1 /* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6 #include <linux/kernel.h> 7 #include <linux/string.h> 8 #include <linux/ratelimit.h> 9 #include <linux/mmu_context.h> 10 #include <asm/desc_defs.h> 11 #include <asm/desc.h> 12 #include <asm/inat.h> 13 #include <asm/insn.h> 14 #include <asm/insn-eval.h> 15 #include <asm/ldt.h> 16 #include <asm/vm86.h> 17 18 #undef pr_fmt 19 #define pr_fmt(fmt) "insn: " fmt 20 21 enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_INDEX, 24 REG_TYPE_BASE, 25 }; 26 27 /** 28 * is_string_insn() - Determine if instruction is a string instruction 29 * @insn: Instruction containing the opcode to inspect 30 * 31 * Returns: 32 * 33 * true if the instruction, determined by the opcode, is any of the 34 * string instructions as defined in the Intel Software Development manual. 35 * False otherwise. 36 */ 37 static bool is_string_insn(struct insn *insn) 38 { 39 insn_get_opcode(insn); 40 41 /* All string instructions have a 1-byte opcode. */ 42 if (insn->opcode.nbytes != 1) 43 return false; 44 45 switch (insn->opcode.bytes[0]) { 46 case 0x6c ... 0x6f: /* INS, OUTS */ 47 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 49 return true; 50 default: 51 return false; 52 } 53 } 54 55 /** 56 * get_seg_reg_override_idx() - obtain segment register override index 57 * @insn: Valid instruction with segment override prefixes 58 * 59 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 60 * 61 * Returns: 62 * 63 * A constant identifying the segment register to use, among CS, SS, DS, 64 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 65 * prefixes were found. 66 * 67 * -EINVAL in case of error. 68 */ 69 static int get_seg_reg_override_idx(struct insn *insn) 70 { 71 int idx = INAT_SEG_REG_DEFAULT; 72 int num_overrides = 0, i; 73 74 insn_get_prefixes(insn); 75 76 /* Look for any segment override prefixes. */ 77 for (i = 0; i < insn->prefixes.nbytes; i++) { 78 insn_attr_t attr; 79 80 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); 81 switch (attr) { 82 case INAT_MAKE_PREFIX(INAT_PFX_CS): 83 idx = INAT_SEG_REG_CS; 84 num_overrides++; 85 break; 86 case INAT_MAKE_PREFIX(INAT_PFX_SS): 87 idx = INAT_SEG_REG_SS; 88 num_overrides++; 89 break; 90 case INAT_MAKE_PREFIX(INAT_PFX_DS): 91 idx = INAT_SEG_REG_DS; 92 num_overrides++; 93 break; 94 case INAT_MAKE_PREFIX(INAT_PFX_ES): 95 idx = INAT_SEG_REG_ES; 96 num_overrides++; 97 break; 98 case INAT_MAKE_PREFIX(INAT_PFX_FS): 99 idx = INAT_SEG_REG_FS; 100 num_overrides++; 101 break; 102 case INAT_MAKE_PREFIX(INAT_PFX_GS): 103 idx = INAT_SEG_REG_GS; 104 num_overrides++; 105 break; 106 /* No default action needed. */ 107 } 108 } 109 110 /* More than one segment override prefix leads to undefined behavior. */ 111 if (num_overrides > 1) 112 return -EINVAL; 113 114 return idx; 115 } 116 117 /** 118 * check_seg_overrides() - check if segment override prefixes are allowed 119 * @insn: Valid instruction with segment override prefixes 120 * @regoff: Operand offset, in pt_regs, for which the check is performed 121 * 122 * For a particular register used in register-indirect addressing, determine if 123 * segment override prefixes can be used. Specifically, no overrides are allowed 124 * for rDI if used with a string instruction. 125 * 126 * Returns: 127 * 128 * True if segment override prefixes can be used with the register indicated 129 * in @regoff. False if otherwise. 130 */ 131 static bool check_seg_overrides(struct insn *insn, int regoff) 132 { 133 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 134 return false; 135 136 return true; 137 } 138 139 /** 140 * resolve_default_seg() - resolve default segment register index for an operand 141 * @insn: Instruction with opcode and address size. Must be valid. 142 * @regs: Register values as seen when entering kernel mode 143 * @off: Operand offset, in pt_regs, for which resolution is needed 144 * 145 * Resolve the default segment register index associated with the instruction 146 * operand register indicated by @off. Such index is resolved based on defaults 147 * described in the Intel Software Development Manual. 148 * 149 * Returns: 150 * 151 * If in protected mode, a constant identifying the segment register to use, 152 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 153 * 154 * -EINVAL in case of error. 155 */ 156 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 157 { 158 if (user_64bit_mode(regs)) 159 return INAT_SEG_REG_IGNORE; 160 /* 161 * Resolve the default segment register as described in Section 3.7.4 162 * of the Intel Software Development Manual Vol. 1: 163 * 164 * + DS for all references involving r[ABCD]X, and rSI. 165 * + If used in a string instruction, ES for rDI. Otherwise, DS. 166 * + AX, CX and DX are not valid register operands in 16-bit address 167 * encodings but are valid for 32-bit and 64-bit encodings. 168 * + -EDOM is reserved to identify for cases in which no register 169 * is used (i.e., displacement-only addressing). Use DS. 170 * + SS for rSP or rBP. 171 * + CS for rIP. 172 */ 173 174 switch (off) { 175 case offsetof(struct pt_regs, ax): 176 case offsetof(struct pt_regs, cx): 177 case offsetof(struct pt_regs, dx): 178 /* Need insn to verify address size. */ 179 if (insn->addr_bytes == 2) 180 return -EINVAL; 181 182 /* fall through */ 183 184 case -EDOM: 185 case offsetof(struct pt_regs, bx): 186 case offsetof(struct pt_regs, si): 187 return INAT_SEG_REG_DS; 188 189 case offsetof(struct pt_regs, di): 190 if (is_string_insn(insn)) 191 return INAT_SEG_REG_ES; 192 return INAT_SEG_REG_DS; 193 194 case offsetof(struct pt_regs, bp): 195 case offsetof(struct pt_regs, sp): 196 return INAT_SEG_REG_SS; 197 198 case offsetof(struct pt_regs, ip): 199 return INAT_SEG_REG_CS; 200 201 default: 202 return -EINVAL; 203 } 204 } 205 206 /** 207 * resolve_seg_reg() - obtain segment register index 208 * @insn: Instruction with operands 209 * @regs: Register values as seen when entering kernel mode 210 * @regoff: Operand offset, in pt_regs, used to deterimine segment register 211 * 212 * Determine the segment register associated with the operands and, if 213 * applicable, prefixes and the instruction pointed by @insn. 214 * 215 * The segment register associated to an operand used in register-indirect 216 * addressing depends on: 217 * 218 * a) Whether running in long mode (in such a case segments are ignored, except 219 * if FS or GS are used). 220 * 221 * b) Whether segment override prefixes can be used. Certain instructions and 222 * registers do not allow override prefixes. 223 * 224 * c) Whether segment overrides prefixes are found in the instruction prefixes. 225 * 226 * d) If there are not segment override prefixes or they cannot be used, the 227 * default segment register associated with the operand register is used. 228 * 229 * The function checks first if segment override prefixes can be used with the 230 * operand indicated by @regoff. If allowed, obtain such overridden segment 231 * register index. Lastly, if not prefixes were found or cannot be used, resolve 232 * the segment register index to use based on the defaults described in the 233 * Intel documentation. In long mode, all segment register indexes will be 234 * ignored, except if overrides were found for FS or GS. All these operations 235 * are done using helper functions. 236 * 237 * The operand register, @regoff, is represented as the offset from the base of 238 * pt_regs. 239 * 240 * As stated, the main use of this function is to determine the segment register 241 * index based on the instruction, its operands and prefixes. Hence, @insn 242 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 243 * @insn at all as in this case CS is used in all cases. This case is checked 244 * before proceeding further. 245 * 246 * Please note that this function does not return the value in the segment 247 * register (i.e., the segment selector) but our defined index. The segment 248 * selector needs to be obtained using get_segment_selector() and passing the 249 * segment register index resolved by this function. 250 * 251 * Returns: 252 * 253 * An index identifying the segment register to use, among CS, SS, DS, 254 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 255 * 256 * -EINVAL in case of error. 257 */ 258 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 259 { 260 int idx; 261 262 /* 263 * In the unlikely event of having to resolve the segment register 264 * index for rIP, do it first. Segment override prefixes should not 265 * be used. Hence, it is not necessary to inspect the instruction, 266 * which may be invalid at this point. 267 */ 268 if (regoff == offsetof(struct pt_regs, ip)) { 269 if (user_64bit_mode(regs)) 270 return INAT_SEG_REG_IGNORE; 271 else 272 return INAT_SEG_REG_CS; 273 } 274 275 if (!insn) 276 return -EINVAL; 277 278 if (!check_seg_overrides(insn, regoff)) 279 return resolve_default_seg(insn, regs, regoff); 280 281 idx = get_seg_reg_override_idx(insn); 282 if (idx < 0) 283 return idx; 284 285 if (idx == INAT_SEG_REG_DEFAULT) 286 return resolve_default_seg(insn, regs, regoff); 287 288 /* 289 * In long mode, segment override prefixes are ignored, except for 290 * overrides for FS and GS. 291 */ 292 if (user_64bit_mode(regs)) { 293 if (idx != INAT_SEG_REG_FS && 294 idx != INAT_SEG_REG_GS) 295 idx = INAT_SEG_REG_IGNORE; 296 } 297 298 return idx; 299 } 300 301 /** 302 * get_segment_selector() - obtain segment selector 303 * @regs: Register values as seen when entering kernel mode 304 * @seg_reg_idx: Segment register index to use 305 * 306 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 307 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 308 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 309 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 310 * registers. This done for only for completeness as in CONFIG_X86_64 segment 311 * registers are ignored. 312 * 313 * Returns: 314 * 315 * Value of the segment selector, including null when running in 316 * long mode. 317 * 318 * -EINVAL on error. 319 */ 320 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 321 { 322 #ifdef CONFIG_X86_64 323 unsigned short sel; 324 325 switch (seg_reg_idx) { 326 case INAT_SEG_REG_IGNORE: 327 return 0; 328 case INAT_SEG_REG_CS: 329 return (unsigned short)(regs->cs & 0xffff); 330 case INAT_SEG_REG_SS: 331 return (unsigned short)(regs->ss & 0xffff); 332 case INAT_SEG_REG_DS: 333 savesegment(ds, sel); 334 return sel; 335 case INAT_SEG_REG_ES: 336 savesegment(es, sel); 337 return sel; 338 case INAT_SEG_REG_FS: 339 savesegment(fs, sel); 340 return sel; 341 case INAT_SEG_REG_GS: 342 savesegment(gs, sel); 343 return sel; 344 default: 345 return -EINVAL; 346 } 347 #else /* CONFIG_X86_32 */ 348 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 349 350 if (v8086_mode(regs)) { 351 switch (seg_reg_idx) { 352 case INAT_SEG_REG_CS: 353 return (unsigned short)(regs->cs & 0xffff); 354 case INAT_SEG_REG_SS: 355 return (unsigned short)(regs->ss & 0xffff); 356 case INAT_SEG_REG_DS: 357 return vm86regs->ds; 358 case INAT_SEG_REG_ES: 359 return vm86regs->es; 360 case INAT_SEG_REG_FS: 361 return vm86regs->fs; 362 case INAT_SEG_REG_GS: 363 return vm86regs->gs; 364 case INAT_SEG_REG_IGNORE: 365 /* fall through */ 366 default: 367 return -EINVAL; 368 } 369 } 370 371 switch (seg_reg_idx) { 372 case INAT_SEG_REG_CS: 373 return (unsigned short)(regs->cs & 0xffff); 374 case INAT_SEG_REG_SS: 375 return (unsigned short)(regs->ss & 0xffff); 376 case INAT_SEG_REG_DS: 377 return (unsigned short)(regs->ds & 0xffff); 378 case INAT_SEG_REG_ES: 379 return (unsigned short)(regs->es & 0xffff); 380 case INAT_SEG_REG_FS: 381 return (unsigned short)(regs->fs & 0xffff); 382 case INAT_SEG_REG_GS: 383 /* 384 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. 385 * The macro below takes care of both cases. 386 */ 387 return get_user_gs(regs); 388 case INAT_SEG_REG_IGNORE: 389 /* fall through */ 390 default: 391 return -EINVAL; 392 } 393 #endif /* CONFIG_X86_64 */ 394 } 395 396 static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 397 enum reg_type type) 398 { 399 int regno = 0; 400 401 static const int regoff[] = { 402 offsetof(struct pt_regs, ax), 403 offsetof(struct pt_regs, cx), 404 offsetof(struct pt_regs, dx), 405 offsetof(struct pt_regs, bx), 406 offsetof(struct pt_regs, sp), 407 offsetof(struct pt_regs, bp), 408 offsetof(struct pt_regs, si), 409 offsetof(struct pt_regs, di), 410 #ifdef CONFIG_X86_64 411 offsetof(struct pt_regs, r8), 412 offsetof(struct pt_regs, r9), 413 offsetof(struct pt_regs, r10), 414 offsetof(struct pt_regs, r11), 415 offsetof(struct pt_regs, r12), 416 offsetof(struct pt_regs, r13), 417 offsetof(struct pt_regs, r14), 418 offsetof(struct pt_regs, r15), 419 #endif 420 }; 421 int nr_registers = ARRAY_SIZE(regoff); 422 /* 423 * Don't possibly decode a 32-bit instructions as 424 * reading a 64-bit-only register. 425 */ 426 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 427 nr_registers -= 8; 428 429 switch (type) { 430 case REG_TYPE_RM: 431 regno = X86_MODRM_RM(insn->modrm.value); 432 433 /* 434 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 435 * follows the ModRM byte. 436 */ 437 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 438 return -EDOM; 439 440 if (X86_REX_B(insn->rex_prefix.value)) 441 regno += 8; 442 break; 443 444 case REG_TYPE_INDEX: 445 regno = X86_SIB_INDEX(insn->sib.value); 446 if (X86_REX_X(insn->rex_prefix.value)) 447 regno += 8; 448 449 /* 450 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 451 * portion of the address computation is null. This is 452 * true only if REX.X is 0. In such a case, the SIB index 453 * is used in the address computation. 454 */ 455 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 456 return -EDOM; 457 break; 458 459 case REG_TYPE_BASE: 460 regno = X86_SIB_BASE(insn->sib.value); 461 /* 462 * If ModRM.mod is 0 and SIB.base == 5, the base of the 463 * register-indirect addressing is 0. In this case, a 464 * 32-bit displacement follows the SIB byte. 465 */ 466 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 467 return -EDOM; 468 469 if (X86_REX_B(insn->rex_prefix.value)) 470 regno += 8; 471 break; 472 473 default: 474 pr_err_ratelimited("invalid register type: %d\n", type); 475 return -EINVAL; 476 } 477 478 if (regno >= nr_registers) { 479 WARN_ONCE(1, "decoded an instruction with an invalid register"); 480 return -EINVAL; 481 } 482 return regoff[regno]; 483 } 484 485 /** 486 * get_reg_offset_16() - Obtain offset of register indicated by instruction 487 * @insn: Instruction containing ModRM byte 488 * @regs: Register values as seen when entering kernel mode 489 * @offs1: Offset of the first operand register 490 * @offs2: Offset of the second opeand register, if applicable 491 * 492 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 493 * in @insn. This function is to be used with 16-bit address encodings. The 494 * @offs1 and @offs2 will be written with the offset of the two registers 495 * indicated by the instruction. In cases where any of the registers is not 496 * referenced by the instruction, the value will be set to -EDOM. 497 * 498 * Returns: 499 * 500 * 0 on success, -EINVAL on error. 501 */ 502 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 503 int *offs1, int *offs2) 504 { 505 /* 506 * 16-bit addressing can use one or two registers. Specifics of 507 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 508 * ModR/M Byte" of the Intel Software Development Manual. 509 */ 510 static const int regoff1[] = { 511 offsetof(struct pt_regs, bx), 512 offsetof(struct pt_regs, bx), 513 offsetof(struct pt_regs, bp), 514 offsetof(struct pt_regs, bp), 515 offsetof(struct pt_regs, si), 516 offsetof(struct pt_regs, di), 517 offsetof(struct pt_regs, bp), 518 offsetof(struct pt_regs, bx), 519 }; 520 521 static const int regoff2[] = { 522 offsetof(struct pt_regs, si), 523 offsetof(struct pt_regs, di), 524 offsetof(struct pt_regs, si), 525 offsetof(struct pt_regs, di), 526 -EDOM, 527 -EDOM, 528 -EDOM, 529 -EDOM, 530 }; 531 532 if (!offs1 || !offs2) 533 return -EINVAL; 534 535 /* Operand is a register, use the generic function. */ 536 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 537 *offs1 = insn_get_modrm_rm_off(insn, regs); 538 *offs2 = -EDOM; 539 return 0; 540 } 541 542 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 543 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 544 545 /* 546 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 547 * only addressing. This means that no registers are involved in 548 * computing the effective address. Thus, ensure that the first 549 * register offset is invalild. The second register offset is already 550 * invalid under the aforementioned conditions. 551 */ 552 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 553 (X86_MODRM_RM(insn->modrm.value) == 6)) 554 *offs1 = -EDOM; 555 556 return 0; 557 } 558 559 /** 560 * get_desc() - Obtain contents of a segment descriptor 561 * @out: Segment descriptor contents on success 562 * @sel: Segment selector 563 * 564 * Given a segment selector, obtain a pointer to the segment descriptor. 565 * Both global and local descriptor tables are supported. 566 * 567 * Returns: 568 * 569 * True on success, false on failure. 570 * 571 * NULL on error. 572 */ 573 static bool get_desc(struct desc_struct *out, unsigned short sel) 574 { 575 struct desc_ptr gdt_desc = {0, 0}; 576 unsigned long desc_base; 577 578 #ifdef CONFIG_MODIFY_LDT_SYSCALL 579 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 580 bool success = false; 581 struct ldt_struct *ldt; 582 583 /* Bits [15:3] contain the index of the desired entry. */ 584 sel >>= 3; 585 586 mutex_lock(¤t->active_mm->context.lock); 587 ldt = current->active_mm->context.ldt; 588 if (ldt && sel < ldt->nr_entries) { 589 *out = ldt->entries[sel]; 590 success = true; 591 } 592 593 mutex_unlock(¤t->active_mm->context.lock); 594 595 return success; 596 } 597 #endif 598 native_store_gdt(&gdt_desc); 599 600 /* 601 * Segment descriptors have a size of 8 bytes. Thus, the index is 602 * multiplied by 8 to obtain the memory offset of the desired descriptor 603 * from the base of the GDT. As bits [15:3] of the segment selector 604 * contain the index, it can be regarded as multiplied by 8 already. 605 * All that remains is to clear bits [2:0]. 606 */ 607 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 608 609 if (desc_base > gdt_desc.size) 610 return false; 611 612 *out = *(struct desc_struct *)(gdt_desc.address + desc_base); 613 return true; 614 } 615 616 /** 617 * insn_get_seg_base() - Obtain base address of segment descriptor. 618 * @regs: Register values as seen when entering kernel mode 619 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 620 * 621 * Obtain the base address of the segment as indicated by the segment descriptor 622 * pointed by the segment selector. The segment selector is obtained from the 623 * input segment register index @seg_reg_idx. 624 * 625 * Returns: 626 * 627 * In protected mode, base address of the segment. Zero in long mode, 628 * except when FS or GS are used. In virtual-8086 mode, the segment 629 * selector shifted 4 bits to the right. 630 * 631 * -1L in case of error. 632 */ 633 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 634 { 635 struct desc_struct desc; 636 short sel; 637 638 sel = get_segment_selector(regs, seg_reg_idx); 639 if (sel < 0) 640 return -1L; 641 642 if (v8086_mode(regs)) 643 /* 644 * Base is simply the segment selector shifted 4 645 * bits to the right. 646 */ 647 return (unsigned long)(sel << 4); 648 649 if (user_64bit_mode(regs)) { 650 /* 651 * Only FS or GS will have a base address, the rest of 652 * the segments' bases are forced to 0. 653 */ 654 unsigned long base; 655 656 if (seg_reg_idx == INAT_SEG_REG_FS) 657 rdmsrl(MSR_FS_BASE, base); 658 else if (seg_reg_idx == INAT_SEG_REG_GS) 659 /* 660 * swapgs was called at the kernel entry point. Thus, 661 * MSR_KERNEL_GS_BASE will have the user-space GS base. 662 */ 663 rdmsrl(MSR_KERNEL_GS_BASE, base); 664 else 665 base = 0; 666 return base; 667 } 668 669 /* In protected mode the segment selector cannot be null. */ 670 if (!sel) 671 return -1L; 672 673 if (!get_desc(&desc, sel)) 674 return -1L; 675 676 return get_desc_base(&desc); 677 } 678 679 /** 680 * get_seg_limit() - Obtain the limit of a segment descriptor 681 * @regs: Register values as seen when entering kernel mode 682 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 683 * 684 * Obtain the limit of the segment as indicated by the segment descriptor 685 * pointed by the segment selector. The segment selector is obtained from the 686 * input segment register index @seg_reg_idx. 687 * 688 * Returns: 689 * 690 * In protected mode, the limit of the segment descriptor in bytes. 691 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 692 * limit is returned as -1L to imply a limit-less segment. 693 * 694 * Zero is returned on error. 695 */ 696 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 697 { 698 struct desc_struct desc; 699 unsigned long limit; 700 short sel; 701 702 sel = get_segment_selector(regs, seg_reg_idx); 703 if (sel < 0) 704 return 0; 705 706 if (user_64bit_mode(regs) || v8086_mode(regs)) 707 return -1L; 708 709 if (!sel) 710 return 0; 711 712 if (!get_desc(&desc, sel)) 713 return 0; 714 715 /* 716 * If the granularity bit is set, the limit is given in multiples 717 * of 4096. This also means that the 12 least significant bits are 718 * not tested when checking the segment limits. In practice, 719 * this means that the segment ends in (limit << 12) + 0xfff. 720 */ 721 limit = get_desc_limit(&desc); 722 if (desc.g) 723 limit = (limit << 12) + 0xfff; 724 725 return limit; 726 } 727 728 /** 729 * insn_get_code_seg_params() - Obtain code segment parameters 730 * @regs: Structure with register values as seen when entering kernel mode 731 * 732 * Obtain address and operand sizes of the code segment. It is obtained from the 733 * selector contained in the CS register in regs. In protected mode, the default 734 * address is determined by inspecting the L and D bits of the segment 735 * descriptor. In virtual-8086 mode, the default is always two bytes for both 736 * address and operand sizes. 737 * 738 * Returns: 739 * 740 * An int containing ORed-in default parameters on success. 741 * 742 * -EINVAL on error. 743 */ 744 int insn_get_code_seg_params(struct pt_regs *regs) 745 { 746 struct desc_struct desc; 747 short sel; 748 749 if (v8086_mode(regs)) 750 /* Address and operand size are both 16-bit. */ 751 return INSN_CODE_SEG_PARAMS(2, 2); 752 753 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 754 if (sel < 0) 755 return sel; 756 757 if (!get_desc(&desc, sel)) 758 return -EINVAL; 759 760 /* 761 * The most significant byte of the Type field of the segment descriptor 762 * determines whether a segment contains data or code. If this is a data 763 * segment, return error. 764 */ 765 if (!(desc.type & BIT(3))) 766 return -EINVAL; 767 768 switch ((desc.l << 1) | desc.d) { 769 case 0: /* 770 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 771 * both 16-bit. 772 */ 773 return INSN_CODE_SEG_PARAMS(2, 2); 774 case 1: /* 775 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 776 * both 32-bit. 777 */ 778 return INSN_CODE_SEG_PARAMS(4, 4); 779 case 2: /* 780 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 781 * operand size is 32-bit. 782 */ 783 return INSN_CODE_SEG_PARAMS(4, 8); 784 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 785 /* fall through */ 786 default: 787 return -EINVAL; 788 } 789 } 790 791 /** 792 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 793 * @insn: Instruction containing the ModRM byte 794 * @regs: Register values as seen when entering kernel mode 795 * 796 * Returns: 797 * 798 * The register indicated by the r/m part of the ModRM byte. The 799 * register is obtained as an offset from the base of pt_regs. In specific 800 * cases, the returned value can be -EDOM to indicate that the particular value 801 * of ModRM does not refer to a register and shall be ignored. 802 */ 803 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 804 { 805 return get_reg_offset(insn, regs, REG_TYPE_RM); 806 } 807 808 /** 809 * get_seg_base_limit() - obtain base address and limit of a segment 810 * @insn: Instruction. Must be valid. 811 * @regs: Register values as seen when entering kernel mode 812 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 813 * @base: Obtained segment base 814 * @limit: Obtained segment limit 815 * 816 * Obtain the base address and limit of the segment associated with the operand 817 * @regoff and, if any or allowed, override prefixes in @insn. This function is 818 * different from insn_get_seg_base() as the latter does not resolve the segment 819 * associated with the instruction operand. If a limit is not needed (e.g., 820 * when running in long mode), @limit can be NULL. 821 * 822 * Returns: 823 * 824 * 0 on success. @base and @limit will contain the base address and of the 825 * resolved segment, respectively. 826 * 827 * -EINVAL on error. 828 */ 829 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 830 int regoff, unsigned long *base, 831 unsigned long *limit) 832 { 833 int seg_reg_idx; 834 835 if (!base) 836 return -EINVAL; 837 838 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 839 if (seg_reg_idx < 0) 840 return seg_reg_idx; 841 842 *base = insn_get_seg_base(regs, seg_reg_idx); 843 if (*base == -1L) 844 return -EINVAL; 845 846 if (!limit) 847 return 0; 848 849 *limit = get_seg_limit(regs, seg_reg_idx); 850 if (!(*limit)) 851 return -EINVAL; 852 853 return 0; 854 } 855 856 /** 857 * get_eff_addr_reg() - Obtain effective address from register operand 858 * @insn: Instruction. Must be valid. 859 * @regs: Register values as seen when entering kernel mode 860 * @regoff: Obtained operand offset, in pt_regs, with the effective address 861 * @eff_addr: Obtained effective address 862 * 863 * Obtain the effective address stored in the register operand as indicated by 864 * the ModRM byte. This function is to be used only with register addressing 865 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 866 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 867 * such offset can then be used to resolve the segment associated with the 868 * operand. This function can be used with any of the supported address sizes 869 * in x86. 870 * 871 * Returns: 872 * 873 * 0 on success. @eff_addr will have the effective address stored in the 874 * operand indicated by ModRM. @regoff will have such operand as an offset from 875 * the base of pt_regs. 876 * 877 * -EINVAL on error. 878 */ 879 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 880 int *regoff, long *eff_addr) 881 { 882 insn_get_modrm(insn); 883 884 if (!insn->modrm.nbytes) 885 return -EINVAL; 886 887 if (X86_MODRM_MOD(insn->modrm.value) != 3) 888 return -EINVAL; 889 890 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 891 if (*regoff < 0) 892 return -EINVAL; 893 894 /* Ignore bytes that are outside the address size. */ 895 if (insn->addr_bytes == 2) 896 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 897 else if (insn->addr_bytes == 4) 898 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 899 else /* 64-bit address */ 900 *eff_addr = regs_get_register(regs, *regoff); 901 902 return 0; 903 } 904 905 /** 906 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 907 * @insn: Instruction. Must be valid. 908 * @regs: Register values as seen when entering kernel mode 909 * @regoff: Obtained operand offset, in pt_regs, associated with segment 910 * @eff_addr: Obtained effective address 911 * 912 * Obtain the effective address referenced by the ModRM byte of @insn. After 913 * identifying the registers involved in the register-indirect memory reference, 914 * its value is obtained from the operands in @regs. The computed address is 915 * stored @eff_addr. Also, the register operand that indicates the associated 916 * segment is stored in @regoff, this parameter can later be used to determine 917 * such segment. 918 * 919 * Returns: 920 * 921 * 0 on success. @eff_addr will have the referenced effective address. @regoff 922 * will have a register, as an offset from the base of pt_regs, that can be used 923 * to resolve the associated segment. 924 * 925 * -EINVAL on error. 926 */ 927 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 928 int *regoff, long *eff_addr) 929 { 930 long tmp; 931 932 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 933 return -EINVAL; 934 935 insn_get_modrm(insn); 936 937 if (!insn->modrm.nbytes) 938 return -EINVAL; 939 940 if (X86_MODRM_MOD(insn->modrm.value) > 2) 941 return -EINVAL; 942 943 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 944 945 /* 946 * -EDOM means that we must ignore the address_offset. In such a case, 947 * in 64-bit mode the effective address relative to the rIP of the 948 * following instruction. 949 */ 950 if (*regoff == -EDOM) { 951 if (user_64bit_mode(regs)) 952 tmp = regs->ip + insn->length; 953 else 954 tmp = 0; 955 } else if (*regoff < 0) { 956 return -EINVAL; 957 } else { 958 tmp = regs_get_register(regs, *regoff); 959 } 960 961 if (insn->addr_bytes == 4) { 962 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 963 964 *eff_addr = addr32 & 0xffffffff; 965 } else { 966 *eff_addr = tmp + insn->displacement.value; 967 } 968 969 return 0; 970 } 971 972 /** 973 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 974 * @insn: Instruction. Must be valid. 975 * @regs: Register values as seen when entering kernel mode 976 * @regoff: Obtained operand offset, in pt_regs, associated with segment 977 * @eff_addr: Obtained effective address 978 * 979 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 980 * After identifying the registers involved in the register-indirect memory 981 * reference, its value is obtained from the operands in @regs. The computed 982 * address is stored @eff_addr. Also, the register operand that indicates 983 * the associated segment is stored in @regoff, this parameter can later be used 984 * to determine such segment. 985 * 986 * Returns: 987 * 988 * 0 on success. @eff_addr will have the referenced effective address. @regoff 989 * will have a register, as an offset from the base of pt_regs, that can be used 990 * to resolve the associated segment. 991 * 992 * -EINVAL on error. 993 */ 994 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 995 int *regoff, short *eff_addr) 996 { 997 int addr_offset1, addr_offset2, ret; 998 short addr1 = 0, addr2 = 0, displacement; 999 1000 if (insn->addr_bytes != 2) 1001 return -EINVAL; 1002 1003 insn_get_modrm(insn); 1004 1005 if (!insn->modrm.nbytes) 1006 return -EINVAL; 1007 1008 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1009 return -EINVAL; 1010 1011 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1012 if (ret < 0) 1013 return -EINVAL; 1014 1015 /* 1016 * Don't fail on invalid offset values. They might be invalid because 1017 * they cannot be used for this particular value of ModRM. Instead, use 1018 * them in the computation only if they contain a valid value. 1019 */ 1020 if (addr_offset1 != -EDOM) 1021 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1022 1023 if (addr_offset2 != -EDOM) 1024 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1025 1026 displacement = insn->displacement.value & 0xffff; 1027 *eff_addr = addr1 + addr2 + displacement; 1028 1029 /* 1030 * The first operand register could indicate to use of either SS or DS 1031 * registers to obtain the segment selector. The second operand 1032 * register can only indicate the use of DS. Thus, the first operand 1033 * will be used to obtain the segment selector. 1034 */ 1035 *regoff = addr_offset1; 1036 1037 return 0; 1038 } 1039 1040 /** 1041 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1042 * @insn: Instruction. Must be valid. 1043 * @regs: Register values as seen when entering kernel mode 1044 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1045 * @eff_addr: Obtained effective address 1046 * 1047 * Obtain the effective address referenced by the SIB byte of @insn. After 1048 * identifying the registers involved in the indexed, register-indirect memory 1049 * reference, its value is obtained from the operands in @regs. The computed 1050 * address is stored @eff_addr. Also, the register operand that indicates the 1051 * associated segment is stored in @regoff, this parameter can later be used to 1052 * determine such segment. 1053 * 1054 * Returns: 1055 * 1056 * 0 on success. @eff_addr will have the referenced effective address. 1057 * @base_offset will have a register, as an offset from the base of pt_regs, 1058 * that can be used to resolve the associated segment. 1059 * 1060 * -EINVAL on error. 1061 */ 1062 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1063 int *base_offset, long *eff_addr) 1064 { 1065 long base, indx; 1066 int indx_offset; 1067 1068 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1069 return -EINVAL; 1070 1071 insn_get_modrm(insn); 1072 1073 if (!insn->modrm.nbytes) 1074 return -EINVAL; 1075 1076 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1077 return -EINVAL; 1078 1079 insn_get_sib(insn); 1080 1081 if (!insn->sib.nbytes) 1082 return -EINVAL; 1083 1084 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1085 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1086 1087 /* 1088 * Negative values in the base and index offset means an error when 1089 * decoding the SIB byte. Except -EDOM, which means that the registers 1090 * should not be used in the address computation. 1091 */ 1092 if (*base_offset == -EDOM) 1093 base = 0; 1094 else if (*base_offset < 0) 1095 return -EINVAL; 1096 else 1097 base = regs_get_register(regs, *base_offset); 1098 1099 if (indx_offset == -EDOM) 1100 indx = 0; 1101 else if (indx_offset < 0) 1102 return -EINVAL; 1103 else 1104 indx = regs_get_register(regs, indx_offset); 1105 1106 if (insn->addr_bytes == 4) { 1107 int addr32, base32, idx32; 1108 1109 base32 = base & 0xffffffff; 1110 idx32 = indx & 0xffffffff; 1111 1112 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1113 addr32 += insn->displacement.value; 1114 1115 *eff_addr = addr32 & 0xffffffff; 1116 } else { 1117 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1118 *eff_addr += insn->displacement.value; 1119 } 1120 1121 return 0; 1122 } 1123 1124 /** 1125 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1126 * @insn: Instruction containing ModRM byte and displacement 1127 * @regs: Register values as seen when entering kernel mode 1128 * 1129 * This function is to be used with 16-bit address encodings. Obtain the memory 1130 * address referred by the instruction's ModRM and displacement bytes. Also, the 1131 * segment used as base is determined by either any segment override prefixes in 1132 * @insn or the default segment of the registers involved in the address 1133 * computation. In protected mode, segment limits are enforced. 1134 * 1135 * Returns: 1136 * 1137 * Linear address referenced by the instruction operands on success. 1138 * 1139 * -1L on error. 1140 */ 1141 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1142 { 1143 unsigned long linear_addr = -1L, seg_base, seg_limit; 1144 int ret, regoff; 1145 short eff_addr; 1146 long tmp; 1147 1148 insn_get_modrm(insn); 1149 insn_get_displacement(insn); 1150 1151 if (insn->addr_bytes != 2) 1152 goto out; 1153 1154 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1155 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1156 if (ret) 1157 goto out; 1158 1159 eff_addr = tmp; 1160 } else { 1161 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1162 if (ret) 1163 goto out; 1164 } 1165 1166 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1167 if (ret) 1168 goto out; 1169 1170 /* 1171 * Before computing the linear address, make sure the effective address 1172 * is within the limits of the segment. In virtual-8086 mode, segment 1173 * limits are not enforced. In such a case, the segment limit is -1L to 1174 * reflect this fact. 1175 */ 1176 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1177 goto out; 1178 1179 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1180 1181 /* Limit linear address to 20 bits */ 1182 if (v8086_mode(regs)) 1183 linear_addr &= 0xfffff; 1184 1185 out: 1186 return (void __user *)linear_addr; 1187 } 1188 1189 /** 1190 * get_addr_ref_32() - Obtain a 32-bit linear address 1191 * @insn: Instruction with ModRM, SIB bytes and displacement 1192 * @regs: Register values as seen when entering kernel mode 1193 * 1194 * This function is to be used with 32-bit address encodings to obtain the 1195 * linear memory address referred by the instruction's ModRM, SIB, 1196 * displacement bytes and segment base address, as applicable. If in protected 1197 * mode, segment limits are enforced. 1198 * 1199 * Returns: 1200 * 1201 * Linear address referenced by instruction and registers on success. 1202 * 1203 * -1L on error. 1204 */ 1205 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1206 { 1207 unsigned long linear_addr = -1L, seg_base, seg_limit; 1208 int eff_addr, regoff; 1209 long tmp; 1210 int ret; 1211 1212 if (insn->addr_bytes != 4) 1213 goto out; 1214 1215 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1216 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1217 if (ret) 1218 goto out; 1219 1220 eff_addr = tmp; 1221 1222 } else { 1223 if (insn->sib.nbytes) { 1224 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1225 if (ret) 1226 goto out; 1227 1228 eff_addr = tmp; 1229 } else { 1230 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1231 if (ret) 1232 goto out; 1233 1234 eff_addr = tmp; 1235 } 1236 } 1237 1238 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1239 if (ret) 1240 goto out; 1241 1242 /* 1243 * In protected mode, before computing the linear address, make sure 1244 * the effective address is within the limits of the segment. 1245 * 32-bit addresses can be used in long and virtual-8086 modes if an 1246 * address override prefix is used. In such cases, segment limits are 1247 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1248 * to reflect this situation. 1249 * 1250 * After computed, the effective address is treated as an unsigned 1251 * quantity. 1252 */ 1253 if (!user_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1254 goto out; 1255 1256 /* 1257 * Even though 32-bit address encodings are allowed in virtual-8086 1258 * mode, the address range is still limited to [0x-0xffff]. 1259 */ 1260 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1261 goto out; 1262 1263 /* 1264 * Data type long could be 64 bits in size. Ensure that our 32-bit 1265 * effective address is not sign-extended when computing the linear 1266 * address. 1267 */ 1268 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1269 1270 /* Limit linear address to 20 bits */ 1271 if (v8086_mode(regs)) 1272 linear_addr &= 0xfffff; 1273 1274 out: 1275 return (void __user *)linear_addr; 1276 } 1277 1278 /** 1279 * get_addr_ref_64() - Obtain a 64-bit linear address 1280 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1281 * @regs: Structure with register values as seen when entering kernel mode 1282 * 1283 * This function is to be used with 64-bit address encodings to obtain the 1284 * linear memory address referred by the instruction's ModRM, SIB, 1285 * displacement bytes and segment base address, as applicable. 1286 * 1287 * Returns: 1288 * 1289 * Linear address referenced by instruction and registers on success. 1290 * 1291 * -1L on error. 1292 */ 1293 #ifndef CONFIG_X86_64 1294 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1295 { 1296 return (void __user *)-1L; 1297 } 1298 #else 1299 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1300 { 1301 unsigned long linear_addr = -1L, seg_base; 1302 int regoff, ret; 1303 long eff_addr; 1304 1305 if (insn->addr_bytes != 8) 1306 goto out; 1307 1308 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1309 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1310 if (ret) 1311 goto out; 1312 1313 } else { 1314 if (insn->sib.nbytes) { 1315 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1316 if (ret) 1317 goto out; 1318 } else { 1319 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1320 if (ret) 1321 goto out; 1322 } 1323 1324 } 1325 1326 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1327 if (ret) 1328 goto out; 1329 1330 linear_addr = (unsigned long)eff_addr + seg_base; 1331 1332 out: 1333 return (void __user *)linear_addr; 1334 } 1335 #endif /* CONFIG_X86_64 */ 1336 1337 /** 1338 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1339 * @insn: Instruction structure containing ModRM byte and displacement 1340 * @regs: Structure with register values as seen when entering kernel mode 1341 * 1342 * Obtain the linear address referred by the instruction's ModRM, SIB and 1343 * displacement bytes, and segment base, as applicable. In protected mode, 1344 * segment limits are enforced. 1345 * 1346 * Returns: 1347 * 1348 * Linear address referenced by instruction and registers on success. 1349 * 1350 * -1L on error. 1351 */ 1352 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1353 { 1354 if (!insn || !regs) 1355 return (void __user *)-1L; 1356 1357 switch (insn->addr_bytes) { 1358 case 2: 1359 return get_addr_ref_16(insn, regs); 1360 case 4: 1361 return get_addr_ref_32(insn, regs); 1362 case 8: 1363 return get_addr_ref_64(insn, regs); 1364 default: 1365 return (void __user *)-1L; 1366 } 1367 } 1368