1 /* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6 #include <linux/kernel.h> 7 #include <linux/string.h> 8 #include <linux/ratelimit.h> 9 #include <linux/mmu_context.h> 10 #include <asm/desc_defs.h> 11 #include <asm/desc.h> 12 #include <asm/inat.h> 13 #include <asm/insn.h> 14 #include <asm/insn-eval.h> 15 #include <asm/ldt.h> 16 #include <asm/vm86.h> 17 18 #undef pr_fmt 19 #define pr_fmt(fmt) "insn: " fmt 20 21 enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_REG, 24 REG_TYPE_INDEX, 25 REG_TYPE_BASE, 26 }; 27 28 /** 29 * is_string_insn() - Determine if instruction is a string instruction 30 * @insn: Instruction containing the opcode to inspect 31 * 32 * Returns: 33 * 34 * true if the instruction, determined by the opcode, is any of the 35 * string instructions as defined in the Intel Software Development manual. 36 * False otherwise. 37 */ 38 static bool is_string_insn(struct insn *insn) 39 { 40 /* All string instructions have a 1-byte opcode. */ 41 if (insn->opcode.nbytes != 1) 42 return false; 43 44 switch (insn->opcode.bytes[0]) { 45 case 0x6c ... 0x6f: /* INS, OUTS */ 46 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 47 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 48 return true; 49 default: 50 return false; 51 } 52 } 53 54 /** 55 * insn_has_rep_prefix() - Determine if instruction has a REP prefix 56 * @insn: Instruction containing the prefix to inspect 57 * 58 * Returns: 59 * 60 * true if the instruction has a REP prefix, false if not. 61 */ 62 bool insn_has_rep_prefix(struct insn *insn) 63 { 64 insn_byte_t p; 65 int i; 66 67 insn_get_prefixes(insn); 68 69 for_each_insn_prefix(insn, i, p) { 70 if (p == 0xf2 || p == 0xf3) 71 return true; 72 } 73 74 return false; 75 } 76 77 /** 78 * get_seg_reg_override_idx() - obtain segment register override index 79 * @insn: Valid instruction with segment override prefixes 80 * 81 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 82 * 83 * Returns: 84 * 85 * A constant identifying the segment register to use, among CS, SS, DS, 86 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 87 * prefixes were found. 88 * 89 * -EINVAL in case of error. 90 */ 91 static int get_seg_reg_override_idx(struct insn *insn) 92 { 93 int idx = INAT_SEG_REG_DEFAULT; 94 int num_overrides = 0, i; 95 insn_byte_t p; 96 97 insn_get_prefixes(insn); 98 99 /* Look for any segment override prefixes. */ 100 for_each_insn_prefix(insn, i, p) { 101 insn_attr_t attr; 102 103 attr = inat_get_opcode_attribute(p); 104 switch (attr) { 105 case INAT_MAKE_PREFIX(INAT_PFX_CS): 106 idx = INAT_SEG_REG_CS; 107 num_overrides++; 108 break; 109 case INAT_MAKE_PREFIX(INAT_PFX_SS): 110 idx = INAT_SEG_REG_SS; 111 num_overrides++; 112 break; 113 case INAT_MAKE_PREFIX(INAT_PFX_DS): 114 idx = INAT_SEG_REG_DS; 115 num_overrides++; 116 break; 117 case INAT_MAKE_PREFIX(INAT_PFX_ES): 118 idx = INAT_SEG_REG_ES; 119 num_overrides++; 120 break; 121 case INAT_MAKE_PREFIX(INAT_PFX_FS): 122 idx = INAT_SEG_REG_FS; 123 num_overrides++; 124 break; 125 case INAT_MAKE_PREFIX(INAT_PFX_GS): 126 idx = INAT_SEG_REG_GS; 127 num_overrides++; 128 break; 129 /* No default action needed. */ 130 } 131 } 132 133 /* More than one segment override prefix leads to undefined behavior. */ 134 if (num_overrides > 1) 135 return -EINVAL; 136 137 return idx; 138 } 139 140 /** 141 * check_seg_overrides() - check if segment override prefixes are allowed 142 * @insn: Valid instruction with segment override prefixes 143 * @regoff: Operand offset, in pt_regs, for which the check is performed 144 * 145 * For a particular register used in register-indirect addressing, determine if 146 * segment override prefixes can be used. Specifically, no overrides are allowed 147 * for rDI if used with a string instruction. 148 * 149 * Returns: 150 * 151 * True if segment override prefixes can be used with the register indicated 152 * in @regoff. False if otherwise. 153 */ 154 static bool check_seg_overrides(struct insn *insn, int regoff) 155 { 156 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 157 return false; 158 159 return true; 160 } 161 162 /** 163 * resolve_default_seg() - resolve default segment register index for an operand 164 * @insn: Instruction with opcode and address size. Must be valid. 165 * @regs: Register values as seen when entering kernel mode 166 * @off: Operand offset, in pt_regs, for which resolution is needed 167 * 168 * Resolve the default segment register index associated with the instruction 169 * operand register indicated by @off. Such index is resolved based on defaults 170 * described in the Intel Software Development Manual. 171 * 172 * Returns: 173 * 174 * If in protected mode, a constant identifying the segment register to use, 175 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 176 * 177 * -EINVAL in case of error. 178 */ 179 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 180 { 181 if (any_64bit_mode(regs)) 182 return INAT_SEG_REG_IGNORE; 183 /* 184 * Resolve the default segment register as described in Section 3.7.4 185 * of the Intel Software Development Manual Vol. 1: 186 * 187 * + DS for all references involving r[ABCD]X, and rSI. 188 * + If used in a string instruction, ES for rDI. Otherwise, DS. 189 * + AX, CX and DX are not valid register operands in 16-bit address 190 * encodings but are valid for 32-bit and 64-bit encodings. 191 * + -EDOM is reserved to identify for cases in which no register 192 * is used (i.e., displacement-only addressing). Use DS. 193 * + SS for rSP or rBP. 194 * + CS for rIP. 195 */ 196 197 switch (off) { 198 case offsetof(struct pt_regs, ax): 199 case offsetof(struct pt_regs, cx): 200 case offsetof(struct pt_regs, dx): 201 /* Need insn to verify address size. */ 202 if (insn->addr_bytes == 2) 203 return -EINVAL; 204 205 fallthrough; 206 207 case -EDOM: 208 case offsetof(struct pt_regs, bx): 209 case offsetof(struct pt_regs, si): 210 return INAT_SEG_REG_DS; 211 212 case offsetof(struct pt_regs, di): 213 if (is_string_insn(insn)) 214 return INAT_SEG_REG_ES; 215 return INAT_SEG_REG_DS; 216 217 case offsetof(struct pt_regs, bp): 218 case offsetof(struct pt_regs, sp): 219 return INAT_SEG_REG_SS; 220 221 case offsetof(struct pt_regs, ip): 222 return INAT_SEG_REG_CS; 223 224 default: 225 return -EINVAL; 226 } 227 } 228 229 /** 230 * resolve_seg_reg() - obtain segment register index 231 * @insn: Instruction with operands 232 * @regs: Register values as seen when entering kernel mode 233 * @regoff: Operand offset, in pt_regs, used to determine segment register 234 * 235 * Determine the segment register associated with the operands and, if 236 * applicable, prefixes and the instruction pointed by @insn. 237 * 238 * The segment register associated to an operand used in register-indirect 239 * addressing depends on: 240 * 241 * a) Whether running in long mode (in such a case segments are ignored, except 242 * if FS or GS are used). 243 * 244 * b) Whether segment override prefixes can be used. Certain instructions and 245 * registers do not allow override prefixes. 246 * 247 * c) Whether segment overrides prefixes are found in the instruction prefixes. 248 * 249 * d) If there are not segment override prefixes or they cannot be used, the 250 * default segment register associated with the operand register is used. 251 * 252 * The function checks first if segment override prefixes can be used with the 253 * operand indicated by @regoff. If allowed, obtain such overridden segment 254 * register index. Lastly, if not prefixes were found or cannot be used, resolve 255 * the segment register index to use based on the defaults described in the 256 * Intel documentation. In long mode, all segment register indexes will be 257 * ignored, except if overrides were found for FS or GS. All these operations 258 * are done using helper functions. 259 * 260 * The operand register, @regoff, is represented as the offset from the base of 261 * pt_regs. 262 * 263 * As stated, the main use of this function is to determine the segment register 264 * index based on the instruction, its operands and prefixes. Hence, @insn 265 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 266 * @insn at all as in this case CS is used in all cases. This case is checked 267 * before proceeding further. 268 * 269 * Please note that this function does not return the value in the segment 270 * register (i.e., the segment selector) but our defined index. The segment 271 * selector needs to be obtained using get_segment_selector() and passing the 272 * segment register index resolved by this function. 273 * 274 * Returns: 275 * 276 * An index identifying the segment register to use, among CS, SS, DS, 277 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 278 * 279 * -EINVAL in case of error. 280 */ 281 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 282 { 283 int idx; 284 285 /* 286 * In the unlikely event of having to resolve the segment register 287 * index for rIP, do it first. Segment override prefixes should not 288 * be used. Hence, it is not necessary to inspect the instruction, 289 * which may be invalid at this point. 290 */ 291 if (regoff == offsetof(struct pt_regs, ip)) { 292 if (any_64bit_mode(regs)) 293 return INAT_SEG_REG_IGNORE; 294 else 295 return INAT_SEG_REG_CS; 296 } 297 298 if (!insn) 299 return -EINVAL; 300 301 if (!check_seg_overrides(insn, regoff)) 302 return resolve_default_seg(insn, regs, regoff); 303 304 idx = get_seg_reg_override_idx(insn); 305 if (idx < 0) 306 return idx; 307 308 if (idx == INAT_SEG_REG_DEFAULT) 309 return resolve_default_seg(insn, regs, regoff); 310 311 /* 312 * In long mode, segment override prefixes are ignored, except for 313 * overrides for FS and GS. 314 */ 315 if (any_64bit_mode(regs)) { 316 if (idx != INAT_SEG_REG_FS && 317 idx != INAT_SEG_REG_GS) 318 idx = INAT_SEG_REG_IGNORE; 319 } 320 321 return idx; 322 } 323 324 /** 325 * get_segment_selector() - obtain segment selector 326 * @regs: Register values as seen when entering kernel mode 327 * @seg_reg_idx: Segment register index to use 328 * 329 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 330 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 331 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 332 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 333 * registers. This done for only for completeness as in CONFIG_X86_64 segment 334 * registers are ignored. 335 * 336 * Returns: 337 * 338 * Value of the segment selector, including null when running in 339 * long mode. 340 * 341 * -EINVAL on error. 342 */ 343 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 344 { 345 #ifdef CONFIG_X86_64 346 unsigned short sel; 347 348 switch (seg_reg_idx) { 349 case INAT_SEG_REG_IGNORE: 350 return 0; 351 case INAT_SEG_REG_CS: 352 return (unsigned short)(regs->cs & 0xffff); 353 case INAT_SEG_REG_SS: 354 return (unsigned short)(regs->ss & 0xffff); 355 case INAT_SEG_REG_DS: 356 savesegment(ds, sel); 357 return sel; 358 case INAT_SEG_REG_ES: 359 savesegment(es, sel); 360 return sel; 361 case INAT_SEG_REG_FS: 362 savesegment(fs, sel); 363 return sel; 364 case INAT_SEG_REG_GS: 365 savesegment(gs, sel); 366 return sel; 367 default: 368 return -EINVAL; 369 } 370 #else /* CONFIG_X86_32 */ 371 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 372 373 if (v8086_mode(regs)) { 374 switch (seg_reg_idx) { 375 case INAT_SEG_REG_CS: 376 return (unsigned short)(regs->cs & 0xffff); 377 case INAT_SEG_REG_SS: 378 return (unsigned short)(regs->ss & 0xffff); 379 case INAT_SEG_REG_DS: 380 return vm86regs->ds; 381 case INAT_SEG_REG_ES: 382 return vm86regs->es; 383 case INAT_SEG_REG_FS: 384 return vm86regs->fs; 385 case INAT_SEG_REG_GS: 386 return vm86regs->gs; 387 case INAT_SEG_REG_IGNORE: 388 default: 389 return -EINVAL; 390 } 391 } 392 393 switch (seg_reg_idx) { 394 case INAT_SEG_REG_CS: 395 return (unsigned short)(regs->cs & 0xffff); 396 case INAT_SEG_REG_SS: 397 return (unsigned short)(regs->ss & 0xffff); 398 case INAT_SEG_REG_DS: 399 return (unsigned short)(regs->ds & 0xffff); 400 case INAT_SEG_REG_ES: 401 return (unsigned short)(regs->es & 0xffff); 402 case INAT_SEG_REG_FS: 403 return (unsigned short)(regs->fs & 0xffff); 404 case INAT_SEG_REG_GS: 405 return get_user_gs(regs); 406 case INAT_SEG_REG_IGNORE: 407 default: 408 return -EINVAL; 409 } 410 #endif /* CONFIG_X86_64 */ 411 } 412 413 static const int pt_regoff[] = { 414 offsetof(struct pt_regs, ax), 415 offsetof(struct pt_regs, cx), 416 offsetof(struct pt_regs, dx), 417 offsetof(struct pt_regs, bx), 418 offsetof(struct pt_regs, sp), 419 offsetof(struct pt_regs, bp), 420 offsetof(struct pt_regs, si), 421 offsetof(struct pt_regs, di), 422 #ifdef CONFIG_X86_64 423 offsetof(struct pt_regs, r8), 424 offsetof(struct pt_regs, r9), 425 offsetof(struct pt_regs, r10), 426 offsetof(struct pt_regs, r11), 427 offsetof(struct pt_regs, r12), 428 offsetof(struct pt_regs, r13), 429 offsetof(struct pt_regs, r14), 430 offsetof(struct pt_regs, r15), 431 #else 432 offsetof(struct pt_regs, ds), 433 offsetof(struct pt_regs, es), 434 offsetof(struct pt_regs, fs), 435 offsetof(struct pt_regs, gs), 436 #endif 437 }; 438 439 int pt_regs_offset(struct pt_regs *regs, int regno) 440 { 441 if ((unsigned)regno < ARRAY_SIZE(pt_regoff)) 442 return pt_regoff[regno]; 443 return -EDOM; 444 } 445 446 static int get_regno(struct insn *insn, enum reg_type type) 447 { 448 int nr_registers = ARRAY_SIZE(pt_regoff); 449 int regno = 0; 450 451 /* 452 * Don't possibly decode a 32-bit instructions as 453 * reading a 64-bit-only register. 454 */ 455 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 456 nr_registers -= 8; 457 458 switch (type) { 459 case REG_TYPE_RM: 460 regno = X86_MODRM_RM(insn->modrm.value); 461 462 /* 463 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 464 * follows the ModRM byte. 465 */ 466 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 467 return -EDOM; 468 469 if (X86_REX_B(insn->rex_prefix.value)) 470 regno += 8; 471 break; 472 473 case REG_TYPE_REG: 474 regno = X86_MODRM_REG(insn->modrm.value); 475 476 if (X86_REX_R(insn->rex_prefix.value)) 477 regno += 8; 478 break; 479 480 case REG_TYPE_INDEX: 481 regno = X86_SIB_INDEX(insn->sib.value); 482 if (X86_REX_X(insn->rex_prefix.value)) 483 regno += 8; 484 485 /* 486 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 487 * portion of the address computation is null. This is 488 * true only if REX.X is 0. In such a case, the SIB index 489 * is used in the address computation. 490 */ 491 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 492 return -EDOM; 493 break; 494 495 case REG_TYPE_BASE: 496 regno = X86_SIB_BASE(insn->sib.value); 497 /* 498 * If ModRM.mod is 0 and SIB.base == 5, the base of the 499 * register-indirect addressing is 0. In this case, a 500 * 32-bit displacement follows the SIB byte. 501 */ 502 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 503 return -EDOM; 504 505 if (X86_REX_B(insn->rex_prefix.value)) 506 regno += 8; 507 break; 508 509 default: 510 pr_err_ratelimited("invalid register type: %d\n", type); 511 return -EINVAL; 512 } 513 514 if (regno >= nr_registers) { 515 WARN_ONCE(1, "decoded an instruction with an invalid register"); 516 return -EINVAL; 517 } 518 return regno; 519 } 520 521 static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 522 enum reg_type type) 523 { 524 int regno = get_regno(insn, type); 525 526 if (regno < 0) 527 return regno; 528 529 return pt_regs_offset(regs, regno); 530 } 531 532 /** 533 * get_reg_offset_16() - Obtain offset of register indicated by instruction 534 * @insn: Instruction containing ModRM byte 535 * @regs: Register values as seen when entering kernel mode 536 * @offs1: Offset of the first operand register 537 * @offs2: Offset of the second operand register, if applicable 538 * 539 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 540 * in @insn. This function is to be used with 16-bit address encodings. The 541 * @offs1 and @offs2 will be written with the offset of the two registers 542 * indicated by the instruction. In cases where any of the registers is not 543 * referenced by the instruction, the value will be set to -EDOM. 544 * 545 * Returns: 546 * 547 * 0 on success, -EINVAL on error. 548 */ 549 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 550 int *offs1, int *offs2) 551 { 552 /* 553 * 16-bit addressing can use one or two registers. Specifics of 554 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 555 * ModR/M Byte" of the Intel Software Development Manual. 556 */ 557 static const int regoff1[] = { 558 offsetof(struct pt_regs, bx), 559 offsetof(struct pt_regs, bx), 560 offsetof(struct pt_regs, bp), 561 offsetof(struct pt_regs, bp), 562 offsetof(struct pt_regs, si), 563 offsetof(struct pt_regs, di), 564 offsetof(struct pt_regs, bp), 565 offsetof(struct pt_regs, bx), 566 }; 567 568 static const int regoff2[] = { 569 offsetof(struct pt_regs, si), 570 offsetof(struct pt_regs, di), 571 offsetof(struct pt_regs, si), 572 offsetof(struct pt_regs, di), 573 -EDOM, 574 -EDOM, 575 -EDOM, 576 -EDOM, 577 }; 578 579 if (!offs1 || !offs2) 580 return -EINVAL; 581 582 /* Operand is a register, use the generic function. */ 583 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 584 *offs1 = insn_get_modrm_rm_off(insn, regs); 585 *offs2 = -EDOM; 586 return 0; 587 } 588 589 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 590 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 591 592 /* 593 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 594 * only addressing. This means that no registers are involved in 595 * computing the effective address. Thus, ensure that the first 596 * register offset is invalid. The second register offset is already 597 * invalid under the aforementioned conditions. 598 */ 599 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 600 (X86_MODRM_RM(insn->modrm.value) == 6)) 601 *offs1 = -EDOM; 602 603 return 0; 604 } 605 606 /** 607 * get_desc() - Obtain contents of a segment descriptor 608 * @out: Segment descriptor contents on success 609 * @sel: Segment selector 610 * 611 * Given a segment selector, obtain a pointer to the segment descriptor. 612 * Both global and local descriptor tables are supported. 613 * 614 * Returns: 615 * 616 * True on success, false on failure. 617 * 618 * NULL on error. 619 */ 620 static bool get_desc(struct desc_struct *out, unsigned short sel) 621 { 622 struct desc_ptr gdt_desc = {0, 0}; 623 unsigned long desc_base; 624 625 #ifdef CONFIG_MODIFY_LDT_SYSCALL 626 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 627 bool success = false; 628 struct ldt_struct *ldt; 629 630 /* Bits [15:3] contain the index of the desired entry. */ 631 sel >>= 3; 632 633 mutex_lock(¤t->active_mm->context.lock); 634 ldt = current->active_mm->context.ldt; 635 if (ldt && sel < ldt->nr_entries) { 636 *out = ldt->entries[sel]; 637 success = true; 638 } 639 640 mutex_unlock(¤t->active_mm->context.lock); 641 642 return success; 643 } 644 #endif 645 native_store_gdt(&gdt_desc); 646 647 /* 648 * Segment descriptors have a size of 8 bytes. Thus, the index is 649 * multiplied by 8 to obtain the memory offset of the desired descriptor 650 * from the base of the GDT. As bits [15:3] of the segment selector 651 * contain the index, it can be regarded as multiplied by 8 already. 652 * All that remains is to clear bits [2:0]. 653 */ 654 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 655 656 if (desc_base > gdt_desc.size) 657 return false; 658 659 *out = *(struct desc_struct *)(gdt_desc.address + desc_base); 660 return true; 661 } 662 663 /** 664 * insn_get_seg_base() - Obtain base address of segment descriptor. 665 * @regs: Register values as seen when entering kernel mode 666 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 667 * 668 * Obtain the base address of the segment as indicated by the segment descriptor 669 * pointed by the segment selector. The segment selector is obtained from the 670 * input segment register index @seg_reg_idx. 671 * 672 * Returns: 673 * 674 * In protected mode, base address of the segment. Zero in long mode, 675 * except when FS or GS are used. In virtual-8086 mode, the segment 676 * selector shifted 4 bits to the right. 677 * 678 * -1L in case of error. 679 */ 680 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 681 { 682 struct desc_struct desc; 683 short sel; 684 685 sel = get_segment_selector(regs, seg_reg_idx); 686 if (sel < 0) 687 return -1L; 688 689 if (v8086_mode(regs)) 690 /* 691 * Base is simply the segment selector shifted 4 692 * bits to the right. 693 */ 694 return (unsigned long)(sel << 4); 695 696 if (any_64bit_mode(regs)) { 697 /* 698 * Only FS or GS will have a base address, the rest of 699 * the segments' bases are forced to 0. 700 */ 701 unsigned long base; 702 703 if (seg_reg_idx == INAT_SEG_REG_FS) { 704 rdmsrl(MSR_FS_BASE, base); 705 } else if (seg_reg_idx == INAT_SEG_REG_GS) { 706 /* 707 * swapgs was called at the kernel entry point. Thus, 708 * MSR_KERNEL_GS_BASE will have the user-space GS base. 709 */ 710 if (user_mode(regs)) 711 rdmsrl(MSR_KERNEL_GS_BASE, base); 712 else 713 rdmsrl(MSR_GS_BASE, base); 714 } else { 715 base = 0; 716 } 717 return base; 718 } 719 720 /* In protected mode the segment selector cannot be null. */ 721 if (!sel) 722 return -1L; 723 724 if (!get_desc(&desc, sel)) 725 return -1L; 726 727 return get_desc_base(&desc); 728 } 729 730 /** 731 * get_seg_limit() - Obtain the limit of a segment descriptor 732 * @regs: Register values as seen when entering kernel mode 733 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 734 * 735 * Obtain the limit of the segment as indicated by the segment descriptor 736 * pointed by the segment selector. The segment selector is obtained from the 737 * input segment register index @seg_reg_idx. 738 * 739 * Returns: 740 * 741 * In protected mode, the limit of the segment descriptor in bytes. 742 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 743 * limit is returned as -1L to imply a limit-less segment. 744 * 745 * Zero is returned on error. 746 */ 747 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 748 { 749 struct desc_struct desc; 750 unsigned long limit; 751 short sel; 752 753 sel = get_segment_selector(regs, seg_reg_idx); 754 if (sel < 0) 755 return 0; 756 757 if (any_64bit_mode(regs) || v8086_mode(regs)) 758 return -1L; 759 760 if (!sel) 761 return 0; 762 763 if (!get_desc(&desc, sel)) 764 return 0; 765 766 /* 767 * If the granularity bit is set, the limit is given in multiples 768 * of 4096. This also means that the 12 least significant bits are 769 * not tested when checking the segment limits. In practice, 770 * this means that the segment ends in (limit << 12) + 0xfff. 771 */ 772 limit = get_desc_limit(&desc); 773 if (desc.g) 774 limit = (limit << 12) + 0xfff; 775 776 return limit; 777 } 778 779 /** 780 * insn_get_code_seg_params() - Obtain code segment parameters 781 * @regs: Structure with register values as seen when entering kernel mode 782 * 783 * Obtain address and operand sizes of the code segment. It is obtained from the 784 * selector contained in the CS register in regs. In protected mode, the default 785 * address is determined by inspecting the L and D bits of the segment 786 * descriptor. In virtual-8086 mode, the default is always two bytes for both 787 * address and operand sizes. 788 * 789 * Returns: 790 * 791 * An int containing ORed-in default parameters on success. 792 * 793 * -EINVAL on error. 794 */ 795 int insn_get_code_seg_params(struct pt_regs *regs) 796 { 797 struct desc_struct desc; 798 short sel; 799 800 if (v8086_mode(regs)) 801 /* Address and operand size are both 16-bit. */ 802 return INSN_CODE_SEG_PARAMS(2, 2); 803 804 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 805 if (sel < 0) 806 return sel; 807 808 if (!get_desc(&desc, sel)) 809 return -EINVAL; 810 811 /* 812 * The most significant byte of the Type field of the segment descriptor 813 * determines whether a segment contains data or code. If this is a data 814 * segment, return error. 815 */ 816 if (!(desc.type & BIT(3))) 817 return -EINVAL; 818 819 switch ((desc.l << 1) | desc.d) { 820 case 0: /* 821 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 822 * both 16-bit. 823 */ 824 return INSN_CODE_SEG_PARAMS(2, 2); 825 case 1: /* 826 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 827 * both 32-bit. 828 */ 829 return INSN_CODE_SEG_PARAMS(4, 4); 830 case 2: /* 831 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 832 * operand size is 32-bit. 833 */ 834 return INSN_CODE_SEG_PARAMS(4, 8); 835 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 836 fallthrough; 837 default: 838 return -EINVAL; 839 } 840 } 841 842 /** 843 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 844 * @insn: Instruction containing the ModRM byte 845 * @regs: Register values as seen when entering kernel mode 846 * 847 * Returns: 848 * 849 * The register indicated by the r/m part of the ModRM byte. The 850 * register is obtained as an offset from the base of pt_regs. In specific 851 * cases, the returned value can be -EDOM to indicate that the particular value 852 * of ModRM does not refer to a register and shall be ignored. 853 */ 854 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 855 { 856 return get_reg_offset(insn, regs, REG_TYPE_RM); 857 } 858 859 /** 860 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte 861 * @insn: Instruction containing the ModRM byte 862 * @regs: Register values as seen when entering kernel mode 863 * 864 * Returns: 865 * 866 * The register indicated by the reg part of the ModRM byte. The 867 * register is obtained as an offset from the base of pt_regs. 868 */ 869 int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs) 870 { 871 return get_reg_offset(insn, regs, REG_TYPE_REG); 872 } 873 874 /** 875 * insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte 876 * @insn: Instruction containing the ModRM byte 877 * @regs: Register values as seen when entering kernel mode 878 * 879 * Returns: 880 * 881 * The register indicated by the reg part of the ModRM byte. 882 * The register is obtained as a pointer within pt_regs. 883 */ 884 unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs) 885 { 886 int offset; 887 888 offset = insn_get_modrm_reg_off(insn, regs); 889 if (offset < 0) 890 return NULL; 891 return (void *)regs + offset; 892 } 893 894 /** 895 * get_seg_base_limit() - obtain base address and limit of a segment 896 * @insn: Instruction. Must be valid. 897 * @regs: Register values as seen when entering kernel mode 898 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 899 * @base: Obtained segment base 900 * @limit: Obtained segment limit 901 * 902 * Obtain the base address and limit of the segment associated with the operand 903 * @regoff and, if any or allowed, override prefixes in @insn. This function is 904 * different from insn_get_seg_base() as the latter does not resolve the segment 905 * associated with the instruction operand. If a limit is not needed (e.g., 906 * when running in long mode), @limit can be NULL. 907 * 908 * Returns: 909 * 910 * 0 on success. @base and @limit will contain the base address and of the 911 * resolved segment, respectively. 912 * 913 * -EINVAL on error. 914 */ 915 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 916 int regoff, unsigned long *base, 917 unsigned long *limit) 918 { 919 int seg_reg_idx; 920 921 if (!base) 922 return -EINVAL; 923 924 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 925 if (seg_reg_idx < 0) 926 return seg_reg_idx; 927 928 *base = insn_get_seg_base(regs, seg_reg_idx); 929 if (*base == -1L) 930 return -EINVAL; 931 932 if (!limit) 933 return 0; 934 935 *limit = get_seg_limit(regs, seg_reg_idx); 936 if (!(*limit)) 937 return -EINVAL; 938 939 return 0; 940 } 941 942 /** 943 * get_eff_addr_reg() - Obtain effective address from register operand 944 * @insn: Instruction. Must be valid. 945 * @regs: Register values as seen when entering kernel mode 946 * @regoff: Obtained operand offset, in pt_regs, with the effective address 947 * @eff_addr: Obtained effective address 948 * 949 * Obtain the effective address stored in the register operand as indicated by 950 * the ModRM byte. This function is to be used only with register addressing 951 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 952 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 953 * such offset can then be used to resolve the segment associated with the 954 * operand. This function can be used with any of the supported address sizes 955 * in x86. 956 * 957 * Returns: 958 * 959 * 0 on success. @eff_addr will have the effective address stored in the 960 * operand indicated by ModRM. @regoff will have such operand as an offset from 961 * the base of pt_regs. 962 * 963 * -EINVAL on error. 964 */ 965 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 966 int *regoff, long *eff_addr) 967 { 968 int ret; 969 970 ret = insn_get_modrm(insn); 971 if (ret) 972 return ret; 973 974 if (X86_MODRM_MOD(insn->modrm.value) != 3) 975 return -EINVAL; 976 977 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 978 if (*regoff < 0) 979 return -EINVAL; 980 981 /* Ignore bytes that are outside the address size. */ 982 if (insn->addr_bytes == 2) 983 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 984 else if (insn->addr_bytes == 4) 985 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 986 else /* 64-bit address */ 987 *eff_addr = regs_get_register(regs, *regoff); 988 989 return 0; 990 } 991 992 /** 993 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 994 * @insn: Instruction. Must be valid. 995 * @regs: Register values as seen when entering kernel mode 996 * @regoff: Obtained operand offset, in pt_regs, associated with segment 997 * @eff_addr: Obtained effective address 998 * 999 * Obtain the effective address referenced by the ModRM byte of @insn. After 1000 * identifying the registers involved in the register-indirect memory reference, 1001 * its value is obtained from the operands in @regs. The computed address is 1002 * stored @eff_addr. Also, the register operand that indicates the associated 1003 * segment is stored in @regoff, this parameter can later be used to determine 1004 * such segment. 1005 * 1006 * Returns: 1007 * 1008 * 0 on success. @eff_addr will have the referenced effective address. @regoff 1009 * will have a register, as an offset from the base of pt_regs, that can be used 1010 * to resolve the associated segment. 1011 * 1012 * -EINVAL on error. 1013 */ 1014 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 1015 int *regoff, long *eff_addr) 1016 { 1017 long tmp; 1018 int ret; 1019 1020 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1021 return -EINVAL; 1022 1023 ret = insn_get_modrm(insn); 1024 if (ret) 1025 return ret; 1026 1027 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1028 return -EINVAL; 1029 1030 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 1031 1032 /* 1033 * -EDOM means that we must ignore the address_offset. In such a case, 1034 * in 64-bit mode the effective address relative to the rIP of the 1035 * following instruction. 1036 */ 1037 if (*regoff == -EDOM) { 1038 if (any_64bit_mode(regs)) 1039 tmp = regs->ip + insn->length; 1040 else 1041 tmp = 0; 1042 } else if (*regoff < 0) { 1043 return -EINVAL; 1044 } else { 1045 tmp = regs_get_register(regs, *regoff); 1046 } 1047 1048 if (insn->addr_bytes == 4) { 1049 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 1050 1051 *eff_addr = addr32 & 0xffffffff; 1052 } else { 1053 *eff_addr = tmp + insn->displacement.value; 1054 } 1055 1056 return 0; 1057 } 1058 1059 /** 1060 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 1061 * @insn: Instruction. Must be valid. 1062 * @regs: Register values as seen when entering kernel mode 1063 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1064 * @eff_addr: Obtained effective address 1065 * 1066 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 1067 * After identifying the registers involved in the register-indirect memory 1068 * reference, its value is obtained from the operands in @regs. The computed 1069 * address is stored @eff_addr. Also, the register operand that indicates 1070 * the associated segment is stored in @regoff, this parameter can later be used 1071 * to determine such segment. 1072 * 1073 * Returns: 1074 * 1075 * 0 on success. @eff_addr will have the referenced effective address. @regoff 1076 * will have a register, as an offset from the base of pt_regs, that can be used 1077 * to resolve the associated segment. 1078 * 1079 * -EINVAL on error. 1080 */ 1081 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 1082 int *regoff, short *eff_addr) 1083 { 1084 int addr_offset1, addr_offset2, ret; 1085 short addr1 = 0, addr2 = 0, displacement; 1086 1087 if (insn->addr_bytes != 2) 1088 return -EINVAL; 1089 1090 insn_get_modrm(insn); 1091 1092 if (!insn->modrm.nbytes) 1093 return -EINVAL; 1094 1095 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1096 return -EINVAL; 1097 1098 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1099 if (ret < 0) 1100 return -EINVAL; 1101 1102 /* 1103 * Don't fail on invalid offset values. They might be invalid because 1104 * they cannot be used for this particular value of ModRM. Instead, use 1105 * them in the computation only if they contain a valid value. 1106 */ 1107 if (addr_offset1 != -EDOM) 1108 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1109 1110 if (addr_offset2 != -EDOM) 1111 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1112 1113 displacement = insn->displacement.value & 0xffff; 1114 *eff_addr = addr1 + addr2 + displacement; 1115 1116 /* 1117 * The first operand register could indicate to use of either SS or DS 1118 * registers to obtain the segment selector. The second operand 1119 * register can only indicate the use of DS. Thus, the first operand 1120 * will be used to obtain the segment selector. 1121 */ 1122 *regoff = addr_offset1; 1123 1124 return 0; 1125 } 1126 1127 /** 1128 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1129 * @insn: Instruction. Must be valid. 1130 * @regs: Register values as seen when entering kernel mode 1131 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1132 * @eff_addr: Obtained effective address 1133 * 1134 * Obtain the effective address referenced by the SIB byte of @insn. After 1135 * identifying the registers involved in the indexed, register-indirect memory 1136 * reference, its value is obtained from the operands in @regs. The computed 1137 * address is stored @eff_addr. Also, the register operand that indicates the 1138 * associated segment is stored in @regoff, this parameter can later be used to 1139 * determine such segment. 1140 * 1141 * Returns: 1142 * 1143 * 0 on success. @eff_addr will have the referenced effective address. 1144 * @base_offset will have a register, as an offset from the base of pt_regs, 1145 * that can be used to resolve the associated segment. 1146 * 1147 * Negative value on error. 1148 */ 1149 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1150 int *base_offset, long *eff_addr) 1151 { 1152 long base, indx; 1153 int indx_offset; 1154 int ret; 1155 1156 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1157 return -EINVAL; 1158 1159 ret = insn_get_modrm(insn); 1160 if (ret) 1161 return ret; 1162 1163 if (!insn->modrm.nbytes) 1164 return -EINVAL; 1165 1166 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1167 return -EINVAL; 1168 1169 ret = insn_get_sib(insn); 1170 if (ret) 1171 return ret; 1172 1173 if (!insn->sib.nbytes) 1174 return -EINVAL; 1175 1176 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1177 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1178 1179 /* 1180 * Negative values in the base and index offset means an error when 1181 * decoding the SIB byte. Except -EDOM, which means that the registers 1182 * should not be used in the address computation. 1183 */ 1184 if (*base_offset == -EDOM) 1185 base = 0; 1186 else if (*base_offset < 0) 1187 return -EINVAL; 1188 else 1189 base = regs_get_register(regs, *base_offset); 1190 1191 if (indx_offset == -EDOM) 1192 indx = 0; 1193 else if (indx_offset < 0) 1194 return -EINVAL; 1195 else 1196 indx = regs_get_register(regs, indx_offset); 1197 1198 if (insn->addr_bytes == 4) { 1199 int addr32, base32, idx32; 1200 1201 base32 = base & 0xffffffff; 1202 idx32 = indx & 0xffffffff; 1203 1204 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1205 addr32 += insn->displacement.value; 1206 1207 *eff_addr = addr32 & 0xffffffff; 1208 } else { 1209 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1210 *eff_addr += insn->displacement.value; 1211 } 1212 1213 return 0; 1214 } 1215 1216 /** 1217 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1218 * @insn: Instruction containing ModRM byte and displacement 1219 * @regs: Register values as seen when entering kernel mode 1220 * 1221 * This function is to be used with 16-bit address encodings. Obtain the memory 1222 * address referred by the instruction's ModRM and displacement bytes. Also, the 1223 * segment used as base is determined by either any segment override prefixes in 1224 * @insn or the default segment of the registers involved in the address 1225 * computation. In protected mode, segment limits are enforced. 1226 * 1227 * Returns: 1228 * 1229 * Linear address referenced by the instruction operands on success. 1230 * 1231 * -1L on error. 1232 */ 1233 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1234 { 1235 unsigned long linear_addr = -1L, seg_base, seg_limit; 1236 int ret, regoff; 1237 short eff_addr; 1238 long tmp; 1239 1240 if (insn_get_displacement(insn)) 1241 goto out; 1242 1243 if (insn->addr_bytes != 2) 1244 goto out; 1245 1246 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1247 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1248 if (ret) 1249 goto out; 1250 1251 eff_addr = tmp; 1252 } else { 1253 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1254 if (ret) 1255 goto out; 1256 } 1257 1258 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1259 if (ret) 1260 goto out; 1261 1262 /* 1263 * Before computing the linear address, make sure the effective address 1264 * is within the limits of the segment. In virtual-8086 mode, segment 1265 * limits are not enforced. In such a case, the segment limit is -1L to 1266 * reflect this fact. 1267 */ 1268 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1269 goto out; 1270 1271 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1272 1273 /* Limit linear address to 20 bits */ 1274 if (v8086_mode(regs)) 1275 linear_addr &= 0xfffff; 1276 1277 out: 1278 return (void __user *)linear_addr; 1279 } 1280 1281 /** 1282 * get_addr_ref_32() - Obtain a 32-bit linear address 1283 * @insn: Instruction with ModRM, SIB bytes and displacement 1284 * @regs: Register values as seen when entering kernel mode 1285 * 1286 * This function is to be used with 32-bit address encodings to obtain the 1287 * linear memory address referred by the instruction's ModRM, SIB, 1288 * displacement bytes and segment base address, as applicable. If in protected 1289 * mode, segment limits are enforced. 1290 * 1291 * Returns: 1292 * 1293 * Linear address referenced by instruction and registers on success. 1294 * 1295 * -1L on error. 1296 */ 1297 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1298 { 1299 unsigned long linear_addr = -1L, seg_base, seg_limit; 1300 int eff_addr, regoff; 1301 long tmp; 1302 int ret; 1303 1304 if (insn->addr_bytes != 4) 1305 goto out; 1306 1307 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1308 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1309 if (ret) 1310 goto out; 1311 1312 eff_addr = tmp; 1313 1314 } else { 1315 if (insn->sib.nbytes) { 1316 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1317 if (ret) 1318 goto out; 1319 1320 eff_addr = tmp; 1321 } else { 1322 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1323 if (ret) 1324 goto out; 1325 1326 eff_addr = tmp; 1327 } 1328 } 1329 1330 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1331 if (ret) 1332 goto out; 1333 1334 /* 1335 * In protected mode, before computing the linear address, make sure 1336 * the effective address is within the limits of the segment. 1337 * 32-bit addresses can be used in long and virtual-8086 modes if an 1338 * address override prefix is used. In such cases, segment limits are 1339 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1340 * to reflect this situation. 1341 * 1342 * After computed, the effective address is treated as an unsigned 1343 * quantity. 1344 */ 1345 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1346 goto out; 1347 1348 /* 1349 * Even though 32-bit address encodings are allowed in virtual-8086 1350 * mode, the address range is still limited to [0x-0xffff]. 1351 */ 1352 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1353 goto out; 1354 1355 /* 1356 * Data type long could be 64 bits in size. Ensure that our 32-bit 1357 * effective address is not sign-extended when computing the linear 1358 * address. 1359 */ 1360 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1361 1362 /* Limit linear address to 20 bits */ 1363 if (v8086_mode(regs)) 1364 linear_addr &= 0xfffff; 1365 1366 out: 1367 return (void __user *)linear_addr; 1368 } 1369 1370 /** 1371 * get_addr_ref_64() - Obtain a 64-bit linear address 1372 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1373 * @regs: Structure with register values as seen when entering kernel mode 1374 * 1375 * This function is to be used with 64-bit address encodings to obtain the 1376 * linear memory address referred by the instruction's ModRM, SIB, 1377 * displacement bytes and segment base address, as applicable. 1378 * 1379 * Returns: 1380 * 1381 * Linear address referenced by instruction and registers on success. 1382 * 1383 * -1L on error. 1384 */ 1385 #ifndef CONFIG_X86_64 1386 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1387 { 1388 return (void __user *)-1L; 1389 } 1390 #else 1391 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1392 { 1393 unsigned long linear_addr = -1L, seg_base; 1394 int regoff, ret; 1395 long eff_addr; 1396 1397 if (insn->addr_bytes != 8) 1398 goto out; 1399 1400 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1401 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1402 if (ret) 1403 goto out; 1404 1405 } else { 1406 if (insn->sib.nbytes) { 1407 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1408 if (ret) 1409 goto out; 1410 } else { 1411 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1412 if (ret) 1413 goto out; 1414 } 1415 1416 } 1417 1418 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1419 if (ret) 1420 goto out; 1421 1422 linear_addr = (unsigned long)eff_addr + seg_base; 1423 1424 out: 1425 return (void __user *)linear_addr; 1426 } 1427 #endif /* CONFIG_X86_64 */ 1428 1429 /** 1430 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1431 * @insn: Instruction structure containing ModRM byte and displacement 1432 * @regs: Structure with register values as seen when entering kernel mode 1433 * 1434 * Obtain the linear address referred by the instruction's ModRM, SIB and 1435 * displacement bytes, and segment base, as applicable. In protected mode, 1436 * segment limits are enforced. 1437 * 1438 * Returns: 1439 * 1440 * Linear address referenced by instruction and registers on success. 1441 * 1442 * -1L on error. 1443 */ 1444 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1445 { 1446 if (!insn || !regs) 1447 return (void __user *)-1L; 1448 1449 if (insn_get_opcode(insn)) 1450 return (void __user *)-1L; 1451 1452 switch (insn->addr_bytes) { 1453 case 2: 1454 return get_addr_ref_16(insn, regs); 1455 case 4: 1456 return get_addr_ref_32(insn, regs); 1457 case 8: 1458 return get_addr_ref_64(insn, regs); 1459 default: 1460 return (void __user *)-1L; 1461 } 1462 } 1463 1464 int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip) 1465 { 1466 unsigned long seg_base = 0; 1467 1468 /* 1469 * If not in user-space long mode, a custom code segment could be in 1470 * use. This is true in protected mode (if the process defined a local 1471 * descriptor table), or virtual-8086 mode. In most of the cases 1472 * seg_base will be zero as in USER_CS. 1473 */ 1474 if (!user_64bit_mode(regs)) { 1475 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS); 1476 if (seg_base == -1L) 1477 return -EINVAL; 1478 } 1479 1480 *ip = seg_base + regs->ip; 1481 1482 return 0; 1483 } 1484 1485 /** 1486 * insn_fetch_from_user() - Copy instruction bytes from user-space memory 1487 * @regs: Structure with register values as seen when entering kernel mode 1488 * @buf: Array to store the fetched instruction 1489 * 1490 * Gets the linear address of the instruction and copies the instruction bytes 1491 * to the buf. 1492 * 1493 * Returns: 1494 * 1495 * - number of instruction bytes copied. 1496 * - 0 if nothing was copied. 1497 * - -EINVAL if the linear address of the instruction could not be calculated 1498 */ 1499 int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1500 { 1501 unsigned long ip; 1502 int not_copied; 1503 1504 if (insn_get_effective_ip(regs, &ip)) 1505 return -EINVAL; 1506 1507 not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE); 1508 1509 return MAX_INSN_SIZE - not_copied; 1510 } 1511 1512 /** 1513 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory 1514 * while in atomic code 1515 * @regs: Structure with register values as seen when entering kernel mode 1516 * @buf: Array to store the fetched instruction 1517 * 1518 * Gets the linear address of the instruction and copies the instruction bytes 1519 * to the buf. This function must be used in atomic context. 1520 * 1521 * Returns: 1522 * 1523 * - number of instruction bytes copied. 1524 * - 0 if nothing was copied. 1525 * - -EINVAL if the linear address of the instruction could not be calculated. 1526 */ 1527 int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1528 { 1529 unsigned long ip; 1530 int not_copied; 1531 1532 if (insn_get_effective_ip(regs, &ip)) 1533 return -EINVAL; 1534 1535 not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE); 1536 1537 return MAX_INSN_SIZE - not_copied; 1538 } 1539 1540 /** 1541 * insn_decode_from_regs() - Decode an instruction 1542 * @insn: Structure to store decoded instruction 1543 * @regs: Structure with register values as seen when entering kernel mode 1544 * @buf: Buffer containing the instruction bytes 1545 * @buf_size: Number of instruction bytes available in buf 1546 * 1547 * Decodes the instruction provided in buf and stores the decoding results in 1548 * insn. Also determines the correct address and operand sizes. 1549 * 1550 * Returns: 1551 * 1552 * True if instruction was decoded, False otherwise. 1553 */ 1554 bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs, 1555 unsigned char buf[MAX_INSN_SIZE], int buf_size) 1556 { 1557 int seg_defs; 1558 1559 insn_init(insn, buf, buf_size, user_64bit_mode(regs)); 1560 1561 /* 1562 * Override the default operand and address sizes with what is specified 1563 * in the code segment descriptor. The instruction decoder only sets 1564 * the address size it to either 4 or 8 address bytes and does nothing 1565 * for the operand bytes. This OK for most of the cases, but we could 1566 * have special cases where, for instance, a 16-bit code segment 1567 * descriptor is used. 1568 * If there is an address override prefix, the instruction decoder 1569 * correctly updates these values, even for 16-bit defaults. 1570 */ 1571 seg_defs = insn_get_code_seg_params(regs); 1572 if (seg_defs == -EINVAL) 1573 return false; 1574 1575 insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs); 1576 insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs); 1577 1578 if (insn_get_length(insn)) 1579 return false; 1580 1581 if (buf_size < insn->length) 1582 return false; 1583 1584 return true; 1585 } 1586 1587 /** 1588 * insn_decode_mmio() - Decode a MMIO instruction 1589 * @insn: Structure to store decoded instruction 1590 * @bytes: Returns size of memory operand 1591 * 1592 * Decodes instruction that used for Memory-mapped I/O. 1593 * 1594 * Returns: 1595 * 1596 * Type of the instruction. Size of the memory operand is stored in 1597 * @bytes. If decode failed, MMIO_DECODE_FAILED returned. 1598 */ 1599 enum mmio_type insn_decode_mmio(struct insn *insn, int *bytes) 1600 { 1601 enum mmio_type type = MMIO_DECODE_FAILED; 1602 1603 *bytes = 0; 1604 1605 if (insn_get_opcode(insn)) 1606 return MMIO_DECODE_FAILED; 1607 1608 switch (insn->opcode.bytes[0]) { 1609 case 0x88: /* MOV m8,r8 */ 1610 *bytes = 1; 1611 fallthrough; 1612 case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */ 1613 if (!*bytes) 1614 *bytes = insn->opnd_bytes; 1615 type = MMIO_WRITE; 1616 break; 1617 1618 case 0xc6: /* MOV m8, imm8 */ 1619 *bytes = 1; 1620 fallthrough; 1621 case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */ 1622 if (!*bytes) 1623 *bytes = insn->opnd_bytes; 1624 type = MMIO_WRITE_IMM; 1625 break; 1626 1627 case 0x8a: /* MOV r8, m8 */ 1628 *bytes = 1; 1629 fallthrough; 1630 case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */ 1631 if (!*bytes) 1632 *bytes = insn->opnd_bytes; 1633 type = MMIO_READ; 1634 break; 1635 1636 case 0xa4: /* MOVS m8, m8 */ 1637 *bytes = 1; 1638 fallthrough; 1639 case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */ 1640 if (!*bytes) 1641 *bytes = insn->opnd_bytes; 1642 type = MMIO_MOVS; 1643 break; 1644 1645 case 0x0f: /* Two-byte instruction */ 1646 switch (insn->opcode.bytes[1]) { 1647 case 0xb6: /* MOVZX r16/r32/r64, m8 */ 1648 *bytes = 1; 1649 fallthrough; 1650 case 0xb7: /* MOVZX r32/r64, m16 */ 1651 if (!*bytes) 1652 *bytes = 2; 1653 type = MMIO_READ_ZERO_EXTEND; 1654 break; 1655 1656 case 0xbe: /* MOVSX r16/r32/r64, m8 */ 1657 *bytes = 1; 1658 fallthrough; 1659 case 0xbf: /* MOVSX r32/r64, m16 */ 1660 if (!*bytes) 1661 *bytes = 2; 1662 type = MMIO_READ_SIGN_EXTEND; 1663 break; 1664 } 1665 break; 1666 } 1667 1668 return type; 1669 } 1670