1 /* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6 #include <linux/kernel.h> 7 #include <linux/string.h> 8 #include <linux/ratelimit.h> 9 #include <linux/mmu_context.h> 10 #include <asm/desc_defs.h> 11 #include <asm/desc.h> 12 #include <asm/inat.h> 13 #include <asm/insn.h> 14 #include <asm/insn-eval.h> 15 #include <asm/ldt.h> 16 #include <asm/vm86.h> 17 18 #undef pr_fmt 19 #define pr_fmt(fmt) "insn: " fmt 20 21 enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_INDEX, 24 REG_TYPE_BASE, 25 }; 26 27 /** 28 * is_string_insn() - Determine if instruction is a string instruction 29 * @insn: Instruction containing the opcode to inspect 30 * 31 * Returns: 32 * 33 * true if the instruction, determined by the opcode, is any of the 34 * string instructions as defined in the Intel Software Development manual. 35 * False otherwise. 36 */ 37 static bool is_string_insn(struct insn *insn) 38 { 39 insn_get_opcode(insn); 40 41 /* All string instructions have a 1-byte opcode. */ 42 if (insn->opcode.nbytes != 1) 43 return false; 44 45 switch (insn->opcode.bytes[0]) { 46 case 0x6c ... 0x6f: /* INS, OUTS */ 47 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 49 return true; 50 default: 51 return false; 52 } 53 } 54 55 /** 56 * get_seg_reg_override_idx() - obtain segment register override index 57 * @insn: Valid instruction with segment override prefixes 58 * 59 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 60 * 61 * Returns: 62 * 63 * A constant identifying the segment register to use, among CS, SS, DS, 64 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 65 * prefixes were found. 66 * 67 * -EINVAL in case of error. 68 */ 69 static int get_seg_reg_override_idx(struct insn *insn) 70 { 71 int idx = INAT_SEG_REG_DEFAULT; 72 int num_overrides = 0, i; 73 74 insn_get_prefixes(insn); 75 76 /* Look for any segment override prefixes. */ 77 for (i = 0; i < insn->prefixes.nbytes; i++) { 78 insn_attr_t attr; 79 80 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); 81 switch (attr) { 82 case INAT_MAKE_PREFIX(INAT_PFX_CS): 83 idx = INAT_SEG_REG_CS; 84 num_overrides++; 85 break; 86 case INAT_MAKE_PREFIX(INAT_PFX_SS): 87 idx = INAT_SEG_REG_SS; 88 num_overrides++; 89 break; 90 case INAT_MAKE_PREFIX(INAT_PFX_DS): 91 idx = INAT_SEG_REG_DS; 92 num_overrides++; 93 break; 94 case INAT_MAKE_PREFIX(INAT_PFX_ES): 95 idx = INAT_SEG_REG_ES; 96 num_overrides++; 97 break; 98 case INAT_MAKE_PREFIX(INAT_PFX_FS): 99 idx = INAT_SEG_REG_FS; 100 num_overrides++; 101 break; 102 case INAT_MAKE_PREFIX(INAT_PFX_GS): 103 idx = INAT_SEG_REG_GS; 104 num_overrides++; 105 break; 106 /* No default action needed. */ 107 } 108 } 109 110 /* More than one segment override prefix leads to undefined behavior. */ 111 if (num_overrides > 1) 112 return -EINVAL; 113 114 return idx; 115 } 116 117 /** 118 * check_seg_overrides() - check if segment override prefixes are allowed 119 * @insn: Valid instruction with segment override prefixes 120 * @regoff: Operand offset, in pt_regs, for which the check is performed 121 * 122 * For a particular register used in register-indirect addressing, determine if 123 * segment override prefixes can be used. Specifically, no overrides are allowed 124 * for rDI if used with a string instruction. 125 * 126 * Returns: 127 * 128 * True if segment override prefixes can be used with the register indicated 129 * in @regoff. False if otherwise. 130 */ 131 static bool check_seg_overrides(struct insn *insn, int regoff) 132 { 133 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 134 return false; 135 136 return true; 137 } 138 139 /** 140 * resolve_default_seg() - resolve default segment register index for an operand 141 * @insn: Instruction with opcode and address size. Must be valid. 142 * @regs: Register values as seen when entering kernel mode 143 * @off: Operand offset, in pt_regs, for which resolution is needed 144 * 145 * Resolve the default segment register index associated with the instruction 146 * operand register indicated by @off. Such index is resolved based on defaults 147 * described in the Intel Software Development Manual. 148 * 149 * Returns: 150 * 151 * If in protected mode, a constant identifying the segment register to use, 152 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 153 * 154 * -EINVAL in case of error. 155 */ 156 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 157 { 158 if (user_64bit_mode(regs)) 159 return INAT_SEG_REG_IGNORE; 160 /* 161 * Resolve the default segment register as described in Section 3.7.4 162 * of the Intel Software Development Manual Vol. 1: 163 * 164 * + DS for all references involving r[ABCD]X, and rSI. 165 * + If used in a string instruction, ES for rDI. Otherwise, DS. 166 * + AX, CX and DX are not valid register operands in 16-bit address 167 * encodings but are valid for 32-bit and 64-bit encodings. 168 * + -EDOM is reserved to identify for cases in which no register 169 * is used (i.e., displacement-only addressing). Use DS. 170 * + SS for rSP or rBP. 171 * + CS for rIP. 172 */ 173 174 switch (off) { 175 case offsetof(struct pt_regs, ax): 176 case offsetof(struct pt_regs, cx): 177 case offsetof(struct pt_regs, dx): 178 /* Need insn to verify address size. */ 179 if (insn->addr_bytes == 2) 180 return -EINVAL; 181 182 case -EDOM: 183 case offsetof(struct pt_regs, bx): 184 case offsetof(struct pt_regs, si): 185 return INAT_SEG_REG_DS; 186 187 case offsetof(struct pt_regs, di): 188 if (is_string_insn(insn)) 189 return INAT_SEG_REG_ES; 190 return INAT_SEG_REG_DS; 191 192 case offsetof(struct pt_regs, bp): 193 case offsetof(struct pt_regs, sp): 194 return INAT_SEG_REG_SS; 195 196 case offsetof(struct pt_regs, ip): 197 return INAT_SEG_REG_CS; 198 199 default: 200 return -EINVAL; 201 } 202 } 203 204 /** 205 * resolve_seg_reg() - obtain segment register index 206 * @insn: Instruction with operands 207 * @regs: Register values as seen when entering kernel mode 208 * @regoff: Operand offset, in pt_regs, used to deterimine segment register 209 * 210 * Determine the segment register associated with the operands and, if 211 * applicable, prefixes and the instruction pointed by @insn. 212 * 213 * The segment register associated to an operand used in register-indirect 214 * addressing depends on: 215 * 216 * a) Whether running in long mode (in such a case segments are ignored, except 217 * if FS or GS are used). 218 * 219 * b) Whether segment override prefixes can be used. Certain instructions and 220 * registers do not allow override prefixes. 221 * 222 * c) Whether segment overrides prefixes are found in the instruction prefixes. 223 * 224 * d) If there are not segment override prefixes or they cannot be used, the 225 * default segment register associated with the operand register is used. 226 * 227 * The function checks first if segment override prefixes can be used with the 228 * operand indicated by @regoff. If allowed, obtain such overridden segment 229 * register index. Lastly, if not prefixes were found or cannot be used, resolve 230 * the segment register index to use based on the defaults described in the 231 * Intel documentation. In long mode, all segment register indexes will be 232 * ignored, except if overrides were found for FS or GS. All these operations 233 * are done using helper functions. 234 * 235 * The operand register, @regoff, is represented as the offset from the base of 236 * pt_regs. 237 * 238 * As stated, the main use of this function is to determine the segment register 239 * index based on the instruction, its operands and prefixes. Hence, @insn 240 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 241 * @insn at all as in this case CS is used in all cases. This case is checked 242 * before proceeding further. 243 * 244 * Please note that this function does not return the value in the segment 245 * register (i.e., the segment selector) but our defined index. The segment 246 * selector needs to be obtained using get_segment_selector() and passing the 247 * segment register index resolved by this function. 248 * 249 * Returns: 250 * 251 * An index identifying the segment register to use, among CS, SS, DS, 252 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 253 * 254 * -EINVAL in case of error. 255 */ 256 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 257 { 258 int idx; 259 260 /* 261 * In the unlikely event of having to resolve the segment register 262 * index for rIP, do it first. Segment override prefixes should not 263 * be used. Hence, it is not necessary to inspect the instruction, 264 * which may be invalid at this point. 265 */ 266 if (regoff == offsetof(struct pt_regs, ip)) { 267 if (user_64bit_mode(regs)) 268 return INAT_SEG_REG_IGNORE; 269 else 270 return INAT_SEG_REG_CS; 271 } 272 273 if (!insn) 274 return -EINVAL; 275 276 if (!check_seg_overrides(insn, regoff)) 277 return resolve_default_seg(insn, regs, regoff); 278 279 idx = get_seg_reg_override_idx(insn); 280 if (idx < 0) 281 return idx; 282 283 if (idx == INAT_SEG_REG_DEFAULT) 284 return resolve_default_seg(insn, regs, regoff); 285 286 /* 287 * In long mode, segment override prefixes are ignored, except for 288 * overrides for FS and GS. 289 */ 290 if (user_64bit_mode(regs)) { 291 if (idx != INAT_SEG_REG_FS && 292 idx != INAT_SEG_REG_GS) 293 idx = INAT_SEG_REG_IGNORE; 294 } 295 296 return idx; 297 } 298 299 /** 300 * get_segment_selector() - obtain segment selector 301 * @regs: Register values as seen when entering kernel mode 302 * @seg_reg_idx: Segment register index to use 303 * 304 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 305 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 306 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 307 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 308 * registers. This done for only for completeness as in CONFIG_X86_64 segment 309 * registers are ignored. 310 * 311 * Returns: 312 * 313 * Value of the segment selector, including null when running in 314 * long mode. 315 * 316 * -EINVAL on error. 317 */ 318 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 319 { 320 #ifdef CONFIG_X86_64 321 unsigned short sel; 322 323 switch (seg_reg_idx) { 324 case INAT_SEG_REG_IGNORE: 325 return 0; 326 case INAT_SEG_REG_CS: 327 return (unsigned short)(regs->cs & 0xffff); 328 case INAT_SEG_REG_SS: 329 return (unsigned short)(regs->ss & 0xffff); 330 case INAT_SEG_REG_DS: 331 savesegment(ds, sel); 332 return sel; 333 case INAT_SEG_REG_ES: 334 savesegment(es, sel); 335 return sel; 336 case INAT_SEG_REG_FS: 337 savesegment(fs, sel); 338 return sel; 339 case INAT_SEG_REG_GS: 340 savesegment(gs, sel); 341 return sel; 342 default: 343 return -EINVAL; 344 } 345 #else /* CONFIG_X86_32 */ 346 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 347 348 if (v8086_mode(regs)) { 349 switch (seg_reg_idx) { 350 case INAT_SEG_REG_CS: 351 return (unsigned short)(regs->cs & 0xffff); 352 case INAT_SEG_REG_SS: 353 return (unsigned short)(regs->ss & 0xffff); 354 case INAT_SEG_REG_DS: 355 return vm86regs->ds; 356 case INAT_SEG_REG_ES: 357 return vm86regs->es; 358 case INAT_SEG_REG_FS: 359 return vm86regs->fs; 360 case INAT_SEG_REG_GS: 361 return vm86regs->gs; 362 case INAT_SEG_REG_IGNORE: 363 /* fall through */ 364 default: 365 return -EINVAL; 366 } 367 } 368 369 switch (seg_reg_idx) { 370 case INAT_SEG_REG_CS: 371 return (unsigned short)(regs->cs & 0xffff); 372 case INAT_SEG_REG_SS: 373 return (unsigned short)(regs->ss & 0xffff); 374 case INAT_SEG_REG_DS: 375 return (unsigned short)(regs->ds & 0xffff); 376 case INAT_SEG_REG_ES: 377 return (unsigned short)(regs->es & 0xffff); 378 case INAT_SEG_REG_FS: 379 return (unsigned short)(regs->fs & 0xffff); 380 case INAT_SEG_REG_GS: 381 /* 382 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. 383 * The macro below takes care of both cases. 384 */ 385 return get_user_gs(regs); 386 case INAT_SEG_REG_IGNORE: 387 /* fall through */ 388 default: 389 return -EINVAL; 390 } 391 #endif /* CONFIG_X86_64 */ 392 } 393 394 static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 395 enum reg_type type) 396 { 397 int regno = 0; 398 399 static const int regoff[] = { 400 offsetof(struct pt_regs, ax), 401 offsetof(struct pt_regs, cx), 402 offsetof(struct pt_regs, dx), 403 offsetof(struct pt_regs, bx), 404 offsetof(struct pt_regs, sp), 405 offsetof(struct pt_regs, bp), 406 offsetof(struct pt_regs, si), 407 offsetof(struct pt_regs, di), 408 #ifdef CONFIG_X86_64 409 offsetof(struct pt_regs, r8), 410 offsetof(struct pt_regs, r9), 411 offsetof(struct pt_regs, r10), 412 offsetof(struct pt_regs, r11), 413 offsetof(struct pt_regs, r12), 414 offsetof(struct pt_regs, r13), 415 offsetof(struct pt_regs, r14), 416 offsetof(struct pt_regs, r15), 417 #endif 418 }; 419 int nr_registers = ARRAY_SIZE(regoff); 420 /* 421 * Don't possibly decode a 32-bit instructions as 422 * reading a 64-bit-only register. 423 */ 424 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 425 nr_registers -= 8; 426 427 switch (type) { 428 case REG_TYPE_RM: 429 regno = X86_MODRM_RM(insn->modrm.value); 430 431 /* 432 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 433 * follows the ModRM byte. 434 */ 435 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 436 return -EDOM; 437 438 if (X86_REX_B(insn->rex_prefix.value)) 439 regno += 8; 440 break; 441 442 case REG_TYPE_INDEX: 443 regno = X86_SIB_INDEX(insn->sib.value); 444 if (X86_REX_X(insn->rex_prefix.value)) 445 regno += 8; 446 447 /* 448 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 449 * portion of the address computation is null. This is 450 * true only if REX.X is 0. In such a case, the SIB index 451 * is used in the address computation. 452 */ 453 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 454 return -EDOM; 455 break; 456 457 case REG_TYPE_BASE: 458 regno = X86_SIB_BASE(insn->sib.value); 459 /* 460 * If ModRM.mod is 0 and SIB.base == 5, the base of the 461 * register-indirect addressing is 0. In this case, a 462 * 32-bit displacement follows the SIB byte. 463 */ 464 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 465 return -EDOM; 466 467 if (X86_REX_B(insn->rex_prefix.value)) 468 regno += 8; 469 break; 470 471 default: 472 pr_err_ratelimited("invalid register type: %d\n", type); 473 return -EINVAL; 474 } 475 476 if (regno >= nr_registers) { 477 WARN_ONCE(1, "decoded an instruction with an invalid register"); 478 return -EINVAL; 479 } 480 return regoff[regno]; 481 } 482 483 /** 484 * get_reg_offset_16() - Obtain offset of register indicated by instruction 485 * @insn: Instruction containing ModRM byte 486 * @regs: Register values as seen when entering kernel mode 487 * @offs1: Offset of the first operand register 488 * @offs2: Offset of the second opeand register, if applicable 489 * 490 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 491 * in @insn. This function is to be used with 16-bit address encodings. The 492 * @offs1 and @offs2 will be written with the offset of the two registers 493 * indicated by the instruction. In cases where any of the registers is not 494 * referenced by the instruction, the value will be set to -EDOM. 495 * 496 * Returns: 497 * 498 * 0 on success, -EINVAL on error. 499 */ 500 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 501 int *offs1, int *offs2) 502 { 503 /* 504 * 16-bit addressing can use one or two registers. Specifics of 505 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 506 * ModR/M Byte" of the Intel Software Development Manual. 507 */ 508 static const int regoff1[] = { 509 offsetof(struct pt_regs, bx), 510 offsetof(struct pt_regs, bx), 511 offsetof(struct pt_regs, bp), 512 offsetof(struct pt_regs, bp), 513 offsetof(struct pt_regs, si), 514 offsetof(struct pt_regs, di), 515 offsetof(struct pt_regs, bp), 516 offsetof(struct pt_regs, bx), 517 }; 518 519 static const int regoff2[] = { 520 offsetof(struct pt_regs, si), 521 offsetof(struct pt_regs, di), 522 offsetof(struct pt_regs, si), 523 offsetof(struct pt_regs, di), 524 -EDOM, 525 -EDOM, 526 -EDOM, 527 -EDOM, 528 }; 529 530 if (!offs1 || !offs2) 531 return -EINVAL; 532 533 /* Operand is a register, use the generic function. */ 534 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 535 *offs1 = insn_get_modrm_rm_off(insn, regs); 536 *offs2 = -EDOM; 537 return 0; 538 } 539 540 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 541 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 542 543 /* 544 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 545 * only addressing. This means that no registers are involved in 546 * computing the effective address. Thus, ensure that the first 547 * register offset is invalild. The second register offset is already 548 * invalid under the aforementioned conditions. 549 */ 550 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 551 (X86_MODRM_RM(insn->modrm.value) == 6)) 552 *offs1 = -EDOM; 553 554 return 0; 555 } 556 557 /** 558 * get_desc() - Obtain pointer to a segment descriptor 559 * @sel: Segment selector 560 * 561 * Given a segment selector, obtain a pointer to the segment descriptor. 562 * Both global and local descriptor tables are supported. 563 * 564 * Returns: 565 * 566 * Pointer to segment descriptor on success. 567 * 568 * NULL on error. 569 */ 570 static struct desc_struct *get_desc(unsigned short sel) 571 { 572 struct desc_ptr gdt_desc = {0, 0}; 573 unsigned long desc_base; 574 575 #ifdef CONFIG_MODIFY_LDT_SYSCALL 576 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 577 struct desc_struct *desc = NULL; 578 struct ldt_struct *ldt; 579 580 /* Bits [15:3] contain the index of the desired entry. */ 581 sel >>= 3; 582 583 mutex_lock(¤t->active_mm->context.lock); 584 ldt = current->active_mm->context.ldt; 585 if (ldt && sel < ldt->nr_entries) 586 desc = &ldt->entries[sel]; 587 588 mutex_unlock(¤t->active_mm->context.lock); 589 590 return desc; 591 } 592 #endif 593 native_store_gdt(&gdt_desc); 594 595 /* 596 * Segment descriptors have a size of 8 bytes. Thus, the index is 597 * multiplied by 8 to obtain the memory offset of the desired descriptor 598 * from the base of the GDT. As bits [15:3] of the segment selector 599 * contain the index, it can be regarded as multiplied by 8 already. 600 * All that remains is to clear bits [2:0]. 601 */ 602 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 603 604 if (desc_base > gdt_desc.size) 605 return NULL; 606 607 return (struct desc_struct *)(gdt_desc.address + desc_base); 608 } 609 610 /** 611 * insn_get_seg_base() - Obtain base address of segment descriptor. 612 * @regs: Register values as seen when entering kernel mode 613 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 614 * 615 * Obtain the base address of the segment as indicated by the segment descriptor 616 * pointed by the segment selector. The segment selector is obtained from the 617 * input segment register index @seg_reg_idx. 618 * 619 * Returns: 620 * 621 * In protected mode, base address of the segment. Zero in long mode, 622 * except when FS or GS are used. In virtual-8086 mode, the segment 623 * selector shifted 4 bits to the right. 624 * 625 * -1L in case of error. 626 */ 627 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 628 { 629 struct desc_struct *desc; 630 short sel; 631 632 sel = get_segment_selector(regs, seg_reg_idx); 633 if (sel < 0) 634 return -1L; 635 636 if (v8086_mode(regs)) 637 /* 638 * Base is simply the segment selector shifted 4 639 * bits to the right. 640 */ 641 return (unsigned long)(sel << 4); 642 643 if (user_64bit_mode(regs)) { 644 /* 645 * Only FS or GS will have a base address, the rest of 646 * the segments' bases are forced to 0. 647 */ 648 unsigned long base; 649 650 if (seg_reg_idx == INAT_SEG_REG_FS) 651 rdmsrl(MSR_FS_BASE, base); 652 else if (seg_reg_idx == INAT_SEG_REG_GS) 653 /* 654 * swapgs was called at the kernel entry point. Thus, 655 * MSR_KERNEL_GS_BASE will have the user-space GS base. 656 */ 657 rdmsrl(MSR_KERNEL_GS_BASE, base); 658 else 659 base = 0; 660 return base; 661 } 662 663 /* In protected mode the segment selector cannot be null. */ 664 if (!sel) 665 return -1L; 666 667 desc = get_desc(sel); 668 if (!desc) 669 return -1L; 670 671 return get_desc_base(desc); 672 } 673 674 /** 675 * get_seg_limit() - Obtain the limit of a segment descriptor 676 * @regs: Register values as seen when entering kernel mode 677 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 678 * 679 * Obtain the limit of the segment as indicated by the segment descriptor 680 * pointed by the segment selector. The segment selector is obtained from the 681 * input segment register index @seg_reg_idx. 682 * 683 * Returns: 684 * 685 * In protected mode, the limit of the segment descriptor in bytes. 686 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 687 * limit is returned as -1L to imply a limit-less segment. 688 * 689 * Zero is returned on error. 690 */ 691 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 692 { 693 struct desc_struct *desc; 694 unsigned long limit; 695 short sel; 696 697 sel = get_segment_selector(regs, seg_reg_idx); 698 if (sel < 0) 699 return 0; 700 701 if (user_64bit_mode(regs) || v8086_mode(regs)) 702 return -1L; 703 704 if (!sel) 705 return 0; 706 707 desc = get_desc(sel); 708 if (!desc) 709 return 0; 710 711 /* 712 * If the granularity bit is set, the limit is given in multiples 713 * of 4096. This also means that the 12 least significant bits are 714 * not tested when checking the segment limits. In practice, 715 * this means that the segment ends in (limit << 12) + 0xfff. 716 */ 717 limit = get_desc_limit(desc); 718 if (desc->g) 719 limit = (limit << 12) + 0xfff; 720 721 return limit; 722 } 723 724 /** 725 * insn_get_code_seg_params() - Obtain code segment parameters 726 * @regs: Structure with register values as seen when entering kernel mode 727 * 728 * Obtain address and operand sizes of the code segment. It is obtained from the 729 * selector contained in the CS register in regs. In protected mode, the default 730 * address is determined by inspecting the L and D bits of the segment 731 * descriptor. In virtual-8086 mode, the default is always two bytes for both 732 * address and operand sizes. 733 * 734 * Returns: 735 * 736 * An int containing ORed-in default parameters on success. 737 * 738 * -EINVAL on error. 739 */ 740 int insn_get_code_seg_params(struct pt_regs *regs) 741 { 742 struct desc_struct *desc; 743 short sel; 744 745 if (v8086_mode(regs)) 746 /* Address and operand size are both 16-bit. */ 747 return INSN_CODE_SEG_PARAMS(2, 2); 748 749 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 750 if (sel < 0) 751 return sel; 752 753 desc = get_desc(sel); 754 if (!desc) 755 return -EINVAL; 756 757 /* 758 * The most significant byte of the Type field of the segment descriptor 759 * determines whether a segment contains data or code. If this is a data 760 * segment, return error. 761 */ 762 if (!(desc->type & BIT(3))) 763 return -EINVAL; 764 765 switch ((desc->l << 1) | desc->d) { 766 case 0: /* 767 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 768 * both 16-bit. 769 */ 770 return INSN_CODE_SEG_PARAMS(2, 2); 771 case 1: /* 772 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 773 * both 32-bit. 774 */ 775 return INSN_CODE_SEG_PARAMS(4, 4); 776 case 2: /* 777 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 778 * operand size is 32-bit. 779 */ 780 return INSN_CODE_SEG_PARAMS(4, 8); 781 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 782 /* fall through */ 783 default: 784 return -EINVAL; 785 } 786 } 787 788 /** 789 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 790 * @insn: Instruction containing the ModRM byte 791 * @regs: Register values as seen when entering kernel mode 792 * 793 * Returns: 794 * 795 * The register indicated by the r/m part of the ModRM byte. The 796 * register is obtained as an offset from the base of pt_regs. In specific 797 * cases, the returned value can be -EDOM to indicate that the particular value 798 * of ModRM does not refer to a register and shall be ignored. 799 */ 800 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 801 { 802 return get_reg_offset(insn, regs, REG_TYPE_RM); 803 } 804 805 /** 806 * get_seg_base_limit() - obtain base address and limit of a segment 807 * @insn: Instruction. Must be valid. 808 * @regs: Register values as seen when entering kernel mode 809 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 810 * @base: Obtained segment base 811 * @limit: Obtained segment limit 812 * 813 * Obtain the base address and limit of the segment associated with the operand 814 * @regoff and, if any or allowed, override prefixes in @insn. This function is 815 * different from insn_get_seg_base() as the latter does not resolve the segment 816 * associated with the instruction operand. If a limit is not needed (e.g., 817 * when running in long mode), @limit can be NULL. 818 * 819 * Returns: 820 * 821 * 0 on success. @base and @limit will contain the base address and of the 822 * resolved segment, respectively. 823 * 824 * -EINVAL on error. 825 */ 826 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 827 int regoff, unsigned long *base, 828 unsigned long *limit) 829 { 830 int seg_reg_idx; 831 832 if (!base) 833 return -EINVAL; 834 835 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 836 if (seg_reg_idx < 0) 837 return seg_reg_idx; 838 839 *base = insn_get_seg_base(regs, seg_reg_idx); 840 if (*base == -1L) 841 return -EINVAL; 842 843 if (!limit) 844 return 0; 845 846 *limit = get_seg_limit(regs, seg_reg_idx); 847 if (!(*limit)) 848 return -EINVAL; 849 850 return 0; 851 } 852 853 /** 854 * get_eff_addr_reg() - Obtain effective address from register operand 855 * @insn: Instruction. Must be valid. 856 * @regs: Register values as seen when entering kernel mode 857 * @regoff: Obtained operand offset, in pt_regs, with the effective address 858 * @eff_addr: Obtained effective address 859 * 860 * Obtain the effective address stored in the register operand as indicated by 861 * the ModRM byte. This function is to be used only with register addressing 862 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 863 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 864 * such offset can then be used to resolve the segment associated with the 865 * operand. This function can be used with any of the supported address sizes 866 * in x86. 867 * 868 * Returns: 869 * 870 * 0 on success. @eff_addr will have the effective address stored in the 871 * operand indicated by ModRM. @regoff will have such operand as an offset from 872 * the base of pt_regs. 873 * 874 * -EINVAL on error. 875 */ 876 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 877 int *regoff, long *eff_addr) 878 { 879 insn_get_modrm(insn); 880 881 if (!insn->modrm.nbytes) 882 return -EINVAL; 883 884 if (X86_MODRM_MOD(insn->modrm.value) != 3) 885 return -EINVAL; 886 887 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 888 if (*regoff < 0) 889 return -EINVAL; 890 891 /* Ignore bytes that are outside the address size. */ 892 if (insn->addr_bytes == 2) 893 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 894 else if (insn->addr_bytes == 4) 895 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 896 else /* 64-bit address */ 897 *eff_addr = regs_get_register(regs, *regoff); 898 899 return 0; 900 } 901 902 /** 903 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 904 * @insn: Instruction. Must be valid. 905 * @regs: Register values as seen when entering kernel mode 906 * @regoff: Obtained operand offset, in pt_regs, associated with segment 907 * @eff_addr: Obtained effective address 908 * 909 * Obtain the effective address referenced by the ModRM byte of @insn. After 910 * identifying the registers involved in the register-indirect memory reference, 911 * its value is obtained from the operands in @regs. The computed address is 912 * stored @eff_addr. Also, the register operand that indicates the associated 913 * segment is stored in @regoff, this parameter can later be used to determine 914 * such segment. 915 * 916 * Returns: 917 * 918 * 0 on success. @eff_addr will have the referenced effective address. @regoff 919 * will have a register, as an offset from the base of pt_regs, that can be used 920 * to resolve the associated segment. 921 * 922 * -EINVAL on error. 923 */ 924 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 925 int *regoff, long *eff_addr) 926 { 927 long tmp; 928 929 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 930 return -EINVAL; 931 932 insn_get_modrm(insn); 933 934 if (!insn->modrm.nbytes) 935 return -EINVAL; 936 937 if (X86_MODRM_MOD(insn->modrm.value) > 2) 938 return -EINVAL; 939 940 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 941 942 /* 943 * -EDOM means that we must ignore the address_offset. In such a case, 944 * in 64-bit mode the effective address relative to the rIP of the 945 * following instruction. 946 */ 947 if (*regoff == -EDOM) { 948 if (user_64bit_mode(regs)) 949 tmp = regs->ip + insn->length; 950 else 951 tmp = 0; 952 } else if (*regoff < 0) { 953 return -EINVAL; 954 } else { 955 tmp = regs_get_register(regs, *regoff); 956 } 957 958 if (insn->addr_bytes == 4) { 959 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 960 961 *eff_addr = addr32 & 0xffffffff; 962 } else { 963 *eff_addr = tmp + insn->displacement.value; 964 } 965 966 return 0; 967 } 968 969 /** 970 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 971 * @insn: Instruction. Must be valid. 972 * @regs: Register values as seen when entering kernel mode 973 * @regoff: Obtained operand offset, in pt_regs, associated with segment 974 * @eff_addr: Obtained effective address 975 * 976 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 977 * After identifying the registers involved in the register-indirect memory 978 * reference, its value is obtained from the operands in @regs. The computed 979 * address is stored @eff_addr. Also, the register operand that indicates 980 * the associated segment is stored in @regoff, this parameter can later be used 981 * to determine such segment. 982 * 983 * Returns: 984 * 985 * 0 on success. @eff_addr will have the referenced effective address. @regoff 986 * will have a register, as an offset from the base of pt_regs, that can be used 987 * to resolve the associated segment. 988 * 989 * -EINVAL on error. 990 */ 991 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 992 int *regoff, short *eff_addr) 993 { 994 int addr_offset1, addr_offset2, ret; 995 short addr1 = 0, addr2 = 0, displacement; 996 997 if (insn->addr_bytes != 2) 998 return -EINVAL; 999 1000 insn_get_modrm(insn); 1001 1002 if (!insn->modrm.nbytes) 1003 return -EINVAL; 1004 1005 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1006 return -EINVAL; 1007 1008 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1009 if (ret < 0) 1010 return -EINVAL; 1011 1012 /* 1013 * Don't fail on invalid offset values. They might be invalid because 1014 * they cannot be used for this particular value of ModRM. Instead, use 1015 * them in the computation only if they contain a valid value. 1016 */ 1017 if (addr_offset1 != -EDOM) 1018 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1019 1020 if (addr_offset2 != -EDOM) 1021 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1022 1023 displacement = insn->displacement.value & 0xffff; 1024 *eff_addr = addr1 + addr2 + displacement; 1025 1026 /* 1027 * The first operand register could indicate to use of either SS or DS 1028 * registers to obtain the segment selector. The second operand 1029 * register can only indicate the use of DS. Thus, the first operand 1030 * will be used to obtain the segment selector. 1031 */ 1032 *regoff = addr_offset1; 1033 1034 return 0; 1035 } 1036 1037 /** 1038 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1039 * @insn: Instruction. Must be valid. 1040 * @regs: Register values as seen when entering kernel mode 1041 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1042 * @eff_addr: Obtained effective address 1043 * 1044 * Obtain the effective address referenced by the SIB byte of @insn. After 1045 * identifying the registers involved in the indexed, register-indirect memory 1046 * reference, its value is obtained from the operands in @regs. The computed 1047 * address is stored @eff_addr. Also, the register operand that indicates the 1048 * associated segment is stored in @regoff, this parameter can later be used to 1049 * determine such segment. 1050 * 1051 * Returns: 1052 * 1053 * 0 on success. @eff_addr will have the referenced effective address. 1054 * @base_offset will have a register, as an offset from the base of pt_regs, 1055 * that can be used to resolve the associated segment. 1056 * 1057 * -EINVAL on error. 1058 */ 1059 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1060 int *base_offset, long *eff_addr) 1061 { 1062 long base, indx; 1063 int indx_offset; 1064 1065 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1066 return -EINVAL; 1067 1068 insn_get_modrm(insn); 1069 1070 if (!insn->modrm.nbytes) 1071 return -EINVAL; 1072 1073 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1074 return -EINVAL; 1075 1076 insn_get_sib(insn); 1077 1078 if (!insn->sib.nbytes) 1079 return -EINVAL; 1080 1081 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1082 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1083 1084 /* 1085 * Negative values in the base and index offset means an error when 1086 * decoding the SIB byte. Except -EDOM, which means that the registers 1087 * should not be used in the address computation. 1088 */ 1089 if (*base_offset == -EDOM) 1090 base = 0; 1091 else if (*base_offset < 0) 1092 return -EINVAL; 1093 else 1094 base = regs_get_register(regs, *base_offset); 1095 1096 if (indx_offset == -EDOM) 1097 indx = 0; 1098 else if (indx_offset < 0) 1099 return -EINVAL; 1100 else 1101 indx = regs_get_register(regs, indx_offset); 1102 1103 if (insn->addr_bytes == 4) { 1104 int addr32, base32, idx32; 1105 1106 base32 = base & 0xffffffff; 1107 idx32 = indx & 0xffffffff; 1108 1109 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1110 addr32 += insn->displacement.value; 1111 1112 *eff_addr = addr32 & 0xffffffff; 1113 } else { 1114 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1115 *eff_addr += insn->displacement.value; 1116 } 1117 1118 return 0; 1119 } 1120 1121 /** 1122 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1123 * @insn: Instruction containing ModRM byte and displacement 1124 * @regs: Register values as seen when entering kernel mode 1125 * 1126 * This function is to be used with 16-bit address encodings. Obtain the memory 1127 * address referred by the instruction's ModRM and displacement bytes. Also, the 1128 * segment used as base is determined by either any segment override prefixes in 1129 * @insn or the default segment of the registers involved in the address 1130 * computation. In protected mode, segment limits are enforced. 1131 * 1132 * Returns: 1133 * 1134 * Linear address referenced by the instruction operands on success. 1135 * 1136 * -1L on error. 1137 */ 1138 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1139 { 1140 unsigned long linear_addr = -1L, seg_base, seg_limit; 1141 int ret, regoff; 1142 short eff_addr; 1143 long tmp; 1144 1145 insn_get_modrm(insn); 1146 insn_get_displacement(insn); 1147 1148 if (insn->addr_bytes != 2) 1149 goto out; 1150 1151 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1152 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1153 if (ret) 1154 goto out; 1155 1156 eff_addr = tmp; 1157 } else { 1158 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1159 if (ret) 1160 goto out; 1161 } 1162 1163 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1164 if (ret) 1165 goto out; 1166 1167 /* 1168 * Before computing the linear address, make sure the effective address 1169 * is within the limits of the segment. In virtual-8086 mode, segment 1170 * limits are not enforced. In such a case, the segment limit is -1L to 1171 * reflect this fact. 1172 */ 1173 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1174 goto out; 1175 1176 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1177 1178 /* Limit linear address to 20 bits */ 1179 if (v8086_mode(regs)) 1180 linear_addr &= 0xfffff; 1181 1182 out: 1183 return (void __user *)linear_addr; 1184 } 1185 1186 /** 1187 * get_addr_ref_32() - Obtain a 32-bit linear address 1188 * @insn: Instruction with ModRM, SIB bytes and displacement 1189 * @regs: Register values as seen when entering kernel mode 1190 * 1191 * This function is to be used with 32-bit address encodings to obtain the 1192 * linear memory address referred by the instruction's ModRM, SIB, 1193 * displacement bytes and segment base address, as applicable. If in protected 1194 * mode, segment limits are enforced. 1195 * 1196 * Returns: 1197 * 1198 * Linear address referenced by instruction and registers on success. 1199 * 1200 * -1L on error. 1201 */ 1202 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1203 { 1204 unsigned long linear_addr = -1L, seg_base, seg_limit; 1205 int eff_addr, regoff; 1206 long tmp; 1207 int ret; 1208 1209 if (insn->addr_bytes != 4) 1210 goto out; 1211 1212 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1213 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1214 if (ret) 1215 goto out; 1216 1217 eff_addr = tmp; 1218 1219 } else { 1220 if (insn->sib.nbytes) { 1221 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1222 if (ret) 1223 goto out; 1224 1225 eff_addr = tmp; 1226 } else { 1227 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1228 if (ret) 1229 goto out; 1230 1231 eff_addr = tmp; 1232 } 1233 } 1234 1235 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1236 if (ret) 1237 goto out; 1238 1239 /* 1240 * In protected mode, before computing the linear address, make sure 1241 * the effective address is within the limits of the segment. 1242 * 32-bit addresses can be used in long and virtual-8086 modes if an 1243 * address override prefix is used. In such cases, segment limits are 1244 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1245 * to reflect this situation. 1246 * 1247 * After computed, the effective address is treated as an unsigned 1248 * quantity. 1249 */ 1250 if (!user_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1251 goto out; 1252 1253 /* 1254 * Even though 32-bit address encodings are allowed in virtual-8086 1255 * mode, the address range is still limited to [0x-0xffff]. 1256 */ 1257 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1258 goto out; 1259 1260 /* 1261 * Data type long could be 64 bits in size. Ensure that our 32-bit 1262 * effective address is not sign-extended when computing the linear 1263 * address. 1264 */ 1265 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1266 1267 /* Limit linear address to 20 bits */ 1268 if (v8086_mode(regs)) 1269 linear_addr &= 0xfffff; 1270 1271 out: 1272 return (void __user *)linear_addr; 1273 } 1274 1275 /** 1276 * get_addr_ref_64() - Obtain a 64-bit linear address 1277 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1278 * @regs: Structure with register values as seen when entering kernel mode 1279 * 1280 * This function is to be used with 64-bit address encodings to obtain the 1281 * linear memory address referred by the instruction's ModRM, SIB, 1282 * displacement bytes and segment base address, as applicable. 1283 * 1284 * Returns: 1285 * 1286 * Linear address referenced by instruction and registers on success. 1287 * 1288 * -1L on error. 1289 */ 1290 #ifndef CONFIG_X86_64 1291 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1292 { 1293 return (void __user *)-1L; 1294 } 1295 #else 1296 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1297 { 1298 unsigned long linear_addr = -1L, seg_base; 1299 int regoff, ret; 1300 long eff_addr; 1301 1302 if (insn->addr_bytes != 8) 1303 goto out; 1304 1305 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1306 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1307 if (ret) 1308 goto out; 1309 1310 } else { 1311 if (insn->sib.nbytes) { 1312 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1313 if (ret) 1314 goto out; 1315 } else { 1316 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1317 if (ret) 1318 goto out; 1319 } 1320 1321 } 1322 1323 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1324 if (ret) 1325 goto out; 1326 1327 linear_addr = (unsigned long)eff_addr + seg_base; 1328 1329 out: 1330 return (void __user *)linear_addr; 1331 } 1332 #endif /* CONFIG_X86_64 */ 1333 1334 /** 1335 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1336 * @insn: Instruction structure containing ModRM byte and displacement 1337 * @regs: Structure with register values as seen when entering kernel mode 1338 * 1339 * Obtain the linear address referred by the instruction's ModRM, SIB and 1340 * displacement bytes, and segment base, as applicable. In protected mode, 1341 * segment limits are enforced. 1342 * 1343 * Returns: 1344 * 1345 * Linear address referenced by instruction and registers on success. 1346 * 1347 * -1L on error. 1348 */ 1349 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1350 { 1351 if (!insn || !regs) 1352 return (void __user *)-1L; 1353 1354 switch (insn->addr_bytes) { 1355 case 2: 1356 return get_addr_ref_16(insn, regs); 1357 case 4: 1358 return get_addr_ref_32(insn, regs); 1359 case 8: 1360 return get_addr_ref_64(insn, regs); 1361 default: 1362 return (void __user *)-1L; 1363 } 1364 } 1365