case offsetof(struct pt_regs, si): 187 return INAT_SEG_REG_DS; 188 189 case offsetof(struct pt_regs, di): 190 if (is_string_insn(insn)) 191 return INAT_SEG_REG_ES; 192 return INAT_SEG_REG_DS; 193 194 case offsetof(struct pt_regs, bp): 195 case offsetof(struct pt_regs, sp): 196 return INAT_SEG_REG_SS; 197 198 case offsetof(struct pt_regs, ip): 199 return INAT_SEG_REG_CS; 200 201 default: 202 return -EINVAL; 203 } 204 } 205 206 /** 207 * resolve_seg_reg() - obtain segment register index 208 * @insn: Instruction with operands 209 * @regs: Register values as seen when entering kernel mode 210 * @regoff: Operand offset, in pt_regs, used to deterimine segment register 211 * 212 * Determine the segment register associated with the operands and, if 213 * applicable, prefixes and the instruction pointed by @insn. 214 * 215 * The segment register associated to an operand used in register-indirect 216 * addressing depends on: 217 * 218 * a) Whether running in long mode (in such a case segments are ignored, except 219 * if FS or GS are used). 220 * 221 * b) Whether segment override prefixes can be used. Certain instructions and 222 * registers do not allow override prefixes. 223 * 224 * c) Whether segment overrides prefixes are found in the instruction prefixes. 225 * 226 * d) If there are not segment override prefixes or they cannot be used, the 227 * default segment register associated with the operand register is used. 228 * 229 * The function checks first if segment override prefixes can be used with the 230 * operand indicated by @regoff. If allowed, obtain such overridden segment 231 * register index. Lastly, if not prefixes were found or cannot be used, resolve 232 * the segment register index to use based on the defaults described in the 233 * Intel documentation. In long mode, all segment register indexes will be 234 * ignored, except if overrides were found for FS or GS. All these operations 235 * are done using helper functions. 236 * 237 * The operand register, @regoff, is represented as the offset from the base of 238 * pt_regs. 239 * 240 * As stated, the main use of this function is to determine the segment register 241 * index based on the instruction, its operands and prefixes. Hence, @insn 242 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 243 * @insn at all as in this case CS is used in all cases. This case is checked 244 * before proceeding further. 245 * 246 * Please note that this function does not return the value in the segment 247 * register (i.e., the segment selector) but our defined index. The segment 248 * selector needs to be obtained using get_segment_selector() and passing the 249 * segment register index resolved by this function. 250 * 251 * Returns: 252 * 253 * An index identifying the segment register to use, among CS, SS, DS, 254 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 255 * 256 * -EINVAL in case of error. 257 */ 258 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 259 { 260 int idx; 261 262 /* 263 * In the unlikely event of having to resolve the segment register 264 * index for rIP, do it first. Segment override prefixes should not 265 * be used. Hence, it is not necessary to inspect the instruction, 266 * which may be invalid at this point. 267 */ 268 if (regoff == offsetof(struct pt_regs, ip)) { 269 if (user_64bit_mode(regs)) 270 return INAT_SEG_REG_IGNORE; 271 else 272 return INAT_SEG_REG_CS; 273 } 274 275 if (!insn) 276 return -EINVAL; 277 278 if (!check_seg_overrides(insn, regoff)) 279 return resolve_default_seg(insn, regs, regoff); 280 281 idx = get_seg_reg_override_idx(insn); 282 if (idx < 0) 283 return idx; 284 285 if (idx == INAT_SEG_REG_DEFAULT) 286 return resolve_default_seg(insn, regs, regoff); 287 288 /* 289 * In long mode, segment override prefixes are ignored, except for 290 * overrides for FS and GS. 291 */ 292 if (user_64bit_mode(regs)) { 293 if (idx != INAT_SEG_REG_FS && 294 idx != INAT_SEG_REG_GS) 295 idx = INAT_SEG_REG_IGNORE; 296 } 297 298 return idx; 299 } 300 301 /** 302 * get_segment_selector() - obtain segment selector 303 * @regs: Register values as seen when entering kernel mode 304 * @seg_reg_idx: Segment register index to use 305 * 306 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 307 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 308 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 309 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 310 * registers. This done for only for completeness as in CONFIG_X86_64 segment 311 * registers are ignored. 312 * 313 * Returns: 314 * 315 * Value of the segment selector, including null when running in 316 * long mode. 317 * 318 * -EINVAL on error. 319 */ 320 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 321 { 322 #ifdef CONFIG_X86_64 323 unsigned short sel; 324 325 switch (seg_reg_idx) { 326 case INAT_SEG_REG_IGNORE: 327 return 0; 328 case INAT_SEG_REG_CS: 329 return (unsigned short)(regs->cs & 0xffff); 330 case INAT_SEG_REG_SS: 331 return (unsigned short)(regs->ss & 0xffff); 332 case INAT_SEG_REG_DS: 333 savesegment(ds, sel); 334 return sel; 335 case INAT_SEG_REG_ES: 336 savesegment(es, sel); 337 return sel; 338 case INAT_SEG_REG_FS: 339 savesegment(fs, sel); 340 return sel; 341 case INAT_SEG_REG_GS: 342 savesegment(gs, sel); 343 return sel; 344 default: 345 return -EINVAL; 346 } 347 #else /* CONFIG_X86_32 */ 348 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 349 350 if (v8086_mode(regs)) { 351 switch (seg_reg_idx) { 352 case INAT_SEG_REG_CS: 353 return (unsigned short)(regs->cs & 0xffff); 354 case INAT_SEG_REG_SS: 355 return (unsigned short)(regs->ss & 0xffff); 356 case INAT_SEG_REG_DS: 357 return vm86regs->ds; 358 case INAT_SEG_REG_ES: 359 return vm86regs->es; 360 case INAT_SEG_REG_FS: 361 return vm86regs->fs; 362 case INAT_SEG_REG_GS: 363 return vm86regs->gs; 364 case INAT_SEG_REG_IGNORE: 365 /* fall through */ 366 default: 367 return -EINVAL; 368 } 369 } 370 371 switch (seg_reg_idx) { 372 case INAT_SEG_REG_CS: 373 return (unsigned short)(regs->cs & 0xffff); 374 case INAT_SEG_REG_SS: 375 return (unsigned short)(regs->ss & 0xffff); 376 case INAT_SEG_REG_DS: 377 return (unsigned short)(regs->ds & 0xffff); 378 case INAT_SEG_REG_ES: 379 return (unsigned short)(regs->es & 0xffff); 380 case INAT_SEG_REG_FS: 381 return (unsigned short)(regs->fs & 0xffff); 382 case INAT_SEG_REG_GS: 383 /* 384 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. 385 * The macro below takes care of both cases. 386 */ 387 return get_user_gs(regs); 388 case INAT_SEG_REG_IGNORE: 389 /* fall through */ 390 default: 391 return -EINVAL; 392 } 393 #endif /* CONFIG_X86_64 */ 394 } 395 396 static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 397 enum reg_type type) 398 { 399 int regno = 0; 400 401 static const int regoff[] = { 402 offsetof(struct pt_regs, ax), 403 offsetof(struct pt_regs, cx), 404 offsetof(struct pt_regs, dx), 405 offsetof(struct pt_regs, bx), 406 offsetof(struct pt_regs, sp), 407 offsetof(struct pt_regs, bp), 408 offsetof(struct pt_regs, si), 409 offsetof(struct pt_regs, di), 410 #ifdef CONFIG_X86_64 411 offsetof(struct pt_regs, r8), 412 offsetof(struct pt_regs, r9), 413 offsetof(struct pt_regs, r10), 414 offsetof(struct pt_regs, r11), 415 offsetof(struct pt_regs, r12), 416 offsetof(struct pt_regs, r13), 417 offsetof(struct pt_regs, r14), 418 offsetof(struct pt_regs, r15), 419 #endif 420 }; 421 int nr_registers = ARRAY_SIZE(regoff); 422 /* 423 * Don't possibly decode a 32-bit instructions as 424 * reading a 64-bit-only register. 425 */ 426 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 427 nr_registers -= 8; 428 429 switch (type) { 430 case REG_TYPE_RM: 431 regno = X86_MODRM_RM(insn->modrm.value); 432 433 /* 434 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 435 * follows the ModRM byte. 436 */ 437 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 438 return -EDOM; 439 440 if (X86_REX_B(insn->rex_prefix.value)) 441 regno += 8; 442 break; 443 444 case REG_TYPE_INDEX: 445 regno = X86_SIB_INDEX(insn->sib.value); 446 if (X86_REX_X(insn->rex_prefix.value)) 447 regno += 8; 448 449 /* 450 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 451 * portion of the address computation is null. This is 452 * true only if REX.X is 0. In such a case, the SIB index 453 * is used in the address computation. 454 */ 455 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 456 return -EDOM; 457 break; 458 459 case REG_TYPE_BASE: 460 regno = X86_SIB_BASE(insn->sib.value); 461 /* 462 * If ModRM.mod is 0 and SIB.base == 5, the base of the 463 * register-indirect addressing is 0. In this case, a 464 * 32-bit displacement follows the SIB byte. 465 */ 466 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 467 return -EDOM; 468 469 if (X86_REX_B(insn->rex_prefix.value)) 470 regno += 8; 471 break; 472 473 default: 474 pr_err_ratelimited("invalid register type: %d\n", type); 475 return -EINVAL; 476 } 477 478 if (regno >= nr_registers) { 479 WARN_ONCE(1, "decoded an instruction with an invalid register"); 480 return -EINVAL; 481 } 482 return regoff[regno]; 483 } 484 485 /** 486 * get_reg_offset_16() - Obtain offset of register indicated by instruction 487 * @insn: Instruction containing ModRM byte 488 * @regs: Register values as seen when entering kernel mode 489 * @offs1: Offset of the first operand register 490 * @offs2: Offset of the second opeand register, if applicable 491 * 492 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 493 * in @insn. This function is to be used with 16-bit address encodings. The 494 * @offs1 and @offs2 will be written with the offset of the two registers 495 * indicated by the instruction. In cases where any of the registers is not 496 * referenced by the instruction, the value will be set to -EDOM. 497 * 498 * Returns: 499 * 500 * 0 on success, -EINVAL on error. 501 */ 502 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 503 int *offs1, int *offs2) 504 { 505 /* 506 * 16-bit addressing can use one or two registers. Specifics of 507 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 508 * ModR/M Byte" of the Intel Software Development Manual. 509 */ 510 static const int regoff1[] = { 511 offsetof(struct pt_regs, bx), 512 offsetof(struct pt_regs, bx), 513 offsetof(struct pt_regs, bp), 514 offsetof(struct pt_regs, bp), 515 offsetof(struct pt_regs, si), 516 offsetof(struct pt_regs, di), 517 offsetof(struct pt_regs, bp), 518 offsetof(struct pt_regs, bx), 519 }; 520 521 static const int regoff2[] = { 522 offsetof(struct pt_regs, si), 523 offsetof(struct pt_regs, di), 524 offsetof(struct pt_regs, si), 525 offsetof(struct pt_regs, di), 526 -EDOM, 527 -EDOM, 528 -EDOM, 529 -EDOM, 530 }; 531 532 if (!offs1 || !offs2) 533 return -EINVAL; 534 535 /* Operand is a register, use the generic function. */ 536 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 537 *offs1 = insn_get_modrm_rm_off(insn, regs); 538 *offs2 = -EDOM; 539 return 0; 540 } 541 542 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 543 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 544 545 /* 546 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 547 * only addressing. This means that no registers are involved in 548 * computing the effective address. Thus, ensure that the first 549 * register offset is invalild. The second register offset is already 550 * invalid under the aforementioned conditions. 551 */ 552 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 553 (X86_MODRM_RM(insn->modrm.value) == 6)) 554 *offs1 = -EDOM; 555 556 return 0; 557 } 558 559 /** 560 * get_desc() - Obtain pointer to a segment descriptor 561 * @sel: Segment selector 562 * 563 * Given a segment selector, obtain a pointer to the segment descriptor. 564 * Both global and local descriptor tables are supported. 565 * 566 * Returns: 567 * 568 * Pointer to segment descriptor on success. 569 * 570 * NULL on error. 571 */ 572 static struct desc_struct *get_desc(unsigned short sel) 573 { 574 struct desc_ptr gdt_desc = {0, 0}; 575 unsigned long desc_base; 576 577 #ifdef CONFIG_MODIFY_LDT_SYSCALL 578 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 579 struct desc_struct *desc = NULL; 580 struct ldt_struct *ldt; 581 582 /* Bits [15:3] contain the index of the desired entry. */ 583 sel >>= 3; 584 585 mutex_lock(¤t->active_mm->context.lock); 586 ldt = current->active_mm->context.ldt; 587 if (ldt && sel < ldt->nr_entries) 588 desc = &ldt->entries[sel]; 589 590 mutex_unlock(¤t->active_mm->context.lock); 591 592 return desc; 593 } 594 #endif 595 native_store_gdt(&gdt_desc); 596 597 /* 598 * Segment descriptors have a size of 8 bytes. Thus, the index is 599 * multiplied by 8 to obtain the memory offset of the desired descriptor 600 * from the base of the GDT. As bits [15:3] of the segment selector 601 * contain the index, it can be regarded as multiplied by 8 already. 602 * All that remains is to clear bits [2:0]. 603 */ 604 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 605 606 if (desc_base > gdt_desc.size) 607 return NULL; 608 609 return (struct desc_struct *)(gdt_desc.address + desc_base); 610 } 611 612 /** 613 * insn_get_seg_base() - Obtain base address of segment descriptor. 614 * @regs: Register values as seen when entering kernel mode 615 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 616 * 617 * Obtain the base address of the segment as indicated by the segment descriptor 618 * pointed by the segment selector. The segment selector is obtained from the 619 * input segment register index @seg_reg_idx. 620 * 621 * Returns: 622 * 623 * In protected mode, base address of the segment. Zero in long mode, 624 * except when FS or GS are used. In virtual-8086 mode, the segment 625 * selector shifted 4 bits to the right. 626 * 627 * -1L in case of error. 628 */ 629 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 630 { 631 struct desc_struct *desc; 632 short sel; 633 634 sel = get_segment_selector(regs, seg_reg_idx); 635 if (sel < 0) 636 return -1L; 637 638 if (v8086_mode(regs)) 639 /* 640 * Base is simply the segment selector shifted 4 641 * bits to the right. 642 */ 643 return (unsigned long)(sel << 4); 644 645 if (user_64bit_mode(regs)) { 646 /* 647 * Only FS or GS will have a base address, the rest of 648 * the segments' bases are forced to 0. 649 */ 650 unsigned long base; 651 652 if (seg_reg_idx == INAT_SEG_REG_FS) 653 rdmsrl(MSR_FS_BASE, base); 654 else if (seg_reg_idx == INAT_SEG_REG_GS) 655 /* 656 * swapgs was called at the kernel entry point. Thus, 657 * MSR_KERNEL_GS_BASE will have the user-space GS base. 658 */ 659 rdmsrl(MSR_KERNEL_GS_BASE, base); 660 else 661 base = 0; 662 return base; 663 } 664 665 /* In protected mode the segment selector cannot be null. */ 666 if (!sel) 667 return -1L; 668 669 desc = get_desc(sel); 670 if (!desc) 671 return -1L; 672 673 return get_desc_base(desc); 674 } 675 676 /** 677 * get_seg_limit() - Obtain the limit of a segment descriptor 678 * @regs: Register values as seen when entering kernel mode 679 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 680 * 681 * Obtain the limit of the segment as indicated by the segment descriptor 682 * pointed by the segment selector. The segment selector is obtained from the 683 * input segment register index @seg_reg_idx. 684 * 685 * Returns: 686 * 687 * In protected mode, the limit of the segment descriptor in bytes. 688 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 689 * limit is returned as -1L to imply a limit-less segment. 690 * 691 * Zero is returned on error. 692 */ 693 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 694 { 695 struct desc_struct *desc; 696 unsigned long limit; 697 short sel; 698 699 sel = get_segment_selector(regs, seg_reg_idx); 700 if (sel < 0) 701 return 0; 702 703 if (user_64bit_mode(regs) || v8086_mode(regs)) 704 return -1L; 705 706 if (!sel) 707 return 0; 708 709 desc = get_desc(sel); 710 if (!desc) 711 return 0; 712 713 /* 714 * If the granularity bit is set, the limit is given in multiples 715 * of 4096. This also means that the 12 least significant bits are 716 * not tested when checking the segment limits. In practice, 717 * this means that the segment ends in (limit << 12) + 0xfff. 718 */ 719 limit = get_desc_limit(desc); 720 if (desc->g) 721 limit = (limit << 12) + 0xfff; 722 723 return limit; 724 } 725 726 /** 727 * insn_get_code_seg_params() - Obtain code segment parameters 728 * @regs: Structure with register values as seen when entering kernel mode 729 * 730 * Obtain address and operand sizes of the code segment. It is obtained from the 731 * selector contained in the CS register in regs. In protected mode, the default 732 * address is determined by inspecting the L and D bits of the segment 733 * descriptor. In virtual-8086 mode, the default is always two bytes for both 734 * address and operand sizes. 735 * 736 * Returns: 737 * 738 * An int containing ORed-in default parameters on success. 739 * 740 * -EINVAL on error. 741 */ 742 int insn_get_code_seg_params(struct pt_regs *regs) 743 { 744 struct desc_struct *desc; 745 short sel; 746 747 if (v8086_mode(regs)) 748 /* Address and operand size are both 16-bit. */ 749 return INSN_CODE_SEG_PARAMS(2, 2); 750 751 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 752 if (sel < 0) 753 return sel; 754 755 desc = get_desc(sel); 756 if (!desc) 757 return -EINVAL; 758 759 /* 760 * The most significant byte of the Type field of the segment descriptor 761 * determines whether a segment contains data or code. If this is a data 762 * segment, return error. 763 */ 764 if (!(desc->type & BIT(3))) 765 return -EINVAL; 766 767 switch ((desc->l << 1) | desc->d) { 768 case 0: /* 769 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 770 * both 16-bit. 771 */ 772 return INSN_CODE_SEG_PARAMS(2, 2); 773 case 1: /* 774 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 775 * both 32-bit. 776 */ 777 return INSN_CODE_SEG_PARAMS(4, 4); 778 case 2: /* 779 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 780 * operand size is 32-bit. 781 */ 782 return INSN_CODE_SEG_PARAMS(4, 8); 783 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 784 /* fall through */ 785 default: 786 return -EINVAL; 787 } 788 } 789 790 /** 791 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 792 * @insn: Instruction containing the ModRM byte 793 * @regs: Register values as seen when entering kernel mode 794 * 795 * Returns: 796 * 797 * The register indicated by the r/m part of the ModRM byte. The 798 * register is obtained as an offset from the base of pt_regs. In specific 799 * cases, the returned value can be -EDOM to indicate that the particular value 800 * of ModRM does not refer to a register and shall be ignored. 801 */ 802 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 803 { 804 return get_reg_offset(insn, regs, REG_TYPE_RM); 805 } 806 807 /** 808 * get_seg_base_limit() - obtain base address and limit of a segment 809 * @insn: Instruction. Must be valid. 810 * @regs: Register values as seen when entering kernel mode 811 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 812 * @base: Obtained segment base 813 * @limit: Obtained segment limit 814 * 815 * Obtain the base address and limit of the segment associated with the operand 816 * @regoff and, if any or allowed, override prefixes in @insn. This function is 817 * different from insn_get_seg_base() as the latter does not resolve the segment 818 * associated with the instruction operand. If a limit is not needed (e.g., 819 * when running in long mode), @limit can be NULL. 820 * 821 * Returns: 822 * 823 * 0 on success. @base and @limit will contain the base address and of the 824 * resolved segment, respectively. 825 * 826 * -EINVAL on error. 827 */ 828 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 829 int regoff, unsigned long *base, 830 unsigned long *limit) 831 { 832 int seg_reg_idx; 833 834 if (!base) 835 return -EINVAL; 836 837 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 838 if (seg_reg_idx < 0) 839 return seg_reg_idx; 840 841 *base = insn_get_seg_base(regs, seg_reg_idx); 842 if (*base == -1L) 843 return -EINVAL; 844 845 if (!limit) 846 return 0; 847 848 *limit = get_seg_limit(regs, seg_reg_idx); 849 if (!(*limit)) 850 return -EINVAL; 851 852 return 0; 853 } 854 855 /** 856 * get_eff_addr_reg() - Obtain effective address from register operand 857 * @insn: Instruction. Must be valid. 858 * @regs: Register values as seen when entering kernel mode 859 * @regoff: Obtained operand offset, in pt_regs, with the effective address 860 * @eff_addr: Obtained effective address 861 * 862 * Obtain the effective address stored in the register operand as indicated by 863 * the ModRM byte. This function is to be used only with register addressing 864 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 865 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 866 * such offset can then be used to resolve the segment associated with the 867 * operand. This function can be used with any of the supported address sizes 868 * in x86. 869 * 870 * Returns: 871 * 872 * 0 on success. @eff_addr will have the effective address stored in the 873 * operand indicated by ModRM. @regoff will have such operand as an offset from 874 * the base of pt_regs. 875 * 876 * -EINVAL on error. 877 */ 878 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 879 int *regoff, long *eff_addr) 880 { 881 insn_get_modrm(insn); 882 883 if (!insn->modrm.nbytes) 884 return -EINVAL; 885 886 if (X86_MODRM_MOD(insn->modrm.value) != 3) 887 return -EINVAL; 888 889 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 890 if (*regoff < 0) 891 return -EINVAL; 892 893 /* Ignore bytes that are outside the address size. */ 894 if (insn->addr_bytes == 2) 895 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 896 else if (insn->addr_bytes == 4) 897 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 898 else /* 64-bit address */ 899 *eff_addr = regs_get_register(regs, *regoff); 900 901 return 0; 902 } 903 904 /** 905 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 906 * @insn: Instruction. Must be valid. 907 * @regs: Register values as seen when entering kernel mode 908 * @regoff: Obtained operand offset, in pt_regs, associated with segment 909 * @eff_addr: Obtained effective address 910 * 911 * Obtain the effective address referenced by the ModRM byte of @insn. After 912 * identifying the registers involved in the register-indirect memory reference, 913 * its value is obtained from the operands in @regs. The computed address is 914 * stored @eff_addr. Also, the register operand that indicates the associated 915 * segment is stored in @regoff, this parameter can later be used to determine 916 * such segment. 917 * 918 * Returns: 919 * 920 * 0 on success. @eff_addr will have the referenced effective address. @regoff 921 * will have a register, as an offset from the base of pt_regs, that can be used 922 * to resolve the associated segment. 923 * 924 * -EINVAL on error. 925 */ 926 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 927 int *regoff, long *eff_addr) 928 { 929 long tmp; 930 931 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 932 return -EINVAL; 933 934 insn_get_modrm(insn); 935 936 if (!insn->modrm.nbytes) 937 return -EINVAL; 938 939 if (X86_MODRM_MOD(insn->modrm.value) > 2) 940 return -EINVAL; 941 942 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 943 944 /* 945 * -EDOM means that we must ignore the address_offset. In such a case, 946 * in 64-bit mode the effective address relative to the rIP of the 947 * following instruction. 948 */ 949 if (*regoff == -EDOM) { 950 if (user_64bit_mode(regs)) 951 tmp = regs->ip + insn->length; 952 else 953 tmp = 0; 954 } else if (*regoff < 0) { 955 return -EINVAL; 956 } else { 957 tmp = regs_get_register(regs, *regoff); 958 } 959 960 if (insn->addr_bytes == 4) { 961 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 962 963 *eff_addr = addr32 & 0xffffffff; 964 } else { 965 *eff_addr = tmp + insn->displacement.value; 966 } 967 968 return 0; 969 } 970 971 /** 972 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 973 * @insn: Instruction. Must be valid. 974 * @regs: Register values as seen when entering kernel mode 975 * @regoff: Obtained operand offset, in pt_regs, associated with segment 976 * @eff_addr: Obtained effective address 977 * 978 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 979 * After identifying the registers involved in the register-indirect memory 980 * reference, its value is obtained from the operands in @regs. The computed 981 * address is stored @eff_addr. Also, the register operand that indicates 982 * the associated segment is stored in @regoff, this parameter can later be used 983 * to determine such segment. 984 * 985 * Returns: 986 * 987 * 0 on success. @eff_addr will have the referenced effective address. @regoff 988 * will have a register, as an offset from the base of pt_regs, that can be used 989 * to resolve the associated segment. 990 * 991 * -EINVAL on error. 992 */ 993 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 994 int *regoff, short *eff_addr) 995 { 996 int addr_offset1, addr_offset2, ret; 997 short addr1 = 0, addr2 = 0, displacement; 998 999 if (insn->addr_bytes != 2) 1000 return -EINVAL; 1001 1002 insn_get_modrm(insn); 1003 1004 if (!insn->modrm.nbytes) 1005 return -EINVAL; 1006 1007 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1008 return -EINVAL; 1009 1010 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1011 if (ret < 0) 1012 return -EINVAL; 1013 1014 /* 1015 * Don't fail on invalid offset values. They might be invalid because 1016 * they cannot be used for this particular value of ModRM. Instead, use 1017 * them in the computation only if they contain a valid value. 1018 */ 1019 if (addr_offset1 != -EDOM) 1020 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1021 1022 if (addr_offset2 != -EDOM) 1023 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1024 1025 displacement = insn->displacement.value & 0xffff; 1026 *eff_addr = addr1 + addr2 + displacement; 1027 1028 /* 1029 * The first operand register could indicate to use of either SS or DS 1030 * registers to obtain the segment selector. The second operand 1031 * register can only indicate the use of DS. Thus, the first operand 1032 * will be used to obtain the segment selector. 1033 */ 1034 *regoff = addr_offset1; 1035 1036 return 0; 1037 } 1038 1039 /** 1040 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1041 * @insn: Instruction. Must be valid. 1042 * @regs: Register values as seen when entering kernel mode 1043 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1044 * @eff_addr: Obtained effective address 1045 * 1046 * Obtain the effective address referenced by the SIB byte of @insn. After 1047 * identifying the registers involved in the indexed, register-indirect memory 1048 * reference, its value is obtained from the operands in @regs. The computed 1049 * address is stored @eff_addr. Also, the register operand that indicates the 1050 * associated segment is stored in @regoff, this parameter can later be used to 1051 * determine such segment. 1052 * 1053 * Returns: 1054 * 1055 * 0 on success. @eff_addr will have the referenced effective address. 1056 * @base_offset will have a register, as an offset from the base of pt_regs, 1057 * that can be used to resolve the associated segment. 1058 * 1059 * -EINVAL on error. 1060 */ 1061 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1062 int *base_offset, long *eff_addr) 1063 { 1064 long base, indx; 1065 int indx_offset; 1066 1067 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1068 return -EINVAL; 1069 1070 insn_get_modrm(insn); 1071 1072 if (!insn->modrm.nbytes) 1073 return -EINVAL; 1074 1075 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1076 return -EINVAL; 1077 1078 insn_get_sib(insn); 1079 1080 if (!insn->sib.nbytes) 1081 return -EINVAL; 1082 1083 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1084 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1085 1086 /* 1087 * Negative values in the base and index offset means an error when 1088 * decoding the SIB byte. Except -EDOM, which means that the registers 1089 * should not be used in the address computation. 1090 */ 1091 if (*base_offset == -EDOM) 1092 base = 0; 1093 else if (*base_offset < 0) 1094 return -EINVAL; 1095 else 1096 base = regs_get_register(regs, *base_offset); 1097 1098 if (indx_offset == -EDOM) 1099 indx = 0; 1100 else if (indx_offset < 0) 1101 return -EINVAL; 1102 else 1103 indx = regs_get_register(regs, indx_offset); 1104 1105 if (insn->addr_bytes == 4) { 1106 int addr32, base32, idx32; 1107 1108 base32 = base & 0xffffffff; 1109 idx32 = indx & 0xffffffff; 1110 1111 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1112 addr32 += insn->displacement.value; 1113 1114 *eff_addr = addr32 & 0xffffffff; 1115 } else { 1116 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1117 *eff_addr += insn->displacement.value; 1118 } 1119 1120 return 0; 1121 } 1122 1123 /** 1124 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1125 * @insn: Instruction containing ModRM byte and displacement 1126 * @regs: Register values as seen when entering kernel mode 1127 * 1128 * This function is to be used with 16-bit address encodings. Obtain the memory 1129 * address referred by the instruction's ModRM and displacement bytes. Also, the 1130 * segment used as base is determined by either any segment override prefixes in 1131 * @insn or the default segment of the registers involved in the address 1132 * computation. In protected mode, segment limits are enforced. 1133 * 1134 * Returns: 1135 * 1136 * Linear address referenced by the instruction operands on success. 1137 * 1138 * -1L on error. 1139 */ 1140 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1141 { 1142 unsigned long linear_addr = -1L, seg_base, seg_limit; 1143 int ret, regoff; 1144 short eff_addr; 1145 long tmp; 1146 1147 insn_get_modrm(insn); 1148 insn_get_displacement(insn); 1149 1150 if (insn->addr_bytes != 2) 1151 goto out; 1152 1153 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1154 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1155 if (ret) 1156 goto out; 1157 1158 eff_addr = tmp; 1159 } else { 1160 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1161 if (ret) 1162 goto out; 1163 } 1164 1165 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1166 if (ret) 1167 goto out; 1168 1169 /* 1170 * Before computing the linear address, make sure the effective address 1171 * is within the limits of the segment. In virtual-8086 mode, segment 1172 * limits are not enforced. In such a case, the segment limit is -1L to 1173 * reflect this fact. 1174 */ 1175 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1176 goto out; 1177 1178 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1179 1180 /* Limit linear address to 20 bits */ 1181 if (v8086_mode(regs)) 1182 linear_addr &= 0xfffff; 1183 1184 out: 1185 return (void __user *)linear_addr; 1186 } 1187 1188 /** 1189 * get_addr_ref_32() - Obtain a 32-bit linear address 1190 * @insn: Instruction with ModRM, SIB bytes and displacement 1191 * @regs: Register values as seen when entering kernel mode 1192 * 1193 * This function is to be used with 32-bit address encodings to obtain the 1194 * linear memory address referred by the instruction's ModRM, SIB, 1195 * displacement bytes and segment base address, as applicable. If in protected 1196 * mode, segment limits are enforced. 1197 * 1198 * Returns: 1199 * 1200 * Linear address referenced by instruction and registers on success. 1201 * 1202 * -1L on error. 1203 */ 1204 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1205 { 1206 unsigned long linear_addr = -1L, seg_base, seg_limit; 1207 int eff_addr, regoff; 1208 long tmp; 1209 int ret; 1210 1211 if (insn->addr_bytes != 4) 1212 goto out; 1213 1214 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1215 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1216 if (ret) 1217 goto out; 1218 1219 eff_addr = tmp; 1220 1221 } else { 1222 if (insn->sib.nbytes) { 1223 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1224 if (ret) 1225 goto out; 1226 1227 eff_addr = tmp; 1228 } else { 1229 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1230 if (ret) 1231 goto out; 1232 1233 eff_addr = tmp; 1234 } 1235 } 1236 1237 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1238 if (ret) 1239 goto out; 1240 1241 /* 1242 * In protected mode, before computing the linear address, make sure 1243 * the effective address is within the limits of the segment. 1244 * 32-bit addresses can be used in long and virtual-8086 modes if an 1245 * address override prefix is used. In such cases, segment limits are 1246 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1247 * to reflect this situation. 1248 * 1249 * After computed, the effective address is treated as an unsigned 1250 * quantity. 1251 */ 1252 if (!user_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1253 goto out; 1254 1255 /* 1256 * Even though 32-bit address encodings are allowed in virtual-8086 1257 * mode, the address range is still limited to [0x-0xffff]. 1258 */ 1259 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1260 goto out; 1261 1262 /* 1263 * Data type long could be 64 bits in size. Ensure that our 32-bit 1264 * effective address is not sign-extended when computing the linear 1265 * address. 1266 */ 1267 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1268 1269 /* Limit linear address to 20 bits */ 1270 if (v8086_mode(regs)) 1271 linear_addr &= 0xfffff; 1272 1273 out: 1274 return (void __user *)linear_addr; 1275 } 1276 1277 /** 1278 * get_addr_ref_64() - Obtain a 64-bit linear address 1279 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1280 * @regs: Structure with register values as seen when entering kernel mode 1281 * 1282 * This function is to be used with 64-bit address encodings to obtain the 1283 * linear memory address referred by the instruction's ModRM, SIB, 1284 * displacement bytes and segment base address, as applicable. 1285 * 1286 * Returns: 1287 * 1288 * Linear address referenced by instruction and registers on success. 1289 * 1290 * -1L on error. 1291 */ 1292 #ifndef CONFIG_X86_64 1293 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1294 { 1295 return (void __user *)-1L; 1296 } 1297 #else 1298 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1299 { 1300 unsigned long linear_addr = -1L, seg_base; 1301 int regoff, ret; 1302 long eff_addr; 1303 1304 if (insn->addr_bytes != 8) 1305 goto out; 1306 1307 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1308 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1309 if (ret) 1310 goto out; 1311 1312 } else { 1313 if (insn->sib.nbytes) { 1314 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1315 if (ret) 1316 goto out; 1317 } else { 1318 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1319 if (ret) 1320 goto out; 1321 } 1322 1323 } 1324 1325 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1326 if (ret) 1327 goto out; 1328 1329 linear_addr = (unsigned long)eff_addr + seg_base; 1330 1331 out: 1332 return (void __user *)linear_addr; 1333 } 1334 #endif /* CONFIG_X86_64 */ 1335 1336 /** 1337 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1338 * @insn: Instruction structure containing ModRM byte and displacement 1339 * @regs: Structure with register values as seen when entering kernel mode 1340 * 1341 * Obtain the linear address referred by the instruction's ModRM, SIB and 1342 * displacement bytes, and segment base, as applicable. In protected mode, 1343 * segment limits are enforced. 1344 * 1345 * Returns: 1346 * 1347 * Linear address referenced by instruction and registers on success. 1348 * 1349 * -1L on error. 1350 */ 1351 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1352 { 1353 if (!insn || !regs) 1354 return (void __user *)-1L; 1355 1356 switch (insn->addr_bytes) { 1357 case 2: 1358 return get_addr_ref_16(insn, regs); 1359 case 4: 1360 return get_addr_ref_32(insn, regs); 1361 case 8: 1362 return get_addr_ref_64(insn, regs); 1363 default: 1364 return (void __user *)-1L; 1365 } 1366 } 1367