1 /* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6 #include <linux/kernel.h> 7 #include <linux/string.h> 8 #include <linux/ratelimit.h> 9 #include <linux/mmu_context.h> 10 #include <asm/desc_defs.h> 11 #include <asm/desc.h> 12 #include <asm/inat.h> 13 #include <asm/insn.h> 14 #include <asm/insn-eval.h> 15 #include <asm/ldt.h> 16 #include <asm/vm86.h> 17 18 #undef pr_fmt 19 #define pr_fmt(fmt) "insn: " fmt 20 21 enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_REG, 24 REG_TYPE_INDEX, 25 REG_TYPE_BASE, 26 }; 27 28 /** 29 * is_string_insn() - Determine if instruction is a string instruction 30 * @insn: Instruction containing the opcode to inspect 31 * 32 * Returns: 33 * 34 * true if the instruction, determined by the opcode, is any of the 35 * string instructions as defined in the Intel Software Development manual. 36 * False otherwise. 37 */ 38 static bool is_string_insn(struct insn *insn) 39 { 40 insn_get_opcode(insn); 41 42 /* All string instructions have a 1-byte opcode. */ 43 if (insn->opcode.nbytes != 1) 44 return false; 45 46 switch (insn->opcode.bytes[0]) { 47 case 0x6c ... 0x6f: /* INS, OUTS */ 48 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 49 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 50 return true; 51 default: 52 return false; 53 } 54 } 55 56 /** 57 * insn_has_rep_prefix() - Determine if instruction has a REP prefix 58 * @insn: Instruction containing the prefix to inspect 59 * 60 * Returns: 61 * 62 * true if the instruction has a REP prefix, false if not. 63 */ 64 bool insn_has_rep_prefix(struct insn *insn) 65 { 66 insn_byte_t p; 67 int i; 68 69 insn_get_prefixes(insn); 70 71 for_each_insn_prefix(insn, i, p) { 72 if (p == 0xf2 || p == 0xf3) 73 return true; 74 } 75 76 return false; 77 } 78 79 /** 80 * get_seg_reg_override_idx() - obtain segment register override index 81 * @insn: Valid instruction with segment override prefixes 82 * 83 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 84 * 85 * Returns: 86 * 87 * A constant identifying the segment register to use, among CS, SS, DS, 88 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 89 * prefixes were found. 90 * 91 * -EINVAL in case of error. 92 */ 93 static int get_seg_reg_override_idx(struct insn *insn) 94 { 95 int idx = INAT_SEG_REG_DEFAULT; 96 int num_overrides = 0, i; 97 insn_byte_t p; 98 99 insn_get_prefixes(insn); 100 101 /* Look for any segment override prefixes. */ 102 for_each_insn_prefix(insn, i, p) { 103 insn_attr_t attr; 104 105 attr = inat_get_opcode_attribute(p); 106 switch (attr) { 107 case INAT_MAKE_PREFIX(INAT_PFX_CS): 108 idx = INAT_SEG_REG_CS; 109 num_overrides++; 110 break; 111 case INAT_MAKE_PREFIX(INAT_PFX_SS): 112 idx = INAT_SEG_REG_SS; 113 num_overrides++; 114 break; 115 case INAT_MAKE_PREFIX(INAT_PFX_DS): 116 idx = INAT_SEG_REG_DS; 117 num_overrides++; 118 break; 119 case INAT_MAKE_PREFIX(INAT_PFX_ES): 120 idx = INAT_SEG_REG_ES; 121 num_overrides++; 122 break; 123 case INAT_MAKE_PREFIX(INAT_PFX_FS): 124 idx = INAT_SEG_REG_FS; 125 num_overrides++; 126 break; 127 case INAT_MAKE_PREFIX(INAT_PFX_GS): 128 idx = INAT_SEG_REG_GS; 129 num_overrides++; 130 break; 131 /* No default action needed. */ 132 } 133 } 134 135 /* More than one segment override prefix leads to undefined behavior. */ 136 if (num_overrides > 1) 137 return -EINVAL; 138 139 return idx; 140 } 141 142 /** 143 * check_seg_overrides() - check if segment override prefixes are allowed 144 * @insn: Valid instruction with segment override prefixes 145 * @regoff: Operand offset, in pt_regs, for which the check is performed 146 * 147 * For a particular register used in register-indirect addressing, determine if 148 * segment override prefixes can be used. Specifically, no overrides are allowed 149 * for rDI if used with a string instruction. 150 * 151 * Returns: 152 * 153 * True if segment override prefixes can be used with the register indicated 154 * in @regoff. False if otherwise. 155 */ 156 static bool check_seg_overrides(struct insn *insn, int regoff) 157 { 158 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 159 return false; 160 161 return true; 162 } 163 164 /** 165 * resolve_default_seg() - resolve default segment register index for an operand 166 * @insn: Instruction with opcode and address size. Must be valid. 167 * @regs: Register values as seen when entering kernel mode 168 * @off: Operand offset, in pt_regs, for which resolution is needed 169 * 170 * Resolve the default segment register index associated with the instruction 171 * operand register indicated by @off. Such index is resolved based on defaults 172 * described in the Intel Software Development Manual. 173 * 174 * Returns: 175 * 176 * If in protected mode, a constant identifying the segment register to use, 177 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 178 * 179 * -EINVAL in case of error. 180 */ 181 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 182 { 183 if (any_64bit_mode(regs)) 184 return INAT_SEG_REG_IGNORE; 185 /* 186 * Resolve the default segment register as described in Section 3.7.4 187 * of the Intel Software Development Manual Vol. 1: 188 * 189 * + DS for all references involving r[ABCD]X, and rSI. 190 * + If used in a string instruction, ES for rDI. Otherwise, DS. 191 * + AX, CX and DX are not valid register operands in 16-bit address 192 * encodings but are valid for 32-bit and 64-bit encodings. 193 * + -EDOM is reserved to identify for cases in which no register 194 * is used (i.e., displacement-only addressing). Use DS. 195 * + SS for rSP or rBP. 196 * + CS for rIP. 197 */ 198 199 switch (off) { 200 case offsetof(struct pt_regs, ax): 201 case offsetof(struct pt_regs, cx): 202 case offsetof(struct pt_regs, dx): 203 /* Need insn to verify address size. */ 204 if (insn->addr_bytes == 2) 205 return -EINVAL; 206 207 fallthrough; 208 209 case -EDOM: 210 case offsetof(struct pt_regs, bx): 211 case offsetof(struct pt_regs, si): 212 return INAT_SEG_REG_DS; 213 214 case offsetof(struct pt_regs, di): 215 if (is_string_insn(insn)) 216 return INAT_SEG_REG_ES; 217 return INAT_SEG_REG_DS; 218 219 case offsetof(struct pt_regs, bp): 220 case offsetof(struct pt_regs, sp): 221 return INAT_SEG_REG_SS; 222 223 case offsetof(struct pt_regs, ip): 224 return INAT_SEG_REG_CS; 225 226 default: 227 return -EINVAL; 228 } 229 } 230 231 /** 232 * resolve_seg_reg() - obtain segment register index 233 * @insn: Instruction with operands 234 * @regs: Register values as seen when entering kernel mode 235 * @regoff: Operand offset, in pt_regs, used to determine segment register 236 * 237 * Determine the segment register associated with the operands and, if 238 * applicable, prefixes and the instruction pointed by @insn. 239 * 240 * The segment register associated to an operand used in register-indirect 241 * addressing depends on: 242 * 243 * a) Whether running in long mode (in such a case segments are ignored, except 244 * if FS or GS are used). 245 * 246 * b) Whether segment override prefixes can be used. Certain instructions and 247 * registers do not allow override prefixes. 248 * 249 * c) Whether segment overrides prefixes are found in the instruction prefixes. 250 * 251 * d) If there are not segment override prefixes or they cannot be used, the 252 * default segment register associated with the operand register is used. 253 * 254 * The function checks first if segment override prefixes can be used with the 255 * operand indicated by @regoff. If allowed, obtain such overridden segment 256 * register index. Lastly, if not prefixes were found or cannot be used, resolve 257 * the segment register index to use based on the defaults described in the 258 * Intel documentation. In long mode, all segment register indexes will be 259 * ignored, except if overrides were found for FS or GS. All these operations 260 * are done using helper functions. 261 * 262 * The operand register, @regoff, is represented as the offset from the base of 263 * pt_regs. 264 * 265 * As stated, the main use of this function is to determine the segment register 266 * index based on the instruction, its operands and prefixes. Hence, @insn 267 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 268 * @insn at all as in this case CS is used in all cases. This case is checked 269 * before proceeding further. 270 * 271 * Please note that this function does not return the value in the segment 272 * register (i.e., the segment selector) but our defined index. The segment 273 * selector needs to be obtained using get_segment_selector() and passing the 274 * segment register index resolved by this function. 275 * 276 * Returns: 277 * 278 * An index identifying the segment register to use, among CS, SS, DS, 279 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 280 * 281 * -EINVAL in case of error. 282 */ 283 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 284 { 285 int idx; 286 287 /* 288 * In the unlikely event of having to resolve the segment register 289 * index for rIP, do it first. Segment override prefixes should not 290 * be used. Hence, it is not necessary to inspect the instruction, 291 * which may be invalid at this point. 292 */ 293 if (regoff == offsetof(struct pt_regs, ip)) { 294 if (any_64bit_mode(regs)) 295 return INAT_SEG_REG_IGNORE; 296 else 297 return INAT_SEG_REG_CS; 298 } 299 300 if (!insn) 301 return -EINVAL; 302 303 if (!check_seg_overrides(insn, regoff)) 304 return resolve_default_seg(insn, regs, regoff); 305 306 idx = get_seg_reg_override_idx(insn); 307 if (idx < 0) 308 return idx; 309 310 if (idx == INAT_SEG_REG_DEFAULT) 311 return resolve_default_seg(insn, regs, regoff); 312 313 /* 314 * In long mode, segment override prefixes are ignored, except for 315 * overrides for FS and GS. 316 */ 317 if (any_64bit_mode(regs)) { 318 if (idx != INAT_SEG_REG_FS && 319 idx != INAT_SEG_REG_GS) 320 idx = INAT_SEG_REG_IGNORE; 321 } 322 323 return idx; 324 } 325 326 /** 327 * get_segment_selector() - obtain segment selector 328 * @regs: Register values as seen when entering kernel mode 329 * @seg_reg_idx: Segment register index to use 330 * 331 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 332 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 333 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 334 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 335 * registers. This done for only for completeness as in CONFIG_X86_64 segment 336 * registers are ignored. 337 * 338 * Returns: 339 * 340 * Value of the segment selector, including null when running in 341 * long mode. 342 * 343 * -EINVAL on error. 344 */ 345 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 346 { 347 #ifdef CONFIG_X86_64 348 unsigned short sel; 349 350 switch (seg_reg_idx) { 351 case INAT_SEG_REG_IGNORE: 352 return 0; 353 case INAT_SEG_REG_CS: 354 return (unsigned short)(regs->cs & 0xffff); 355 case INAT_SEG_REG_SS: 356 return (unsigned short)(regs->ss & 0xffff); 357 case INAT_SEG_REG_DS: 358 savesegment(ds, sel); 359 return sel; 360 case INAT_SEG_REG_ES: 361 savesegment(es, sel); 362 return sel; 363 case INAT_SEG_REG_FS: 364 savesegment(fs, sel); 365 return sel; 366 case INAT_SEG_REG_GS: 367 savesegment(gs, sel); 368 return sel; 369 default: 370 return -EINVAL; 371 } 372 #else /* CONFIG_X86_32 */ 373 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 374 375 if (v8086_mode(regs)) { 376 switch (seg_reg_idx) { 377 case INAT_SEG_REG_CS: 378 return (unsigned short)(regs->cs & 0xffff); 379 case INAT_SEG_REG_SS: 380 return (unsigned short)(regs->ss & 0xffff); 381 case INAT_SEG_REG_DS: 382 return vm86regs->ds; 383 case INAT_SEG_REG_ES: 384 return vm86regs->es; 385 case INAT_SEG_REG_FS: 386 return vm86regs->fs; 387 case INAT_SEG_REG_GS: 388 return vm86regs->gs; 389 case INAT_SEG_REG_IGNORE: 390 default: 391 return -EINVAL; 392 } 393 } 394 395 switch (seg_reg_idx) { 396 case INAT_SEG_REG_CS: 397 return (unsigned short)(regs->cs & 0xffff); 398 case INAT_SEG_REG_SS: 399 return (unsigned short)(regs->ss & 0xffff); 400 case INAT_SEG_REG_DS: 401 return (unsigned short)(regs->ds & 0xffff); 402 case INAT_SEG_REG_ES: 403 return (unsigned short)(regs->es & 0xffff); 404 case INAT_SEG_REG_FS: 405 return (unsigned short)(regs->fs & 0xffff); 406 case INAT_SEG_REG_GS: 407 return get_user_gs(regs); 408 case INAT_SEG_REG_IGNORE: 409 default: 410 return -EINVAL; 411 } 412 #endif /* CONFIG_X86_64 */ 413 } 414 415 static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 416 enum reg_type type) 417 { 418 int regno = 0; 419 420 static const int regoff[] = { 421 offsetof(struct pt_regs, ax), 422 offsetof(struct pt_regs, cx), 423 offsetof(struct pt_regs, dx), 424 offsetof(struct pt_regs, bx), 425 offsetof(struct pt_regs, sp), 426 offsetof(struct pt_regs, bp), 427 offsetof(struct pt_regs, si), 428 offsetof(struct pt_regs, di), 429 #ifdef CONFIG_X86_64 430 offsetof(struct pt_regs, r8), 431 offsetof(struct pt_regs, r9), 432 offsetof(struct pt_regs, r10), 433 offsetof(struct pt_regs, r11), 434 offsetof(struct pt_regs, r12), 435 offsetof(struct pt_regs, r13), 436 offsetof(struct pt_regs, r14), 437 offsetof(struct pt_regs, r15), 438 #endif 439 }; 440 int nr_registers = ARRAY_SIZE(regoff); 441 /* 442 * Don't possibly decode a 32-bit instructions as 443 * reading a 64-bit-only register. 444 */ 445 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 446 nr_registers -= 8; 447 448 switch (type) { 449 case REG_TYPE_RM: 450 regno = X86_MODRM_RM(insn->modrm.value); 451 452 /* 453 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 454 * follows the ModRM byte. 455 */ 456 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 457 return -EDOM; 458 459 if (X86_REX_B(insn->rex_prefix.value)) 460 regno += 8; 461 break; 462 463 case REG_TYPE_REG: 464 regno = X86_MODRM_REG(insn->modrm.value); 465 466 if (X86_REX_R(insn->rex_prefix.value)) 467 regno += 8; 468 break; 469 470 case REG_TYPE_INDEX: 471 regno = X86_SIB_INDEX(insn->sib.value); 472 if (X86_REX_X(insn->rex_prefix.value)) 473 regno += 8; 474 475 /* 476 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 477 * portion of the address computation is null. This is 478 * true only if REX.X is 0. In such a case, the SIB index 479 * is used in the address computation. 480 */ 481 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 482 return -EDOM; 483 break; 484 485 case REG_TYPE_BASE: 486 regno = X86_SIB_BASE(insn->sib.value); 487 /* 488 * If ModRM.mod is 0 and SIB.base == 5, the base of the 489 * register-indirect addressing is 0. In this case, a 490 * 32-bit displacement follows the SIB byte. 491 */ 492 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 493 return -EDOM; 494 495 if (X86_REX_B(insn->rex_prefix.value)) 496 regno += 8; 497 break; 498 499 default: 500 pr_err_ratelimited("invalid register type: %d\n", type); 501 return -EINVAL; 502 } 503 504 if (regno >= nr_registers) { 505 WARN_ONCE(1, "decoded an instruction with an invalid register"); 506 return -EINVAL; 507 } 508 return regoff[regno]; 509 } 510 511 /** 512 * get_reg_offset_16() - Obtain offset of register indicated by instruction 513 * @insn: Instruction containing ModRM byte 514 * @regs: Register values as seen when entering kernel mode 515 * @offs1: Offset of the first operand register 516 * @offs2: Offset of the second operand register, if applicable 517 * 518 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 519 * in @insn. This function is to be used with 16-bit address encodings. The 520 * @offs1 and @offs2 will be written with the offset of the two registers 521 * indicated by the instruction. In cases where any of the registers is not 522 * referenced by the instruction, the value will be set to -EDOM. 523 * 524 * Returns: 525 * 526 * 0 on success, -EINVAL on error. 527 */ 528 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 529 int *offs1, int *offs2) 530 { 531 /* 532 * 16-bit addressing can use one or two registers. Specifics of 533 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 534 * ModR/M Byte" of the Intel Software Development Manual. 535 */ 536 static const int regoff1[] = { 537 offsetof(struct pt_regs, bx), 538 offsetof(struct pt_regs, bx), 539 offsetof(struct pt_regs, bp), 540 offsetof(struct pt_regs, bp), 541 offsetof(struct pt_regs, si), 542 offsetof(struct pt_regs, di), 543 offsetof(struct pt_regs, bp), 544 offsetof(struct pt_regs, bx), 545 }; 546 547 static const int regoff2[] = { 548 offsetof(struct pt_regs, si), 549 offsetof(struct pt_regs, di), 550 offsetof(struct pt_regs, si), 551 offsetof(struct pt_regs, di), 552 -EDOM, 553 -EDOM, 554 -EDOM, 555 -EDOM, 556 }; 557 558 if (!offs1 || !offs2) 559 return -EINVAL; 560 561 /* Operand is a register, use the generic function. */ 562 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 563 *offs1 = insn_get_modrm_rm_off(insn, regs); 564 *offs2 = -EDOM; 565 return 0; 566 } 567 568 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 569 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 570 571 /* 572 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 573 * only addressing. This means that no registers are involved in 574 * computing the effective address. Thus, ensure that the first 575 * register offset is invalid. The second register offset is already 576 * invalid under the aforementioned conditions. 577 */ 578 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 579 (X86_MODRM_RM(insn->modrm.value) == 6)) 580 *offs1 = -EDOM; 581 582 return 0; 583 } 584 585 /** 586 * get_desc() - Obtain contents of a segment descriptor 587 * @out: Segment descriptor contents on success 588 * @sel: Segment selector 589 * 590 * Given a segment selector, obtain a pointer to the segment descriptor. 591 * Both global and local descriptor tables are supported. 592 * 593 * Returns: 594 * 595 * True on success, false on failure. 596 * 597 * NULL on error. 598 */ 599 static bool get_desc(struct desc_struct *out, unsigned short sel) 600 { 601 struct desc_ptr gdt_desc = {0, 0}; 602 unsigned long desc_base; 603 604 #ifdef CONFIG_MODIFY_LDT_SYSCALL 605 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 606 bool success = false; 607 struct ldt_struct *ldt; 608 609 /* Bits [15:3] contain the index of the desired entry. */ 610 sel >>= 3; 611 612 mutex_lock(¤t->active_mm->context.lock); 613 ldt = current->active_mm->context.ldt; 614 if (ldt && sel < ldt->nr_entries) { 615 *out = ldt->entries[sel]; 616 success = true; 617 } 618 619 mutex_unlock(¤t->active_mm->context.lock); 620 621 return success; 622 } 623 #endif 624 native_store_gdt(&gdt_desc); 625 626 /* 627 * Segment descriptors have a size of 8 bytes. Thus, the index is 628 * multiplied by 8 to obtain the memory offset of the desired descriptor 629 * from the base of the GDT. As bits [15:3] of the segment selector 630 * contain the index, it can be regarded as multiplied by 8 already. 631 * All that remains is to clear bits [2:0]. 632 */ 633 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 634 635 if (desc_base > gdt_desc.size) 636 return false; 637 638 *out = *(struct desc_struct *)(gdt_desc.address + desc_base); 639 return true; 640 } 641 642 /** 643 * insn_get_seg_base() - Obtain base address of segment descriptor. 644 * @regs: Register values as seen when entering kernel mode 645 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 646 * 647 * Obtain the base address of the segment as indicated by the segment descriptor 648 * pointed by the segment selector. The segment selector is obtained from the 649 * input segment register index @seg_reg_idx. 650 * 651 * Returns: 652 * 653 * In protected mode, base address of the segment. Zero in long mode, 654 * except when FS or GS are used. In virtual-8086 mode, the segment 655 * selector shifted 4 bits to the right. 656 * 657 * -1L in case of error. 658 */ 659 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 660 { 661 struct desc_struct desc; 662 short sel; 663 664 sel = get_segment_selector(regs, seg_reg_idx); 665 if (sel < 0) 666 return -1L; 667 668 if (v8086_mode(regs)) 669 /* 670 * Base is simply the segment selector shifted 4 671 * bits to the right. 672 */ 673 return (unsigned long)(sel << 4); 674 675 if (any_64bit_mode(regs)) { 676 /* 677 * Only FS or GS will have a base address, the rest of 678 * the segments' bases are forced to 0. 679 */ 680 unsigned long base; 681 682 if (seg_reg_idx == INAT_SEG_REG_FS) { 683 rdmsrl(MSR_FS_BASE, base); 684 } else if (seg_reg_idx == INAT_SEG_REG_GS) { 685 /* 686 * swapgs was called at the kernel entry point. Thus, 687 * MSR_KERNEL_GS_BASE will have the user-space GS base. 688 */ 689 if (user_mode(regs)) 690 rdmsrl(MSR_KERNEL_GS_BASE, base); 691 else 692 rdmsrl(MSR_GS_BASE, base); 693 } else { 694 base = 0; 695 } 696 return base; 697 } 698 699 /* In protected mode the segment selector cannot be null. */ 700 if (!sel) 701 return -1L; 702 703 if (!get_desc(&desc, sel)) 704 return -1L; 705 706 return get_desc_base(&desc); 707 } 708 709 /** 710 * get_seg_limit() - Obtain the limit of a segment descriptor 711 * @regs: Register values as seen when entering kernel mode 712 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 713 * 714 * Obtain the limit of the segment as indicated by the segment descriptor 715 * pointed by the segment selector. The segment selector is obtained from the 716 * input segment register index @seg_reg_idx. 717 * 718 * Returns: 719 * 720 * In protected mode, the limit of the segment descriptor in bytes. 721 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 722 * limit is returned as -1L to imply a limit-less segment. 723 * 724 * Zero is returned on error. 725 */ 726 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 727 { 728 struct desc_struct desc; 729 unsigned long limit; 730 short sel; 731 732 sel = get_segment_selector(regs, seg_reg_idx); 733 if (sel < 0) 734 return 0; 735 736 if (any_64bit_mode(regs) || v8086_mode(regs)) 737 return -1L; 738 739 if (!sel) 740 return 0; 741 742 if (!get_desc(&desc, sel)) 743 return 0; 744 745 /* 746 * If the granularity bit is set, the limit is given in multiples 747 * of 4096. This also means that the 12 least significant bits are 748 * not tested when checking the segment limits. In practice, 749 * this means that the segment ends in (limit << 12) + 0xfff. 750 */ 751 limit = get_desc_limit(&desc); 752 if (desc.g) 753 limit = (limit << 12) + 0xfff; 754 755 return limit; 756 } 757 758 /** 759 * insn_get_code_seg_params() - Obtain code segment parameters 760 * @regs: Structure with register values as seen when entering kernel mode 761 * 762 * Obtain address and operand sizes of the code segment. It is obtained from the 763 * selector contained in the CS register in regs. In protected mode, the default 764 * address is determined by inspecting the L and D bits of the segment 765 * descriptor. In virtual-8086 mode, the default is always two bytes for both 766 * address and operand sizes. 767 * 768 * Returns: 769 * 770 * An int containing ORed-in default parameters on success. 771 * 772 * -EINVAL on error. 773 */ 774 int insn_get_code_seg_params(struct pt_regs *regs) 775 { 776 struct desc_struct desc; 777 short sel; 778 779 if (v8086_mode(regs)) 780 /* Address and operand size are both 16-bit. */ 781 return INSN_CODE_SEG_PARAMS(2, 2); 782 783 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 784 if (sel < 0) 785 return sel; 786 787 if (!get_desc(&desc, sel)) 788 return -EINVAL; 789 790 /* 791 * The most significant byte of the Type field of the segment descriptor 792 * determines whether a segment contains data or code. If this is a data 793 * segment, return error. 794 */ 795 if (!(desc.type & BIT(3))) 796 return -EINVAL; 797 798 switch ((desc.l << 1) | desc.d) { 799 case 0: /* 800 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 801 * both 16-bit. 802 */ 803 return INSN_CODE_SEG_PARAMS(2, 2); 804 case 1: /* 805 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 806 * both 32-bit. 807 */ 808 return INSN_CODE_SEG_PARAMS(4, 4); 809 case 2: /* 810 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 811 * operand size is 32-bit. 812 */ 813 return INSN_CODE_SEG_PARAMS(4, 8); 814 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 815 fallthrough; 816 default: 817 return -EINVAL; 818 } 819 } 820 821 /** 822 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 823 * @insn: Instruction containing the ModRM byte 824 * @regs: Register values as seen when entering kernel mode 825 * 826 * Returns: 827 * 828 * The register indicated by the r/m part of the ModRM byte. The 829 * register is obtained as an offset from the base of pt_regs. In specific 830 * cases, the returned value can be -EDOM to indicate that the particular value 831 * of ModRM does not refer to a register and shall be ignored. 832 */ 833 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 834 { 835 return get_reg_offset(insn, regs, REG_TYPE_RM); 836 } 837 838 /** 839 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte 840 * @insn: Instruction containing the ModRM byte 841 * @regs: Register values as seen when entering kernel mode 842 * 843 * Returns: 844 * 845 * The register indicated by the reg part of the ModRM byte. The 846 * register is obtained as an offset from the base of pt_regs. 847 */ 848 int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs) 849 { 850 return get_reg_offset(insn, regs, REG_TYPE_REG); 851 } 852 853 /** 854 * get_seg_base_limit() - obtain base address and limit of a segment 855 * @insn: Instruction. Must be valid. 856 * @regs: Register values as seen when entering kernel mode 857 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 858 * @base: Obtained segment base 859 * @limit: Obtained segment limit 860 * 861 * Obtain the base address and limit of the segment associated with the operand 862 * @regoff and, if any or allowed, override prefixes in @insn. This function is 863 * different from insn_get_seg_base() as the latter does not resolve the segment 864 * associated with the instruction operand. If a limit is not needed (e.g., 865 * when running in long mode), @limit can be NULL. 866 * 867 * Returns: 868 * 869 * 0 on success. @base and @limit will contain the base address and of the 870 * resolved segment, respectively. 871 * 872 * -EINVAL on error. 873 */ 874 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 875 int regoff, unsigned long *base, 876 unsigned long *limit) 877 { 878 int seg_reg_idx; 879 880 if (!base) 881 return -EINVAL; 882 883 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 884 if (seg_reg_idx < 0) 885 return seg_reg_idx; 886 887 *base = insn_get_seg_base(regs, seg_reg_idx); 888 if (*base == -1L) 889 return -EINVAL; 890 891 if (!limit) 892 return 0; 893 894 *limit = get_seg_limit(regs, seg_reg_idx); 895 if (!(*limit)) 896 return -EINVAL; 897 898 return 0; 899 } 900 901 /** 902 * get_eff_addr_reg() - Obtain effective address from register operand 903 * @insn: Instruction. Must be valid. 904 * @regs: Register values as seen when entering kernel mode 905 * @regoff: Obtained operand offset, in pt_regs, with the effective address 906 * @eff_addr: Obtained effective address 907 * 908 * Obtain the effective address stored in the register operand as indicated by 909 * the ModRM byte. This function is to be used only with register addressing 910 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 911 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 912 * such offset can then be used to resolve the segment associated with the 913 * operand. This function can be used with any of the supported address sizes 914 * in x86. 915 * 916 * Returns: 917 * 918 * 0 on success. @eff_addr will have the effective address stored in the 919 * operand indicated by ModRM. @regoff will have such operand as an offset from 920 * the base of pt_regs. 921 * 922 * -EINVAL on error. 923 */ 924 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 925 int *regoff, long *eff_addr) 926 { 927 int ret; 928 929 ret = insn_get_modrm(insn); 930 if (ret) 931 return ret; 932 933 if (X86_MODRM_MOD(insn->modrm.value) != 3) 934 return -EINVAL; 935 936 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 937 if (*regoff < 0) 938 return -EINVAL; 939 940 /* Ignore bytes that are outside the address size. */ 941 if (insn->addr_bytes == 2) 942 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 943 else if (insn->addr_bytes == 4) 944 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 945 else /* 64-bit address */ 946 *eff_addr = regs_get_register(regs, *regoff); 947 948 return 0; 949 } 950 951 /** 952 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 953 * @insn: Instruction. Must be valid. 954 * @regs: Register values as seen when entering kernel mode 955 * @regoff: Obtained operand offset, in pt_regs, associated with segment 956 * @eff_addr: Obtained effective address 957 * 958 * Obtain the effective address referenced by the ModRM byte of @insn. After 959 * identifying the registers involved in the register-indirect memory reference, 960 * its value is obtained from the operands in @regs. The computed address is 961 * stored @eff_addr. Also, the register operand that indicates the associated 962 * segment is stored in @regoff, this parameter can later be used to determine 963 * such segment. 964 * 965 * Returns: 966 * 967 * 0 on success. @eff_addr will have the referenced effective address. @regoff 968 * will have a register, as an offset from the base of pt_regs, that can be used 969 * to resolve the associated segment. 970 * 971 * -EINVAL on error. 972 */ 973 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 974 int *regoff, long *eff_addr) 975 { 976 long tmp; 977 int ret; 978 979 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 980 return -EINVAL; 981 982 ret = insn_get_modrm(insn); 983 if (ret) 984 return ret; 985 986 if (X86_MODRM_MOD(insn->modrm.value) > 2) 987 return -EINVAL; 988 989 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 990 991 /* 992 * -EDOM means that we must ignore the address_offset. In such a case, 993 * in 64-bit mode the effective address relative to the rIP of the 994 * following instruction. 995 */ 996 if (*regoff == -EDOM) { 997 if (any_64bit_mode(regs)) 998 tmp = regs->ip + insn->length; 999 else 1000 tmp = 0; 1001 } else if (*regoff < 0) { 1002 return -EINVAL; 1003 } else { 1004 tmp = regs_get_register(regs, *regoff); 1005 } 1006 1007 if (insn->addr_bytes == 4) { 1008 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 1009 1010 *eff_addr = addr32 & 0xffffffff; 1011 } else { 1012 *eff_addr = tmp + insn->displacement.value; 1013 } 1014 1015 return 0; 1016 } 1017 1018 /** 1019 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 1020 * @insn: Instruction. Must be valid. 1021 * @regs: Register values as seen when entering kernel mode 1022 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1023 * @eff_addr: Obtained effective address 1024 * 1025 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 1026 * After identifying the registers involved in the register-indirect memory 1027 * reference, its value is obtained from the operands in @regs. The computed 1028 * address is stored @eff_addr. Also, the register operand that indicates 1029 * the associated segment is stored in @regoff, this parameter can later be used 1030 * to determine such segment. 1031 * 1032 * Returns: 1033 * 1034 * 0 on success. @eff_addr will have the referenced effective address. @regoff 1035 * will have a register, as an offset from the base of pt_regs, that can be used 1036 * to resolve the associated segment. 1037 * 1038 * -EINVAL on error. 1039 */ 1040 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 1041 int *regoff, short *eff_addr) 1042 { 1043 int addr_offset1, addr_offset2, ret; 1044 short addr1 = 0, addr2 = 0, displacement; 1045 1046 if (insn->addr_bytes != 2) 1047 return -EINVAL; 1048 1049 insn_get_modrm(insn); 1050 1051 if (!insn->modrm.nbytes) 1052 return -EINVAL; 1053 1054 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1055 return -EINVAL; 1056 1057 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1058 if (ret < 0) 1059 return -EINVAL; 1060 1061 /* 1062 * Don't fail on invalid offset values. They might be invalid because 1063 * they cannot be used for this particular value of ModRM. Instead, use 1064 * them in the computation only if they contain a valid value. 1065 */ 1066 if (addr_offset1 != -EDOM) 1067 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1068 1069 if (addr_offset2 != -EDOM) 1070 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1071 1072 displacement = insn->displacement.value & 0xffff; 1073 *eff_addr = addr1 + addr2 + displacement; 1074 1075 /* 1076 * The first operand register could indicate to use of either SS or DS 1077 * registers to obtain the segment selector. The second operand 1078 * register can only indicate the use of DS. Thus, the first operand 1079 * will be used to obtain the segment selector. 1080 */ 1081 *regoff = addr_offset1; 1082 1083 return 0; 1084 } 1085 1086 /** 1087 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1088 * @insn: Instruction. Must be valid. 1089 * @regs: Register values as seen when entering kernel mode 1090 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1091 * @eff_addr: Obtained effective address 1092 * 1093 * Obtain the effective address referenced by the SIB byte of @insn. After 1094 * identifying the registers involved in the indexed, register-indirect memory 1095 * reference, its value is obtained from the operands in @regs. The computed 1096 * address is stored @eff_addr. Also, the register operand that indicates the 1097 * associated segment is stored in @regoff, this parameter can later be used to 1098 * determine such segment. 1099 * 1100 * Returns: 1101 * 1102 * 0 on success. @eff_addr will have the referenced effective address. 1103 * @base_offset will have a register, as an offset from the base of pt_regs, 1104 * that can be used to resolve the associated segment. 1105 * 1106 * Negative value on error. 1107 */ 1108 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1109 int *base_offset, long *eff_addr) 1110 { 1111 long base, indx; 1112 int indx_offset; 1113 int ret; 1114 1115 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1116 return -EINVAL; 1117 1118 ret = insn_get_modrm(insn); 1119 if (ret) 1120 return ret; 1121 1122 if (!insn->modrm.nbytes) 1123 return -EINVAL; 1124 1125 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1126 return -EINVAL; 1127 1128 ret = insn_get_sib(insn); 1129 if (ret) 1130 return ret; 1131 1132 if (!insn->sib.nbytes) 1133 return -EINVAL; 1134 1135 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1136 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1137 1138 /* 1139 * Negative values in the base and index offset means an error when 1140 * decoding the SIB byte. Except -EDOM, which means that the registers 1141 * should not be used in the address computation. 1142 */ 1143 if (*base_offset == -EDOM) 1144 base = 0; 1145 else if (*base_offset < 0) 1146 return -EINVAL; 1147 else 1148 base = regs_get_register(regs, *base_offset); 1149 1150 if (indx_offset == -EDOM) 1151 indx = 0; 1152 else if (indx_offset < 0) 1153 return -EINVAL; 1154 else 1155 indx = regs_get_register(regs, indx_offset); 1156 1157 if (insn->addr_bytes == 4) { 1158 int addr32, base32, idx32; 1159 1160 base32 = base & 0xffffffff; 1161 idx32 = indx & 0xffffffff; 1162 1163 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1164 addr32 += insn->displacement.value; 1165 1166 *eff_addr = addr32 & 0xffffffff; 1167 } else { 1168 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1169 *eff_addr += insn->displacement.value; 1170 } 1171 1172 return 0; 1173 } 1174 1175 /** 1176 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1177 * @insn: Instruction containing ModRM byte and displacement 1178 * @regs: Register values as seen when entering kernel mode 1179 * 1180 * This function is to be used with 16-bit address encodings. Obtain the memory 1181 * address referred by the instruction's ModRM and displacement bytes. Also, the 1182 * segment used as base is determined by either any segment override prefixes in 1183 * @insn or the default segment of the registers involved in the address 1184 * computation. In protected mode, segment limits are enforced. 1185 * 1186 * Returns: 1187 * 1188 * Linear address referenced by the instruction operands on success. 1189 * 1190 * -1L on error. 1191 */ 1192 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1193 { 1194 unsigned long linear_addr = -1L, seg_base, seg_limit; 1195 int ret, regoff; 1196 short eff_addr; 1197 long tmp; 1198 1199 if (insn_get_displacement(insn)) 1200 goto out; 1201 1202 if (insn->addr_bytes != 2) 1203 goto out; 1204 1205 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1206 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1207 if (ret) 1208 goto out; 1209 1210 eff_addr = tmp; 1211 } else { 1212 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1213 if (ret) 1214 goto out; 1215 } 1216 1217 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1218 if (ret) 1219 goto out; 1220 1221 /* 1222 * Before computing the linear address, make sure the effective address 1223 * is within the limits of the segment. In virtual-8086 mode, segment 1224 * limits are not enforced. In such a case, the segment limit is -1L to 1225 * reflect this fact. 1226 */ 1227 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1228 goto out; 1229 1230 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1231 1232 /* Limit linear address to 20 bits */ 1233 if (v8086_mode(regs)) 1234 linear_addr &= 0xfffff; 1235 1236 out: 1237 return (void __user *)linear_addr; 1238 } 1239 1240 /** 1241 * get_addr_ref_32() - Obtain a 32-bit linear address 1242 * @insn: Instruction with ModRM, SIB bytes and displacement 1243 * @regs: Register values as seen when entering kernel mode 1244 * 1245 * This function is to be used with 32-bit address encodings to obtain the 1246 * linear memory address referred by the instruction's ModRM, SIB, 1247 * displacement bytes and segment base address, as applicable. If in protected 1248 * mode, segment limits are enforced. 1249 * 1250 * Returns: 1251 * 1252 * Linear address referenced by instruction and registers on success. 1253 * 1254 * -1L on error. 1255 */ 1256 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1257 { 1258 unsigned long linear_addr = -1L, seg_base, seg_limit; 1259 int eff_addr, regoff; 1260 long tmp; 1261 int ret; 1262 1263 if (insn->addr_bytes != 4) 1264 goto out; 1265 1266 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1267 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1268 if (ret) 1269 goto out; 1270 1271 eff_addr = tmp; 1272 1273 } else { 1274 if (insn->sib.nbytes) { 1275 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1276 if (ret) 1277 goto out; 1278 1279 eff_addr = tmp; 1280 } else { 1281 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1282 if (ret) 1283 goto out; 1284 1285 eff_addr = tmp; 1286 } 1287 } 1288 1289 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1290 if (ret) 1291 goto out; 1292 1293 /* 1294 * In protected mode, before computing the linear address, make sure 1295 * the effective address is within the limits of the segment. 1296 * 32-bit addresses can be used in long and virtual-8086 modes if an 1297 * address override prefix is used. In such cases, segment limits are 1298 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1299 * to reflect this situation. 1300 * 1301 * After computed, the effective address is treated as an unsigned 1302 * quantity. 1303 */ 1304 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1305 goto out; 1306 1307 /* 1308 * Even though 32-bit address encodings are allowed in virtual-8086 1309 * mode, the address range is still limited to [0x-0xffff]. 1310 */ 1311 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1312 goto out; 1313 1314 /* 1315 * Data type long could be 64 bits in size. Ensure that our 32-bit 1316 * effective address is not sign-extended when computing the linear 1317 * address. 1318 */ 1319 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1320 1321 /* Limit linear address to 20 bits */ 1322 if (v8086_mode(regs)) 1323 linear_addr &= 0xfffff; 1324 1325 out: 1326 return (void __user *)linear_addr; 1327 } 1328 1329 /** 1330 * get_addr_ref_64() - Obtain a 64-bit linear address 1331 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1332 * @regs: Structure with register values as seen when entering kernel mode 1333 * 1334 * This function is to be used with 64-bit address encodings to obtain the 1335 * linear memory address referred by the instruction's ModRM, SIB, 1336 * displacement bytes and segment base address, as applicable. 1337 * 1338 * Returns: 1339 * 1340 * Linear address referenced by instruction and registers on success. 1341 * 1342 * -1L on error. 1343 */ 1344 #ifndef CONFIG_X86_64 1345 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1346 { 1347 return (void __user *)-1L; 1348 } 1349 #else 1350 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1351 { 1352 unsigned long linear_addr = -1L, seg_base; 1353 int regoff, ret; 1354 long eff_addr; 1355 1356 if (insn->addr_bytes != 8) 1357 goto out; 1358 1359 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1360 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1361 if (ret) 1362 goto out; 1363 1364 } else { 1365 if (insn->sib.nbytes) { 1366 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1367 if (ret) 1368 goto out; 1369 } else { 1370 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1371 if (ret) 1372 goto out; 1373 } 1374 1375 } 1376 1377 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1378 if (ret) 1379 goto out; 1380 1381 linear_addr = (unsigned long)eff_addr + seg_base; 1382 1383 out: 1384 return (void __user *)linear_addr; 1385 } 1386 #endif /* CONFIG_X86_64 */ 1387 1388 /** 1389 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1390 * @insn: Instruction structure containing ModRM byte and displacement 1391 * @regs: Structure with register values as seen when entering kernel mode 1392 * 1393 * Obtain the linear address referred by the instruction's ModRM, SIB and 1394 * displacement bytes, and segment base, as applicable. In protected mode, 1395 * segment limits are enforced. 1396 * 1397 * Returns: 1398 * 1399 * Linear address referenced by instruction and registers on success. 1400 * 1401 * -1L on error. 1402 */ 1403 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1404 { 1405 if (!insn || !regs) 1406 return (void __user *)-1L; 1407 1408 switch (insn->addr_bytes) { 1409 case 2: 1410 return get_addr_ref_16(insn, regs); 1411 case 4: 1412 return get_addr_ref_32(insn, regs); 1413 case 8: 1414 return get_addr_ref_64(insn, regs); 1415 default: 1416 return (void __user *)-1L; 1417 } 1418 } 1419 1420 static unsigned long insn_get_effective_ip(struct pt_regs *regs) 1421 { 1422 unsigned long seg_base = 0; 1423 1424 /* 1425 * If not in user-space long mode, a custom code segment could be in 1426 * use. This is true in protected mode (if the process defined a local 1427 * descriptor table), or virtual-8086 mode. In most of the cases 1428 * seg_base will be zero as in USER_CS. 1429 */ 1430 if (!user_64bit_mode(regs)) { 1431 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS); 1432 if (seg_base == -1L) 1433 return 0; 1434 } 1435 1436 return seg_base + regs->ip; 1437 } 1438 1439 /** 1440 * insn_fetch_from_user() - Copy instruction bytes from user-space memory 1441 * @regs: Structure with register values as seen when entering kernel mode 1442 * @buf: Array to store the fetched instruction 1443 * 1444 * Gets the linear address of the instruction and copies the instruction bytes 1445 * to the buf. 1446 * 1447 * Returns: 1448 * 1449 * Number of instruction bytes copied. 1450 * 1451 * 0 if nothing was copied. 1452 */ 1453 int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1454 { 1455 unsigned long ip; 1456 int not_copied; 1457 1458 ip = insn_get_effective_ip(regs); 1459 if (!ip) 1460 return 0; 1461 1462 not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE); 1463 1464 return MAX_INSN_SIZE - not_copied; 1465 } 1466 1467 /** 1468 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory 1469 * while in atomic code 1470 * @regs: Structure with register values as seen when entering kernel mode 1471 * @buf: Array to store the fetched instruction 1472 * 1473 * Gets the linear address of the instruction and copies the instruction bytes 1474 * to the buf. This function must be used in atomic context. 1475 * 1476 * Returns: 1477 * 1478 * Number of instruction bytes copied. 1479 * 1480 * 0 if nothing was copied. 1481 */ 1482 int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1483 { 1484 unsigned long ip; 1485 int not_copied; 1486 1487 ip = insn_get_effective_ip(regs); 1488 if (!ip) 1489 return 0; 1490 1491 not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE); 1492 1493 return MAX_INSN_SIZE - not_copied; 1494 } 1495 1496 /** 1497 * insn_decode_from_regs() - Decode an instruction 1498 * @insn: Structure to store decoded instruction 1499 * @regs: Structure with register values as seen when entering kernel mode 1500 * @buf: Buffer containing the instruction bytes 1501 * @buf_size: Number of instruction bytes available in buf 1502 * 1503 * Decodes the instruction provided in buf and stores the decoding results in 1504 * insn. Also determines the correct address and operand sizes. 1505 * 1506 * Returns: 1507 * 1508 * True if instruction was decoded, False otherwise. 1509 */ 1510 bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs, 1511 unsigned char buf[MAX_INSN_SIZE], int buf_size) 1512 { 1513 int seg_defs; 1514 1515 insn_init(insn, buf, buf_size, user_64bit_mode(regs)); 1516 1517 /* 1518 * Override the default operand and address sizes with what is specified 1519 * in the code segment descriptor. The instruction decoder only sets 1520 * the address size it to either 4 or 8 address bytes and does nothing 1521 * for the operand bytes. This OK for most of the cases, but we could 1522 * have special cases where, for instance, a 16-bit code segment 1523 * descriptor is used. 1524 * If there is an address override prefix, the instruction decoder 1525 * correctly updates these values, even for 16-bit defaults. 1526 */ 1527 seg_defs = insn_get_code_seg_params(regs); 1528 if (seg_defs == -EINVAL) 1529 return false; 1530 1531 insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs); 1532 insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs); 1533 1534 if (insn_get_length(insn)) 1535 return false; 1536 1537 if (buf_size < insn->length) 1538 return false; 1539 1540 return true; 1541 } 1542