Line data Source code
1 : /*
2 : * Utility functions for x86 operand and address decoding
3 : *
4 : * Copyright (C) Intel Corporation 2017
5 : */
6 : #include <linux/kernel.h>
7 : #include <linux/string.h>
8 : #include <linux/ratelimit.h>
9 : #include <linux/mmu_context.h>
10 : #include <asm/desc_defs.h>
11 : #include <asm/desc.h>
12 : #include <asm/inat.h>
13 : #include <asm/insn.h>
14 : #include <asm/insn-eval.h>
15 : #include <asm/ldt.h>
16 : #include <asm/vm86.h>
17 :
18 : #undef pr_fmt
19 : #define pr_fmt(fmt) "insn: " fmt
20 :
21 : enum reg_type {
22 : REG_TYPE_RM = 0,
23 : REG_TYPE_REG,
24 : REG_TYPE_INDEX,
25 : REG_TYPE_BASE,
26 : };
27 :
28 : /**
29 : * is_string_insn() - Determine if instruction is a string instruction
30 : * @insn: Instruction containing the opcode to inspect
31 : *
32 : * Returns:
33 : *
34 : * true if the instruction, determined by the opcode, is any of the
35 : * string instructions as defined in the Intel Software Development manual.
36 : * False otherwise.
37 : */
38 0 : static bool is_string_insn(struct insn *insn)
39 : {
40 0 : insn_get_opcode(insn);
41 :
42 : /* All string instructions have a 1-byte opcode. */
43 0 : if (insn->opcode.nbytes != 1)
44 : return false;
45 :
46 0 : switch (insn->opcode.bytes[0]) {
47 : case 0x6c ... 0x6f: /* INS, OUTS */
48 : case 0xa4 ... 0xa7: /* MOVS, CMPS */
49 : case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
50 : return true;
51 0 : default:
52 0 : return false;
53 : }
54 : }
55 :
56 : /**
57 : * insn_has_rep_prefix() - Determine if instruction has a REP prefix
58 : * @insn: Instruction containing the prefix to inspect
59 : *
60 : * Returns:
61 : *
62 : * true if the instruction has a REP prefix, false if not.
63 : */
64 0 : bool insn_has_rep_prefix(struct insn *insn)
65 : {
66 0 : insn_byte_t p;
67 0 : int i;
68 :
69 0 : insn_get_prefixes(insn);
70 :
71 0 : for_each_insn_prefix(insn, i, p) {
72 0 : if (p == 0xf2 || p == 0xf3)
73 : return true;
74 : }
75 :
76 : return false;
77 : }
78 :
79 : /**
80 : * get_seg_reg_override_idx() - obtain segment register override index
81 : * @insn: Valid instruction with segment override prefixes
82 : *
83 : * Inspect the instruction prefixes in @insn and find segment overrides, if any.
84 : *
85 : * Returns:
86 : *
87 : * A constant identifying the segment register to use, among CS, SS, DS,
88 : * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
89 : * prefixes were found.
90 : *
91 : * -EINVAL in case of error.
92 : */
93 0 : static int get_seg_reg_override_idx(struct insn *insn)
94 : {
95 0 : int idx = INAT_SEG_REG_DEFAULT;
96 0 : int num_overrides = 0, i;
97 0 : insn_byte_t p;
98 :
99 0 : insn_get_prefixes(insn);
100 :
101 : /* Look for any segment override prefixes. */
102 0 : for_each_insn_prefix(insn, i, p) {
103 0 : insn_attr_t attr;
104 :
105 0 : attr = inat_get_opcode_attribute(p);
106 0 : switch (attr) {
107 0 : case INAT_MAKE_PREFIX(INAT_PFX_CS):
108 0 : idx = INAT_SEG_REG_CS;
109 0 : num_overrides++;
110 0 : break;
111 0 : case INAT_MAKE_PREFIX(INAT_PFX_SS):
112 0 : idx = INAT_SEG_REG_SS;
113 0 : num_overrides++;
114 0 : break;
115 0 : case INAT_MAKE_PREFIX(INAT_PFX_DS):
116 0 : idx = INAT_SEG_REG_DS;
117 0 : num_overrides++;
118 0 : break;
119 0 : case INAT_MAKE_PREFIX(INAT_PFX_ES):
120 0 : idx = INAT_SEG_REG_ES;
121 0 : num_overrides++;
122 0 : break;
123 0 : case INAT_MAKE_PREFIX(INAT_PFX_FS):
124 0 : idx = INAT_SEG_REG_FS;
125 0 : num_overrides++;
126 0 : break;
127 0 : case INAT_MAKE_PREFIX(INAT_PFX_GS):
128 0 : idx = INAT_SEG_REG_GS;
129 0 : num_overrides++;
130 0 : break;
131 : /* No default action needed. */
132 : }
133 0 : }
134 :
135 : /* More than one segment override prefix leads to undefined behavior. */
136 0 : if (num_overrides > 1)
137 0 : return -EINVAL;
138 :
139 : return idx;
140 : }
141 :
142 : /**
143 : * check_seg_overrides() - check if segment override prefixes are allowed
144 : * @insn: Valid instruction with segment override prefixes
145 : * @regoff: Operand offset, in pt_regs, for which the check is performed
146 : *
147 : * For a particular register used in register-indirect addressing, determine if
148 : * segment override prefixes can be used. Specifically, no overrides are allowed
149 : * for rDI if used with a string instruction.
150 : *
151 : * Returns:
152 : *
153 : * True if segment override prefixes can be used with the register indicated
154 : * in @regoff. False if otherwise.
155 : */
156 0 : static bool check_seg_overrides(struct insn *insn, int regoff)
157 : {
158 0 : if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
159 0 : return false;
160 :
161 : return true;
162 : }
163 :
164 : /**
165 : * resolve_default_seg() - resolve default segment register index for an operand
166 : * @insn: Instruction with opcode and address size. Must be valid.
167 : * @regs: Register values as seen when entering kernel mode
168 : * @off: Operand offset, in pt_regs, for which resolution is needed
169 : *
170 : * Resolve the default segment register index associated with the instruction
171 : * operand register indicated by @off. Such index is resolved based on defaults
172 : * described in the Intel Software Development Manual.
173 : *
174 : * Returns:
175 : *
176 : * If in protected mode, a constant identifying the segment register to use,
177 : * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
178 : *
179 : * -EINVAL in case of error.
180 : */
181 0 : static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
182 : {
183 0 : if (any_64bit_mode(regs))
184 : return INAT_SEG_REG_IGNORE;
185 : /*
186 : * Resolve the default segment register as described in Section 3.7.4
187 : * of the Intel Software Development Manual Vol. 1:
188 : *
189 : * + DS for all references involving r[ABCD]X, and rSI.
190 : * + If used in a string instruction, ES for rDI. Otherwise, DS.
191 : * + AX, CX and DX are not valid register operands in 16-bit address
192 : * encodings but are valid for 32-bit and 64-bit encodings.
193 : * + -EDOM is reserved to identify for cases in which no register
194 : * is used (i.e., displacement-only addressing). Use DS.
195 : * + SS for rSP or rBP.
196 : * + CS for rIP.
197 : */
198 :
199 0 : switch (off) {
200 0 : case offsetof(struct pt_regs, ax):
201 : case offsetof(struct pt_regs, cx):
202 : case offsetof(struct pt_regs, dx):
203 : /* Need insn to verify address size. */
204 0 : if (insn->addr_bytes == 2)
205 0 : return -EINVAL;
206 :
207 : fallthrough;
208 :
209 : case -EDOM:
210 : case offsetof(struct pt_regs, bx):
211 : case offsetof(struct pt_regs, si):
212 : return INAT_SEG_REG_DS;
213 :
214 0 : case offsetof(struct pt_regs, di):
215 0 : if (is_string_insn(insn))
216 0 : return INAT_SEG_REG_ES;
217 : return INAT_SEG_REG_DS;
218 :
219 0 : case offsetof(struct pt_regs, bp):
220 : case offsetof(struct pt_regs, sp):
221 0 : return INAT_SEG_REG_SS;
222 :
223 0 : case offsetof(struct pt_regs, ip):
224 0 : return INAT_SEG_REG_CS;
225 :
226 0 : default:
227 0 : return -EINVAL;
228 : }
229 : }
230 :
231 : /**
232 : * resolve_seg_reg() - obtain segment register index
233 : * @insn: Instruction with operands
234 : * @regs: Register values as seen when entering kernel mode
235 : * @regoff: Operand offset, in pt_regs, used to deterimine segment register
236 : *
237 : * Determine the segment register associated with the operands and, if
238 : * applicable, prefixes and the instruction pointed by @insn.
239 : *
240 : * The segment register associated to an operand used in register-indirect
241 : * addressing depends on:
242 : *
243 : * a) Whether running in long mode (in such a case segments are ignored, except
244 : * if FS or GS are used).
245 : *
246 : * b) Whether segment override prefixes can be used. Certain instructions and
247 : * registers do not allow override prefixes.
248 : *
249 : * c) Whether segment overrides prefixes are found in the instruction prefixes.
250 : *
251 : * d) If there are not segment override prefixes or they cannot be used, the
252 : * default segment register associated with the operand register is used.
253 : *
254 : * The function checks first if segment override prefixes can be used with the
255 : * operand indicated by @regoff. If allowed, obtain such overridden segment
256 : * register index. Lastly, if not prefixes were found or cannot be used, resolve
257 : * the segment register index to use based on the defaults described in the
258 : * Intel documentation. In long mode, all segment register indexes will be
259 : * ignored, except if overrides were found for FS or GS. All these operations
260 : * are done using helper functions.
261 : *
262 : * The operand register, @regoff, is represented as the offset from the base of
263 : * pt_regs.
264 : *
265 : * As stated, the main use of this function is to determine the segment register
266 : * index based on the instruction, its operands and prefixes. Hence, @insn
267 : * must be valid. However, if @regoff indicates rIP, we don't need to inspect
268 : * @insn at all as in this case CS is used in all cases. This case is checked
269 : * before proceeding further.
270 : *
271 : * Please note that this function does not return the value in the segment
272 : * register (i.e., the segment selector) but our defined index. The segment
273 : * selector needs to be obtained using get_segment_selector() and passing the
274 : * segment register index resolved by this function.
275 : *
276 : * Returns:
277 : *
278 : * An index identifying the segment register to use, among CS, SS, DS,
279 : * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
280 : *
281 : * -EINVAL in case of error.
282 : */
283 0 : static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
284 : {
285 0 : int idx;
286 :
287 : /*
288 : * In the unlikely event of having to resolve the segment register
289 : * index for rIP, do it first. Segment override prefixes should not
290 : * be used. Hence, it is not necessary to inspect the instruction,
291 : * which may be invalid at this point.
292 : */
293 0 : if (regoff == offsetof(struct pt_regs, ip)) {
294 0 : if (any_64bit_mode(regs))
295 : return INAT_SEG_REG_IGNORE;
296 : else
297 0 : return INAT_SEG_REG_CS;
298 : }
299 :
300 0 : if (!insn)
301 : return -EINVAL;
302 :
303 0 : if (!check_seg_overrides(insn, regoff))
304 0 : return resolve_default_seg(insn, regs, regoff);
305 :
306 0 : idx = get_seg_reg_override_idx(insn);
307 0 : if (idx < 0)
308 : return idx;
309 :
310 0 : if (idx == INAT_SEG_REG_DEFAULT)
311 0 : return resolve_default_seg(insn, regs, regoff);
312 :
313 : /*
314 : * In long mode, segment override prefixes are ignored, except for
315 : * overrides for FS and GS.
316 : */
317 0 : if (any_64bit_mode(regs)) {
318 0 : if (idx != INAT_SEG_REG_FS &&
319 : idx != INAT_SEG_REG_GS)
320 0 : idx = INAT_SEG_REG_IGNORE;
321 : }
322 :
323 : return idx;
324 : }
325 :
326 : /**
327 : * get_segment_selector() - obtain segment selector
328 : * @regs: Register values as seen when entering kernel mode
329 : * @seg_reg_idx: Segment register index to use
330 : *
331 : * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
332 : * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
333 : * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
334 : * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
335 : * registers. This done for only for completeness as in CONFIG_X86_64 segment
336 : * registers are ignored.
337 : *
338 : * Returns:
339 : *
340 : * Value of the segment selector, including null when running in
341 : * long mode.
342 : *
343 : * -EINVAL on error.
344 : */
345 0 : static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
346 : {
347 : #ifdef CONFIG_X86_64
348 0 : unsigned short sel;
349 :
350 0 : switch (seg_reg_idx) {
351 : case INAT_SEG_REG_IGNORE:
352 : return 0;
353 0 : case INAT_SEG_REG_CS:
354 0 : return (unsigned short)(regs->cs & 0xffff);
355 0 : case INAT_SEG_REG_SS:
356 0 : return (unsigned short)(regs->ss & 0xffff);
357 0 : case INAT_SEG_REG_DS:
358 0 : savesegment(ds, sel);
359 0 : return sel;
360 0 : case INAT_SEG_REG_ES:
361 0 : savesegment(es, sel);
362 0 : return sel;
363 0 : case INAT_SEG_REG_FS:
364 0 : savesegment(fs, sel);
365 0 : return sel;
366 0 : case INAT_SEG_REG_GS:
367 0 : savesegment(gs, sel);
368 0 : return sel;
369 0 : default:
370 0 : return -EINVAL;
371 : }
372 : #else /* CONFIG_X86_32 */
373 : struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
374 :
375 : if (v8086_mode(regs)) {
376 : switch (seg_reg_idx) {
377 : case INAT_SEG_REG_CS:
378 : return (unsigned short)(regs->cs & 0xffff);
379 : case INAT_SEG_REG_SS:
380 : return (unsigned short)(regs->ss & 0xffff);
381 : case INAT_SEG_REG_DS:
382 : return vm86regs->ds;
383 : case INAT_SEG_REG_ES:
384 : return vm86regs->es;
385 : case INAT_SEG_REG_FS:
386 : return vm86regs->fs;
387 : case INAT_SEG_REG_GS:
388 : return vm86regs->gs;
389 : case INAT_SEG_REG_IGNORE:
390 : default:
391 : return -EINVAL;
392 : }
393 : }
394 :
395 : switch (seg_reg_idx) {
396 : case INAT_SEG_REG_CS:
397 : return (unsigned short)(regs->cs & 0xffff);
398 : case INAT_SEG_REG_SS:
399 : return (unsigned short)(regs->ss & 0xffff);
400 : case INAT_SEG_REG_DS:
401 : return (unsigned short)(regs->ds & 0xffff);
402 : case INAT_SEG_REG_ES:
403 : return (unsigned short)(regs->es & 0xffff);
404 : case INAT_SEG_REG_FS:
405 : return (unsigned short)(regs->fs & 0xffff);
406 : case INAT_SEG_REG_GS:
407 : /*
408 : * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS.
409 : * The macro below takes care of both cases.
410 : */
411 : return get_user_gs(regs);
412 : case INAT_SEG_REG_IGNORE:
413 : default:
414 : return -EINVAL;
415 : }
416 : #endif /* CONFIG_X86_64 */
417 : }
418 :
419 0 : static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
420 : enum reg_type type)
421 : {
422 0 : int regno = 0;
423 :
424 0 : static const int regoff[] = {
425 : offsetof(struct pt_regs, ax),
426 : offsetof(struct pt_regs, cx),
427 : offsetof(struct pt_regs, dx),
428 : offsetof(struct pt_regs, bx),
429 : offsetof(struct pt_regs, sp),
430 : offsetof(struct pt_regs, bp),
431 : offsetof(struct pt_regs, si),
432 : offsetof(struct pt_regs, di),
433 : #ifdef CONFIG_X86_64
434 : offsetof(struct pt_regs, r8),
435 : offsetof(struct pt_regs, r9),
436 : offsetof(struct pt_regs, r10),
437 : offsetof(struct pt_regs, r11),
438 : offsetof(struct pt_regs, r12),
439 : offsetof(struct pt_regs, r13),
440 : offsetof(struct pt_regs, r14),
441 : offsetof(struct pt_regs, r15),
442 : #endif
443 : };
444 0 : int nr_registers = ARRAY_SIZE(regoff);
445 : /*
446 : * Don't possibly decode a 32-bit instructions as
447 : * reading a 64-bit-only register.
448 : */
449 0 : if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
450 0 : nr_registers -= 8;
451 :
452 0 : switch (type) {
453 0 : case REG_TYPE_RM:
454 0 : regno = X86_MODRM_RM(insn->modrm.value);
455 :
456 : /*
457 : * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
458 : * follows the ModRM byte.
459 : */
460 0 : if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
461 : return -EDOM;
462 :
463 0 : if (X86_REX_B(insn->rex_prefix.value))
464 0 : regno += 8;
465 : break;
466 :
467 0 : case REG_TYPE_REG:
468 0 : regno = X86_MODRM_REG(insn->modrm.value);
469 :
470 0 : if (X86_REX_R(insn->rex_prefix.value))
471 0 : regno += 8;
472 : break;
473 :
474 0 : case REG_TYPE_INDEX:
475 0 : regno = X86_SIB_INDEX(insn->sib.value);
476 0 : if (X86_REX_X(insn->rex_prefix.value))
477 0 : regno += 8;
478 :
479 : /*
480 : * If ModRM.mod != 3 and SIB.index = 4 the scale*index
481 : * portion of the address computation is null. This is
482 : * true only if REX.X is 0. In such a case, the SIB index
483 : * is used in the address computation.
484 : */
485 0 : if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
486 : return -EDOM;
487 : break;
488 :
489 0 : case REG_TYPE_BASE:
490 0 : regno = X86_SIB_BASE(insn->sib.value);
491 : /*
492 : * If ModRM.mod is 0 and SIB.base == 5, the base of the
493 : * register-indirect addressing is 0. In this case, a
494 : * 32-bit displacement follows the SIB byte.
495 : */
496 0 : if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
497 : return -EDOM;
498 :
499 0 : if (X86_REX_B(insn->rex_prefix.value))
500 0 : regno += 8;
501 : break;
502 :
503 0 : default:
504 0 : pr_err_ratelimited("invalid register type: %d\n", type);
505 : return -EINVAL;
506 : }
507 :
508 0 : if (regno >= nr_registers) {
509 0 : WARN_ONCE(1, "decoded an instruction with an invalid register");
510 0 : return -EINVAL;
511 : }
512 0 : return regoff[regno];
513 : }
514 :
515 : /**
516 : * get_reg_offset_16() - Obtain offset of register indicated by instruction
517 : * @insn: Instruction containing ModRM byte
518 : * @regs: Register values as seen when entering kernel mode
519 : * @offs1: Offset of the first operand register
520 : * @offs2: Offset of the second opeand register, if applicable
521 : *
522 : * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
523 : * in @insn. This function is to be used with 16-bit address encodings. The
524 : * @offs1 and @offs2 will be written with the offset of the two registers
525 : * indicated by the instruction. In cases where any of the registers is not
526 : * referenced by the instruction, the value will be set to -EDOM.
527 : *
528 : * Returns:
529 : *
530 : * 0 on success, -EINVAL on error.
531 : */
532 0 : static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
533 : int *offs1, int *offs2)
534 : {
535 : /*
536 : * 16-bit addressing can use one or two registers. Specifics of
537 : * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
538 : * ModR/M Byte" of the Intel Software Development Manual.
539 : */
540 0 : static const int regoff1[] = {
541 : offsetof(struct pt_regs, bx),
542 : offsetof(struct pt_regs, bx),
543 : offsetof(struct pt_regs, bp),
544 : offsetof(struct pt_regs, bp),
545 : offsetof(struct pt_regs, si),
546 : offsetof(struct pt_regs, di),
547 : offsetof(struct pt_regs, bp),
548 : offsetof(struct pt_regs, bx),
549 : };
550 :
551 0 : static const int regoff2[] = {
552 : offsetof(struct pt_regs, si),
553 : offsetof(struct pt_regs, di),
554 : offsetof(struct pt_regs, si),
555 : offsetof(struct pt_regs, di),
556 : -EDOM,
557 : -EDOM,
558 : -EDOM,
559 : -EDOM,
560 : };
561 :
562 0 : if (!offs1 || !offs2)
563 : return -EINVAL;
564 :
565 : /* Operand is a register, use the generic function. */
566 0 : if (X86_MODRM_MOD(insn->modrm.value) == 3) {
567 0 : *offs1 = insn_get_modrm_rm_off(insn, regs);
568 0 : *offs2 = -EDOM;
569 0 : return 0;
570 : }
571 :
572 0 : *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
573 0 : *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
574 :
575 : /*
576 : * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
577 : * only addressing. This means that no registers are involved in
578 : * computing the effective address. Thus, ensure that the first
579 : * register offset is invalild. The second register offset is already
580 : * invalid under the aforementioned conditions.
581 : */
582 0 : if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
583 0 : (X86_MODRM_RM(insn->modrm.value) == 6))
584 0 : *offs1 = -EDOM;
585 :
586 : return 0;
587 : }
588 :
589 : /**
590 : * get_desc() - Obtain contents of a segment descriptor
591 : * @out: Segment descriptor contents on success
592 : * @sel: Segment selector
593 : *
594 : * Given a segment selector, obtain a pointer to the segment descriptor.
595 : * Both global and local descriptor tables are supported.
596 : *
597 : * Returns:
598 : *
599 : * True on success, false on failure.
600 : *
601 : * NULL on error.
602 : */
603 0 : static bool get_desc(struct desc_struct *out, unsigned short sel)
604 : {
605 0 : struct desc_ptr gdt_desc = {0, 0};
606 0 : unsigned long desc_base;
607 :
608 : #ifdef CONFIG_MODIFY_LDT_SYSCALL
609 : if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
610 : bool success = false;
611 : struct ldt_struct *ldt;
612 :
613 : /* Bits [15:3] contain the index of the desired entry. */
614 : sel >>= 3;
615 :
616 : mutex_lock(¤t->active_mm->context.lock);
617 : ldt = current->active_mm->context.ldt;
618 : if (ldt && sel < ldt->nr_entries) {
619 : *out = ldt->entries[sel];
620 : success = true;
621 : }
622 :
623 : mutex_unlock(¤t->active_mm->context.lock);
624 :
625 : return success;
626 : }
627 : #endif
628 0 : native_store_gdt(&gdt_desc);
629 :
630 : /*
631 : * Segment descriptors have a size of 8 bytes. Thus, the index is
632 : * multiplied by 8 to obtain the memory offset of the desired descriptor
633 : * from the base of the GDT. As bits [15:3] of the segment selector
634 : * contain the index, it can be regarded as multiplied by 8 already.
635 : * All that remains is to clear bits [2:0].
636 : */
637 0 : desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
638 :
639 0 : if (desc_base > gdt_desc.size)
640 : return false;
641 :
642 0 : *out = *(struct desc_struct *)(gdt_desc.address + desc_base);
643 0 : return true;
644 : }
645 :
646 : /**
647 : * insn_get_seg_base() - Obtain base address of segment descriptor.
648 : * @regs: Register values as seen when entering kernel mode
649 : * @seg_reg_idx: Index of the segment register pointing to seg descriptor
650 : *
651 : * Obtain the base address of the segment as indicated by the segment descriptor
652 : * pointed by the segment selector. The segment selector is obtained from the
653 : * input segment register index @seg_reg_idx.
654 : *
655 : * Returns:
656 : *
657 : * In protected mode, base address of the segment. Zero in long mode,
658 : * except when FS or GS are used. In virtual-8086 mode, the segment
659 : * selector shifted 4 bits to the right.
660 : *
661 : * -1L in case of error.
662 : */
663 0 : unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
664 : {
665 0 : struct desc_struct desc;
666 0 : short sel;
667 :
668 0 : sel = get_segment_selector(regs, seg_reg_idx);
669 0 : if (sel < 0)
670 : return -1L;
671 :
672 0 : if (v8086_mode(regs))
673 : /*
674 : * Base is simply the segment selector shifted 4
675 : * bits to the right.
676 : */
677 : return (unsigned long)(sel << 4);
678 :
679 0 : if (any_64bit_mode(regs)) {
680 : /*
681 : * Only FS or GS will have a base address, the rest of
682 : * the segments' bases are forced to 0.
683 : */
684 0 : unsigned long base;
685 :
686 0 : if (seg_reg_idx == INAT_SEG_REG_FS) {
687 0 : rdmsrl(MSR_FS_BASE, base);
688 0 : } else if (seg_reg_idx == INAT_SEG_REG_GS) {
689 : /*
690 : * swapgs was called at the kernel entry point. Thus,
691 : * MSR_KERNEL_GS_BASE will have the user-space GS base.
692 : */
693 0 : if (user_mode(regs))
694 0 : rdmsrl(MSR_KERNEL_GS_BASE, base);
695 : else
696 0 : rdmsrl(MSR_GS_BASE, base);
697 : } else {
698 : base = 0;
699 : }
700 0 : return base;
701 : }
702 :
703 : /* In protected mode the segment selector cannot be null. */
704 0 : if (!sel)
705 : return -1L;
706 :
707 0 : if (!get_desc(&desc, sel))
708 : return -1L;
709 :
710 0 : return get_desc_base(&desc);
711 : }
712 :
713 : /**
714 : * get_seg_limit() - Obtain the limit of a segment descriptor
715 : * @regs: Register values as seen when entering kernel mode
716 : * @seg_reg_idx: Index of the segment register pointing to seg descriptor
717 : *
718 : * Obtain the limit of the segment as indicated by the segment descriptor
719 : * pointed by the segment selector. The segment selector is obtained from the
720 : * input segment register index @seg_reg_idx.
721 : *
722 : * Returns:
723 : *
724 : * In protected mode, the limit of the segment descriptor in bytes.
725 : * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
726 : * limit is returned as -1L to imply a limit-less segment.
727 : *
728 : * Zero is returned on error.
729 : */
730 0 : static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
731 : {
732 0 : struct desc_struct desc;
733 0 : unsigned long limit;
734 0 : short sel;
735 :
736 0 : sel = get_segment_selector(regs, seg_reg_idx);
737 0 : if (sel < 0)
738 : return 0;
739 :
740 0 : if (any_64bit_mode(regs) || v8086_mode(regs))
741 : return -1L;
742 :
743 0 : if (!sel)
744 : return 0;
745 :
746 0 : if (!get_desc(&desc, sel))
747 : return 0;
748 :
749 : /*
750 : * If the granularity bit is set, the limit is given in multiples
751 : * of 4096. This also means that the 12 least significant bits are
752 : * not tested when checking the segment limits. In practice,
753 : * this means that the segment ends in (limit << 12) + 0xfff.
754 : */
755 0 : limit = get_desc_limit(&desc);
756 0 : if (desc.g)
757 0 : limit = (limit << 12) + 0xfff;
758 :
759 : return limit;
760 : }
761 :
762 : /**
763 : * insn_get_code_seg_params() - Obtain code segment parameters
764 : * @regs: Structure with register values as seen when entering kernel mode
765 : *
766 : * Obtain address and operand sizes of the code segment. It is obtained from the
767 : * selector contained in the CS register in regs. In protected mode, the default
768 : * address is determined by inspecting the L and D bits of the segment
769 : * descriptor. In virtual-8086 mode, the default is always two bytes for both
770 : * address and operand sizes.
771 : *
772 : * Returns:
773 : *
774 : * An int containing ORed-in default parameters on success.
775 : *
776 : * -EINVAL on error.
777 : */
778 0 : int insn_get_code_seg_params(struct pt_regs *regs)
779 : {
780 0 : struct desc_struct desc;
781 0 : short sel;
782 :
783 0 : if (v8086_mode(regs))
784 : /* Address and operand size are both 16-bit. */
785 : return INSN_CODE_SEG_PARAMS(2, 2);
786 :
787 0 : sel = get_segment_selector(regs, INAT_SEG_REG_CS);
788 0 : if (sel < 0)
789 0 : return sel;
790 :
791 0 : if (!get_desc(&desc, sel))
792 : return -EINVAL;
793 :
794 : /*
795 : * The most significant byte of the Type field of the segment descriptor
796 : * determines whether a segment contains data or code. If this is a data
797 : * segment, return error.
798 : */
799 0 : if (!(desc.type & BIT(3)))
800 : return -EINVAL;
801 :
802 0 : switch ((desc.l << 1) | desc.d) {
803 : case 0: /*
804 : * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
805 : * both 16-bit.
806 : */
807 : return INSN_CODE_SEG_PARAMS(2, 2);
808 : case 1: /*
809 : * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
810 : * both 32-bit.
811 : */
812 : return INSN_CODE_SEG_PARAMS(4, 4);
813 : case 2: /*
814 : * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
815 : * operand size is 32-bit.
816 : */
817 : return INSN_CODE_SEG_PARAMS(4, 8);
818 : case 3: /* Invalid setting. CS.L=1, CS.D=1 */
819 : fallthrough;
820 : default:
821 : return -EINVAL;
822 : }
823 : }
824 :
825 : /**
826 : * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
827 : * @insn: Instruction containing the ModRM byte
828 : * @regs: Register values as seen when entering kernel mode
829 : *
830 : * Returns:
831 : *
832 : * The register indicated by the r/m part of the ModRM byte. The
833 : * register is obtained as an offset from the base of pt_regs. In specific
834 : * cases, the returned value can be -EDOM to indicate that the particular value
835 : * of ModRM does not refer to a register and shall be ignored.
836 : */
837 0 : int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
838 : {
839 0 : return get_reg_offset(insn, regs, REG_TYPE_RM);
840 : }
841 :
842 : /**
843 : * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte
844 : * @insn: Instruction containing the ModRM byte
845 : * @regs: Register values as seen when entering kernel mode
846 : *
847 : * Returns:
848 : *
849 : * The register indicated by the reg part of the ModRM byte. The
850 : * register is obtained as an offset from the base of pt_regs.
851 : */
852 0 : int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)
853 : {
854 0 : return get_reg_offset(insn, regs, REG_TYPE_REG);
855 : }
856 :
857 : /**
858 : * get_seg_base_limit() - obtain base address and limit of a segment
859 : * @insn: Instruction. Must be valid.
860 : * @regs: Register values as seen when entering kernel mode
861 : * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
862 : * @base: Obtained segment base
863 : * @limit: Obtained segment limit
864 : *
865 : * Obtain the base address and limit of the segment associated with the operand
866 : * @regoff and, if any or allowed, override prefixes in @insn. This function is
867 : * different from insn_get_seg_base() as the latter does not resolve the segment
868 : * associated with the instruction operand. If a limit is not needed (e.g.,
869 : * when running in long mode), @limit can be NULL.
870 : *
871 : * Returns:
872 : *
873 : * 0 on success. @base and @limit will contain the base address and of the
874 : * resolved segment, respectively.
875 : *
876 : * -EINVAL on error.
877 : */
878 0 : static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
879 : int regoff, unsigned long *base,
880 : unsigned long *limit)
881 : {
882 0 : int seg_reg_idx;
883 :
884 0 : if (!base)
885 : return -EINVAL;
886 :
887 0 : seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
888 0 : if (seg_reg_idx < 0)
889 : return seg_reg_idx;
890 :
891 0 : *base = insn_get_seg_base(regs, seg_reg_idx);
892 0 : if (*base == -1L)
893 : return -EINVAL;
894 :
895 0 : if (!limit)
896 : return 0;
897 :
898 0 : *limit = get_seg_limit(regs, seg_reg_idx);
899 0 : if (!(*limit))
900 0 : return -EINVAL;
901 :
902 : return 0;
903 : }
904 :
905 : /**
906 : * get_eff_addr_reg() - Obtain effective address from register operand
907 : * @insn: Instruction. Must be valid.
908 : * @regs: Register values as seen when entering kernel mode
909 : * @regoff: Obtained operand offset, in pt_regs, with the effective address
910 : * @eff_addr: Obtained effective address
911 : *
912 : * Obtain the effective address stored in the register operand as indicated by
913 : * the ModRM byte. This function is to be used only with register addressing
914 : * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
915 : * register operand, as an offset from the base of pt_regs, is saved in @regoff;
916 : * such offset can then be used to resolve the segment associated with the
917 : * operand. This function can be used with any of the supported address sizes
918 : * in x86.
919 : *
920 : * Returns:
921 : *
922 : * 0 on success. @eff_addr will have the effective address stored in the
923 : * operand indicated by ModRM. @regoff will have such operand as an offset from
924 : * the base of pt_regs.
925 : *
926 : * -EINVAL on error.
927 : */
928 0 : static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
929 : int *regoff, long *eff_addr)
930 : {
931 0 : insn_get_modrm(insn);
932 :
933 0 : if (!insn->modrm.nbytes)
934 : return -EINVAL;
935 :
936 0 : if (X86_MODRM_MOD(insn->modrm.value) != 3)
937 : return -EINVAL;
938 :
939 0 : *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
940 0 : if (*regoff < 0)
941 : return -EINVAL;
942 :
943 : /* Ignore bytes that are outside the address size. */
944 0 : if (insn->addr_bytes == 2)
945 0 : *eff_addr = regs_get_register(regs, *regoff) & 0xffff;
946 0 : else if (insn->addr_bytes == 4)
947 0 : *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
948 : else /* 64-bit address */
949 0 : *eff_addr = regs_get_register(regs, *regoff);
950 :
951 : return 0;
952 : }
953 :
954 : /**
955 : * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
956 : * @insn: Instruction. Must be valid.
957 : * @regs: Register values as seen when entering kernel mode
958 : * @regoff: Obtained operand offset, in pt_regs, associated with segment
959 : * @eff_addr: Obtained effective address
960 : *
961 : * Obtain the effective address referenced by the ModRM byte of @insn. After
962 : * identifying the registers involved in the register-indirect memory reference,
963 : * its value is obtained from the operands in @regs. The computed address is
964 : * stored @eff_addr. Also, the register operand that indicates the associated
965 : * segment is stored in @regoff, this parameter can later be used to determine
966 : * such segment.
967 : *
968 : * Returns:
969 : *
970 : * 0 on success. @eff_addr will have the referenced effective address. @regoff
971 : * will have a register, as an offset from the base of pt_regs, that can be used
972 : * to resolve the associated segment.
973 : *
974 : * -EINVAL on error.
975 : */
976 0 : static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
977 : int *regoff, long *eff_addr)
978 : {
979 0 : long tmp;
980 :
981 0 : if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
982 : return -EINVAL;
983 :
984 0 : insn_get_modrm(insn);
985 :
986 0 : if (!insn->modrm.nbytes)
987 : return -EINVAL;
988 :
989 0 : if (X86_MODRM_MOD(insn->modrm.value) > 2)
990 : return -EINVAL;
991 :
992 0 : *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
993 :
994 : /*
995 : * -EDOM means that we must ignore the address_offset. In such a case,
996 : * in 64-bit mode the effective address relative to the rIP of the
997 : * following instruction.
998 : */
999 0 : if (*regoff == -EDOM) {
1000 0 : if (any_64bit_mode(regs))
1001 0 : tmp = regs->ip + insn->length;
1002 : else
1003 : tmp = 0;
1004 0 : } else if (*regoff < 0) {
1005 : return -EINVAL;
1006 : } else {
1007 0 : tmp = regs_get_register(regs, *regoff);
1008 : }
1009 :
1010 0 : if (insn->addr_bytes == 4) {
1011 0 : int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
1012 :
1013 0 : *eff_addr = addr32 & 0xffffffff;
1014 : } else {
1015 0 : *eff_addr = tmp + insn->displacement.value;
1016 : }
1017 :
1018 : return 0;
1019 : }
1020 :
1021 : /**
1022 : * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
1023 : * @insn: Instruction. Must be valid.
1024 : * @regs: Register values as seen when entering kernel mode
1025 : * @regoff: Obtained operand offset, in pt_regs, associated with segment
1026 : * @eff_addr: Obtained effective address
1027 : *
1028 : * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
1029 : * After identifying the registers involved in the register-indirect memory
1030 : * reference, its value is obtained from the operands in @regs. The computed
1031 : * address is stored @eff_addr. Also, the register operand that indicates
1032 : * the associated segment is stored in @regoff, this parameter can later be used
1033 : * to determine such segment.
1034 : *
1035 : * Returns:
1036 : *
1037 : * 0 on success. @eff_addr will have the referenced effective address. @regoff
1038 : * will have a register, as an offset from the base of pt_regs, that can be used
1039 : * to resolve the associated segment.
1040 : *
1041 : * -EINVAL on error.
1042 : */
1043 0 : static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
1044 : int *regoff, short *eff_addr)
1045 : {
1046 0 : int addr_offset1, addr_offset2, ret;
1047 0 : short addr1 = 0, addr2 = 0, displacement;
1048 :
1049 0 : if (insn->addr_bytes != 2)
1050 : return -EINVAL;
1051 :
1052 0 : insn_get_modrm(insn);
1053 :
1054 0 : if (!insn->modrm.nbytes)
1055 : return -EINVAL;
1056 :
1057 0 : if (X86_MODRM_MOD(insn->modrm.value) > 2)
1058 : return -EINVAL;
1059 :
1060 0 : ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
1061 0 : if (ret < 0)
1062 : return -EINVAL;
1063 :
1064 : /*
1065 : * Don't fail on invalid offset values. They might be invalid because
1066 : * they cannot be used for this particular value of ModRM. Instead, use
1067 : * them in the computation only if they contain a valid value.
1068 : */
1069 0 : if (addr_offset1 != -EDOM)
1070 0 : addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
1071 :
1072 0 : if (addr_offset2 != -EDOM)
1073 0 : addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
1074 :
1075 0 : displacement = insn->displacement.value & 0xffff;
1076 0 : *eff_addr = addr1 + addr2 + displacement;
1077 :
1078 : /*
1079 : * The first operand register could indicate to use of either SS or DS
1080 : * registers to obtain the segment selector. The second operand
1081 : * register can only indicate the use of DS. Thus, the first operand
1082 : * will be used to obtain the segment selector.
1083 : */
1084 0 : *regoff = addr_offset1;
1085 :
1086 0 : return 0;
1087 : }
1088 :
1089 : /**
1090 : * get_eff_addr_sib() - Obtain referenced effective address via SIB
1091 : * @insn: Instruction. Must be valid.
1092 : * @regs: Register values as seen when entering kernel mode
1093 : * @regoff: Obtained operand offset, in pt_regs, associated with segment
1094 : * @eff_addr: Obtained effective address
1095 : *
1096 : * Obtain the effective address referenced by the SIB byte of @insn. After
1097 : * identifying the registers involved in the indexed, register-indirect memory
1098 : * reference, its value is obtained from the operands in @regs. The computed
1099 : * address is stored @eff_addr. Also, the register operand that indicates the
1100 : * associated segment is stored in @regoff, this parameter can later be used to
1101 : * determine such segment.
1102 : *
1103 : * Returns:
1104 : *
1105 : * 0 on success. @eff_addr will have the referenced effective address.
1106 : * @base_offset will have a register, as an offset from the base of pt_regs,
1107 : * that can be used to resolve the associated segment.
1108 : *
1109 : * -EINVAL on error.
1110 : */
1111 0 : static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1112 : int *base_offset, long *eff_addr)
1113 : {
1114 0 : long base, indx;
1115 0 : int indx_offset;
1116 :
1117 0 : if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1118 : return -EINVAL;
1119 :
1120 0 : insn_get_modrm(insn);
1121 :
1122 0 : if (!insn->modrm.nbytes)
1123 : return -EINVAL;
1124 :
1125 0 : if (X86_MODRM_MOD(insn->modrm.value) > 2)
1126 : return -EINVAL;
1127 :
1128 0 : insn_get_sib(insn);
1129 :
1130 0 : if (!insn->sib.nbytes)
1131 : return -EINVAL;
1132 :
1133 0 : *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
1134 0 : indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
1135 :
1136 : /*
1137 : * Negative values in the base and index offset means an error when
1138 : * decoding the SIB byte. Except -EDOM, which means that the registers
1139 : * should not be used in the address computation.
1140 : */
1141 0 : if (*base_offset == -EDOM)
1142 : base = 0;
1143 0 : else if (*base_offset < 0)
1144 : return -EINVAL;
1145 : else
1146 0 : base = regs_get_register(regs, *base_offset);
1147 :
1148 0 : if (indx_offset == -EDOM)
1149 : indx = 0;
1150 0 : else if (indx_offset < 0)
1151 : return -EINVAL;
1152 : else
1153 0 : indx = regs_get_register(regs, indx_offset);
1154 :
1155 0 : if (insn->addr_bytes == 4) {
1156 0 : int addr32, base32, idx32;
1157 :
1158 0 : base32 = base & 0xffffffff;
1159 0 : idx32 = indx & 0xffffffff;
1160 :
1161 0 : addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1162 0 : addr32 += insn->displacement.value;
1163 :
1164 0 : *eff_addr = addr32 & 0xffffffff;
1165 : } else {
1166 0 : *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1167 0 : *eff_addr += insn->displacement.value;
1168 : }
1169 :
1170 : return 0;
1171 : }
1172 :
1173 : /**
1174 : * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1175 : * @insn: Instruction containing ModRM byte and displacement
1176 : * @regs: Register values as seen when entering kernel mode
1177 : *
1178 : * This function is to be used with 16-bit address encodings. Obtain the memory
1179 : * address referred by the instruction's ModRM and displacement bytes. Also, the
1180 : * segment used as base is determined by either any segment override prefixes in
1181 : * @insn or the default segment of the registers involved in the address
1182 : * computation. In protected mode, segment limits are enforced.
1183 : *
1184 : * Returns:
1185 : *
1186 : * Linear address referenced by the instruction operands on success.
1187 : *
1188 : * -1L on error.
1189 : */
1190 0 : static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1191 : {
1192 0 : unsigned long linear_addr = -1L, seg_base, seg_limit;
1193 0 : int ret, regoff;
1194 0 : short eff_addr;
1195 0 : long tmp;
1196 :
1197 0 : insn_get_modrm(insn);
1198 0 : insn_get_displacement(insn);
1199 :
1200 0 : if (insn->addr_bytes != 2)
1201 0 : goto out;
1202 :
1203 0 : if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1204 0 : ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1205 0 : if (ret)
1206 0 : goto out;
1207 :
1208 0 : eff_addr = tmp;
1209 : } else {
1210 0 : ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr);
1211 0 : if (ret)
1212 0 : goto out;
1213 : }
1214 :
1215 0 : ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1216 0 : if (ret)
1217 0 : goto out;
1218 :
1219 : /*
1220 : * Before computing the linear address, make sure the effective address
1221 : * is within the limits of the segment. In virtual-8086 mode, segment
1222 : * limits are not enforced. In such a case, the segment limit is -1L to
1223 : * reflect this fact.
1224 : */
1225 0 : if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1226 0 : goto out;
1227 :
1228 0 : linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1229 :
1230 : /* Limit linear address to 20 bits */
1231 0 : if (v8086_mode(regs))
1232 : linear_addr &= 0xfffff;
1233 :
1234 0 : out:
1235 0 : return (void __user *)linear_addr;
1236 : }
1237 :
1238 : /**
1239 : * get_addr_ref_32() - Obtain a 32-bit linear address
1240 : * @insn: Instruction with ModRM, SIB bytes and displacement
1241 : * @regs: Register values as seen when entering kernel mode
1242 : *
1243 : * This function is to be used with 32-bit address encodings to obtain the
1244 : * linear memory address referred by the instruction's ModRM, SIB,
1245 : * displacement bytes and segment base address, as applicable. If in protected
1246 : * mode, segment limits are enforced.
1247 : *
1248 : * Returns:
1249 : *
1250 : * Linear address referenced by instruction and registers on success.
1251 : *
1252 : * -1L on error.
1253 : */
1254 0 : static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1255 : {
1256 0 : unsigned long linear_addr = -1L, seg_base, seg_limit;
1257 0 : int eff_addr, regoff;
1258 0 : long tmp;
1259 0 : int ret;
1260 :
1261 0 : if (insn->addr_bytes != 4)
1262 0 : goto out;
1263 :
1264 0 : if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1265 0 : ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1266 0 : if (ret)
1267 0 : goto out;
1268 :
1269 0 : eff_addr = tmp;
1270 :
1271 : } else {
1272 0 : if (insn->sib.nbytes) {
1273 0 : ret = get_eff_addr_sib(insn, regs, ®off, &tmp);
1274 0 : if (ret)
1275 0 : goto out;
1276 :
1277 0 : eff_addr = tmp;
1278 : } else {
1279 0 : ret = get_eff_addr_modrm(insn, regs, ®off, &tmp);
1280 0 : if (ret)
1281 0 : goto out;
1282 :
1283 0 : eff_addr = tmp;
1284 : }
1285 : }
1286 :
1287 0 : ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1288 0 : if (ret)
1289 0 : goto out;
1290 :
1291 : /*
1292 : * In protected mode, before computing the linear address, make sure
1293 : * the effective address is within the limits of the segment.
1294 : * 32-bit addresses can be used in long and virtual-8086 modes if an
1295 : * address override prefix is used. In such cases, segment limits are
1296 : * not enforced. When in virtual-8086 mode, the segment limit is -1L
1297 : * to reflect this situation.
1298 : *
1299 : * After computed, the effective address is treated as an unsigned
1300 : * quantity.
1301 : */
1302 0 : if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
1303 0 : goto out;
1304 :
1305 : /*
1306 : * Even though 32-bit address encodings are allowed in virtual-8086
1307 : * mode, the address range is still limited to [0x-0xffff].
1308 : */
1309 0 : if (v8086_mode(regs) && (eff_addr & ~0xffff))
1310 : goto out;
1311 :
1312 : /*
1313 : * Data type long could be 64 bits in size. Ensure that our 32-bit
1314 : * effective address is not sign-extended when computing the linear
1315 : * address.
1316 : */
1317 0 : linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1318 :
1319 : /* Limit linear address to 20 bits */
1320 0 : if (v8086_mode(regs))
1321 : linear_addr &= 0xfffff;
1322 :
1323 0 : out:
1324 0 : return (void __user *)linear_addr;
1325 : }
1326 :
1327 : /**
1328 : * get_addr_ref_64() - Obtain a 64-bit linear address
1329 : * @insn: Instruction struct with ModRM and SIB bytes and displacement
1330 : * @regs: Structure with register values as seen when entering kernel mode
1331 : *
1332 : * This function is to be used with 64-bit address encodings to obtain the
1333 : * linear memory address referred by the instruction's ModRM, SIB,
1334 : * displacement bytes and segment base address, as applicable.
1335 : *
1336 : * Returns:
1337 : *
1338 : * Linear address referenced by instruction and registers on success.
1339 : *
1340 : * -1L on error.
1341 : */
1342 : #ifndef CONFIG_X86_64
1343 : static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1344 : {
1345 : return (void __user *)-1L;
1346 : }
1347 : #else
1348 0 : static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1349 : {
1350 0 : unsigned long linear_addr = -1L, seg_base;
1351 0 : int regoff, ret;
1352 0 : long eff_addr;
1353 :
1354 0 : if (insn->addr_bytes != 8)
1355 0 : goto out;
1356 :
1357 0 : if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1358 0 : ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr);
1359 0 : if (ret)
1360 0 : goto out;
1361 :
1362 : } else {
1363 0 : if (insn->sib.nbytes) {
1364 0 : ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr);
1365 0 : if (ret)
1366 0 : goto out;
1367 : } else {
1368 0 : ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr);
1369 0 : if (ret)
1370 0 : goto out;
1371 : }
1372 :
1373 : }
1374 :
1375 0 : ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
1376 0 : if (ret)
1377 0 : goto out;
1378 :
1379 0 : linear_addr = (unsigned long)eff_addr + seg_base;
1380 :
1381 0 : out:
1382 0 : return (void __user *)linear_addr;
1383 : }
1384 : #endif /* CONFIG_X86_64 */
1385 :
1386 : /**
1387 : * insn_get_addr_ref() - Obtain the linear address referred by instruction
1388 : * @insn: Instruction structure containing ModRM byte and displacement
1389 : * @regs: Structure with register values as seen when entering kernel mode
1390 : *
1391 : * Obtain the linear address referred by the instruction's ModRM, SIB and
1392 : * displacement bytes, and segment base, as applicable. In protected mode,
1393 : * segment limits are enforced.
1394 : *
1395 : * Returns:
1396 : *
1397 : * Linear address referenced by instruction and registers on success.
1398 : *
1399 : * -1L on error.
1400 : */
1401 0 : void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1402 : {
1403 0 : if (!insn || !regs)
1404 : return (void __user *)-1L;
1405 :
1406 0 : switch (insn->addr_bytes) {
1407 0 : case 2:
1408 0 : return get_addr_ref_16(insn, regs);
1409 0 : case 4:
1410 0 : return get_addr_ref_32(insn, regs);
1411 0 : case 8:
1412 0 : return get_addr_ref_64(insn, regs);
1413 : default:
1414 : return (void __user *)-1L;
1415 : }
1416 : }
1417 :
1418 0 : static unsigned long insn_get_effective_ip(struct pt_regs *regs)
1419 : {
1420 0 : unsigned long seg_base = 0;
1421 :
1422 : /*
1423 : * If not in user-space long mode, a custom code segment could be in
1424 : * use. This is true in protected mode (if the process defined a local
1425 : * descriptor table), or virtual-8086 mode. In most of the cases
1426 : * seg_base will be zero as in USER_CS.
1427 : */
1428 0 : if (!user_64bit_mode(regs)) {
1429 0 : seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
1430 0 : if (seg_base == -1L)
1431 : return 0;
1432 : }
1433 :
1434 0 : return seg_base + regs->ip;
1435 : }
1436 :
1437 : /**
1438 : * insn_fetch_from_user() - Copy instruction bytes from user-space memory
1439 : * @regs: Structure with register values as seen when entering kernel mode
1440 : * @buf: Array to store the fetched instruction
1441 : *
1442 : * Gets the linear address of the instruction and copies the instruction bytes
1443 : * to the buf.
1444 : *
1445 : * Returns:
1446 : *
1447 : * Number of instruction bytes copied.
1448 : *
1449 : * 0 if nothing was copied.
1450 : */
1451 0 : int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1452 : {
1453 0 : unsigned long ip;
1454 0 : int not_copied;
1455 :
1456 0 : ip = insn_get_effective_ip(regs);
1457 0 : if (!ip)
1458 : return 0;
1459 :
1460 0 : not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);
1461 :
1462 0 : return MAX_INSN_SIZE - not_copied;
1463 : }
1464 :
1465 : /**
1466 : * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory
1467 : * while in atomic code
1468 : * @regs: Structure with register values as seen when entering kernel mode
1469 : * @buf: Array to store the fetched instruction
1470 : *
1471 : * Gets the linear address of the instruction and copies the instruction bytes
1472 : * to the buf. This function must be used in atomic context.
1473 : *
1474 : * Returns:
1475 : *
1476 : * Number of instruction bytes copied.
1477 : *
1478 : * 0 if nothing was copied.
1479 : */
1480 0 : int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1481 : {
1482 0 : unsigned long ip;
1483 0 : int not_copied;
1484 :
1485 0 : ip = insn_get_effective_ip(regs);
1486 0 : if (!ip)
1487 : return 0;
1488 :
1489 0 : not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);
1490 :
1491 0 : return MAX_INSN_SIZE - not_copied;
1492 : }
1493 :
1494 : /**
1495 : * insn_decode() - Decode an instruction
1496 : * @insn: Structure to store decoded instruction
1497 : * @regs: Structure with register values as seen when entering kernel mode
1498 : * @buf: Buffer containing the instruction bytes
1499 : * @buf_size: Number of instruction bytes available in buf
1500 : *
1501 : * Decodes the instruction provided in buf and stores the decoding results in
1502 : * insn. Also determines the correct address and operand sizes.
1503 : *
1504 : * Returns:
1505 : *
1506 : * True if instruction was decoded, False otherwise.
1507 : */
1508 0 : bool insn_decode(struct insn *insn, struct pt_regs *regs,
1509 : unsigned char buf[MAX_INSN_SIZE], int buf_size)
1510 : {
1511 0 : int seg_defs;
1512 :
1513 0 : insn_init(insn, buf, buf_size, user_64bit_mode(regs));
1514 :
1515 : /*
1516 : * Override the default operand and address sizes with what is specified
1517 : * in the code segment descriptor. The instruction decoder only sets
1518 : * the address size it to either 4 or 8 address bytes and does nothing
1519 : * for the operand bytes. This OK for most of the cases, but we could
1520 : * have special cases where, for instance, a 16-bit code segment
1521 : * descriptor is used.
1522 : * If there is an address override prefix, the instruction decoder
1523 : * correctly updates these values, even for 16-bit defaults.
1524 : */
1525 0 : seg_defs = insn_get_code_seg_params(regs);
1526 0 : if (seg_defs == -EINVAL)
1527 : return false;
1528 :
1529 0 : insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
1530 0 : insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
1531 :
1532 0 : insn_get_length(insn);
1533 0 : if (buf_size < insn->length)
1534 0 : return false;
1535 :
1536 : return true;
1537 : }
|
