Loading...
Note: File does not exist in v3.1.
1/*
2 * Utility functions for x86 operand and address decoding
3 *
4 * Copyright (C) Intel Corporation 2017
5 */
6#include <linux/kernel.h>
7#include <linux/string.h>
8#include <linux/ratelimit.h>
9#include <linux/mmu_context.h>
10#include <asm/desc_defs.h>
11#include <asm/desc.h>
12#include <asm/inat.h>
13#include <asm/insn.h>
14#include <asm/insn-eval.h>
15#include <asm/ldt.h>
16#include <asm/vm86.h>
17
18#undef pr_fmt
19#define pr_fmt(fmt) "insn: " fmt
20
21enum reg_type {
22 REG_TYPE_RM = 0,
23 REG_TYPE_INDEX,
24 REG_TYPE_BASE,
25};
26
27/**
28 * is_string_insn() - Determine if instruction is a string instruction
29 * @insn: Instruction containing the opcode to inspect
30 *
31 * Returns:
32 *
33 * true if the instruction, determined by the opcode, is any of the
34 * string instructions as defined in the Intel Software Development manual.
35 * False otherwise.
36 */
37static bool is_string_insn(struct insn *insn)
38{
39 insn_get_opcode(insn);
40
41 /* All string instructions have a 1-byte opcode. */
42 if (insn->opcode.nbytes != 1)
43 return false;
44
45 switch (insn->opcode.bytes[0]) {
46 case 0x6c ... 0x6f: /* INS, OUTS */
47 case 0xa4 ... 0xa7: /* MOVS, CMPS */
48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
49 return true;
50 default:
51 return false;
52 }
53}
54
55/**
56 * get_seg_reg_override_idx() - obtain segment register override index
57 * @insn: Valid instruction with segment override prefixes
58 *
59 * Inspect the instruction prefixes in @insn and find segment overrides, if any.
60 *
61 * Returns:
62 *
63 * A constant identifying the segment register to use, among CS, SS, DS,
64 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
65 * prefixes were found.
66 *
67 * -EINVAL in case of error.
68 */
69static int get_seg_reg_override_idx(struct insn *insn)
70{
71 int idx = INAT_SEG_REG_DEFAULT;
72 int num_overrides = 0, i;
73
74 insn_get_prefixes(insn);
75
76 /* Look for any segment override prefixes. */
77 for (i = 0; i < insn->prefixes.nbytes; i++) {
78 insn_attr_t attr;
79
80 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
81 switch (attr) {
82 case INAT_MAKE_PREFIX(INAT_PFX_CS):
83 idx = INAT_SEG_REG_CS;
84 num_overrides++;
85 break;
86 case INAT_MAKE_PREFIX(INAT_PFX_SS):
87 idx = INAT_SEG_REG_SS;
88 num_overrides++;
89 break;
90 case INAT_MAKE_PREFIX(INAT_PFX_DS):
91 idx = INAT_SEG_REG_DS;
92 num_overrides++;
93 break;
94 case INAT_MAKE_PREFIX(INAT_PFX_ES):
95 idx = INAT_SEG_REG_ES;
96 num_overrides++;
97 break;
98 case INAT_MAKE_PREFIX(INAT_PFX_FS):
99 idx = INAT_SEG_REG_FS;
100 num_overrides++;
101 break;
102 case INAT_MAKE_PREFIX(INAT_PFX_GS):
103 idx = INAT_SEG_REG_GS;
104 num_overrides++;
105 break;
106 /* No default action needed. */
107 }
108 }
109
110 /* More than one segment override prefix leads to undefined behavior. */
111 if (num_overrides > 1)
112 return -EINVAL;
113
114 return idx;
115}
116
117/**
118 * check_seg_overrides() - check if segment override prefixes are allowed
119 * @insn: Valid instruction with segment override prefixes
120 * @regoff: Operand offset, in pt_regs, for which the check is performed
121 *
122 * For a particular register used in register-indirect addressing, determine if
123 * segment override prefixes can be used. Specifically, no overrides are allowed
124 * for rDI if used with a string instruction.
125 *
126 * Returns:
127 *
128 * True if segment override prefixes can be used with the register indicated
129 * in @regoff. False if otherwise.
130 */
131static bool check_seg_overrides(struct insn *insn, int regoff)
132{
133 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
134 return false;
135
136 return true;
137}
138
139/**
140 * resolve_default_seg() - resolve default segment register index for an operand
141 * @insn: Instruction with opcode and address size. Must be valid.
142 * @regs: Register values as seen when entering kernel mode
143 * @off: Operand offset, in pt_regs, for which resolution is needed
144 *
145 * Resolve the default segment register index associated with the instruction
146 * operand register indicated by @off. Such index is resolved based on defaults
147 * described in the Intel Software Development Manual.
148 *
149 * Returns:
150 *
151 * If in protected mode, a constant identifying the segment register to use,
152 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
153 *
154 * -EINVAL in case of error.
155 */
156static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
157{
158 if (user_64bit_mode(regs))
159 return INAT_SEG_REG_IGNORE;
160 /*
161 * Resolve the default segment register as described in Section 3.7.4
162 * of the Intel Software Development Manual Vol. 1:
163 *
164 * + DS for all references involving r[ABCD]X, and rSI.
165 * + If used in a string instruction, ES for rDI. Otherwise, DS.
166 * + AX, CX and DX are not valid register operands in 16-bit address
167 * encodings but are valid for 32-bit and 64-bit encodings.
168 * + -EDOM is reserved to identify for cases in which no register
169 * is used (i.e., displacement-only addressing). Use DS.
170 * + SS for rSP or rBP.
171 * + CS for rIP.
172 */
173
174 switch (off) {
175 case offsetof(struct pt_regs, ax):
176 case offsetof(struct pt_regs, cx):
177 case offsetof(struct pt_regs, dx):
178 /* Need insn to verify address size. */
179 if (insn->addr_bytes == 2)
180 return -EINVAL;
181
182 /* fall through */
183
184 case -EDOM:
185 case offsetof(struct pt_regs, bx):
186 case offsetof(struct pt_regs, si):
187 return INAT_SEG_REG_DS;
188
189 case offsetof(struct pt_regs, di):
190 if (is_string_insn(insn))
191 return INAT_SEG_REG_ES;
192 return INAT_SEG_REG_DS;
193
194 case offsetof(struct pt_regs, bp):
195 case offsetof(struct pt_regs, sp):
196 return INAT_SEG_REG_SS;
197
198 case offsetof(struct pt_regs, ip):
199 return INAT_SEG_REG_CS;
200
201 default:
202 return -EINVAL;
203 }
204}
205
206/**
207 * resolve_seg_reg() - obtain segment register index
208 * @insn: Instruction with operands
209 * @regs: Register values as seen when entering kernel mode
210 * @regoff: Operand offset, in pt_regs, used to deterimine segment register
211 *
212 * Determine the segment register associated with the operands and, if
213 * applicable, prefixes and the instruction pointed by @insn.
214 *
215 * The segment register associated to an operand used in register-indirect
216 * addressing depends on:
217 *
218 * a) Whether running in long mode (in such a case segments are ignored, except
219 * if FS or GS are used).
220 *
221 * b) Whether segment override prefixes can be used. Certain instructions and
222 * registers do not allow override prefixes.
223 *
224 * c) Whether segment overrides prefixes are found in the instruction prefixes.
225 *
226 * d) If there are not segment override prefixes or they cannot be used, the
227 * default segment register associated with the operand register is used.
228 *
229 * The function checks first if segment override prefixes can be used with the
230 * operand indicated by @regoff. If allowed, obtain such overridden segment
231 * register index. Lastly, if not prefixes were found or cannot be used, resolve
232 * the segment register index to use based on the defaults described in the
233 * Intel documentation. In long mode, all segment register indexes will be
234 * ignored, except if overrides were found for FS or GS. All these operations
235 * are done using helper functions.
236 *
237 * The operand register, @regoff, is represented as the offset from the base of
238 * pt_regs.
239 *
240 * As stated, the main use of this function is to determine the segment register
241 * index based on the instruction, its operands and prefixes. Hence, @insn
242 * must be valid. However, if @regoff indicates rIP, we don't need to inspect
243 * @insn at all as in this case CS is used in all cases. This case is checked
244 * before proceeding further.
245 *
246 * Please note that this function does not return the value in the segment
247 * register (i.e., the segment selector) but our defined index. The segment
248 * selector needs to be obtained using get_segment_selector() and passing the
249 * segment register index resolved by this function.
250 *
251 * Returns:
252 *
253 * An index identifying the segment register to use, among CS, SS, DS,
254 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
255 *
256 * -EINVAL in case of error.
257 */
258static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
259{
260 int idx;
261
262 /*
263 * In the unlikely event of having to resolve the segment register
264 * index for rIP, do it first. Segment override prefixes should not
265 * be used. Hence, it is not necessary to inspect the instruction,
266 * which may be invalid at this point.
267 */
268 if (regoff == offsetof(struct pt_regs, ip)) {
269 if (user_64bit_mode(regs))
270 return INAT_SEG_REG_IGNORE;
271 else
272 return INAT_SEG_REG_CS;
273 }
274
275 if (!insn)
276 return -EINVAL;
277
278 if (!check_seg_overrides(insn, regoff))
279 return resolve_default_seg(insn, regs, regoff);
280
281 idx = get_seg_reg_override_idx(insn);
282 if (idx < 0)
283 return idx;
284
285 if (idx == INAT_SEG_REG_DEFAULT)
286 return resolve_default_seg(insn, regs, regoff);
287
288 /*
289 * In long mode, segment override prefixes are ignored, except for
290 * overrides for FS and GS.
291 */
292 if (user_64bit_mode(regs)) {
293 if (idx != INAT_SEG_REG_FS &&
294 idx != INAT_SEG_REG_GS)
295 idx = INAT_SEG_REG_IGNORE;
296 }
297
298 return idx;
299}
300
301/**
302 * get_segment_selector() - obtain segment selector
303 * @regs: Register values as seen when entering kernel mode
304 * @seg_reg_idx: Segment register index to use
305 *
306 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
307 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
308 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
309 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
310 * registers. This done for only for completeness as in CONFIG_X86_64 segment
311 * registers are ignored.
312 *
313 * Returns:
314 *
315 * Value of the segment selector, including null when running in
316 * long mode.
317 *
318 * -EINVAL on error.
319 */
320static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
321{
322#ifdef CONFIG_X86_64
323 unsigned short sel;
324
325 switch (seg_reg_idx) {
326 case INAT_SEG_REG_IGNORE:
327 return 0;
328 case INAT_SEG_REG_CS:
329 return (unsigned short)(regs->cs & 0xffff);
330 case INAT_SEG_REG_SS:
331 return (unsigned short)(regs->ss & 0xffff);
332 case INAT_SEG_REG_DS:
333 savesegment(ds, sel);
334 return sel;
335 case INAT_SEG_REG_ES:
336 savesegment(es, sel);
337 return sel;
338 case INAT_SEG_REG_FS:
339 savesegment(fs, sel);
340 return sel;
341 case INAT_SEG_REG_GS:
342 savesegment(gs, sel);
343 return sel;
344 default:
345 return -EINVAL;
346 }
347#else /* CONFIG_X86_32 */
348 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
349
350 if (v8086_mode(regs)) {
351 switch (seg_reg_idx) {
352 case INAT_SEG_REG_CS:
353 return (unsigned short)(regs->cs & 0xffff);
354 case INAT_SEG_REG_SS:
355 return (unsigned short)(regs->ss & 0xffff);
356 case INAT_SEG_REG_DS:
357 return vm86regs->ds;
358 case INAT_SEG_REG_ES:
359 return vm86regs->es;
360 case INAT_SEG_REG_FS:
361 return vm86regs->fs;
362 case INAT_SEG_REG_GS:
363 return vm86regs->gs;
364 case INAT_SEG_REG_IGNORE:
365 /* fall through */
366 default:
367 return -EINVAL;
368 }
369 }
370
371 switch (seg_reg_idx) {
372 case INAT_SEG_REG_CS:
373 return (unsigned short)(regs->cs & 0xffff);
374 case INAT_SEG_REG_SS:
375 return (unsigned short)(regs->ss & 0xffff);
376 case INAT_SEG_REG_DS:
377 return (unsigned short)(regs->ds & 0xffff);
378 case INAT_SEG_REG_ES:
379 return (unsigned short)(regs->es & 0xffff);
380 case INAT_SEG_REG_FS:
381 return (unsigned short)(regs->fs & 0xffff);
382 case INAT_SEG_REG_GS:
383 /*
384 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS.
385 * The macro below takes care of both cases.
386 */
387 return get_user_gs(regs);
388 case INAT_SEG_REG_IGNORE:
389 /* fall through */
390 default:
391 return -EINVAL;
392 }
393#endif /* CONFIG_X86_64 */
394}
395
396static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
397 enum reg_type type)
398{
399 int regno = 0;
400
401 static const int regoff[] = {
402 offsetof(struct pt_regs, ax),
403 offsetof(struct pt_regs, cx),
404 offsetof(struct pt_regs, dx),
405 offsetof(struct pt_regs, bx),
406 offsetof(struct pt_regs, sp),
407 offsetof(struct pt_regs, bp),
408 offsetof(struct pt_regs, si),
409 offsetof(struct pt_regs, di),
410#ifdef CONFIG_X86_64
411 offsetof(struct pt_regs, r8),
412 offsetof(struct pt_regs, r9),
413 offsetof(struct pt_regs, r10),
414 offsetof(struct pt_regs, r11),
415 offsetof(struct pt_regs, r12),
416 offsetof(struct pt_regs, r13),
417 offsetof(struct pt_regs, r14),
418 offsetof(struct pt_regs, r15),
419#endif
420 };
421 int nr_registers = ARRAY_SIZE(regoff);
422 /*
423 * Don't possibly decode a 32-bit instructions as
424 * reading a 64-bit-only register.
425 */
426 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
427 nr_registers -= 8;
428
429 switch (type) {
430 case REG_TYPE_RM:
431 regno = X86_MODRM_RM(insn->modrm.value);
432
433 /*
434 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
435 * follows the ModRM byte.
436 */
437 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
438 return -EDOM;
439
440 if (X86_REX_B(insn->rex_prefix.value))
441 regno += 8;
442 break;
443
444 case REG_TYPE_INDEX:
445 regno = X86_SIB_INDEX(insn->sib.value);
446 if (X86_REX_X(insn->rex_prefix.value))
447 regno += 8;
448
449 /*
450 * If ModRM.mod != 3 and SIB.index = 4 the scale*index
451 * portion of the address computation is null. This is
452 * true only if REX.X is 0. In such a case, the SIB index
453 * is used in the address computation.
454 */
455 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
456 return -EDOM;
457 break;
458
459 case REG_TYPE_BASE:
460 regno = X86_SIB_BASE(insn->sib.value);
461 /*
462 * If ModRM.mod is 0 and SIB.base == 5, the base of the
463 * register-indirect addressing is 0. In this case, a
464 * 32-bit displacement follows the SIB byte.
465 */
466 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
467 return -EDOM;
468
469 if (X86_REX_B(insn->rex_prefix.value))
470 regno += 8;
471 break;
472
473 default:
474 pr_err_ratelimited("invalid register type: %d\n", type);
475 return -EINVAL;
476 }
477
478 if (regno >= nr_registers) {
479 WARN_ONCE(1, "decoded an instruction with an invalid register");
480 return -EINVAL;
481 }
482 return regoff[regno];
483}
484
485/**
486 * get_reg_offset_16() - Obtain offset of register indicated by instruction
487 * @insn: Instruction containing ModRM byte
488 * @regs: Register values as seen when entering kernel mode
489 * @offs1: Offset of the first operand register
490 * @offs2: Offset of the second opeand register, if applicable
491 *
492 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
493 * in @insn. This function is to be used with 16-bit address encodings. The
494 * @offs1 and @offs2 will be written with the offset of the two registers
495 * indicated by the instruction. In cases where any of the registers is not
496 * referenced by the instruction, the value will be set to -EDOM.
497 *
498 * Returns:
499 *
500 * 0 on success, -EINVAL on error.
501 */
502static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
503 int *offs1, int *offs2)
504{
505 /*
506 * 16-bit addressing can use one or two registers. Specifics of
507 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
508 * ModR/M Byte" of the Intel Software Development Manual.
509 */
510 static const int regoff1[] = {
511 offsetof(struct pt_regs, bx),
512 offsetof(struct pt_regs, bx),
513 offsetof(struct pt_regs, bp),
514 offsetof(struct pt_regs, bp),
515 offsetof(struct pt_regs, si),
516 offsetof(struct pt_regs, di),
517 offsetof(struct pt_regs, bp),
518 offsetof(struct pt_regs, bx),
519 };
520
521 static const int regoff2[] = {
522 offsetof(struct pt_regs, si),
523 offsetof(struct pt_regs, di),
524 offsetof(struct pt_regs, si),
525 offsetof(struct pt_regs, di),
526 -EDOM,
527 -EDOM,
528 -EDOM,
529 -EDOM,
530 };
531
532 if (!offs1 || !offs2)
533 return -EINVAL;
534
535 /* Operand is a register, use the generic function. */
536 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
537 *offs1 = insn_get_modrm_rm_off(insn, regs);
538 *offs2 = -EDOM;
539 return 0;
540 }
541
542 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
543 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
544
545 /*
546 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
547 * only addressing. This means that no registers are involved in
548 * computing the effective address. Thus, ensure that the first
549 * register offset is invalild. The second register offset is already
550 * invalid under the aforementioned conditions.
551 */
552 if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
553 (X86_MODRM_RM(insn->modrm.value) == 6))
554 *offs1 = -EDOM;
555
556 return 0;
557}
558
559/**
560 * get_desc() - Obtain contents of a segment descriptor
561 * @out: Segment descriptor contents on success
562 * @sel: Segment selector
563 *
564 * Given a segment selector, obtain a pointer to the segment descriptor.
565 * Both global and local descriptor tables are supported.
566 *
567 * Returns:
568 *
569 * True on success, false on failure.
570 *
571 * NULL on error.
572 */
573static bool get_desc(struct desc_struct *out, unsigned short sel)
574{
575 struct desc_ptr gdt_desc = {0, 0};
576 unsigned long desc_base;
577
578#ifdef CONFIG_MODIFY_LDT_SYSCALL
579 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
580 bool success = false;
581 struct ldt_struct *ldt;
582
583 /* Bits [15:3] contain the index of the desired entry. */
584 sel >>= 3;
585
586 mutex_lock(¤t->active_mm->context.lock);
587 ldt = current->active_mm->context.ldt;
588 if (ldt && sel < ldt->nr_entries) {
589 *out = ldt->entries[sel];
590 success = true;
591 }
592
593 mutex_unlock(¤t->active_mm->context.lock);
594
595 return success;
596 }
597#endif
598 native_store_gdt(&gdt_desc);
599
600 /*
601 * Segment descriptors have a size of 8 bytes. Thus, the index is
602 * multiplied by 8 to obtain the memory offset of the desired descriptor
603 * from the base of the GDT. As bits [15:3] of the segment selector
604 * contain the index, it can be regarded as multiplied by 8 already.
605 * All that remains is to clear bits [2:0].
606 */
607 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
608
609 if (desc_base > gdt_desc.size)
610 return false;
611
612 *out = *(struct desc_struct *)(gdt_desc.address + desc_base);
613 return true;
614}
615
616/**
617 * insn_get_seg_base() - Obtain base address of segment descriptor.
618 * @regs: Register values as seen when entering kernel mode
619 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
620 *
621 * Obtain the base address of the segment as indicated by the segment descriptor
622 * pointed by the segment selector. The segment selector is obtained from the
623 * input segment register index @seg_reg_idx.
624 *
625 * Returns:
626 *
627 * In protected mode, base address of the segment. Zero in long mode,
628 * except when FS or GS are used. In virtual-8086 mode, the segment
629 * selector shifted 4 bits to the right.
630 *
631 * -1L in case of error.
632 */
633unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
634{
635 struct desc_struct desc;
636 short sel;
637
638 sel = get_segment_selector(regs, seg_reg_idx);
639 if (sel < 0)
640 return -1L;
641
642 if (v8086_mode(regs))
643 /*
644 * Base is simply the segment selector shifted 4
645 * bits to the right.
646 */
647 return (unsigned long)(sel << 4);
648
649 if (user_64bit_mode(regs)) {
650 /*
651 * Only FS or GS will have a base address, the rest of
652 * the segments' bases are forced to 0.
653 */
654 unsigned long base;
655
656 if (seg_reg_idx == INAT_SEG_REG_FS)
657 rdmsrl(MSR_FS_BASE, base);
658 else if (seg_reg_idx == INAT_SEG_REG_GS)
659 /*
660 * swapgs was called at the kernel entry point. Thus,
661 * MSR_KERNEL_GS_BASE will have the user-space GS base.
662 */
663 rdmsrl(MSR_KERNEL_GS_BASE, base);
664 else
665 base = 0;
666 return base;
667 }
668
669 /* In protected mode the segment selector cannot be null. */
670 if (!sel)
671 return -1L;
672
673 if (!get_desc(&desc, sel))
674 return -1L;
675
676 return get_desc_base(&desc);
677}
678
679/**
680 * get_seg_limit() - Obtain the limit of a segment descriptor
681 * @regs: Register values as seen when entering kernel mode
682 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
683 *
684 * Obtain the limit of the segment as indicated by the segment descriptor
685 * pointed by the segment selector. The segment selector is obtained from the
686 * input segment register index @seg_reg_idx.
687 *
688 * Returns:
689 *
690 * In protected mode, the limit of the segment descriptor in bytes.
691 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
692 * limit is returned as -1L to imply a limit-less segment.
693 *
694 * Zero is returned on error.
695 */
696static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
697{
698 struct desc_struct desc;
699 unsigned long limit;
700 short sel;
701
702 sel = get_segment_selector(regs, seg_reg_idx);
703 if (sel < 0)
704 return 0;
705
706 if (user_64bit_mode(regs) || v8086_mode(regs))
707 return -1L;
708
709 if (!sel)
710 return 0;
711
712 if (!get_desc(&desc, sel))
713 return 0;
714
715 /*
716 * If the granularity bit is set, the limit is given in multiples
717 * of 4096. This also means that the 12 least significant bits are
718 * not tested when checking the segment limits. In practice,
719 * this means that the segment ends in (limit << 12) + 0xfff.
720 */
721 limit = get_desc_limit(&desc);
722 if (desc.g)
723 limit = (limit << 12) + 0xfff;
724
725 return limit;
726}
727
728/**
729 * insn_get_code_seg_params() - Obtain code segment parameters
730 * @regs: Structure with register values as seen when entering kernel mode
731 *
732 * Obtain address and operand sizes of the code segment. It is obtained from the
733 * selector contained in the CS register in regs. In protected mode, the default
734 * address is determined by inspecting the L and D bits of the segment
735 * descriptor. In virtual-8086 mode, the default is always two bytes for both
736 * address and operand sizes.
737 *
738 * Returns:
739 *
740 * An int containing ORed-in default parameters on success.
741 *
742 * -EINVAL on error.
743 */
744int insn_get_code_seg_params(struct pt_regs *regs)
745{
746 struct desc_struct desc;
747 short sel;
748
749 if (v8086_mode(regs))
750 /* Address and operand size are both 16-bit. */
751 return INSN_CODE_SEG_PARAMS(2, 2);
752
753 sel = get_segment_selector(regs, INAT_SEG_REG_CS);
754 if (sel < 0)
755 return sel;
756
757 if (!get_desc(&desc, sel))
758 return -EINVAL;
759
760 /*
761 * The most significant byte of the Type field of the segment descriptor
762 * determines whether a segment contains data or code. If this is a data
763 * segment, return error.
764 */
765 if (!(desc.type & BIT(3)))
766 return -EINVAL;
767
768 switch ((desc.l << 1) | desc.d) {
769 case 0: /*
770 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
771 * both 16-bit.
772 */
773 return INSN_CODE_SEG_PARAMS(2, 2);
774 case 1: /*
775 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
776 * both 32-bit.
777 */
778 return INSN_CODE_SEG_PARAMS(4, 4);
779 case 2: /*
780 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
781 * operand size is 32-bit.
782 */
783 return INSN_CODE_SEG_PARAMS(4, 8);
784 case 3: /* Invalid setting. CS.L=1, CS.D=1 */
785 /* fall through */
786 default:
787 return -EINVAL;
788 }
789}
790
791/**
792 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
793 * @insn: Instruction containing the ModRM byte
794 * @regs: Register values as seen when entering kernel mode
795 *
796 * Returns:
797 *
798 * The register indicated by the r/m part of the ModRM byte. The
799 * register is obtained as an offset from the base of pt_regs. In specific
800 * cases, the returned value can be -EDOM to indicate that the particular value
801 * of ModRM does not refer to a register and shall be ignored.
802 */
803int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
804{
805 return get_reg_offset(insn, regs, REG_TYPE_RM);
806}
807
808/**
809 * get_seg_base_limit() - obtain base address and limit of a segment
810 * @insn: Instruction. Must be valid.
811 * @regs: Register values as seen when entering kernel mode
812 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
813 * @base: Obtained segment base
814 * @limit: Obtained segment limit
815 *
816 * Obtain the base address and limit of the segment associated with the operand
817 * @regoff and, if any or allowed, override prefixes in @insn. This function is
818 * different from insn_get_seg_base() as the latter does not resolve the segment
819 * associated with the instruction operand. If a limit is not needed (e.g.,
820 * when running in long mode), @limit can be NULL.
821 *
822 * Returns:
823 *
824 * 0 on success. @base and @limit will contain the base address and of the
825 * resolved segment, respectively.
826 *
827 * -EINVAL on error.
828 */
829static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
830 int regoff, unsigned long *base,
831 unsigned long *limit)
832{
833 int seg_reg_idx;
834
835 if (!base)
836 return -EINVAL;
837
838 seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
839 if (seg_reg_idx < 0)
840 return seg_reg_idx;
841
842 *base = insn_get_seg_base(regs, seg_reg_idx);
843 if (*base == -1L)
844 return -EINVAL;
845
846 if (!limit)
847 return 0;
848
849 *limit = get_seg_limit(regs, seg_reg_idx);
850 if (!(*limit))
851 return -EINVAL;
852
853 return 0;
854}
855
856/**
857 * get_eff_addr_reg() - Obtain effective address from register operand
858 * @insn: Instruction. Must be valid.
859 * @regs: Register values as seen when entering kernel mode
860 * @regoff: Obtained operand offset, in pt_regs, with the effective address
861 * @eff_addr: Obtained effective address
862 *
863 * Obtain the effective address stored in the register operand as indicated by
864 * the ModRM byte. This function is to be used only with register addressing
865 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
866 * register operand, as an offset from the base of pt_regs, is saved in @regoff;
867 * such offset can then be used to resolve the segment associated with the
868 * operand. This function can be used with any of the supported address sizes
869 * in x86.
870 *
871 * Returns:
872 *
873 * 0 on success. @eff_addr will have the effective address stored in the
874 * operand indicated by ModRM. @regoff will have such operand as an offset from
875 * the base of pt_regs.
876 *
877 * -EINVAL on error.
878 */
879static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
880 int *regoff, long *eff_addr)
881{
882 insn_get_modrm(insn);
883
884 if (!insn->modrm.nbytes)
885 return -EINVAL;
886
887 if (X86_MODRM_MOD(insn->modrm.value) != 3)
888 return -EINVAL;
889
890 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
891 if (*regoff < 0)
892 return -EINVAL;
893
894 /* Ignore bytes that are outside the address size. */
895 if (insn->addr_bytes == 2)
896 *eff_addr = regs_get_register(regs, *regoff) & 0xffff;
897 else if (insn->addr_bytes == 4)
898 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
899 else /* 64-bit address */
900 *eff_addr = regs_get_register(regs, *regoff);
901
902 return 0;
903}
904
905/**
906 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
907 * @insn: Instruction. Must be valid.
908 * @regs: Register values as seen when entering kernel mode
909 * @regoff: Obtained operand offset, in pt_regs, associated with segment
910 * @eff_addr: Obtained effective address
911 *
912 * Obtain the effective address referenced by the ModRM byte of @insn. After
913 * identifying the registers involved in the register-indirect memory reference,
914 * its value is obtained from the operands in @regs. The computed address is
915 * stored @eff_addr. Also, the register operand that indicates the associated
916 * segment is stored in @regoff, this parameter can later be used to determine
917 * such segment.
918 *
919 * Returns:
920 *
921 * 0 on success. @eff_addr will have the referenced effective address. @regoff
922 * will have a register, as an offset from the base of pt_regs, that can be used
923 * to resolve the associated segment.
924 *
925 * -EINVAL on error.
926 */
927static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
928 int *regoff, long *eff_addr)
929{
930 long tmp;
931
932 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
933 return -EINVAL;
934
935 insn_get_modrm(insn);
936
937 if (!insn->modrm.nbytes)
938 return -EINVAL;
939
940 if (X86_MODRM_MOD(insn->modrm.value) > 2)
941 return -EINVAL;
942
943 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
944
945 /*
946 * -EDOM means that we must ignore the address_offset. In such a case,
947 * in 64-bit mode the effective address relative to the rIP of the
948 * following instruction.
949 */
950 if (*regoff == -EDOM) {
951 if (user_64bit_mode(regs))
952 tmp = regs->ip + insn->length;
953 else
954 tmp = 0;
955 } else if (*regoff < 0) {
956 return -EINVAL;
957 } else {
958 tmp = regs_get_register(regs, *regoff);
959 }
960
961 if (insn->addr_bytes == 4) {
962 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
963
964 *eff_addr = addr32 & 0xffffffff;
965 } else {
966 *eff_addr = tmp + insn->displacement.value;
967 }
968
969 return 0;
970}
971
972/**
973 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
974 * @insn: Instruction. Must be valid.
975 * @regs: Register values as seen when entering kernel mode
976 * @regoff: Obtained operand offset, in pt_regs, associated with segment
977 * @eff_addr: Obtained effective address
978 *
979 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
980 * After identifying the registers involved in the register-indirect memory
981 * reference, its value is obtained from the operands in @regs. The computed
982 * address is stored @eff_addr. Also, the register operand that indicates
983 * the associated segment is stored in @regoff, this parameter can later be used
984 * to determine such segment.
985 *
986 * Returns:
987 *
988 * 0 on success. @eff_addr will have the referenced effective address. @regoff
989 * will have a register, as an offset from the base of pt_regs, that can be used
990 * to resolve the associated segment.
991 *
992 * -EINVAL on error.
993 */
994static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
995 int *regoff, short *eff_addr)
996{
997 int addr_offset1, addr_offset2, ret;
998 short addr1 = 0, addr2 = 0, displacement;
999
1000 if (insn->addr_bytes != 2)
1001 return -EINVAL;
1002
1003 insn_get_modrm(insn);
1004
1005 if (!insn->modrm.nbytes)
1006 return -EINVAL;
1007
1008 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1009 return -EINVAL;
1010
1011 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
1012 if (ret < 0)
1013 return -EINVAL;
1014
1015 /*
1016 * Don't fail on invalid offset values. They might be invalid because
1017 * they cannot be used for this particular value of ModRM. Instead, use
1018 * them in the computation only if they contain a valid value.
1019 */
1020 if (addr_offset1 != -EDOM)
1021 addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
1022
1023 if (addr_offset2 != -EDOM)
1024 addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
1025
1026 displacement = insn->displacement.value & 0xffff;
1027 *eff_addr = addr1 + addr2 + displacement;
1028
1029 /*
1030 * The first operand register could indicate to use of either SS or DS
1031 * registers to obtain the segment selector. The second operand
1032 * register can only indicate the use of DS. Thus, the first operand
1033 * will be used to obtain the segment selector.
1034 */
1035 *regoff = addr_offset1;
1036
1037 return 0;
1038}
1039
1040/**
1041 * get_eff_addr_sib() - Obtain referenced effective address via SIB
1042 * @insn: Instruction. Must be valid.
1043 * @regs: Register values as seen when entering kernel mode
1044 * @regoff: Obtained operand offset, in pt_regs, associated with segment
1045 * @eff_addr: Obtained effective address
1046 *
1047 * Obtain the effective address referenced by the SIB byte of @insn. After
1048 * identifying the registers involved in the indexed, register-indirect memory
1049 * reference, its value is obtained from the operands in @regs. The computed
1050 * address is stored @eff_addr. Also, the register operand that indicates the
1051 * associated segment is stored in @regoff, this parameter can later be used to
1052 * determine such segment.
1053 *
1054 * Returns:
1055 *
1056 * 0 on success. @eff_addr will have the referenced effective address.
1057 * @base_offset will have a register, as an offset from the base of pt_regs,
1058 * that can be used to resolve the associated segment.
1059 *
1060 * -EINVAL on error.
1061 */
1062static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1063 int *base_offset, long *eff_addr)
1064{
1065 long base, indx;
1066 int indx_offset;
1067
1068 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1069 return -EINVAL;
1070
1071 insn_get_modrm(insn);
1072
1073 if (!insn->modrm.nbytes)
1074 return -EINVAL;
1075
1076 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1077 return -EINVAL;
1078
1079 insn_get_sib(insn);
1080
1081 if (!insn->sib.nbytes)
1082 return -EINVAL;
1083
1084 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
1085 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
1086
1087 /*
1088 * Negative values in the base and index offset means an error when
1089 * decoding the SIB byte. Except -EDOM, which means that the registers
1090 * should not be used in the address computation.
1091 */
1092 if (*base_offset == -EDOM)
1093 base = 0;
1094 else if (*base_offset < 0)
1095 return -EINVAL;
1096 else
1097 base = regs_get_register(regs, *base_offset);
1098
1099 if (indx_offset == -EDOM)
1100 indx = 0;
1101 else if (indx_offset < 0)
1102 return -EINVAL;
1103 else
1104 indx = regs_get_register(regs, indx_offset);
1105
1106 if (insn->addr_bytes == 4) {
1107 int addr32, base32, idx32;
1108
1109 base32 = base & 0xffffffff;
1110 idx32 = indx & 0xffffffff;
1111
1112 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1113 addr32 += insn->displacement.value;
1114
1115 *eff_addr = addr32 & 0xffffffff;
1116 } else {
1117 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1118 *eff_addr += insn->displacement.value;
1119 }
1120
1121 return 0;
1122}
1123
1124/**
1125 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1126 * @insn: Instruction containing ModRM byte and displacement
1127 * @regs: Register values as seen when entering kernel mode
1128 *
1129 * This function is to be used with 16-bit address encodings. Obtain the memory
1130 * address referred by the instruction's ModRM and displacement bytes. Also, the
1131 * segment used as base is determined by either any segment override prefixes in
1132 * @insn or the default segment of the registers involved in the address
1133 * computation. In protected mode, segment limits are enforced.
1134 *
1135 * Returns:
1136 *
1137 * Linear address referenced by the instruction operands on success.
1138 *
1139 * -1L on error.
1140 */
1141static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1142{
1143 unsigned long linear_addr = -1L, seg_base, seg_limit;
1144 int ret, regoff;
1145 short eff_addr;
1146 long tmp;
1147
1148 insn_get_modrm(insn);
1149 insn_get_displacement(insn);
1150
1151 if (insn->addr_bytes != 2)
1152 goto out;
1153
1154 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1155 ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1156 if (ret)
1157 goto out;
1158
1159 eff_addr = tmp;
1160 } else {
1161 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr);
1162 if (ret)
1163 goto out;
1164 }
1165
1166 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1167 if (ret)
1168 goto out;
1169
1170 /*
1171 * Before computing the linear address, make sure the effective address
1172 * is within the limits of the segment. In virtual-8086 mode, segment
1173 * limits are not enforced. In such a case, the segment limit is -1L to
1174 * reflect this fact.
1175 */
1176 if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1177 goto out;
1178
1179 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1180
1181 /* Limit linear address to 20 bits */
1182 if (v8086_mode(regs))
1183 linear_addr &= 0xfffff;
1184
1185out:
1186 return (void __user *)linear_addr;
1187}
1188
1189/**
1190 * get_addr_ref_32() - Obtain a 32-bit linear address
1191 * @insn: Instruction with ModRM, SIB bytes and displacement
1192 * @regs: Register values as seen when entering kernel mode
1193 *
1194 * This function is to be used with 32-bit address encodings to obtain the
1195 * linear memory address referred by the instruction's ModRM, SIB,
1196 * displacement bytes and segment base address, as applicable. If in protected
1197 * mode, segment limits are enforced.
1198 *
1199 * Returns:
1200 *
1201 * Linear address referenced by instruction and registers on success.
1202 *
1203 * -1L on error.
1204 */
1205static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1206{
1207 unsigned long linear_addr = -1L, seg_base, seg_limit;
1208 int eff_addr, regoff;
1209 long tmp;
1210 int ret;
1211
1212 if (insn->addr_bytes != 4)
1213 goto out;
1214
1215 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1216 ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1217 if (ret)
1218 goto out;
1219
1220 eff_addr = tmp;
1221
1222 } else {
1223 if (insn->sib.nbytes) {
1224 ret = get_eff_addr_sib(insn, regs, ®off, &tmp);
1225 if (ret)
1226 goto out;
1227
1228 eff_addr = tmp;
1229 } else {
1230 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp);
1231 if (ret)
1232 goto out;
1233
1234 eff_addr = tmp;
1235 }
1236 }
1237
1238 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1239 if (ret)
1240 goto out;
1241
1242 /*
1243 * In protected mode, before computing the linear address, make sure
1244 * the effective address is within the limits of the segment.
1245 * 32-bit addresses can be used in long and virtual-8086 modes if an
1246 * address override prefix is used. In such cases, segment limits are
1247 * not enforced. When in virtual-8086 mode, the segment limit is -1L
1248 * to reflect this situation.
1249 *
1250 * After computed, the effective address is treated as an unsigned
1251 * quantity.
1252 */
1253 if (!user_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
1254 goto out;
1255
1256 /*
1257 * Even though 32-bit address encodings are allowed in virtual-8086
1258 * mode, the address range is still limited to [0x-0xffff].
1259 */
1260 if (v8086_mode(regs) && (eff_addr & ~0xffff))
1261 goto out;
1262
1263 /*
1264 * Data type long could be 64 bits in size. Ensure that our 32-bit
1265 * effective address is not sign-extended when computing the linear
1266 * address.
1267 */
1268 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1269
1270 /* Limit linear address to 20 bits */
1271 if (v8086_mode(regs))
1272 linear_addr &= 0xfffff;
1273
1274out:
1275 return (void __user *)linear_addr;
1276}
1277
1278/**
1279 * get_addr_ref_64() - Obtain a 64-bit linear address
1280 * @insn: Instruction struct with ModRM and SIB bytes and displacement
1281 * @regs: Structure with register values as seen when entering kernel mode
1282 *
1283 * This function is to be used with 64-bit address encodings to obtain the
1284 * linear memory address referred by the instruction's ModRM, SIB,
1285 * displacement bytes and segment base address, as applicable.
1286 *
1287 * Returns:
1288 *
1289 * Linear address referenced by instruction and registers on success.
1290 *
1291 * -1L on error.
1292 */
1293#ifndef CONFIG_X86_64
1294static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1295{
1296 return (void __user *)-1L;
1297}
1298#else
1299static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1300{
1301 unsigned long linear_addr = -1L, seg_base;
1302 int regoff, ret;
1303 long eff_addr;
1304
1305 if (insn->addr_bytes != 8)
1306 goto out;
1307
1308 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1309 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr);
1310 if (ret)
1311 goto out;
1312
1313 } else {
1314 if (insn->sib.nbytes) {
1315 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr);
1316 if (ret)
1317 goto out;
1318 } else {
1319 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr);
1320 if (ret)
1321 goto out;
1322 }
1323
1324 }
1325
1326 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
1327 if (ret)
1328 goto out;
1329
1330 linear_addr = (unsigned long)eff_addr + seg_base;
1331
1332out:
1333 return (void __user *)linear_addr;
1334}
1335#endif /* CONFIG_X86_64 */
1336
1337/**
1338 * insn_get_addr_ref() - Obtain the linear address referred by instruction
1339 * @insn: Instruction structure containing ModRM byte and displacement
1340 * @regs: Structure with register values as seen when entering kernel mode
1341 *
1342 * Obtain the linear address referred by the instruction's ModRM, SIB and
1343 * displacement bytes, and segment base, as applicable. In protected mode,
1344 * segment limits are enforced.
1345 *
1346 * Returns:
1347 *
1348 * Linear address referenced by instruction and registers on success.
1349 *
1350 * -1L on error.
1351 */
1352void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1353{
1354 if (!insn || !regs)
1355 return (void __user *)-1L;
1356
1357 switch (insn->addr_bytes) {
1358 case 2:
1359 return get_addr_ref_16(insn, regs);
1360 case 4:
1361 return get_addr_ref_32(insn, regs);
1362 case 8:
1363 return get_addr_ref_64(insn, regs);
1364 default:
1365 return (void __user *)-1L;
1366 }
1367}