1 /* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6 #include <linux/kernel.h> 7 #include <linux/string.h> 8 #include <linux/ratelimit.h> 9 #include <linux/mmu_context.h> 10 #include <asm/desc_defs.h> 11 #include <asm/desc.h> 12 #include <asm/inat.h> 13 #include <asm/insn.h> 14 #include <asm/insn-eval.h> 15 #include <asm/ldt.h> 16 #include <asm/vm86.h> 17 18 #undef pr_fmt 19 #define pr_fmt(fmt) "insn: " fmt 20 21 enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_REG, 24 REG_TYPE_INDEX, 25 REG_TYPE_BASE, 26 }; 27 28 /** 29 * is_string_insn() - Determine if instruction is a string instruction 30 * @insn: Instruction containing the opcode to inspect 31 * 32 * Returns: 33 * 34 * true if the instruction, determined by the opcode, is any of the 35 * string instructions as defined in the Intel Software Development manual. 36 * False otherwise. 37 */ 38 static bool is_string_insn(struct insn *insn) 39 { 40 insn_get_opcode(insn); 41 42 /* All string instructions have a 1-byte opcode. */ 43 if (insn->opcode.nbytes != 1) 44 return false; 45 46 switch (insn->opcode.bytes[0]) { 47 case 0x6c ... 0x6f: /* INS, OUTS */ 48 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 49 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 50 return true; 51 default: 52 return false; 53 } 54 } 55 56 /** 57 * insn_has_rep_prefix() - Determine if instruction has a REP prefix 58 * @insn: Instruction containing the prefix to inspect 59 * 60 * Returns: 61 * 62 * true if the instruction has a REP prefix, false if not. 63 */ 64 bool insn_has_rep_prefix(struct insn *insn) 65 { 66 insn_byte_t p; 67 int i; 68 69 insn_get_prefixes(insn); 70 71 for_each_insn_prefix(insn, i, p) { 72 if (p == 0xf2 || p == 0xf3) 73 return true; 74 } 75 76 return false; 77 } 78 79 /** 80 * get_seg_reg_override_idx() - obtain segment register override index 81 * @insn: Valid instruction with segment override prefixes 82 * 83 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 84 * 85 * Returns: 86 * 87 * A constant identifying the segment register to use, among CS, SS, DS, 88 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 89 * prefixes were found. 90 * 91 * -EINVAL in case of error. 92 */ 93 static int get_seg_reg_override_idx(struct insn *insn) 94 { 95 int idx = INAT_SEG_REG_DEFAULT; 96 int num_overrides = 0, i; 97 insn_byte_t p; 98 99 insn_get_prefixes(insn); 100 101 /* Look for any segment override prefixes. */ 102 for_each_insn_prefix(insn, i, p) { 103 insn_attr_t attr; 104 105 attr = inat_get_opcode_attribute(p); 106 switch (attr) { 107 case INAT_MAKE_PREFIX(INAT_PFX_CS): 108 idx = INAT_SEG_REG_CS; 109 num_overrides++; 110 break; 111 case INAT_MAKE_PREFIX(INAT_PFX_SS): 112 idx = INAT_SEG_REG_SS; 113 num_overrides++; 114 break; 115 case INAT_MAKE_PREFIX(INAT_PFX_DS): 116 idx = INAT_SEG_REG_DS; 117 num_overrides++; 118 break; 119 case INAT_MAKE_PREFIX(INAT_PFX_ES): 120 idx = INAT_SEG_REG_ES; 121 num_overrides++; 122 break; 123 case INAT_MAKE_PREFIX(INAT_PFX_FS): 124 idx = INAT_SEG_REG_FS; 125 num_overrides++; 126 break; 127 case INAT_MAKE_PREFIX(INAT_PFX_GS): 128 idx = INAT_SEG_REG_GS; 129 num_overrides++; 130 break; 131 /* No default action needed. */ 132 } 133 } 134 135 /* More than one segment override prefix leads to undefined behavior. */ 136 if (num_overrides > 1) 137 return -EINVAL; 138 139 return idx; 140 } 141 142 /** 143 * check_seg_overrides() - check if segment override prefixes are allowed 144 * @insn: Valid instruction with segment override prefixes 145 * @regoff: Operand offset, in pt_regs, for which the check is performed 146 * 147 * For a particular register used in register-indirect addressing, determine if 148 * segment override prefixes can be used. Specifically, no overrides are allowed 149 * for rDI if used with a string instruction. 150 * 151 * Returns: 152 * 153 * True if segment override prefixes can be used with the register indicated 154 * in @regoff. False if otherwise. 155 */ 156 static bool check_seg_overrides(struct insn *insn, int regoff) 157 { 158 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 159 return false; 160 161 return true; 162 } 163 164 /** 165 * resolve_default_seg() - resolve default segment register index for an operand 166 * @insn: Instruction with opcode and address size. Must be valid. 167 * @regs: Register values as seen when entering kernel mode 168 * @off: Operand offset, in pt_regs, for which resolution is needed 169 * 170 * Resolve the default segment register index associated with the instruction 171 * operand register indicated by @off. Such index is resolved based on defaults 172 * described in the Intel Software Development Manual. 173 * 174 * Returns: 175 * 176 * If in protected mode, a constant identifying the segment register to use, 177 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 178 * 179 * -EINVAL in case of error. 180 */ 181 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 182 { 183 if (any_64bit_mode(regs)) 184 return INAT_SEG_REG_IGNORE; 185 /* 186 * Resolve the default segment register as described in Section 3.7.4 187 * of the Intel Software Development Manual Vol. 1: 188 * 189 * + DS for all references involving r[ABCD]X, and rSI. 190 * + If used in a string instruction, ES for rDI. Otherwise, DS. 191 * + AX, CX and DX are not valid register operands in 16-bit address 192 * encodings but are valid for 32-bit and 64-bit encodings. 193 * + -EDOM is reserved to identify for cases in which no register 194 * is used (i.e., displacement-only addressing). Use DS. 195 * + SS for rSP or rBP. 196 * + CS for rIP. 197 */ 198 199 switch (off) { 200 case offsetof(struct pt_regs, ax): 201 case offsetof(struct pt_regs, cx): 202 case offsetof(struct pt_regs, dx): 203 /* Need insn to verify address size. */ 204 if (insn->addr_bytes == 2) 205 return -EINVAL; 206 207 fallthrough; 208 209 case -EDOM: 210 case offsetof(struct pt_regs, bx): 211 case offsetof(struct pt_regs, si): 212 return INAT_SEG_REG_DS; 213 214 case offsetof(struct pt_regs, di): 215 if (is_string_insn(insn)) 216 return INAT_SEG_REG_ES; 217 return INAT_SEG_REG_DS; 218 219 case offsetof(struct pt_regs, bp): 220 case offsetof(struct pt_regs, sp): 221 return INAT_SEG_REG_SS; 222 223 case offsetof(struct pt_regs, ip): 224 return INAT_SEG_REG_CS; 225 226 default: 227 return -EINVAL; 228 } 229 } 230 231 /** 232 * resolve_seg_reg() - obtain segment register index 233 * @insn: Instruction with operands 234 * @regs: Register values as seen when entering kernel mode 235 * @regoff: Operand offset, in pt_regs, used to deterimine segment register 236 * 237 * Determine the segment register associated with the operands and, if 238 * applicable, prefixes and the instruction pointed by @insn. 239 * 240 * The segment register associated to an operand used in register-indirect 241 * addressing depends on: 242 * 243 * a) Whether running in long mode (in such a case segments are ignored, except 244 * if FS or GS are used). 245 * 246 * b) Whether segment override prefixes can be used. Certain instructions and 247 * registers do not allow override prefixes. 248 * 249 * c) Whether segment overrides prefixes are found in the instruction prefixes. 250 * 251 * d) If there are not segment override prefixes or they cannot be used, the 252 * default segment register associated with the operand register is used. 253 * 254 * The function checks first if segment override prefixes can be used with the 255 * operand indicated by @regoff. If allowed, obtain such overridden segment 256 * register index. Lastly, if not prefixes were found or cannot be used, resolve 257 * the segment register index to use based on the defaults described in the 258 * Intel documentation. In long mode, all segment register indexes will be 259 * ignored, except if overrides were found for FS or GS. All these operations 260 * are done using helper functions. 261 * 262 * The operand register, @regoff, is represented as the offset from the base of 263 * pt_regs. 264 * 265 * As stated, the main use of this function is to determine the segment register 266 * index based on the instruction, its operands and prefixes. Hence, @insn 267 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 268 * @insn at all as in this case CS is used in all cases. This case is checked 269 * before proceeding further. 270 * 271 * Please note that this function does not return the value in the segment 272 * register (i.e., the segment selector) but our defined index. The segment 273 * selector needs to be obtained using get_segment_selector() and passing the 274 * segment register index resolved by this function. 275 * 276 * Returns: 277 * 278 * An index identifying the segment register to use, among CS, SS, DS, 279 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 280 * 281 * -EINVAL in case of error. 282 */ 283 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 284 { 285 int idx; 286 287 /* 288 * In the unlikely event of having to resolve the segment register 289 * index for rIP, do it first. Segment override prefixes should not 290 * be used. Hence, it is not necessary to inspect the instruction, 291 * which may be invalid at this point. 292 */ 293 if (regoff == offsetof(struct pt_regs, ip)) { 294 if (any_64bit_mode(regs)) 295 return INAT_SEG_REG_IGNORE; 296 else 297 return INAT_SEG_REG_CS; 298 } 299 300 if (!insn) 301 return -EINVAL; 302 303 if (!check_seg_overrides(insn, regoff)) 304 return resolve_default_seg(insn, regs, regoff); 305 306 idx = get_seg_reg_override_idx(insn); 307 if (idx < 0) 308 return idx; 309 310 if (idx == INAT_SEG_REG_DEFAULT) 311 return resolve_default_seg(insn, regs, regoff); 312 313 /* 314 * In long mode, segment override prefixes are ignored, except for 315 * overrides for FS and GS. 316 */ 317 if (any_64bit_mode(regs)) { 318 if (idx != INAT_SEG_REG_FS && 319 idx != INAT_SEG_REG_GS) 320 idx = INAT_SEG_REG_IGNORE; 321 } 322 323 return idx; 324 } 325 326 /** 327 * get_segment_selector() - obtain segment selector 328 * @regs: Register values as seen when entering kernel mode 329 * @seg_reg_idx: Segment register index to use 330 * 331 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 332 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 333 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 334 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 335 * registers. This done for only for completeness as in CONFIG_X86_64 segment 336 * registers are ignored. 337 * 338 * Returns: 339 * 340 * Value of the segment selector, including null when running in 341 * long mode. 342 * 343 * -EINVAL on error. 344 */ 345 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 346 { 347 #ifdef CONFIG_X86_64 348 unsigned short sel; 349 350 switch (seg_reg_idx) { 351 case INAT_SEG_REG_IGNORE: 352 return 0; 353 case INAT_SEG_REG_CS: 354 return (unsigned short)(regs->cs & 0xffff); 355 case INAT_SEG_REG_SS: 356 return (unsigned short)(regs->ss & 0xffff); 357 case INAT_SEG_REG_DS: 358 savesegment(ds, sel); 359 return sel; 360 case INAT_SEG_REG_ES: 361 savesegment(es, sel); 362 return sel; 363 case INAT_SEG_REG_FS: 364 savesegment(fs, sel); 365 return sel; 366 case INAT_SEG_REG_GS: 367 savesegment(gs, sel); 368 return sel; 369 default: 370 return -EINVAL; 371 } 372 #else /* CONFIG_X86_32 */ 373 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 374 375 if (v8086_mode(regs)) { 376 switch (seg_reg_idx) { 377 case INAT_SEG_REG_CS: 378 return (unsigned short)(regs->cs & 0xffff); 379 case INAT_SEG_REG_SS: 380 return (unsigned short)(regs->ss & 0xffff); 381 case INAT_SEG_REG_DS: 382 return vm86regs->ds; 383 case INAT_SEG_REG_ES: 384 return vm86regs->es; 385 case INAT_SEG_REG_FS: 386 return vm86regs->fs; 387 case INAT_SEG_REG_GS: 388 return vm86regs->gs; 389 case INAT_SEG_REG_IGNORE: 390 default: 391 return -EINVAL; 392 } 393 } 394 395 switch (seg_reg_idx) { 396 case INAT_SEG_REG_CS: 397 return (unsigned short)(regs->cs & 0xffff); 398 case INAT_SEG_REG_SS: 399 return (unsigned short)(regs->ss & 0xffff); 400 case INAT_SEG_REG_DS: 401 return (unsigned short)(regs->ds & 0xffff); 402 case INAT_SEG_REG_ES: 403 return (unsigned short)(regs->es & 0xffff); 404 case INAT_SEG_REG_FS: 405 return (unsigned short)(regs->fs & 0xffff); 406 case INAT_SEG_REG_GS: 407 /* 408 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. 409 * The macro below takes care of both cases. 410 */ 411 return get_user_gs(regs); 412 case INAT_SEG_REG_IGNORE: 413 default: 414 return -EINVAL; 415 } 416 #endif /* CONFIG_X86_64 */ 417 } 418 419 static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 420 enum reg_type type) 421 { 422 int regno = 0; 423 424 static const int regoff[] = { 425 offsetof(struct pt_regs, ax), 426 offsetof(struct pt_regs, cx), 427 offsetof(struct pt_regs, dx), 428 offsetof(struct pt_regs, bx), 429 offsetof(struct pt_regs, sp), 430 offsetof(struct pt_regs, bp), 431 offsetof(struct pt_regs, si), 432 offsetof(struct pt_regs, di), 433 #ifdef CONFIG_X86_64 434 offsetof(struct pt_regs, r8), 435 offsetof(struct pt_regs, r9), 436 offsetof(struct pt_regs, r10), 437 offsetof(struct pt_regs, r11), 438 offsetof(struct pt_regs, r12), 439 offsetof(struct pt_regs, r13), 440 offsetof(struct pt_regs, r14), 441 offsetof(struct pt_regs, r15), 442 #endif 443 }; 444 int nr_registers = ARRAY_SIZE(regoff); 445 /* 446 * Don't possibly decode a 32-bit instructions as 447 * reading a 64-bit-only register. 448 */ 449 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 450 nr_registers -= 8; 451 452 switch (type) { 453 case REG_TYPE_RM: 454 regno = X86_MODRM_RM(insn->modrm.value); 455 456 /* 457 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 458 * follows the ModRM byte. 459 */ 460 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 461 return -EDOM; 462 463 if (X86_REX_B(insn->rex_prefix.value)) 464 regno += 8; 465 break; 466 467 case REG_TYPE_REG: 468 regno = X86_MODRM_REG(insn->modrm.value); 469 470 if (X86_REX_R(insn->rex_prefix.value)) 471 regno += 8; 472 break; 473 474 case REG_TYPE_INDEX: 475 regno = X86_SIB_INDEX(insn->sib.value); 476 if (X86_REX_X(insn->rex_prefix.value)) 477 regno += 8; 478 479 /* 480 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 481 * portion of the address computation is null. This is 482 * true only if REX.X is 0. In such a case, the SIB index 483 * is used in the address computation. 484 */ 485 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 486 return -EDOM; 487 break; 488 489 case REG_TYPE_BASE: 490 regno = X86_SIB_BASE(insn->sib.value); 491 /* 492 * If ModRM.mod is 0 and SIB.base == 5, the base of the 493 * register-indirect addressing is 0. In this case, a 494 * 32-bit displacement follows the SIB byte. 495 */ 496 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 497 return -EDOM; 498 499 if (X86_REX_B(insn->rex_prefix.value)) 500 regno += 8; 501 break; 502 503 default: 504 pr_err_ratelimited("invalid register type: %d\n", type); 505 return -EINVAL; 506 } 507 508 if (regno >= nr_registers) { 509 WARN_ONCE(1, "decoded an instruction with an invalid register"); 510 return -EINVAL; 511 } 512 return regoff[regno]; 513 } 514 515 /** 516 * get_reg_offset_16() - Obtain offset of register indicated by instruction 517 * @insn: Instruction containing ModRM byte 518 * @regs: Register values as seen when entering kernel mode 519 * @offs1: Offset of the first operand register 520 * @offs2: Offset of the second opeand register, if applicable 521 * 522 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 523 * in @insn. This function is to be used with 16-bit address encodings. The 524 * @offs1 and @offs2 will be written with the offset of the two registers 525 * indicated by the instruction. In cases where any of the registers is not 526 * referenced by the instruction, the value will be set to -EDOM. 527 * 528 * Returns: 529 * 530 * 0 on success, -EINVAL on error. 531 */ 532 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 533 int *offs1, int *offs2) 534 { 535 /* 536 * 16-bit addressing can use one or two registers. Specifics of 537 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 538 * ModR/M Byte" of the Intel Software Development Manual. 539 */ 540 static const int regoff1[] = { 541 offsetof(struct pt_regs, bx), 542 offsetof(struct pt_regs, bx), 543 offsetof(struct pt_regs, bp), 544 offsetof(struct pt_regs, bp), 545 offsetof(struct pt_regs, si), 546 offsetof(struct pt_regs, di), 547 offsetof(struct pt_regs, bp), 548 offsetof(struct pt_regs, bx), 549 }; 550 551 static const int regoff2[] = { 552 offsetof(struct pt_regs, si), 553 offsetof(struct pt_regs, di), 554 offsetof(struct pt_regs, si), 555 offsetof(struct pt_regs, di), 556 -EDOM, 557 -EDOM, 558 -EDOM, 559 -EDOM, 560 }; 561 562 if (!offs1 || !offs2) 563 return -EINVAL; 564 565 /* Operand is a register, use the generic function. */ 566 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 567 *offs1 = insn_get_modrm_rm_off(insn, regs); 568 *offs2 = -EDOM; 569 return 0; 570 } 571 572 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 573 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 574 575 /* 576 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 577 * only addressing. This means that no registers are involved in 578 * computing the effective address. Thus, ensure that the first 579 * register offset is invalild. The second register offset is already 580 * invalid under the aforementioned conditions. 581 */ 582 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 583 (X86_MODRM_RM(insn->modrm.value) == 6)) 584 *offs1 = -EDOM; 585 586 return 0; 587 } 588 589 /** 590 * get_desc() - Obtain contents of a segment descriptor 591 * @out: Segment descriptor contents on success 592 * @sel: Segment selector 593 * 594 * Given a segment selector, obtain a pointer to the segment descriptor. 595 * Both global and local descriptor tables are supported. 596 * 597 * Returns: 598 * 599 * True on success, false on failure. 600 * 601 * NULL on error. 602 */ 603 static bool get_desc(struct desc_struct *out, unsigned short sel) 604 { 605 struct desc_ptr gdt_desc = {0, 0}; 606 unsigned long desc_base; 607 608 #ifdef CONFIG_MODIFY_LDT_SYSCALL 609 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 610 bool success = false; 611 struct ldt_struct *ldt; 612 613 /* Bits [15:3] contain the index of the desired entry. */ 614 sel >>= 3; 615 616 mutex_lock(¤t->active_mm->context.lock); 617 ldt = current->active_mm->context.ldt; 618 if (ldt && sel < ldt->nr_entries) { 619 *out = ldt->entries[sel]; 620 success = true; 621 } 622 623 mutex_unlock(¤t->active_mm->context.lock); 624 625 return success; 626 } 627 #endif 628 native_store_gdt(&gdt_desc); 629 630 /* 631 * Segment descriptors have a size of 8 bytes. Thus, the index is 632 * multiplied by 8 to obtain the memory offset of the desired descriptor 633 * from the base of the GDT. As bits [15:3] of the segment selector 634 * contain the index, it can be regarded as multiplied by 8 already. 635 * All that remains is to clear bits [2:0]. 636 */ 637 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 638 639 if (desc_base > gdt_desc.size) 640 return false; 641 642 *out = *(struct desc_struct *)(gdt_desc.address + desc_base); 643 return true; 644 } 645 646 /** 647 * insn_get_seg_base() - Obtain base address of segment descriptor. 648 * @regs: Register values as seen when entering kernel mode 649 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 650 * 651 * Obtain the base address of the segment as indicated by the segment descriptor 652 * pointed by the segment selector. The segment selector is obtained from the 653 * input segment register index @seg_reg_idx. 654 * 655 * Returns: 656 * 657 * In protected mode, base address of the segment. Zero in long mode, 658 * except when FS or GS are used. In virtual-8086 mode, the segment 659 * selector shifted 4 bits to the right. 660 * 661 * -1L in case of error. 662 */ 663 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 664 { 665 struct desc_struct desc; 666 short sel; 667 668 sel = get_segment_selector(regs, seg_reg_idx); 669 if (sel < 0) 670 return -1L; 671 672 if (v8086_mode(regs)) 673 /* 674 * Base is simply the segment selector shifted 4 675 * bits to the right. 676 */ 677 return (unsigned long)(sel << 4); 678 679 if (any_64bit_mode(regs)) { 680 /* 681 * Only FS or GS will have a base address, the rest of 682 * the segments' bases are forced to 0. 683 */ 684 unsigned long base; 685 686 if (seg_reg_idx == INAT_SEG_REG_FS) { 687 rdmsrl(MSR_FS_BASE, base); 688 } else if (seg_reg_idx == INAT_SEG_REG_GS) { 689 /* 690 * swapgs was called at the kernel entry point. Thus, 691 * MSR_KERNEL_GS_BASE will have the user-space GS base. 692 */ 693 if (user_mode(regs)) 694 rdmsrl(MSR_KERNEL_GS_BASE, base); 695 else 696 rdmsrl(MSR_GS_BASE, base); 697 } else { 698 base = 0; 699 } 700 return base; 701 } 702 703 /* In protected mode the segment selector cannot be null. */ 704 if (!sel) 705 return -1L; 706 707 if (!get_desc(&desc, sel)) 708 return -1L; 709 710 return get_desc_base(&desc); 711 } 712 713 /** 714 * get_seg_limit() - Obtain the limit of a segment descriptor 715 * @regs: Register values as seen when entering kernel mode 716 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 717 * 718 * Obtain the limit of the segment as indicated by the segment descriptor 719 * pointed by the segment selector. The segment selector is obtained from the 720 * input segment register index @seg_reg_idx. 721 * 722 * Returns: 723 * 724 * In protected mode, the limit of the segment descriptor in bytes. 725 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 726 * limit is returned as -1L to imply a limit-less segment. 727 * 728 * Zero is returned on error. 729 */ 730 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 731 { 732 struct desc_struct desc; 733 unsigned long limit; 734 short sel; 735 736 sel = get_segment_selector(regs, seg_reg_idx); 737 if (sel < 0) 738 return 0; 739 740 if (any_64bit_mode(regs) || v8086_mode(regs)) 741 return -1L; 742 743 if (!sel) 744 return 0; 745 746 if (!get_desc(&desc, sel)) 747 return 0; 748 749 /* 750 * If the granularity bit is set, the limit is given in multiples 751 * of 4096. This also means that the 12 least significant bits are 752 * not tested when checking the segment limits. In practice, 753 * this means that the segment ends in (limit << 12) + 0xfff. 754 */ 755 limit = get_desc_limit(&desc); 756 if (desc.g) 757 limit = (limit << 12) + 0xfff; 758 759 return limit; 760 } 761 762 /** 763 * insn_get_code_seg_params() - Obtain code segment parameters 764 * @regs: Structure with register values as seen when entering kernel mode 765 * 766 * Obtain address and operand sizes of the code segment. It is obtained from the 767 * selector contained in the CS register in regs. In protected mode, the default 768 * address is determined by inspecting the L and D bits of the segment 769 * descriptor. In virtual-8086 mode, the default is always two bytes for both 770 * address and operand sizes. 771 * 772 * Returns: 773 * 774 * An int containing ORed-in default parameters on success. 775 * 776 * -EINVAL on error. 777 */ 778 int insn_get_code_seg_params(struct pt_regs *regs) 779 { 780 struct desc_struct desc; 781 short sel; 782 783 if (v8086_mode(regs)) 784 /* Address and operand size are both 16-bit. */ 785 return INSN_CODE_SEG_PARAMS(2, 2); 786 787 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 788 if (sel < 0) 789 return sel; 790 791 if (!get_desc(&desc, sel)) 792 return -EINVAL; 793 794 /* 795 * The most significant byte of the Type field of the segment descriptor 796 * determines whether a segment contains data or code. If this is a data 797 * segment, return error. 798 */ 799 if (!(desc.type & BIT(3))) 800 return -EINVAL; 801 802 switch ((desc.l << 1) | desc.d) { 803 case 0: /* 804 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 805 * both 16-bit. 806 */ 807 return INSN_CODE_SEG_PARAMS(2, 2); 808 case 1: /* 809 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 810 * both 32-bit. 811 */ 812 return INSN_CODE_SEG_PARAMS(4, 4); 813 case 2: /* 814 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 815 * operand size is 32-bit. 816 */ 817 return INSN_CODE_SEG_PARAMS(4, 8); 818 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 819 fallthrough; 820 default: 821 return -EINVAL; 822 } 823 } 824 825 /** 826 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 827 * @insn: Instruction containing the ModRM byte 828 * @regs: Register values as seen when entering kernel mode 829 * 830 * Returns: 831 * 832 * The register indicated by the r/m part of the ModRM byte. The 833 * register is obtained as an offset from the base of pt_regs. In specific 834 * cases, the returned value can be -EDOM to indicate that the particular value 835 * of ModRM does not refer to a register and shall be ignored. 836 */ 837 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 838 { 839 return get_reg_offset(insn, regs, REG_TYPE_RM); 840 } 841 842 /** 843 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte 844 * @insn: Instruction containing the ModRM byte 845 * @regs: Register values as seen when entering kernel mode 846 * 847 * Returns: 848 * 849 * The register indicated by the reg part of the ModRM byte. The 850 * register is obtained as an offset from the base of pt_regs. 851 */ 852 int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs) 853 { 854 return get_reg_offset(insn, regs, REG_TYPE_REG); 855 } 856 857 /** 858 * get_seg_base_limit() - obtain base address and limit of a segment 859 * @insn: Instruction. Must be valid. 860 * @regs: Register values as seen when entering kernel mode 861 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 862 * @base: Obtained segment base 863 * @limit: Obtained segment limit 864 * 865 * Obtain the base address and limit of the segment associated with the operand 866 * @regoff and, if any or allowed, override prefixes in @insn. This function is 867 * different from insn_get_seg_base() as the latter does not resolve the segment 868 * associated with the instruction operand. If a limit is not needed (e.g., 869 * when running in long mode), @limit can be NULL. 870 * 871 * Returns: 872 * 873 * 0 on success. @base and @limit will contain the base address and of the 874 * resolved segment, respectively. 875 * 876 * -EINVAL on error. 877 */ 878 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 879 int regoff, unsigned long *base, 880 unsigned long *limit) 881 { 882 int seg_reg_idx; 883 884 if (!base) 885 return -EINVAL; 886 887 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 888 if (seg_reg_idx < 0) 889 return seg_reg_idx; 890 891 *base = insn_get_seg_base(regs, seg_reg_idx); 892 if (*base == -1L) 893 return -EINVAL; 894 895 if (!limit) 896 return 0; 897 898 *limit = get_seg_limit(regs, seg_reg_idx); 899 if (!(*limit)) 900 return -EINVAL; 901 902 return 0; 903 } 904 905 /** 906 * get_eff_addr_reg() - Obtain effective address from register operand 907 * @insn: Instruction. Must be valid. 908 * @regs: Register values as seen when entering kernel mode 909 * @regoff: Obtained operand offset, in pt_regs, with the effective address 910 * @eff_addr: Obtained effective address 911 * 912 * Obtain the effective address stored in the register operand as indicated by 913 * the ModRM byte. This function is to be used only with register addressing 914 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 915 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 916 * such offset can then be used to resolve the segment associated with the 917 * operand. This function can be used with any of the supported address sizes 918 * in x86. 919 * 920 * Returns: 921 * 922 * 0 on success. @eff_addr will have the effective address stored in the 923 * operand indicated by ModRM. @regoff will have such operand as an offset from 924 * the base of pt_regs. 925 * 926 * -EINVAL on error. 927 */ 928 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 929 int *regoff, long *eff_addr) 930 { 931 insn_get_modrm(insn); 932 933 if (!insn->modrm.nbytes) 934 return -EINVAL; 935 936 if (X86_MODRM_MOD(insn->modrm.value) != 3) 937 return -EINVAL; 938 939 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 940 if (*regoff < 0) 941 return -EINVAL; 942 943 /* Ignore bytes that are outside the address size. */ 944 if (insn->addr_bytes == 2) 945 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 946 else if (insn->addr_bytes == 4) 947 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 948 else /* 64-bit address */ 949 *eff_addr = regs_get_register(regs, *regoff); 950 951 return 0; 952 } 953 954 /** 955 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 956 * @insn: Instruction. Must be valid. 957 * @regs: Register values as seen when entering kernel mode 958 * @regoff: Obtained operand offset, in pt_regs, associated with segment 959 * @eff_addr: Obtained effective address 960 * 961 * Obtain the effective address referenced by the ModRM byte of @insn. After 962 * identifying the registers involved in the register-indirect memory reference, 963 * its value is obtained from the operands in @regs. The computed address is 964 * stored @eff_addr. Also, the register operand that indicates the associated 965 * segment is stored in @regoff, this parameter can later be used to determine 966 * such segment. 967 * 968 * Returns: 969 * 970 * 0 on success. @eff_addr will have the referenced effective address. @regoff 971 * will have a register, as an offset from the base of pt_regs, that can be used 972 * to resolve the associated segment. 973 * 974 * -EINVAL on error. 975 */ 976 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 977 int *regoff, long *eff_addr) 978 { 979 long tmp; 980 981 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 982 return -EINVAL; 983 984 insn_get_modrm(insn); 985 986 if (!insn->modrm.nbytes) 987 return -EINVAL; 988 989 if (X86_MODRM_MOD(insn->modrm.value) > 2) 990 return -EINVAL; 991 992 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 993 994 /* 995 * -EDOM means that we must ignore the address_offset. In such a case, 996 * in 64-bit mode the effective address relative to the rIP of the 997 * following instruction. 998 */ 999 if (*regoff == -EDOM) { 1000 if (any_64bit_mode(regs)) 1001 tmp = regs->ip + insn->length; 1002 else 1003 tmp = 0; 1004 } else if (*regoff < 0) { 1005 return -EINVAL; 1006 } else { 1007 tmp = regs_get_register(regs, *regoff); 1008 } 1009 1010 if (insn->addr_bytes == 4) { 1011 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 1012 1013 *eff_addr = addr32 & 0xffffffff; 1014 } else { 1015 *eff_addr = tmp + insn->displacement.value; 1016 } 1017 1018 return 0; 1019 } 1020 1021 /** 1022 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 1023 * @insn: Instruction. Must be valid. 1024 * @regs: Register values as seen when entering kernel mode 1025 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1026 * @eff_addr: Obtained effective address 1027 * 1028 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 1029 * After identifying the registers involved in the register-indirect memory 1030 * reference, its value is obtained from the operands in @regs. The computed 1031 * address is stored @eff_addr. Also, the register operand that indicates 1032 * the associated segment is stored in @regoff, this parameter can later be used 1033 * to determine such segment. 1034 * 1035 * Returns: 1036 * 1037 * 0 on success. @eff_addr will have the referenced effective address. @regoff 1038 * will have a register, as an offset from the base of pt_regs, that can be used 1039 * to resolve the associated segment. 1040 * 1041 * -EINVAL on error. 1042 */ 1043 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 1044 int *regoff, short *eff_addr) 1045 { 1046 int addr_offset1, addr_offset2, ret; 1047 short addr1 = 0, addr2 = 0, displacement; 1048 1049 if (insn->addr_bytes != 2) 1050 return -EINVAL; 1051 1052 insn_get_modrm(insn); 1053 1054 if (!insn->modrm.nbytes) 1055 return -EINVAL; 1056 1057 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1058 return -EINVAL; 1059 1060 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1061 if (ret < 0) 1062 return -EINVAL; 1063 1064 /* 1065 * Don't fail on invalid offset values. They might be invalid because 1066 * they cannot be used for this particular value of ModRM. Instead, use 1067 * them in the computation only if they contain a valid value. 1068 */ 1069 if (addr_offset1 != -EDOM) 1070 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1071 1072 if (addr_offset2 != -EDOM) 1073 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1074 1075 displacement = insn->displacement.value & 0xffff; 1076 *eff_addr = addr1 + addr2 + displacement; 1077 1078 /* 1079 * The first operand register could indicate to use of either SS or DS 1080 * registers to obtain the segment selector. The second operand 1081 * register can only indicate the use of DS. Thus, the first operand 1082 * will be used to obtain the segment selector. 1083 */ 1084 *regoff = addr_offset1; 1085 1086 return 0; 1087 } 1088 1089 /** 1090 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1091 * @insn: Instruction. Must be valid. 1092 * @regs: Register values as seen when entering kernel mode 1093 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1094 * @eff_addr: Obtained effective address 1095 * 1096 * Obtain the effective address referenced by the SIB byte of @insn. After 1097 * identifying the registers involved in the indexed, register-indirect memory 1098 * reference, its value is obtained from the operands in @regs. The computed 1099 * address is stored @eff_addr. Also, the register operand that indicates the 1100 * associated segment is stored in @regoff, this parameter can later be used to 1101 * determine such segment. 1102 * 1103 * Returns: 1104 * 1105 * 0 on success. @eff_addr will have the referenced effective address. 1106 * @base_offset will have a register, as an offset from the base of pt_regs, 1107 * that can be used to resolve the associated segment. 1108 * 1109 * -EINVAL on error. 1110 */ 1111 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1112 int *base_offset, long *eff_addr) 1113 { 1114 long base, indx; 1115 int indx_offset; 1116 1117 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1118 return -EINVAL; 1119 1120 insn_get_modrm(insn); 1121 1122 if (!insn->modrm.nbytes) 1123 return -EINVAL; 1124 1125 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1126 return -EINVAL; 1127 1128 insn_get_sib(insn); 1129 1130 if (!insn->sib.nbytes) 1131 return -EINVAL; 1132 1133 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1134 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1135 1136 /* 1137 * Negative values in the base and index offset means an error when 1138 * decoding the SIB byte. Except -EDOM, which means that the registers 1139 * should not be used in the address computation. 1140 */ 1141 if (*base_offset == -EDOM) 1142 base = 0; 1143 else if (*base_offset < 0) 1144 return -EINVAL; 1145 else 1146 base = regs_get_register(regs, *base_offset); 1147 1148 if (indx_offset == -EDOM) 1149 indx = 0; 1150 else if (indx_offset < 0) 1151 return -EINVAL; 1152 else 1153 indx = regs_get_register(regs, indx_offset); 1154 1155 if (insn->addr_bytes == 4) { 1156 int addr32, base32, idx32; 1157 1158 base32 = base & 0xffffffff; 1159 idx32 = indx & 0xffffffff; 1160 1161 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1162 addr32 += insn->displacement.value; 1163 1164 *eff_addr = addr32 & 0xffffffff; 1165 } else { 1166 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1167 *eff_addr += insn->displacement.value; 1168 } 1169 1170 return 0; 1171 } 1172 1173 /** 1174 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1175 * @insn: Instruction containing ModRM byte and displacement 1176 * @regs: Register values as seen when entering kernel mode 1177 * 1178 * This function is to be used with 16-bit address encodings. Obtain the memory 1179 * address referred by the instruction's ModRM and displacement bytes. Also, the 1180 * segment used as base is determined by either any segment override prefixes in 1181 * @insn or the default segment of the registers involved in the address 1182 * computation. In protected mode, segment limits are enforced. 1183 * 1184 * Returns: 1185 * 1186 * Linear address referenced by the instruction operands on success. 1187 * 1188 * -1L on error. 1189 */ 1190 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1191 { 1192 unsigned long linear_addr = -1L, seg_base, seg_limit; 1193 int ret, regoff; 1194 short eff_addr; 1195 long tmp; 1196 1197 insn_get_modrm(insn); 1198 insn_get_displacement(insn); 1199 1200 if (insn->addr_bytes != 2) 1201 goto out; 1202 1203 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1204 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1205 if (ret) 1206 goto out; 1207 1208 eff_addr = tmp; 1209 } else { 1210 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1211 if (ret) 1212 goto out; 1213 } 1214 1215 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1216 if (ret) 1217 goto out; 1218 1219 /* 1220 * Before computing the linear address, make sure the effective address 1221 * is within the limits of the segment. In virtual-8086 mode, segment 1222 * limits are not enforced. In such a case, the segment limit is -1L to 1223 * reflect this fact. 1224 */ 1225 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1226 goto out; 1227 1228 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1229 1230 /* Limit linear address to 20 bits */ 1231 if (v8086_mode(regs)) 1232 linear_addr &= 0xfffff; 1233 1234 out: 1235 return (void __user *)linear_addr; 1236 } 1237 1238 /** 1239 * get_addr_ref_32() - Obtain a 32-bit linear address 1240 * @insn: Instruction with ModRM, SIB bytes and displacement 1241 * @regs: Register values as seen when entering kernel mode 1242 * 1243 * This function is to be used with 32-bit address encodings to obtain the 1244 * linear memory address referred by the instruction's ModRM, SIB, 1245 * displacement bytes and segment base address, as applicable. If in protected 1246 * mode, segment limits are enforced. 1247 * 1248 * Returns: 1249 * 1250 * Linear address referenced by instruction and registers on success. 1251 * 1252 * -1L on error. 1253 */ 1254 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1255 { 1256 unsigned long linear_addr = -1L, seg_base, seg_limit; 1257 int eff_addr, regoff; 1258 long tmp; 1259 int ret; 1260 1261 if (insn->addr_bytes != 4) 1262 goto out; 1263 1264 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1265 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1266 if (ret) 1267 goto out; 1268 1269 eff_addr = tmp; 1270 1271 } else { 1272 if (insn->sib.nbytes) { 1273 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1274 if (ret) 1275 goto out; 1276 1277 eff_addr = tmp; 1278 } else { 1279 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1280 if (ret) 1281 goto out; 1282 1283 eff_addr = tmp; 1284 } 1285 } 1286 1287 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1288 if (ret) 1289 goto out; 1290 1291 /* 1292 * In protected mode, before computing the linear address, make sure 1293 * the effective address is within the limits of the segment. 1294 * 32-bit addresses can be used in long and virtual-8086 modes if an 1295 * address override prefix is used. In such cases, segment limits are 1296 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1297 * to reflect this situation. 1298 * 1299 * After computed, the effective address is treated as an unsigned 1300 * quantity. 1301 */ 1302 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1303 goto out; 1304 1305 /* 1306 * Even though 32-bit address encodings are allowed in virtual-8086 1307 * mode, the address range is still limited to [0x-0xffff]. 1308 */ 1309 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1310 goto out; 1311 1312 /* 1313 * Data type long could be 64 bits in size. Ensure that our 32-bit 1314 * effective address is not sign-extended when computing the linear 1315 * address. 1316 */ 1317 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1318 1319 /* Limit linear address to 20 bits */ 1320 if (v8086_mode(regs)) 1321 linear_addr &= 0xfffff; 1322 1323 out: 1324 return (void __user *)linear_addr; 1325 } 1326 1327 /** 1328 * get_addr_ref_64() - Obtain a 64-bit linear address 1329 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1330 * @regs: Structure with register values as seen when entering kernel mode 1331 * 1332 * This function is to be used with 64-bit address encodings to obtain the 1333 * linear memory address referred by the instruction's ModRM, SIB, 1334 * displacement bytes and segment base address, as applicable. 1335 * 1336 * Returns: 1337 * 1338 * Linear address referenced by instruction and registers on success. 1339 * 1340 * -1L on error. 1341 */ 1342 #ifndef CONFIG_X86_64 1343 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1344 { 1345 return (void __user *)-1L; 1346 } 1347 #else 1348 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1349 { 1350 unsigned long linear_addr = -1L, seg_base; 1351 int regoff, ret; 1352 long eff_addr; 1353 1354 if (insn->addr_bytes != 8) 1355 goto out; 1356 1357 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1358 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1359 if (ret) 1360 goto out; 1361 1362 } else { 1363 if (insn->sib.nbytes) { 1364 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1365 if (ret) 1366 goto out; 1367 } else { 1368 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1369 if (ret) 1370 goto out; 1371 } 1372 1373 } 1374 1375 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1376 if (ret) 1377 goto out; 1378 1379 linear_addr = (unsigned long)eff_addr + seg_base; 1380 1381 out: 1382 return (void __user *)linear_addr; 1383 } 1384 #endif /* CONFIG_X86_64 */ 1385 1386 /** 1387 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1388 * @insn: Instruction structure containing ModRM byte and displacement 1389 * @regs: Structure with register values as seen when entering kernel mode 1390 * 1391 * Obtain the linear address referred by the instruction's ModRM, SIB and 1392 * displacement bytes, and segment base, as applicable. In protected mode, 1393 * segment limits are enforced. 1394 * 1395 * Returns: 1396 * 1397 * Linear address referenced by instruction and registers on success. 1398 * 1399 * -1L on error. 1400 */ 1401 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1402 { 1403 if (!insn || !regs) 1404 return (void __user *)-1L; 1405 1406 switch (insn->addr_bytes) { 1407 case 2: 1408 return get_addr_ref_16(insn, regs); 1409 case 4: 1410 return get_addr_ref_32(insn, regs); 1411 case 8: 1412 return get_addr_ref_64(insn, regs); 1413 default: 1414 return (void __user *)-1L; 1415 } 1416 } 1417 1418 static unsigned long insn_get_effective_ip(struct pt_regs *regs) 1419 { 1420 unsigned long seg_base = 0; 1421 1422 /* 1423 * If not in user-space long mode, a custom code segment could be in 1424 * use. This is true in protected mode (if the process defined a local 1425 * descriptor table), or virtual-8086 mode. In most of the cases 1426 * seg_base will be zero as in USER_CS. 1427 */ 1428 if (!user_64bit_mode(regs)) { 1429 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS); 1430 if (seg_base == -1L) 1431 return 0; 1432 } 1433 1434 return seg_base + regs->ip; 1435 } 1436 1437 /** 1438 * insn_fetch_from_user() - Copy instruction bytes from user-space memory 1439 * @regs: Structure with register values as seen when entering kernel mode 1440 * @buf: Array to store the fetched instruction 1441 * 1442 * Gets the linear address of the instruction and copies the instruction bytes 1443 * to the buf. 1444 * 1445 * Returns: 1446 * 1447 * Number of instruction bytes copied. 1448 * 1449 * 0 if nothing was copied. 1450 */ 1451 int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1452 { 1453 unsigned long ip; 1454 int not_copied; 1455 1456 ip = insn_get_effective_ip(regs); 1457 if (!ip) 1458 return 0; 1459 1460 not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE); 1461 1462 return MAX_INSN_SIZE - not_copied; 1463 } 1464 1465 /** 1466 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory 1467 * while in atomic code 1468 * @regs: Structure with register values as seen when entering kernel mode 1469 * @buf: Array to store the fetched instruction 1470 * 1471 * Gets the linear address of the instruction and copies the instruction bytes 1472 * to the buf. This function must be used in atomic context. 1473 * 1474 * Returns: 1475 * 1476 * Number of instruction bytes copied. 1477 * 1478 * 0 if nothing was copied. 1479 */ 1480 int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1481 { 1482 unsigned long ip; 1483 int not_copied; 1484 1485 ip = insn_get_effective_ip(regs); 1486 if (!ip) 1487 return 0; 1488 1489 not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE); 1490 1491 return MAX_INSN_SIZE - not_copied; 1492 } 1493 1494 /** 1495 * insn_decode() - Decode an instruction 1496 * @insn: Structure to store decoded instruction 1497 * @regs: Structure with register values as seen when entering kernel mode 1498 * @buf: Buffer containing the instruction bytes 1499 * @buf_size: Number of instruction bytes available in buf 1500 * 1501 * Decodes the instruction provided in buf and stores the decoding results in 1502 * insn. Also determines the correct address and operand sizes. 1503 * 1504 * Returns: 1505 * 1506 * True if instruction was decoded, False otherwise. 1507 */ 1508 bool insn_decode(struct insn *insn, struct pt_regs *regs, 1509 unsigned char buf[MAX_INSN_SIZE], int buf_size) 1510 { 1511 int seg_defs; 1512 1513 insn_init(insn, buf, buf_size, user_64bit_mode(regs)); 1514 1515 /* 1516 * Override the default operand and address sizes with what is specified 1517 * in the code segment descriptor. The instruction decoder only sets 1518 * the address size it to either 4 or 8 address bytes and does nothing 1519 * for the operand bytes. This OK for most of the cases, but we could 1520 * have special cases where, for instance, a 16-bit code segment 1521 * descriptor is used. 1522 * If there is an address override prefix, the instruction decoder 1523 * correctly updates these values, even for 16-bit defaults. 1524 */ 1525 seg_defs = insn_get_code_seg_params(regs); 1526 if (seg_defs == -EINVAL) 1527 return false; 1528 1529 insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs); 1530 insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs); 1531 1532 insn_get_length(insn); 1533 if (buf_size < insn->length) 1534 return false; 1535 1536 return true; 1537 } 1538