1 /* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6 #include <linux/kernel.h> 7 #include <linux/string.h> 8 #include <linux/ratelimit.h> 9 #include <linux/mmu_context.h> 10 #include <asm/desc_defs.h> 11 #include <asm/desc.h> 12 #include <asm/inat.h> 13 #include <asm/insn.h> 14 #include <asm/insn-eval.h> 15 #include <asm/ldt.h> 16 #include <asm/vm86.h> 17 18 #undef pr_fmt 19 #define pr_fmt(fmt) "insn: " fmt 20 21 enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_INDEX, 24 REG_TYPE_BASE, 25 }; 26 27 /** 28 * is_string_insn() - Determine if instruction is a string instruction 29 * @insn: Instruction containing the opcode to inspect 30 * 31 * Returns: 32 * 33 * true if the instruction, determined by the opcode, is any of the 34 * string instructions as defined in the Intel Software Development manual. 35 * False otherwise. 36 */ 37 static bool is_string_insn(struct insn *insn) 38 { 39 insn_get_opcode(insn); 40 41 /* All string instructions have a 1-byte opcode. */ 42 if (insn->opcode.nbytes != 1) 43 return false; 44 45 switch (insn->opcode.bytes[0]) { 46 case 0x6c ... 0x6f: /* INS, OUTS */ 47 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 49 return true; 50 default: 51 return false; 52 } 53 } 54 55 /** 56 * get_seg_reg_override_idx() - obtain segment register override index 57 * @insn: Valid instruction with segment override prefixes 58 * 59 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 60 * 61 * Returns: 62 * 63 * A constant identifying the segment register to use, among CS, SS, DS, 64 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 65 * prefixes were found. 66 * 67 * -EINVAL in case of error. 68 */ 69 static int get_seg_reg_override_idx(struct insn *insn) 70 { 71 int idx = INAT_SEG_REG_DEFAULT; 72 int num_overrides = 0, i; 73 74 insn_get_prefixes(insn); 75 76 /* Look for any segment override prefixes. */ 77 for (i = 0; i < insn->prefixes.nbytes; i++) { 78 insn_attr_t attr; 79 80 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); 81 switch (attr) { 82 case INAT_MAKE_PREFIX(INAT_PFX_CS): 83 idx = INAT_SEG_REG_CS; 84 num_overrides++; 85 break; 86 case INAT_MAKE_PREFIX(INAT_PFX_SS): 87 idx = INAT_SEG_REG_SS; 88 num_overrides++; 89 break; 90 case INAT_MAKE_PREFIX(INAT_PFX_DS): 91 idx = INAT_SEG_REG_DS; 92 num_overrides++; 93 break; 94 case INAT_MAKE_PREFIX(INAT_PFX_ES): 95 idx = INAT_SEG_REG_ES; 96 num_overrides++; 97 break; 98 case INAT_MAKE_PREFIX(INAT_PFX_FS): 99 idx = INAT_SEG_REG_FS; 100 num_overrides++; 101 break; 102 case INAT_MAKE_PREFIX(INAT_PFX_GS): 103 idx = INAT_SEG_REG_GS; 104 num_overrides++; 105 break; 106 /* No default action needed. */ 107 } 108 } 109 110 /* More than one segment override prefix leads to undefined behavior. */ 111 if (num_overrides > 1) 112 return -EINVAL; 113 114 return idx; 115 } 116 117 /** 118 * check_seg_overrides() - check if segment override prefixes are allowed 119 * @insn: Valid instruction with segment override prefixes 120 * @regoff: Operand offset, in pt_regs, for which the check is performed 121 * 122 * For a particular register used in register-indirect addressing, determine if 123 * segment override prefixes can be used. Specifically, no overrides are allowed 124 * for rDI if used with a string instruction. 125 * 126 * Returns: 127 * 128 * True if segment override prefixes can be used with the register indicated 129 * in @regoff. False if otherwise. 130 */ 131 static bool check_seg_overrides(struct insn *insn, int regoff) 132 { 133 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 134 return false; 135 136 return true; 137 } 138 139 /** 140 * resolve_default_seg() - resolve default segment register index for an operand 141 * @insn: Instruction with opcode and address size. Must be valid. 142 * @regs: Register values as seen when entering kernel mode 143 * @off: Operand offset, in pt_regs, for which resolution is needed 144 * 145 * Resolve the default segment register index associated with the instruction 146 * operand register indicated by @off. Such index is resolved based on defaults 147 * described in the Intel Software Development Manual. 148 * 149 * Returns: 150 * 151 * If in protected mode, a constant identifying the segment register to use, 152 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 153 * 154 * -EINVAL in case of error. 155 */ 156 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 157 { 158 if (any_64bit_mode(regs)) 159 return INAT_SEG_REG_IGNORE; 160 /* 161 * Resolve the default segment register as described in Section 3.7.4 162 * of the Intel Software Development Manual Vol. 1: 163 * 164 * + DS for all references involving r[ABCD]X, and rSI. 165 * + If used in a string instruction, ES for rDI. Otherwise, DS. 166 * + AX, CX and DX are not valid register operands in 16-bit address 167 * encodings but are valid for 32-bit and 64-bit encodings. 168 * + -EDOM is reserved to identify for cases in which no register 169 * is used (i.e., displacement-only addressing). Use DS. 170 * + SS for rSP or rBP. 171 * + CS for rIP. 172 */ 173 174 switch (off) { 175 case offsetof(struct pt_regs, ax): 176 case offsetof(struct pt_regs, cx): 177 case offsetof(struct pt_regs, dx): 178 /* Need insn to verify address size. */ 179 if (insn->addr_bytes == 2) 180 return -EINVAL; 181 182 fallthrough; 183 184 case -EDOM: 185 case offsetof(struct pt_regs, bx): 186 case offsetof(struct pt_regs, si): 187 return INAT_SEG_REG_DS; 188 189 case offsetof(struct pt_regs, di): 190 if (is_string_insn(insn)) 191 return INAT_SEG_REG_ES; 192 return INAT_SEG_REG_DS; 193 194 case offsetof(struct pt_regs, bp): 195 case offsetof(struct pt_regs, sp): 196 return INAT_SEG_REG_SS; 197 198 case offsetof(struct pt_regs, ip): 199 return INAT_SEG_REG_CS; 200 201 default: 202 return -EINVAL; 203 } 204 } 205 206 /** 207 * resolve_seg_reg() - obtain segment register index 208 * @insn: Instruction with operands 209 * @regs: Register values as seen when entering kernel mode 210 * @regoff: Operand offset, in pt_regs, used to deterimine segment register 211 * 212 * Determine the segment register associated with the operands and, if 213 * applicable, prefixes and the instruction pointed by @insn. 214 * 215 * The segment register associated to an operand used in register-indirect 216 * addressing depends on: 217 * 218 * a) Whether running in long mode (in such a case segments are ignored, except 219 * if FS or GS are used). 220 * 221 * b) Whether segment override prefixes can be used. Certain instructions and 222 * registers do not allow override prefixes. 223 * 224 * c) Whether segment overrides prefixes are found in the instruction prefixes. 225 * 226 * d) If there are not segment override prefixes or they cannot be used, the 227 * default segment register associated with the operand register is used. 228 * 229 * The function checks first if segment override prefixes can be used with the 230 * operand indicated by @regoff. If allowed, obtain such overridden segment 231 * register index. Lastly, if not prefixes were found or cannot be used, resolve 232 * the segment register index to use based on the defaults described in the 233 * Intel documentation. In long mode, all segment register indexes will be 234 * ignored, except if overrides were found for FS or GS. All these operations 235 * are done using helper functions. 236 * 237 * The operand register, @regoff, is represented as the offset from the base of 238 * pt_regs. 239 * 240 * As stated, the main use of this function is to determine the segment register 241 * index based on the instruction, its operands and prefixes. Hence, @insn 242 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 243 * @insn at all as in this case CS is used in all cases. This case is checked 244 * before proceeding further. 245 * 246 * Please note that this function does not return the value in the segment 247 * register (i.e., the segment selector) but our defined index. The segment 248 * selector needs to be obtained using get_segment_selector() and passing the 249 * segment register index resolved by this function. 250 * 251 * Returns: 252 * 253 * An index identifying the segment register to use, among CS, SS, DS, 254 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 255 * 256 * -EINVAL in case of error. 257 */ 258 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 259 { 260 int idx; 261 262 /* 263 * In the unlikely event of having to resolve the segment register 264 * index for rIP, do it first. Segment override prefixes should not 265 * be used. Hence, it is not necessary to inspect the instruction, 266 * which may be invalid at this point. 267 */ 268 if (regoff == offsetof(struct pt_regs, ip)) { 269 if (any_64bit_mode(regs)) 270 return INAT_SEG_REG_IGNORE; 271 else 272 return INAT_SEG_REG_CS; 273 } 274 275 if (!insn) 276 return -EINVAL; 277 278 if (!check_seg_overrides(insn, regoff)) 279 return resolve_default_seg(insn, regs, regoff); 280 281 idx = get_seg_reg_override_idx(insn); 282 if (idx < 0) 283 return idx; 284 285 if (idx == INAT_SEG_REG_DEFAULT) 286 return resolve_default_seg(insn, regs, regoff); 287 288 /* 289 * In long mode, segment override prefixes are ignored, except for 290 * overrides for FS and GS. 291 */ 292 if (any_64bit_mode(regs)) { 293 if (idx != INAT_SEG_REG_FS && 294 idx != INAT_SEG_REG_GS) 295 idx = INAT_SEG_REG_IGNORE; 296 } 297 298 return idx; 299 } 300 301 /** 302 * get_segment_selector() - obtain segment selector 303 * @regs: Register values as seen when entering kernel mode 304 * @seg_reg_idx: Segment register index to use 305 * 306 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 307 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 308 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 309 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 310 * registers. This done for only for completeness as in CONFIG_X86_64 segment 311 * registers are ignored. 312 * 313 * Returns: 314 * 315 * Value of the segment selector, including null when running in 316 * long mode. 317 * 318 * -EINVAL on error. 319 */ 320 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 321 { 322 #ifdef CONFIG_X86_64 323 unsigned short sel; 324 325 switch (seg_reg_idx) { 326 case INAT_SEG_REG_IGNORE: 327 return 0; 328 case INAT_SEG_REG_CS: 329 return (unsigned short)(regs->cs & 0xffff); 330 case INAT_SEG_REG_SS: 331 return (unsigned short)(regs->ss & 0xffff); 332 case INAT_SEG_REG_DS: 333 savesegment(ds, sel); 334 return sel; 335 case INAT_SEG_REG_ES: 336 savesegment(es, sel); 337 return sel; 338 case INAT_SEG_REG_FS: 339 savesegment(fs, sel); 340 return sel; 341 case INAT_SEG_REG_GS: 342 savesegment(gs, sel); 343 return sel; 344 default: 345 return -EINVAL; 346 } 347 #else /* CONFIG_X86_32 */ 348 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 349 350 if (v8086_mode(regs)) { 351 switch (seg_reg_idx) { 352 case INAT_SEG_REG_CS: 353 return (unsigned short)(regs->cs & 0xffff); 354 case INAT_SEG_REG_SS: 355 return (unsigned short)(regs->ss & 0xffff); 356 case INAT_SEG_REG_DS: 357 return vm86regs->ds; 358 case INAT_SEG_REG_ES: 359 return vm86regs->es; 360 case INAT_SEG_REG_FS: 361 return vm86regs->fs; 362 case INAT_SEG_REG_GS: 363 return vm86regs->gs; 364 case INAT_SEG_REG_IGNORE: 365 default: 366 return -EINVAL; 367 } 368 } 369 370 switch (seg_reg_idx) { 371 case INAT_SEG_REG_CS: 372 return (unsigned short)(regs->cs & 0xffff); 373 case INAT_SEG_REG_SS: 374 return (unsigned short)(regs->ss & 0xffff); 375 case INAT_SEG_REG_DS: 376 return (unsigned short)(regs->ds & 0xffff); 377 case INAT_SEG_REG_ES: 378 return (unsigned short)(regs->es & 0xffff); 379 case INAT_SEG_REG_FS: 380 return (unsigned short)(regs->fs & 0xffff); 381 case INAT_SEG_REG_GS: 382 /* 383 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. 384 * The macro below takes care of both cases. 385 */ 386 return get_user_gs(regs); 387 case INAT_SEG_REG_IGNORE: 388 default: 389 return -EINVAL; 390 } 391 #endif /* CONFIG_X86_64 */ 392 } 393 394 static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 395 enum reg_type type) 396 { 397 int regno = 0; 398 399 static const int regoff[] = { 400 offsetof(struct pt_regs, ax), 401 offsetof(struct pt_regs, cx), 402 offsetof(struct pt_regs, dx), 403 offsetof(struct pt_regs, bx), 404 offsetof(struct pt_regs, sp), 405 offsetof(struct pt_regs, bp), 406 offsetof(struct pt_regs, si), 407 offsetof(struct pt_regs, di), 408 #ifdef CONFIG_X86_64 409 offsetof(struct pt_regs, r8), 410 offsetof(struct pt_regs, r9), 411 offsetof(struct pt_regs, r10), 412 offsetof(struct pt_regs, r11), 413 offsetof(struct pt_regs, r12), 414 offsetof(struct pt_regs, r13), 415 offsetof(struct pt_regs, r14), 416 offsetof(struct pt_regs, r15), 417 #endif 418 }; 419 int nr_registers = ARRAY_SIZE(regoff); 420 /* 421 * Don't possibly decode a 32-bit instructions as 422 * reading a 64-bit-only register. 423 */ 424 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 425 nr_registers -= 8; 426 427 switch (type) { 428 case REG_TYPE_RM: 429 regno = X86_MODRM_RM(insn->modrm.value); 430 431 /* 432 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 433 * follows the ModRM byte. 434 */ 435 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 436 return -EDOM; 437 438 if (X86_REX_B(insn->rex_prefix.value)) 439 regno += 8; 440 break; 441 442 case REG_TYPE_INDEX: 443 regno = X86_SIB_INDEX(insn->sib.value); 444 if (X86_REX_X(insn->rex_prefix.value)) 445 regno += 8; 446 447 /* 448 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 449 * portion of the address computation is null. This is 450 * true only if REX.X is 0. In such a case, the SIB index 451 * is used in the address computation. 452 */ 453 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 454 return -EDOM; 455 break; 456 457 case REG_TYPE_BASE: 458 regno = X86_SIB_BASE(insn->sib.value); 459 /* 460 * If ModRM.mod is 0 and SIB.base == 5, the base of the 461 * register-indirect addressing is 0. In this case, a 462 * 32-bit displacement follows the SIB byte. 463 */ 464 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 465 return -EDOM; 466 467 if (X86_REX_B(insn->rex_prefix.value)) 468 regno += 8; 469 break; 470 471 default: 472 pr_err_ratelimited("invalid register type: %d\n", type); 473 return -EINVAL; 474 } 475 476 if (regno >= nr_registers) { 477 WARN_ONCE(1, "decoded an instruction with an invalid register"); 478 return -EINVAL; 479 } 480 return regoff[regno]; 481 } 482 483 /** 484 * get_reg_offset_16() - Obtain offset of register indicated by instruction 485 * @insn: Instruction containing ModRM byte 486 * @regs: Register values as seen when entering kernel mode 487 * @offs1: Offset of the first operand register 488 * @offs2: Offset of the second opeand register, if applicable 489 * 490 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 491 * in @insn. This function is to be used with 16-bit address encodings. The 492 * @offs1 and @offs2 will be written with the offset of the two registers 493 * indicated by the instruction. In cases where any of the registers is not 494 * referenced by the instruction, the value will be set to -EDOM. 495 * 496 * Returns: 497 * 498 * 0 on success, -EINVAL on error. 499 */ 500 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 501 int *offs1, int *offs2) 502 { 503 /* 504 * 16-bit addressing can use one or two registers. Specifics of 505 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 506 * ModR/M Byte" of the Intel Software Development Manual. 507 */ 508 static const int regoff1[] = { 509 offsetof(struct pt_regs, bx), 510 offsetof(struct pt_regs, bx), 511 offsetof(struct pt_regs, bp), 512 offsetof(struct pt_regs, bp), 513 offsetof(struct pt_regs, si), 514 offsetof(struct pt_regs, di), 515 offsetof(struct pt_regs, bp), 516 offsetof(struct pt_regs, bx), 517 }; 518 519 static const int regoff2[] = { 520 offsetof(struct pt_regs, si), 521 offsetof(struct pt_regs, di), 522 offsetof(struct pt_regs, si), 523 offsetof(struct pt_regs, di), 524 -EDOM, 525 -EDOM, 526 -EDOM, 527 -EDOM, 528 }; 529 530 if (!offs1 || !offs2) 531 return -EINVAL; 532 533 /* Operand is a register, use the generic function. */ 534 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 535 *offs1 = insn_get_modrm_rm_off(insn, regs); 536 *offs2 = -EDOM; 537 return 0; 538 } 539 540 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 541 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 542 543 /* 544 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 545 * only addressing. This means that no registers are involved in 546 * computing the effective address. Thus, ensure that the first 547 * register offset is invalild. The second register offset is already 548 * invalid under the aforementioned conditions. 549 */ 550 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 551 (X86_MODRM_RM(insn->modrm.value) == 6)) 552 *offs1 = -EDOM; 553 554 return 0; 555 } 556 557 /** 558 * get_desc() - Obtain contents of a segment descriptor 559 * @out: Segment descriptor contents on success 560 * @sel: Segment selector 561 * 562 * Given a segment selector, obtain a pointer to the segment descriptor. 563 * Both global and local descriptor tables are supported. 564 * 565 * Returns: 566 * 567 * True on success, false on failure. 568 * 569 * NULL on error. 570 */ 571 static bool get_desc(struct desc_struct *out, unsigned short sel) 572 { 573 struct desc_ptr gdt_desc = {0, 0}; 574 unsigned long desc_base; 575 576 #ifdef CONFIG_MODIFY_LDT_SYSCALL 577 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 578 bool success = false; 579 struct ldt_struct *ldt; 580 581 /* Bits [15:3] contain the index of the desired entry. */ 582 sel >>= 3; 583 584 mutex_lock(¤t->active_mm->context.lock); 585 ldt = current->active_mm->context.ldt; 586 if (ldt && sel < ldt->nr_entries) { 587 *out = ldt->entries[sel]; 588 success = true; 589 } 590 591 mutex_unlock(¤t->active_mm->context.lock); 592 593 return success; 594 } 595 #endif 596 native_store_gdt(&gdt_desc); 597 598 /* 599 * Segment descriptors have a size of 8 bytes. Thus, the index is 600 * multiplied by 8 to obtain the memory offset of the desired descriptor 601 * from the base of the GDT. As bits [15:3] of the segment selector 602 * contain the index, it can be regarded as multiplied by 8 already. 603 * All that remains is to clear bits [2:0]. 604 */ 605 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 606 607 if (desc_base > gdt_desc.size) 608 return false; 609 610 *out = *(struct desc_struct *)(gdt_desc.address + desc_base); 611 return true; 612 } 613 614 /** 615 * insn_get_seg_base() - Obtain base address of segment descriptor. 616 * @regs: Register values as seen when entering kernel mode 617 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 618 * 619 * Obtain the base address of the segment as indicated by the segment descriptor 620 * pointed by the segment selector. The segment selector is obtained from the 621 * input segment register index @seg_reg_idx. 622 * 623 * Returns: 624 * 625 * In protected mode, base address of the segment. Zero in long mode, 626 * except when FS or GS are used. In virtual-8086 mode, the segment 627 * selector shifted 4 bits to the right. 628 * 629 * -1L in case of error. 630 */ 631 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 632 { 633 struct desc_struct desc; 634 short sel; 635 636 sel = get_segment_selector(regs, seg_reg_idx); 637 if (sel < 0) 638 return -1L; 639 640 if (v8086_mode(regs)) 641 /* 642 * Base is simply the segment selector shifted 4 643 * bits to the right. 644 */ 645 return (unsigned long)(sel << 4); 646 647 if (any_64bit_mode(regs)) { 648 /* 649 * Only FS or GS will have a base address, the rest of 650 * the segments' bases are forced to 0. 651 */ 652 unsigned long base; 653 654 if (seg_reg_idx == INAT_SEG_REG_FS) { 655 rdmsrl(MSR_FS_BASE, base); 656 } else if (seg_reg_idx == INAT_SEG_REG_GS) { 657 /* 658 * swapgs was called at the kernel entry point. Thus, 659 * MSR_KERNEL_GS_BASE will have the user-space GS base. 660 */ 661 if (user_mode(regs)) 662 rdmsrl(MSR_KERNEL_GS_BASE, base); 663 else 664 rdmsrl(MSR_GS_BASE, base); 665 } else { 666 base = 0; 667 } 668 return base; 669 } 670 671 /* In protected mode the segment selector cannot be null. */ 672 if (!sel) 673 return -1L; 674 675 if (!get_desc(&desc, sel)) 676 return -1L; 677 678 return get_desc_base(&desc); 679 } 680 681 /** 682 * get_seg_limit() - Obtain the limit of a segment descriptor 683 * @regs: Register values as seen when entering kernel mode 684 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 685 * 686 * Obtain the limit of the segment as indicated by the segment descriptor 687 * pointed by the segment selector. The segment selector is obtained from the 688 * input segment register index @seg_reg_idx. 689 * 690 * Returns: 691 * 692 * In protected mode, the limit of the segment descriptor in bytes. 693 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 694 * limit is returned as -1L to imply a limit-less segment. 695 * 696 * Zero is returned on error. 697 */ 698 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 699 { 700 struct desc_struct desc; 701 unsigned long limit; 702 short sel; 703 704 sel = get_segment_selector(regs, seg_reg_idx); 705 if (sel < 0) 706 return 0; 707 708 if (any_64bit_mode(regs) || v8086_mode(regs)) 709 return -1L; 710 711 if (!sel) 712 return 0; 713 714 if (!get_desc(&desc, sel)) 715 return 0; 716 717 /* 718 * If the granularity bit is set, the limit is given in multiples 719 * of 4096. This also means that the 12 least significant bits are 720 * not tested when checking the segment limits. In practice, 721 * this means that the segment ends in (limit << 12) + 0xfff. 722 */ 723 limit = get_desc_limit(&desc); 724 if (desc.g) 725 limit = (limit << 12) + 0xfff; 726 727 return limit; 728 } 729 730 /** 731 * insn_get_code_seg_params() - Obtain code segment parameters 732 * @regs: Structure with register values as seen when entering kernel mode 733 * 734 * Obtain address and operand sizes of the code segment. It is obtained from the 735 * selector contained in the CS register in regs. In protected mode, the default 736 * address is determined by inspecting the L and D bits of the segment 737 * descriptor. In virtual-8086 mode, the default is always two bytes for both 738 * address and operand sizes. 739 * 740 * Returns: 741 * 742 * An int containing ORed-in default parameters on success. 743 * 744 * -EINVAL on error. 745 */ 746 int insn_get_code_seg_params(struct pt_regs *regs) 747 { 748 struct desc_struct desc; 749 short sel; 750 751 if (v8086_mode(regs)) 752 /* Address and operand size are both 16-bit. */ 753 return INSN_CODE_SEG_PARAMS(2, 2); 754 755 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 756 if (sel < 0) 757 return sel; 758 759 if (!get_desc(&desc, sel)) 760 return -EINVAL; 761 762 /* 763 * The most significant byte of the Type field of the segment descriptor 764 * determines whether a segment contains data or code. If this is a data 765 * segment, return error. 766 */ 767 if (!(desc.type & BIT(3))) 768 return -EINVAL; 769 770 switch ((desc.l << 1) | desc.d) { 771 case 0: /* 772 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 773 * both 16-bit. 774 */ 775 return INSN_CODE_SEG_PARAMS(2, 2); 776 case 1: /* 777 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 778 * both 32-bit. 779 */ 780 return INSN_CODE_SEG_PARAMS(4, 4); 781 case 2: /* 782 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 783 * operand size is 32-bit. 784 */ 785 return INSN_CODE_SEG_PARAMS(4, 8); 786 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 787 fallthrough; 788 default: 789 return -EINVAL; 790 } 791 } 792 793 /** 794 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 795 * @insn: Instruction containing the ModRM byte 796 * @regs: Register values as seen when entering kernel mode 797 * 798 * Returns: 799 * 800 * The register indicated by the r/m part of the ModRM byte. The 801 * register is obtained as an offset from the base of pt_regs. In specific 802 * cases, the returned value can be -EDOM to indicate that the particular value 803 * of ModRM does not refer to a register and shall be ignored. 804 */ 805 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 806 { 807 return get_reg_offset(insn, regs, REG_TYPE_RM); 808 } 809 810 /** 811 * get_seg_base_limit() - obtain base address and limit of a segment 812 * @insn: Instruction. Must be valid. 813 * @regs: Register values as seen when entering kernel mode 814 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 815 * @base: Obtained segment base 816 * @limit: Obtained segment limit 817 * 818 * Obtain the base address and limit of the segment associated with the operand 819 * @regoff and, if any or allowed, override prefixes in @insn. This function is 820 * different from insn_get_seg_base() as the latter does not resolve the segment 821 * associated with the instruction operand. If a limit is not needed (e.g., 822 * when running in long mode), @limit can be NULL. 823 * 824 * Returns: 825 * 826 * 0 on success. @base and @limit will contain the base address and of the 827 * resolved segment, respectively. 828 * 829 * -EINVAL on error. 830 */ 831 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 832 int regoff, unsigned long *base, 833 unsigned long *limit) 834 { 835 int seg_reg_idx; 836 837 if (!base) 838 return -EINVAL; 839 840 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 841 if (seg_reg_idx < 0) 842 return seg_reg_idx; 843 844 *base = insn_get_seg_base(regs, seg_reg_idx); 845 if (*base == -1L) 846 return -EINVAL; 847 848 if (!limit) 849 return 0; 850 851 *limit = get_seg_limit(regs, seg_reg_idx); 852 if (!(*limit)) 853 return -EINVAL; 854 855 return 0; 856 } 857 858 /** 859 * get_eff_addr_reg() - Obtain effective address from register operand 860 * @insn: Instruction. Must be valid. 861 * @regs: Register values as seen when entering kernel mode 862 * @regoff: Obtained operand offset, in pt_regs, with the effective address 863 * @eff_addr: Obtained effective address 864 * 865 * Obtain the effective address stored in the register operand as indicated by 866 * the ModRM byte. This function is to be used only with register addressing 867 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 868 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 869 * such offset can then be used to resolve the segment associated with the 870 * operand. This function can be used with any of the supported address sizes 871 * in x86. 872 * 873 * Returns: 874 * 875 * 0 on success. @eff_addr will have the effective address stored in the 876 * operand indicated by ModRM. @regoff will have such operand as an offset from 877 * the base of pt_regs. 878 * 879 * -EINVAL on error. 880 */ 881 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 882 int *regoff, long *eff_addr) 883 { 884 insn_get_modrm(insn); 885 886 if (!insn->modrm.nbytes) 887 return -EINVAL; 888 889 if (X86_MODRM_MOD(insn->modrm.value) != 3) 890 return -EINVAL; 891 892 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 893 if (*regoff < 0) 894 return -EINVAL; 895 896 /* Ignore bytes that are outside the address size. */ 897 if (insn->addr_bytes == 2) 898 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 899 else if (insn->addr_bytes == 4) 900 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 901 else /* 64-bit address */ 902 *eff_addr = regs_get_register(regs, *regoff); 903 904 return 0; 905 } 906 907 /** 908 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 909 * @insn: Instruction. Must be valid. 910 * @regs: Register values as seen when entering kernel mode 911 * @regoff: Obtained operand offset, in pt_regs, associated with segment 912 * @eff_addr: Obtained effective address 913 * 914 * Obtain the effective address referenced by the ModRM byte of @insn. After 915 * identifying the registers involved in the register-indirect memory reference, 916 * its value is obtained from the operands in @regs. The computed address is 917 * stored @eff_addr. Also, the register operand that indicates the associated 918 * segment is stored in @regoff, this parameter can later be used to determine 919 * such segment. 920 * 921 * Returns: 922 * 923 * 0 on success. @eff_addr will have the referenced effective address. @regoff 924 * will have a register, as an offset from the base of pt_regs, that can be used 925 * to resolve the associated segment. 926 * 927 * -EINVAL on error. 928 */ 929 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 930 int *regoff, long *eff_addr) 931 { 932 long tmp; 933 934 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 935 return -EINVAL; 936 937 insn_get_modrm(insn); 938 939 if (!insn->modrm.nbytes) 940 return -EINVAL; 941 942 if (X86_MODRM_MOD(insn->modrm.value) > 2) 943 return -EINVAL; 944 945 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 946 947 /* 948 * -EDOM means that we must ignore the address_offset. In such a case, 949 * in 64-bit mode the effective address relative to the rIP of the 950 * following instruction. 951 */ 952 if (*regoff == -EDOM) { 953 if (any_64bit_mode(regs)) 954 tmp = regs->ip + insn->length; 955 else 956 tmp = 0; 957 } else if (*regoff < 0) { 958 return -EINVAL; 959 } else { 960 tmp = regs_get_register(regs, *regoff); 961 } 962 963 if (insn->addr_bytes == 4) { 964 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 965 966 *eff_addr = addr32 & 0xffffffff; 967 } else { 968 *eff_addr = tmp + insn->displacement.value; 969 } 970 971 return 0; 972 } 973 974 /** 975 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 976 * @insn: Instruction. Must be valid. 977 * @regs: Register values as seen when entering kernel mode 978 * @regoff: Obtained operand offset, in pt_regs, associated with segment 979 * @eff_addr: Obtained effective address 980 * 981 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 982 * After identifying the registers involved in the register-indirect memory 983 * reference, its value is obtained from the operands in @regs. The computed 984 * address is stored @eff_addr. Also, the register operand that indicates 985 * the associated segment is stored in @regoff, this parameter can later be used 986 * to determine such segment. 987 * 988 * Returns: 989 * 990 * 0 on success. @eff_addr will have the referenced effective address. @regoff 991 * will have a register, as an offset from the base of pt_regs, that can be used 992 * to resolve the associated segment. 993 * 994 * -EINVAL on error. 995 */ 996 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 997 int *regoff, short *eff_addr) 998 { 999 int addr_offset1, addr_offset2, ret; 1000 short addr1 = 0, addr2 = 0, displacement; 1001 1002 if (insn->addr_bytes != 2) 1003 return -EINVAL; 1004 1005 insn_get_modrm(insn); 1006 1007 if (!insn->modrm.nbytes) 1008 return -EINVAL; 1009 1010 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1011 return -EINVAL; 1012 1013 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1014 if (ret < 0) 1015 return -EINVAL; 1016 1017 /* 1018 * Don't fail on invalid offset values. They might be invalid because 1019 * they cannot be used for this particular value of ModRM. Instead, use 1020 * them in the computation only if they contain a valid value. 1021 */ 1022 if (addr_offset1 != -EDOM) 1023 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1024 1025 if (addr_offset2 != -EDOM) 1026 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1027 1028 displacement = insn->displacement.value & 0xffff; 1029 *eff_addr = addr1 + addr2 + displacement; 1030 1031 /* 1032 * The first operand register could indicate to use of either SS or DS 1033 * registers to obtain the segment selector. The second operand 1034 * register can only indicate the use of DS. Thus, the first operand 1035 * will be used to obtain the segment selector. 1036 */ 1037 *regoff = addr_offset1; 1038 1039 return 0; 1040 } 1041 1042 /** 1043 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1044 * @insn: Instruction. Must be valid. 1045 * @regs: Register values as seen when entering kernel mode 1046 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1047 * @eff_addr: Obtained effective address 1048 * 1049 * Obtain the effective address referenced by the SIB byte of @insn. After 1050 * identifying the registers involved in the indexed, register-indirect memory 1051 * reference, its value is obtained from the operands in @regs. The computed 1052 * address is stored @eff_addr. Also, the register operand that indicates the 1053 * associated segment is stored in @regoff, this parameter can later be used to 1054 * determine such segment. 1055 * 1056 * Returns: 1057 * 1058 * 0 on success. @eff_addr will have the referenced effective address. 1059 * @base_offset will have a register, as an offset from the base of pt_regs, 1060 * that can be used to resolve the associated segment. 1061 * 1062 * -EINVAL on error. 1063 */ 1064 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1065 int *base_offset, long *eff_addr) 1066 { 1067 long base, indx; 1068 int indx_offset; 1069 1070 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1071 return -EINVAL; 1072 1073 insn_get_modrm(insn); 1074 1075 if (!insn->modrm.nbytes) 1076 return -EINVAL; 1077 1078 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1079 return -EINVAL; 1080 1081 insn_get_sib(insn); 1082 1083 if (!insn->sib.nbytes) 1084 return -EINVAL; 1085 1086 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1087 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1088 1089 /* 1090 * Negative values in the base and index offset means an error when 1091 * decoding the SIB byte. Except -EDOM, which means that the registers 1092 * should not be used in the address computation. 1093 */ 1094 if (*base_offset == -EDOM) 1095 base = 0; 1096 else if (*base_offset < 0) 1097 return -EINVAL; 1098 else 1099 base = regs_get_register(regs, *base_offset); 1100 1101 if (indx_offset == -EDOM) 1102 indx = 0; 1103 else if (indx_offset < 0) 1104 return -EINVAL; 1105 else 1106 indx = regs_get_register(regs, indx_offset); 1107 1108 if (insn->addr_bytes == 4) { 1109 int addr32, base32, idx32; 1110 1111 base32 = base & 0xffffffff; 1112 idx32 = indx & 0xffffffff; 1113 1114 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1115 addr32 += insn->displacement.value; 1116 1117 *eff_addr = addr32 & 0xffffffff; 1118 } else { 1119 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1120 *eff_addr += insn->displacement.value; 1121 } 1122 1123 return 0; 1124 } 1125 1126 /** 1127 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1128 * @insn: Instruction containing ModRM byte and displacement 1129 * @regs: Register values as seen when entering kernel mode 1130 * 1131 * This function is to be used with 16-bit address encodings. Obtain the memory 1132 * address referred by the instruction's ModRM and displacement bytes. Also, the 1133 * segment used as base is determined by either any segment override prefixes in 1134 * @insn or the default segment of the registers involved in the address 1135 * computation. In protected mode, segment limits are enforced. 1136 * 1137 * Returns: 1138 * 1139 * Linear address referenced by the instruction operands on success. 1140 * 1141 * -1L on error. 1142 */ 1143 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1144 { 1145 unsigned long linear_addr = -1L, seg_base, seg_limit; 1146 int ret, regoff; 1147 short eff_addr; 1148 long tmp; 1149 1150 insn_get_modrm(insn); 1151 insn_get_displacement(insn); 1152 1153 if (insn->addr_bytes != 2) 1154 goto out; 1155 1156 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1157 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1158 if (ret) 1159 goto out; 1160 1161 eff_addr = tmp; 1162 } else { 1163 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1164 if (ret) 1165 goto out; 1166 } 1167 1168 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1169 if (ret) 1170 goto out; 1171 1172 /* 1173 * Before computing the linear address, make sure the effective address 1174 * is within the limits of the segment. In virtual-8086 mode, segment 1175 * limits are not enforced. In such a case, the segment limit is -1L to 1176 * reflect this fact. 1177 */ 1178 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1179 goto out; 1180 1181 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1182 1183 /* Limit linear address to 20 bits */ 1184 if (v8086_mode(regs)) 1185 linear_addr &= 0xfffff; 1186 1187 out: 1188 return (void __user *)linear_addr; 1189 } 1190 1191 /** 1192 * get_addr_ref_32() - Obtain a 32-bit linear address 1193 * @insn: Instruction with ModRM, SIB bytes and displacement 1194 * @regs: Register values as seen when entering kernel mode 1195 * 1196 * This function is to be used with 32-bit address encodings to obtain the 1197 * linear memory address referred by the instruction's ModRM, SIB, 1198 * displacement bytes and segment base address, as applicable. If in protected 1199 * mode, segment limits are enforced. 1200 * 1201 * Returns: 1202 * 1203 * Linear address referenced by instruction and registers on success. 1204 * 1205 * -1L on error. 1206 */ 1207 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1208 { 1209 unsigned long linear_addr = -1L, seg_base, seg_limit; 1210 int eff_addr, regoff; 1211 long tmp; 1212 int ret; 1213 1214 if (insn->addr_bytes != 4) 1215 goto out; 1216 1217 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1218 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1219 if (ret) 1220 goto out; 1221 1222 eff_addr = tmp; 1223 1224 } else { 1225 if (insn->sib.nbytes) { 1226 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1227 if (ret) 1228 goto out; 1229 1230 eff_addr = tmp; 1231 } else { 1232 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1233 if (ret) 1234 goto out; 1235 1236 eff_addr = tmp; 1237 } 1238 } 1239 1240 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1241 if (ret) 1242 goto out; 1243 1244 /* 1245 * In protected mode, before computing the linear address, make sure 1246 * the effective address is within the limits of the segment. 1247 * 32-bit addresses can be used in long and virtual-8086 modes if an 1248 * address override prefix is used. In such cases, segment limits are 1249 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1250 * to reflect this situation. 1251 * 1252 * After computed, the effective address is treated as an unsigned 1253 * quantity. 1254 */ 1255 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1256 goto out; 1257 1258 /* 1259 * Even though 32-bit address encodings are allowed in virtual-8086 1260 * mode, the address range is still limited to [0x-0xffff]. 1261 */ 1262 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1263 goto out; 1264 1265 /* 1266 * Data type long could be 64 bits in size. Ensure that our 32-bit 1267 * effective address is not sign-extended when computing the linear 1268 * address. 1269 */ 1270 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1271 1272 /* Limit linear address to 20 bits */ 1273 if (v8086_mode(regs)) 1274 linear_addr &= 0xfffff; 1275 1276 out: 1277 return (void __user *)linear_addr; 1278 } 1279 1280 /** 1281 * get_addr_ref_64() - Obtain a 64-bit linear address 1282 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1283 * @regs: Structure with register values as seen when entering kernel mode 1284 * 1285 * This function is to be used with 64-bit address encodings to obtain the 1286 * linear memory address referred by the instruction's ModRM, SIB, 1287 * displacement bytes and segment base address, as applicable. 1288 * 1289 * Returns: 1290 * 1291 * Linear address referenced by instruction and registers on success. 1292 * 1293 * -1L on error. 1294 */ 1295 #ifndef CONFIG_X86_64 1296 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1297 { 1298 return (void __user *)-1L; 1299 } 1300 #else 1301 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1302 { 1303 unsigned long linear_addr = -1L, seg_base; 1304 int regoff, ret; 1305 long eff_addr; 1306 1307 if (insn->addr_bytes != 8) 1308 goto out; 1309 1310 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1311 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1312 if (ret) 1313 goto out; 1314 1315 } else { 1316 if (insn->sib.nbytes) { 1317 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1318 if (ret) 1319 goto out; 1320 } else { 1321 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1322 if (ret) 1323 goto out; 1324 } 1325 1326 } 1327 1328 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1329 if (ret) 1330 goto out; 1331 1332 linear_addr = (unsigned long)eff_addr + seg_base; 1333 1334 out: 1335 return (void __user *)linear_addr; 1336 } 1337 #endif /* CONFIG_X86_64 */ 1338 1339 /** 1340 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1341 * @insn: Instruction structure containing ModRM byte and displacement 1342 * @regs: Structure with register values as seen when entering kernel mode 1343 * 1344 * Obtain the linear address referred by the instruction's ModRM, SIB and 1345 * displacement bytes, and segment base, as applicable. In protected mode, 1346 * segment limits are enforced. 1347 * 1348 * Returns: 1349 * 1350 * Linear address referenced by instruction and registers on success. 1351 * 1352 * -1L on error. 1353 */ 1354 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1355 { 1356 if (!insn || !regs) 1357 return (void __user *)-1L; 1358 1359 switch (insn->addr_bytes) { 1360 case 2: 1361 return get_addr_ref_16(insn, regs); 1362 case 4: 1363 return get_addr_ref_32(insn, regs); 1364 case 8: 1365 return get_addr_ref_64(insn, regs); 1366 default: 1367 return (void __user *)-1L; 1368 } 1369 } 1370