1 /* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6 #include <linux/kernel.h> 7 #include <linux/string.h> 8 #include <linux/ratelimit.h> 9 #include <linux/mmu_context.h> 10 #include <asm/desc_defs.h> 11 #include <asm/desc.h> 12 #include <asm/inat.h> 13 #include <asm/insn.h> 14 #include <asm/insn-eval.h> 15 #include <asm/ldt.h> 16 #include <asm/vm86.h> 17 18 #undef pr_fmt 19 #define pr_fmt(fmt) "insn: " fmt 20 21 enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_INDEX, 24 REG_TYPE_BASE, 25 }; 26 27 /** 28 * is_string_insn() - Determine if instruction is a string instruction 29 * @insn: Instruction containing the opcode to inspect 30 * 31 * Returns: 32 * 33 * true if the instruction, determined by the opcode, is any of the 34 * string instructions as defined in the Intel Software Development manual. 35 * False otherwise. 36 */ 37 static bool is_string_insn(struct insn *insn) 38 { 39 insn_get_opcode(insn); 40 41 /* All string instructions have a 1-byte opcode. */ 42 if (insn->opcode.nbytes != 1) 43 return false; 44 45 switch (insn->opcode.bytes[0]) { 46 case 0x6c ... 0x6f: /* INS, OUTS */ 47 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 49 return true; 50 default: 51 return false; 52 } 53 } 54 55 /** 56 * get_seg_reg_override_idx() - obtain segment register override index 57 * @insn: Valid instruction with segment override prefixes 58 * 59 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 60 * 61 * Returns: 62 * 63 * A constant identifying the segment register to use, among CS, SS, DS, 64 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 65 * prefixes were found. 66 * 67 * -EINVAL in case of error. 68 */ 69 static int get_seg_reg_override_idx(struct insn *insn) 70 { 71 int idx = INAT_SEG_REG_DEFAULT; 72 int num_overrides = 0, i; 73 74 insn_get_prefixes(insn); 75 76 /* Look for any segment override prefixes. */ 77 for (i = 0; i < insn->prefixes.nbytes; i++) { 78 insn_attr_t attr; 79 80 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); 81 switch (attr) { 82 case INAT_MAKE_PREFIX(INAT_PFX_CS): 83 idx = INAT_SEG_REG_CS; 84 num_overrides++; 85 break; 86 case INAT_MAKE_PREFIX(INAT_PFX_SS): 87 idx = INAT_SEG_REG_SS; 88 num_overrides++; 89 break; 90 case INAT_MAKE_PREFIX(INAT_PFX_DS): 91 idx = INAT_SEG_REG_DS; 92 num_overrides++; 93 break; 94 case INAT_MAKE_PREFIX(INAT_PFX_ES): 95 idx = INAT_SEG_REG_ES; 96 num_overrides++; 97 break; 98 case INAT_MAKE_PREFIX(INAT_PFX_FS): 99 idx = INAT_SEG_REG_FS; 100 num_overrides++; 101 break; 102 case INAT_MAKE_PREFIX(INAT_PFX_GS): 103 idx = INAT_SEG_REG_GS; 104 num_overrides++; 105 break; 106 /* No default action needed. */ 107 } 108 } 109 110 /* More than one segment override prefix leads to undefined behavior. */ 111 if (num_overrides > 1) 112 return -EINVAL; 113 114 return idx; 115 } 116 117 /** 118 * check_seg_overrides() - check if segment override prefixes are allowed 119 * @insn: Valid instruction with segment override prefixes 120 * @regoff: Operand offset, in pt_regs, for which the check is performed 121 * 122 * For a particular register used in register-indirect addressing, determine if 123 * segment override prefixes can be used. Specifically, no overrides are allowed 124 * for rDI if used with a string instruction. 125 * 126 * Returns: 127 * 128 * True if segment override prefixes can be used with the register indicated 129 * in @regoff. False if otherwise. 130 */ 131 static bool check_seg_overrides(struct insn *insn, int regoff) 132 { 133 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 134 return false; 135 136 return true; 137 } 138 139 /** 140 * resolve_default_seg() - resolve default segment register index for an operand 141 * @insn: Instruction with opcode and address size. Must be valid. 142 * @regs: Register values as seen when entering kernel mode 143 * @off: Operand offset, in pt_regs, for which resolution is needed 144 * 145 * Resolve the default segment register index associated with the instruction 146 * operand register indicated by @off. Such index is resolved based on defaults 147 * described in the Intel Software Development Manual. 148 * 149 * Returns: 150 * 151 * If in protected mode, a constant identifying the segment register to use, 152 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 153 * 154 * -EINVAL in case of error. 155 */ 156 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 157 { 158 if (any_64bit_mode(regs)) 159 return INAT_SEG_REG_IGNORE; 160 /* 161 * Resolve the default segment register as described in Section 3.7.4 162 * of the Intel Software Development Manual Vol. 1: 163 * 164 * + DS for all references involving r[ABCD]X, and rSI. 165 * + If used in a string instruction, ES for rDI. Otherwise, DS. 166 * + AX, CX and DX are not valid register operands in 16-bit address 167 * encodings but are valid for 32-bit and 64-bit encodings. 168 * + -EDOM is reserved to identify for cases in which no register 169 * is used (i.e., displacement-only addressing). Use DS. 170 * + SS for rSP or rBP. 171 * + CS for rIP. 172 */ 173 174 switch (off) { 175 case offsetof(struct pt_regs, ax): 176 case offsetof(struct pt_regs, cx): 177 case offsetof(struct pt_regs, dx): 178 /* Need insn to verify address size. */ 179 if (insn->addr_bytes == 2) 180 return -EINVAL; 181 182 /* fall through */ 183 184 case -EDOM: 185 case offsetof(struct pt_regs, bx): 186 case offsetof(struct pt_regs, si): 187 return INAT_SEG_REG_DS; 188 189 case offsetof(struct pt_regs, di): 190 if (is_string_insn(insn)) 191 return INAT_SEG_REG_ES; 192 return INAT_SEG_REG_DS; 193 194 case offsetof(struct pt_regs, bp): 195 case offsetof(struct pt_regs, sp): 196 return INAT_SEG_REG_SS; 197 198 case offsetof(struct pt_regs, ip): 199 return INAT_SEG_REG_CS; 200 201 default: 202 return -EINVAL; 203 } 204 } 205 206 /** 207 * resolve_seg_reg() - obtain segment register index 208 * @insn: Instruction with operands 209 * @regs: Register values as seen when entering kernel mode 210 * @regoff: Operand offset, in pt_regs, used to deterimine segment register 211 * 212 * Determine the segment register associated with the operands and, if 213 * applicable, prefixes and the instruction pointed by @insn. 214 * 215 * The segment register associated to an operand used in register-indirect 216 * addressing depends on: 217 * 218 * a) Whether running in long mode (in such a case segments are ignored, except 219 * if FS or GS are used). 220 * 221 * b) Whether segment override prefixes can be used. Certain instructions and 222 * registers do not allow override prefixes. 223 * 224 * c) Whether segment overrides prefixes are found in the instruction prefixes. 225 * 226 * d) If there are not segment override prefixes or they cannot be used, the 227 * default segment register associated with the operand register is used. 228 * 229 * The function checks first if segment override prefixes can be used with the 230 * operand indicated by @regoff. If allowed, obtain such overridden segment 231 * register index. Lastly, if not prefixes were found or cannot be used, resolve 232 * the segment register index to use based on the defaults described in the 233 * Intel documentation. In long mode, all segment register indexes will be 234 * ignored, except if overrides were found for FS or GS. All these operations 235 * are done using helper functions. 236 * 237 * The operand register, @regoff, is represented as the offset from the base of 238 * pt_regs. 239 * 240 * As stated, the main use of this function is to determine the segment register 241 * index based on the instruction, its operands and prefixes. Hence, @insn 242 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 243 * @insn at all as in this case CS is used in all cases. This case is checked 244 * before proceeding further. 245 * 246 * Please note that this function does not return the value in the segment 247 * register (i.e., the segment selector) but our defined index. The segment 248 * selector needs to be obtained using get_segment_selector() and passing the 249 * segment register index resolved by this function. 250 * 251 * Returns: 252 * 253 * An index identifying the segment register to use, among CS, SS, DS, 254 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 255 * 256 * -EINVAL in case of error. 257 */ 258 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 259 { 260 int idx; 261 262 /* 263 * In the unlikely event of having to resolve the segment register 264 * index for rIP, do it first. Segment override prefixes should not 265 * be used. Hence, it is not necessary to inspect the instruction, 266 * which may be invalid at this point. 267 */ 268 if (regoff == offsetof(struct pt_regs, ip)) { 269 if (any_64bit_mode(regs)) 270 return INAT_SEG_REG_IGNORE; 271 else 272 return INAT_SEG_REG_CS; 273 } 274 275 if (!insn) 276 return -EINVAL; 277 278 if (!check_seg_overrides(insn, regoff)) 279 return resolve_default_seg(insn, regs, regoff); 280 281 idx = get_seg_reg_override_idx(insn); 282 if (idx < 0) 283 return idx; 284 285 if (idx == INAT_SEG_REG_DEFAULT) 286 return resolve_default_seg(insn, regs, regoff); 287 288 /* 289 * In long mode, segment override prefixes are ignored, except for 290 * overrides for FS and GS. 291 */ 292 if (any_64bit_mode(regs)) { 293 if (idx != INAT_SEG_REG_FS && 294 idx != INAT_SEG_REG_GS) 295 idx = INAT_SEG_REG_IGNORE; 296 } 297 298 return idx; 299 } 300 301 /** 302 * get_segment_selector() - obtain segment selector 303 * @regs: Register values as seen when entering kernel mode 304 * @seg_reg_idx: Segment register index to use 305 * 306 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 307 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 308 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 309 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 310 * registers. This done for only for completeness as in CONFIG_X86_64 segment 311 * registers are ignored. 312 * 313 * Returns: 314 * 315 * Value of the segment selector, including null when running in 316 * long mode. 317 * 318 * -EINVAL on error. 319 */ 320 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 321 { 322 #ifdef CONFIG_X86_64 323 unsigned short sel; 324 325 switch (seg_reg_idx) { 326 case INAT_SEG_REG_IGNORE: 327 return 0; 328 case INAT_SEG_REG_CS: 329 return (unsigned short)(regs->cs & 0xffff); 330 case INAT_SEG_REG_SS: 331 return (unsigned short)(regs->ss & 0xffff); 332 case INAT_SEG_REG_DS: 333 savesegment(ds, sel); 334 return sel; 335 case INAT_SEG_REG_ES: 336 savesegment(es, sel); 337 return sel; 338 case INAT_SEG_REG_FS: 339 savesegment(fs, sel); 340 return sel; 341 case INAT_SEG_REG_GS: 342 savesegment(gs, sel); 343 return sel; 344 default: 345 return -EINVAL; 346 } 347 #else /* CONFIG_X86_32 */ 348 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 349 350 if (v8086_mode(regs)) { 351 switch (seg_reg_idx) { 352 case INAT_SEG_REG_CS: 353 return (unsigned short)(regs->cs & 0xffff); 354 case INAT_SEG_REG_SS: 355 return (unsigned short)(regs->ss & 0xffff); 356 case INAT_SEG_REG_DS: 357 return vm86regs->ds; 358 case INAT_SEG_REG_ES: 359 return vm86regs->es; 360 case INAT_SEG_REG_FS: 361 return vm86regs->fs; 362 case INAT_SEG_REG_GS: 363 return vm86regs->gs; 364 case INAT_SEG_REG_IGNORE: 365 /* fall through */ 366 default: 367 return -EINVAL; 368 } 369 } 370 371 switch (seg_reg_idx) { 372 case INAT_SEG_REG_CS: 373 return (unsigned short)(regs->cs & 0xffff); 374 case INAT_SEG_REG_SS: 375 return (unsigned short)(regs->ss & 0xffff); 376 case INAT_SEG_REG_DS: 377 return (unsigned short)(regs->ds & 0xffff); 378 case INAT_SEG_REG_ES: 379 return (unsigned short)(regs->es & 0xffff); 380 case INAT_SEG_REG_FS: 381 return (unsigned short)(regs->fs & 0xffff); 382 case INAT_SEG_REG_GS: 383 /* 384 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. 385 * The macro below takes care of both cases. 386 */ 387 return get_user_gs(regs); 388 case INAT_SEG_REG_IGNORE: 389 /* fall through */ 390 default: 391 return -EINVAL; 392 } 393 #endif /* CONFIG_X86_64 */ 394 } 395 396 static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 397 enum reg_type type) 398 { 399 int regno = 0; 400 401 static const int regoff[] = { 402 offsetof(struct pt_regs, ax), 403 offsetof(struct pt_regs, cx), 404 offsetof(struct pt_regs, dx), 405 offsetof(struct pt_regs, bx), 406 offsetof(struct pt_regs, sp), 407 offsetof(struct pt_regs, bp), 408 offsetof(struct pt_regs, si), 409 offsetof(struct pt_regs, di), 410 #ifdef CONFIG_X86_64 411 offsetof(struct pt_regs, r8), 412 offsetof(struct pt_regs, r9), 413 offsetof(struct pt_regs, r10), 414 offsetof(struct pt_regs, r11), 415 offsetof(struct pt_regs, r12), 416 offsetof(struct pt_regs, r13), 417 offsetof(struct pt_regs, r14), 418 offsetof(struct pt_regs, r15), 419 #endif 420 }; 421 int nr_registers = ARRAY_SIZE(regoff); 422 /* 423 * Don't possibly decode a 32-bit instructions as 424 * reading a 64-bit-only register. 425 */ 426 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 427 nr_registers -= 8; 428 429 switch (type) { 430 case REG_TYPE_RM: 431 regno = X86_MODRM_RM(insn->modrm.value); 432 433 /* 434 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 435 * follows the ModRM byte. 436 */ 437 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 438 return -EDOM; 439 440 if (X86_REX_B(insn->rex_prefix.value)) 441 regno += 8; 442 break; 443 444 case REG_TYPE_INDEX: 445 regno = X86_SIB_INDEX(insn->sib.value); 446 if (X86_REX_X(insn->rex_prefix.value)) 447 regno += 8; 448 449 /* 450 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 451 * portion of the address computation is null. This is 452 * true only if REX.X is 0. In such a case, the SIB index 453 * is used in the address computation. 454 */ 455 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 456 return -EDOM; 457 break; 458 459 case REG_TYPE_BASE: 460 regno = X86_SIB_BASE(insn->sib.value); 461 /* 462 * If ModRM.mod is 0 and SIB.base == 5, the base of the 463 * register-indirect addressing is 0. In this case, a 464 * 32-bit displacement follows the SIB byte. 465 */ 466 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 467 return -EDOM; 468 469 if (X86_REX_B(insn->rex_prefix.value)) 470 regno += 8; 471 break; 472 473 default: 474 pr_err_ratelimited("invalid register type: %d\n", type); 475 return -EINVAL; 476 } 477 478 if (regno >= nr_registers) { 479 WARN_ONCE(1, "decoded an instruction with an invalid register"); 480 return -EINVAL; 481 } 482 return regoff[regno]; 483 } 484 485 /** 486 * get_reg_offset_16() - Obtain offset of register indicated by instruction 487 * @insn: Instruction containing ModRM byte 488 * @regs: Register values as seen when entering kernel mode 489 * @offs1: Offset of the first operand register 490 * @offs2: Offset of the second opeand register, if applicable 491 * 492 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 493 * in @insn. This function is to be used with 16-bit address encodings. The 494 * @offs1 and @offs2 will be written with the offset of the two registers 495 * indicated by the instruction. In cases where any of the registers is not 496 * referenced by the instruction, the value will be set to -EDOM. 497 * 498 * Returns: 499 * 500 * 0 on success, -EINVAL on error. 501 */ 502 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 503 int *offs1, int *offs2) 504 { 505 /* 506 * 16-bit addressing can use one or two registers. Specifics of 507 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 508 * ModR/M Byte" of the Intel Software Development Manual. 509 */ 510 static const int regoff1[] = { 511 offsetof(struct pt_regs, bx), 512 offsetof(struct pt_regs, bx), 513 offsetof(struct pt_regs, bp), 514 offsetof(struct pt_regs, bp), 515 offsetof(struct pt_regs, si), 516 offsetof(struct pt_regs, di), 517 offsetof(struct pt_regs, bp), 518 offsetof(struct pt_regs, bx), 519 }; 520 521 static const int regoff2[] = { 522 offsetof(struct pt_regs, si), 523 offsetof(struct pt_regs, di), 524 offsetof(struct pt_regs, si), 525 offsetof(struct pt_regs, di), 526 -EDOM, 527 -EDOM, 528 -EDOM, 529 -EDOM, 530 }; 531 532 if (!offs1 || !offs2) 533 return -EINVAL; 534 535 /* Operand is a register, use the generic function. */ 536 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 537 *offs1 = insn_get_modrm_rm_off(insn, regs); 538 *offs2 = -EDOM; 539 return 0; 540 } 541 542 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 543 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 544 545 /* 546 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 547 * only addressing. This means that no registers are involved in 548 * computing the effective address. Thus, ensure that the first 549 * register offset is invalild. The second register offset is already 550 * invalid under the aforementioned conditions. 551 */ 552 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 553 (X86_MODRM_RM(insn->modrm.value) == 6)) 554 *offs1 = -EDOM; 555 556 return 0; 557 } 558 559 /** 560 * get_desc() - Obtain contents of a segment descriptor 561 * @out: Segment descriptor contents on success 562 * @sel: Segment selector 563 * 564 * Given a segment selector, obtain a pointer to the segment descriptor. 565 * Both global and local descriptor tables are supported. 566 * 567 * Returns: 568 * 569 * True on success, false on failure. 570 * 571 * NULL on error. 572 */ 573 static bool get_desc(struct desc_struct *out, unsigned short sel) 574 { 575 struct desc_ptr gdt_desc = {0, 0}; 576 unsigned long desc_base; 577 578 #ifdef CONFIG_MODIFY_LDT_SYSCALL 579 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 580 bool success = false; 581 struct ldt_struct *ldt; 582 583 /* Bits [15:3] contain the index of the desired entry. */ 584 sel >>= 3; 585 586 mutex_lock(¤t->active_mm->context.lock); 587 ldt = current->active_mm->context.ldt; 588 if (ldt && sel < ldt->nr_entries) { 589 *out = ldt->entries[sel]; 590 success = true; 591 } 592 593 mutex_unlock(¤t->active_mm->context.lock); 594 595 return success; 596 } 597 #endif 598 native_store_gdt(&gdt_desc); 599 600 /* 601 * Segment descriptors have a size of 8 bytes. Thus, the index is 602 * multiplied by 8 to obtain the memory offset of the desired descriptor 603 * from the base of the GDT. As bits [15:3] of the segment selector 604 * contain the index, it can be regarded as multiplied by 8 already. 605 * All that remains is to clear bits [2:0]. 606 */ 607 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 608 609 if (desc_base > gdt_desc.size) 610 return false; 611 612 *out = *(struct desc_struct *)(gdt_desc.address + desc_base); 613 return true; 614 } 615 616 /** 617 * insn_get_seg_base() - Obtain base address of segment descriptor. 618 * @regs: Register values as seen when entering kernel mode 619 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 620 * 621 * Obtain the base address of the segment as indicated by the segment descriptor 622 * pointed by the segment selector. The segment selector is obtained from the 623 * input segment register index @seg_reg_idx. 624 * 625 * Returns: 626 * 627 * In protected mode, base address of the segment. Zero in long mode, 628 * except when FS or GS are used. In virtual-8086 mode, the segment 629 * selector shifted 4 bits to the right. 630 * 631 * -1L in case of error. 632 */ 633 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 634 { 635 struct desc_struct desc; 636 short sel; 637 638 sel = get_segment_selector(regs, seg_reg_idx); 639 if (sel < 0) 640 return -1L; 641 642 if (v8086_mode(regs)) 643 /* 644 * Base is simply the segment selector shifted 4 645 * bits to the right. 646 */ 647 return (unsigned long)(sel << 4); 648 649 if (any_64bit_mode(regs)) { 650 /* 651 * Only FS or GS will have a base address, the rest of 652 * the segments' bases are forced to 0. 653 */ 654 unsigned long base; 655 656 if (seg_reg_idx == INAT_SEG_REG_FS) { 657 rdmsrl(MSR_FS_BASE, base); 658 } else if (seg_reg_idx == INAT_SEG_REG_GS) { 659 /* 660 * swapgs was called at the kernel entry point. Thus, 661 * MSR_KERNEL_GS_BASE will have the user-space GS base. 662 */ 663 if (user_mode(regs)) 664 rdmsrl(MSR_KERNEL_GS_BASE, base); 665 else 666 rdmsrl(MSR_GS_BASE, base); 667 } else { 668 base = 0; 669 } 670 return base; 671 } 672 673 /* In protected mode the segment selector cannot be null. */ 674 if (!sel) 675 return -1L; 676 677 if (!get_desc(&desc, sel)) 678 return -1L; 679 680 return get_desc_base(&desc); 681 } 682 683 /** 684 * get_seg_limit() - Obtain the limit of a segment descriptor 685 * @regs: Register values as seen when entering kernel mode 686 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 687 * 688 * Obtain the limit of the segment as indicated by the segment descriptor 689 * pointed by the segment selector. The segment selector is obtained from the 690 * input segment register index @seg_reg_idx. 691 * 692 * Returns: 693 * 694 * In protected mode, the limit of the segment descriptor in bytes. 695 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 696 * limit is returned as -1L to imply a limit-less segment. 697 * 698 * Zero is returned on error. 699 */ 700 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 701 { 702 struct desc_struct desc; 703 unsigned long limit; 704 short sel; 705 706 sel = get_segment_selector(regs, seg_reg_idx); 707 if (sel < 0) 708 return 0; 709 710 if (any_64bit_mode(regs) || v8086_mode(regs)) 711 return -1L; 712 713 if (!sel) 714 return 0; 715 716 if (!get_desc(&desc, sel)) 717 return 0; 718 719 /* 720 * If the granularity bit is set, the limit is given in multiples 721 * of 4096. This also means that the 12 least significant bits are 722 * not tested when checking the segment limits. In practice, 723 * this means that the segment ends in (limit << 12) + 0xfff. 724 */ 725 limit = get_desc_limit(&desc); 726 if (desc.g) 727 limit = (limit << 12) + 0xfff; 728 729 return limit; 730 } 731 732 /** 733 * insn_get_code_seg_params() - Obtain code segment parameters 734 * @regs: Structure with register values as seen when entering kernel mode 735 * 736 * Obtain address and operand sizes of the code segment. It is obtained from the 737 * selector contained in the CS register in regs. In protected mode, the default 738 * address is determined by inspecting the L and D bits of the segment 739 * descriptor. In virtual-8086 mode, the default is always two bytes for both 740 * address and operand sizes. 741 * 742 * Returns: 743 * 744 * An int containing ORed-in default parameters on success. 745 * 746 * -EINVAL on error. 747 */ 748 int insn_get_code_seg_params(struct pt_regs *regs) 749 { 750 struct desc_struct desc; 751 short sel; 752 753 if (v8086_mode(regs)) 754 /* Address and operand size are both 16-bit. */ 755 return INSN_CODE_SEG_PARAMS(2, 2); 756 757 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 758 if (sel < 0) 759 return sel; 760 761 if (!get_desc(&desc, sel)) 762 return -EINVAL; 763 764 /* 765 * The most significant byte of the Type field of the segment descriptor 766 * determines whether a segment contains data or code. If this is a data 767 * segment, return error. 768 */ 769 if (!(desc.type & BIT(3))) 770 return -EINVAL; 771 772 switch ((desc.l << 1) | desc.d) { 773 case 0: /* 774 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 775 * both 16-bit. 776 */ 777 return INSN_CODE_SEG_PARAMS(2, 2); 778 case 1: /* 779 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 780 * both 32-bit. 781 */ 782 return INSN_CODE_SEG_PARAMS(4, 4); 783 case 2: /* 784 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 785 * operand size is 32-bit. 786 */ 787 return INSN_CODE_SEG_PARAMS(4, 8); 788 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 789 /* fall through */ 790 default: 791 return -EINVAL; 792 } 793 } 794 795 /** 796 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 797 * @insn: Instruction containing the ModRM byte 798 * @regs: Register values as seen when entering kernel mode 799 * 800 * Returns: 801 * 802 * The register indicated by the r/m part of the ModRM byte. The 803 * register is obtained as an offset from the base of pt_regs. In specific 804 * cases, the returned value can be -EDOM to indicate that the particular value 805 * of ModRM does not refer to a register and shall be ignored. 806 */ 807 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 808 { 809 return get_reg_offset(insn, regs, REG_TYPE_RM); 810 } 811 812 /** 813 * get_seg_base_limit() - obtain base address and limit of a segment 814 * @insn: Instruction. Must be valid. 815 * @regs: Register values as seen when entering kernel mode 816 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 817 * @base: Obtained segment base 818 * @limit: Obtained segment limit 819 * 820 * Obtain the base address and limit of the segment associated with the operand 821 * @regoff and, if any or allowed, override prefixes in @insn. This function is 822 * different from insn_get_seg_base() as the latter does not resolve the segment 823 * associated with the instruction operand. If a limit is not needed (e.g., 824 * when running in long mode), @limit can be NULL. 825 * 826 * Returns: 827 * 828 * 0 on success. @base and @limit will contain the base address and of the 829 * resolved segment, respectively. 830 * 831 * -EINVAL on error. 832 */ 833 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 834 int regoff, unsigned long *base, 835 unsigned long *limit) 836 { 837 int seg_reg_idx; 838 839 if (!base) 840 return -EINVAL; 841 842 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 843 if (seg_reg_idx < 0) 844 return seg_reg_idx; 845 846 *base = insn_get_seg_base(regs, seg_reg_idx); 847 if (*base == -1L) 848 return -EINVAL; 849 850 if (!limit) 851 return 0; 852 853 *limit = get_seg_limit(regs, seg_reg_idx); 854 if (!(*limit)) 855 return -EINVAL; 856 857 return 0; 858 } 859 860 /** 861 * get_eff_addr_reg() - Obtain effective address from register operand 862 * @insn: Instruction. Must be valid. 863 * @regs: Register values as seen when entering kernel mode 864 * @regoff: Obtained operand offset, in pt_regs, with the effective address 865 * @eff_addr: Obtained effective address 866 * 867 * Obtain the effective address stored in the register operand as indicated by 868 * the ModRM byte. This function is to be used only with register addressing 869 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 870 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 871 * such offset can then be used to resolve the segment associated with the 872 * operand. This function can be used with any of the supported address sizes 873 * in x86. 874 * 875 * Returns: 876 * 877 * 0 on success. @eff_addr will have the effective address stored in the 878 * operand indicated by ModRM. @regoff will have such operand as an offset from 879 * the base of pt_regs. 880 * 881 * -EINVAL on error. 882 */ 883 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 884 int *regoff, long *eff_addr) 885 { 886 insn_get_modrm(insn); 887 888 if (!insn->modrm.nbytes) 889 return -EINVAL; 890 891 if (X86_MODRM_MOD(insn->modrm.value) != 3) 892 return -EINVAL; 893 894 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 895 if (*regoff < 0) 896 return -EINVAL; 897 898 /* Ignore bytes that are outside the address size. */ 899 if (insn->addr_bytes == 2) 900 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 901 else if (insn->addr_bytes == 4) 902 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 903 else /* 64-bit address */ 904 *eff_addr = regs_get_register(regs, *regoff); 905 906 return 0; 907 } 908 909 /** 910 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 911 * @insn: Instruction. Must be valid. 912 * @regs: Register values as seen when entering kernel mode 913 * @regoff: Obtained operand offset, in pt_regs, associated with segment 914 * @eff_addr: Obtained effective address 915 * 916 * Obtain the effective address referenced by the ModRM byte of @insn. After 917 * identifying the registers involved in the register-indirect memory reference, 918 * its value is obtained from the operands in @regs. The computed address is 919 * stored @eff_addr. Also, the register operand that indicates the associated 920 * segment is stored in @regoff, this parameter can later be used to determine 921 * such segment. 922 * 923 * Returns: 924 * 925 * 0 on success. @eff_addr will have the referenced effective address. @regoff 926 * will have a register, as an offset from the base of pt_regs, that can be used 927 * to resolve the associated segment. 928 * 929 * -EINVAL on error. 930 */ 931 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 932 int *regoff, long *eff_addr) 933 { 934 long tmp; 935 936 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 937 return -EINVAL; 938 939 insn_get_modrm(insn); 940 941 if (!insn->modrm.nbytes) 942 return -EINVAL; 943 944 if (X86_MODRM_MOD(insn->modrm.value) > 2) 945 return -EINVAL; 946 947 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 948 949 /* 950 * -EDOM means that we must ignore the address_offset. In such a case, 951 * in 64-bit mode the effective address relative to the rIP of the 952 * following instruction. 953 */ 954 if (*regoff == -EDOM) { 955 if (any_64bit_mode(regs)) 956 tmp = regs->ip + insn->length; 957 else 958 tmp = 0; 959 } else if (*regoff < 0) { 960 return -EINVAL; 961 } else { 962 tmp = regs_get_register(regs, *regoff); 963 } 964 965 if (insn->addr_bytes == 4) { 966 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 967 968 *eff_addr = addr32 & 0xffffffff; 969 } else { 970 *eff_addr = tmp + insn->displacement.value; 971 } 972 973 return 0; 974 } 975 976 /** 977 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 978 * @insn: Instruction. Must be valid. 979 * @regs: Register values as seen when entering kernel mode 980 * @regoff: Obtained operand offset, in pt_regs, associated with segment 981 * @eff_addr: Obtained effective address 982 * 983 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 984 * After identifying the registers involved in the register-indirect memory 985 * reference, its value is obtained from the operands in @regs. The computed 986 * address is stored @eff_addr. Also, the register operand that indicates 987 * the associated segment is stored in @regoff, this parameter can later be used 988 * to determine such segment. 989 * 990 * Returns: 991 * 992 * 0 on success. @eff_addr will have the referenced effective address. @regoff 993 * will have a register, as an offset from the base of pt_regs, that can be used 994 * to resolve the associated segment. 995 * 996 * -EINVAL on error. 997 */ 998 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 999 int *regoff, short *eff_addr) 1000 { 1001 int addr_offset1, addr_offset2, ret; 1002 short addr1 = 0, addr2 = 0, displacement; 1003 1004 if (insn->addr_bytes != 2) 1005 return -EINVAL; 1006 1007 insn_get_modrm(insn); 1008 1009 if (!insn->modrm.nbytes) 1010 return -EINVAL; 1011 1012 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1013 return -EINVAL; 1014 1015 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1016 if (ret < 0) 1017 return -EINVAL; 1018 1019 /* 1020 * Don't fail on invalid offset values. They might be invalid because 1021 * they cannot be used for this particular value of ModRM. Instead, use 1022 * them in the computation only if they contain a valid value. 1023 */ 1024 if (addr_offset1 != -EDOM) 1025 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1026 1027 if (addr_offset2 != -EDOM) 1028 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1029 1030 displacement = insn->displacement.value & 0xffff; 1031 *eff_addr = addr1 + addr2 + displacement; 1032 1033 /* 1034 * The first operand register could indicate to use of either SS or DS 1035 * registers to obtain the segment selector. The second operand 1036 * register can only indicate the use of DS. Thus, the first operand 1037 * will be used to obtain the segment selector. 1038 */ 1039 *regoff = addr_offset1; 1040 1041 return 0; 1042 } 1043 1044 /** 1045 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1046 * @insn: Instruction. Must be valid. 1047 * @regs: Register values as seen when entering kernel mode 1048 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1049 * @eff_addr: Obtained effective address 1050 * 1051 * Obtain the effective address referenced by the SIB byte of @insn. After 1052 * identifying the registers involved in the indexed, register-indirect memory 1053 * reference, its value is obtained from the operands in @regs. The computed 1054 * address is stored @eff_addr. Also, the register operand that indicates the 1055 * associated segment is stored in @regoff, this parameter can later be used to 1056 * determine such segment. 1057 * 1058 * Returns: 1059 * 1060 * 0 on success. @eff_addr will have the referenced effective address. 1061 * @base_offset will have a register, as an offset from the base of pt_regs, 1062 * that can be used to resolve the associated segment. 1063 * 1064 * -EINVAL on error. 1065 */ 1066 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1067 int *base_offset, long *eff_addr) 1068 { 1069 long base, indx; 1070 int indx_offset; 1071 1072 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1073 return -EINVAL; 1074 1075 insn_get_modrm(insn); 1076 1077 if (!insn->modrm.nbytes) 1078 return -EINVAL; 1079 1080 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1081 return -EINVAL; 1082 1083 insn_get_sib(insn); 1084 1085 if (!insn->sib.nbytes) 1086 return -EINVAL; 1087 1088 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1089 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1090 1091 /* 1092 * Negative values in the base and index offset means an error when 1093 * decoding the SIB byte. Except -EDOM, which means that the registers 1094 * should not be used in the address computation. 1095 */ 1096 if (*base_offset == -EDOM) 1097 base = 0; 1098 else if (*base_offset < 0) 1099 return -EINVAL; 1100 else 1101 base = regs_get_register(regs, *base_offset); 1102 1103 if (indx_offset == -EDOM) 1104 indx = 0; 1105 else if (indx_offset < 0) 1106 return -EINVAL; 1107 else 1108 indx = regs_get_register(regs, indx_offset); 1109 1110 if (insn->addr_bytes == 4) { 1111 int addr32, base32, idx32; 1112 1113 base32 = base & 0xffffffff; 1114 idx32 = indx & 0xffffffff; 1115 1116 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1117 addr32 += insn->displacement.value; 1118 1119 *eff_addr = addr32 & 0xffffffff; 1120 } else { 1121 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1122 *eff_addr += insn->displacement.value; 1123 } 1124 1125 return 0; 1126 } 1127 1128 /** 1129 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1130 * @insn: Instruction containing ModRM byte and displacement 1131 * @regs: Register values as seen when entering kernel mode 1132 * 1133 * This function is to be used with 16-bit address encodings. Obtain the memory 1134 * address referred by the instruction's ModRM and displacement bytes. Also, the 1135 * segment used as base is determined by either any segment override prefixes in 1136 * @insn or the default segment of the registers involved in the address 1137 * computation. In protected mode, segment limits are enforced. 1138 * 1139 * Returns: 1140 * 1141 * Linear address referenced by the instruction operands on success. 1142 * 1143 * -1L on error. 1144 */ 1145 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1146 { 1147 unsigned long linear_addr = -1L, seg_base, seg_limit; 1148 int ret, regoff; 1149 short eff_addr; 1150 long tmp; 1151 1152 insn_get_modrm(insn); 1153 insn_get_displacement(insn); 1154 1155 if (insn->addr_bytes != 2) 1156 goto out; 1157 1158 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1159 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1160 if (ret) 1161 goto out; 1162 1163 eff_addr = tmp; 1164 } else { 1165 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1166 if (ret) 1167 goto out; 1168 } 1169 1170 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1171 if (ret) 1172 goto out; 1173 1174 /* 1175 * Before computing the linear address, make sure the effective address 1176 * is within the limits of the segment. In virtual-8086 mode, segment 1177 * limits are not enforced. In such a case, the segment limit is -1L to 1178 * reflect this fact. 1179 */ 1180 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1181 goto out; 1182 1183 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1184 1185 /* Limit linear address to 20 bits */ 1186 if (v8086_mode(regs)) 1187 linear_addr &= 0xfffff; 1188 1189 out: 1190 return (void __user *)linear_addr; 1191 } 1192 1193 /** 1194 * get_addr_ref_32() - Obtain a 32-bit linear address 1195 * @insn: Instruction with ModRM, SIB bytes and displacement 1196 * @regs: Register values as seen when entering kernel mode 1197 * 1198 * This function is to be used with 32-bit address encodings to obtain the 1199 * linear memory address referred by the instruction's ModRM, SIB, 1200 * displacement bytes and segment base address, as applicable. If in protected 1201 * mode, segment limits are enforced. 1202 * 1203 * Returns: 1204 * 1205 * Linear address referenced by instruction and registers on success. 1206 * 1207 * -1L on error. 1208 */ 1209 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1210 { 1211 unsigned long linear_addr = -1L, seg_base, seg_limit; 1212 int eff_addr, regoff; 1213 long tmp; 1214 int ret; 1215 1216 if (insn->addr_bytes != 4) 1217 goto out; 1218 1219 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1220 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1221 if (ret) 1222 goto out; 1223 1224 eff_addr = tmp; 1225 1226 } else { 1227 if (insn->sib.nbytes) { 1228 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1229 if (ret) 1230 goto out; 1231 1232 eff_addr = tmp; 1233 } else { 1234 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1235 if (ret) 1236 goto out; 1237 1238 eff_addr = tmp; 1239 } 1240 } 1241 1242 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1243 if (ret) 1244 goto out; 1245 1246 /* 1247 * In protected mode, before computing the linear address, make sure 1248 * the effective address is within the limits of the segment. 1249 * 32-bit addresses can be used in long and virtual-8086 modes if an 1250 * address override prefix is used. In such cases, segment limits are 1251 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1252 * to reflect this situation. 1253 * 1254 * After computed, the effective address is treated as an unsigned 1255 * quantity. 1256 */ 1257 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1258 goto out; 1259 1260 /* 1261 * Even though 32-bit address encodings are allowed in virtual-8086 1262 * mode, the address range is still limited to [0x-0xffff]. 1263 */ 1264 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1265 goto out; 1266 1267 /* 1268 * Data type long could be 64 bits in size. Ensure that our 32-bit 1269 * effective address is not sign-extended when computing the linear 1270 * address. 1271 */ 1272 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1273 1274 /* Limit linear address to 20 bits */ 1275 if (v8086_mode(regs)) 1276 linear_addr &= 0xfffff; 1277 1278 out: 1279 return (void __user *)linear_addr; 1280 } 1281 1282 /** 1283 * get_addr_ref_64() - Obtain a 64-bit linear address 1284 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1285 * @regs: Structure with register values as seen when entering kernel mode 1286 * 1287 * This function is to be used with 64-bit address encodings to obtain the 1288 * linear memory address referred by the instruction's ModRM, SIB, 1289 * displacement bytes and segment base address, as applicable. 1290 * 1291 * Returns: 1292 * 1293 * Linear address referenced by instruction and registers on success. 1294 * 1295 * -1L on error. 1296 */ 1297 #ifndef CONFIG_X86_64 1298 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1299 { 1300 return (void __user *)-1L; 1301 } 1302 #else 1303 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1304 { 1305 unsigned long linear_addr = -1L, seg_base; 1306 int regoff, ret; 1307 long eff_addr; 1308 1309 if (insn->addr_bytes != 8) 1310 goto out; 1311 1312 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1313 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1314 if (ret) 1315 goto out; 1316 1317 } else { 1318 if (insn->sib.nbytes) { 1319 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1320 if (ret) 1321 goto out; 1322 } else { 1323 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1324 if (ret) 1325 goto out; 1326 } 1327 1328 } 1329 1330 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1331 if (ret) 1332 goto out; 1333 1334 linear_addr = (unsigned long)eff_addr + seg_base; 1335 1336 out: 1337 return (void __user *)linear_addr; 1338 } 1339 #endif /* CONFIG_X86_64 */ 1340 1341 /** 1342 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1343 * @insn: Instruction structure containing ModRM byte and displacement 1344 * @regs: Structure with register values as seen when entering kernel mode 1345 * 1346 * Obtain the linear address referred by the instruction's ModRM, SIB and 1347 * displacement bytes, and segment base, as applicable. In protected mode, 1348 * segment limits are enforced. 1349 * 1350 * Returns: 1351 * 1352 * Linear address referenced by instruction and registers on success. 1353 * 1354 * -1L on error. 1355 */ 1356 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1357 { 1358 if (!insn || !regs) 1359 return (void __user *)-1L; 1360 1361 switch (insn->addr_bytes) { 1362 case 2: 1363 return get_addr_ref_16(insn, regs); 1364 case 4: 1365 return get_addr_ref_32(insn, regs); 1366 case 8: 1367 return get_addr_ref_64(insn, regs); 1368 default: 1369 return (void __user *)-1L; 1370 } 1371 } 1372