Loading...
Note: File does not exist in v3.1.
1/*
2 * Utility functions for x86 operand and address decoding
3 *
4 * Copyright (C) Intel Corporation 2017
5 */
6#include <linux/kernel.h>
7#include <linux/string.h>
8#include <linux/ratelimit.h>
9#include <linux/mmu_context.h>
10#include <asm/desc_defs.h>
11#include <asm/desc.h>
12#include <asm/inat.h>
13#include <asm/insn.h>
14#include <asm/insn-eval.h>
15#include <asm/ldt.h>
16#include <asm/vm86.h>
17
18#undef pr_fmt
19#define pr_fmt(fmt) "insn: " fmt
20
21enum reg_type {
22 REG_TYPE_RM = 0,
23 REG_TYPE_INDEX,
24 REG_TYPE_BASE,
25};
26
27/**
28 * is_string_insn() - Determine if instruction is a string instruction
29 * @insn: Instruction containing the opcode to inspect
30 *
31 * Returns:
32 *
33 * true if the instruction, determined by the opcode, is any of the
34 * string instructions as defined in the Intel Software Development manual.
35 * False otherwise.
36 */
37static bool is_string_insn(struct insn *insn)
38{
39 insn_get_opcode(insn);
40
41 /* All string instructions have a 1-byte opcode. */
42 if (insn->opcode.nbytes != 1)
43 return false;
44
45 switch (insn->opcode.bytes[0]) {
46 case 0x6c ... 0x6f: /* INS, OUTS */
47 case 0xa4 ... 0xa7: /* MOVS, CMPS */
48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
49 return true;
50 default:
51 return false;
52 }
53}
54
55/**
56 * get_seg_reg_override_idx() - obtain segment register override index
57 * @insn: Valid instruction with segment override prefixes
58 *
59 * Inspect the instruction prefixes in @insn and find segment overrides, if any.
60 *
61 * Returns:
62 *
63 * A constant identifying the segment register to use, among CS, SS, DS,
64 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
65 * prefixes were found.
66 *
67 * -EINVAL in case of error.
68 */
69static int get_seg_reg_override_idx(struct insn *insn)
70{
71 int idx = INAT_SEG_REG_DEFAULT;
72 int num_overrides = 0, i;
73
74 insn_get_prefixes(insn);
75
76 /* Look for any segment override prefixes. */
77 for (i = 0; i < insn->prefixes.nbytes; i++) {
78 insn_attr_t attr;
79
80 attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
81 switch (attr) {
82 case INAT_MAKE_PREFIX(INAT_PFX_CS):
83 idx = INAT_SEG_REG_CS;
84 num_overrides++;
85 break;
86 case INAT_MAKE_PREFIX(INAT_PFX_SS):
87 idx = INAT_SEG_REG_SS;
88 num_overrides++;
89 break;
90 case INAT_MAKE_PREFIX(INAT_PFX_DS):
91 idx = INAT_SEG_REG_DS;
92 num_overrides++;
93 break;
94 case INAT_MAKE_PREFIX(INAT_PFX_ES):
95 idx = INAT_SEG_REG_ES;
96 num_overrides++;
97 break;
98 case INAT_MAKE_PREFIX(INAT_PFX_FS):
99 idx = INAT_SEG_REG_FS;
100 num_overrides++;
101 break;
102 case INAT_MAKE_PREFIX(INAT_PFX_GS):
103 idx = INAT_SEG_REG_GS;
104 num_overrides++;
105 break;
106 /* No default action needed. */
107 }
108 }
109
110 /* More than one segment override prefix leads to undefined behavior. */
111 if (num_overrides > 1)
112 return -EINVAL;
113
114 return idx;
115}
116
117/**
118 * check_seg_overrides() - check if segment override prefixes are allowed
119 * @insn: Valid instruction with segment override prefixes
120 * @regoff: Operand offset, in pt_regs, for which the check is performed
121 *
122 * For a particular register used in register-indirect addressing, determine if
123 * segment override prefixes can be used. Specifically, no overrides are allowed
124 * for rDI if used with a string instruction.
125 *
126 * Returns:
127 *
128 * True if segment override prefixes can be used with the register indicated
129 * in @regoff. False if otherwise.
130 */
131static bool check_seg_overrides(struct insn *insn, int regoff)
132{
133 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
134 return false;
135
136 return true;
137}
138
139/**
140 * resolve_default_seg() - resolve default segment register index for an operand
141 * @insn: Instruction with opcode and address size. Must be valid.
142 * @regs: Register values as seen when entering kernel mode
143 * @off: Operand offset, in pt_regs, for which resolution is needed
144 *
145 * Resolve the default segment register index associated with the instruction
146 * operand register indicated by @off. Such index is resolved based on defaults
147 * described in the Intel Software Development Manual.
148 *
149 * Returns:
150 *
151 * If in protected mode, a constant identifying the segment register to use,
152 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
153 *
154 * -EINVAL in case of error.
155 */
156static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
157{
158 if (any_64bit_mode(regs))
159 return INAT_SEG_REG_IGNORE;
160 /*
161 * Resolve the default segment register as described in Section 3.7.4
162 * of the Intel Software Development Manual Vol. 1:
163 *
164 * + DS for all references involving r[ABCD]X, and rSI.
165 * + If used in a string instruction, ES for rDI. Otherwise, DS.
166 * + AX, CX and DX are not valid register operands in 16-bit address
167 * encodings but are valid for 32-bit and 64-bit encodings.
168 * + -EDOM is reserved to identify for cases in which no register
169 * is used (i.e., displacement-only addressing). Use DS.
170 * + SS for rSP or rBP.
171 * + CS for rIP.
172 */
173
174 switch (off) {
175 case offsetof(struct pt_regs, ax):
176 case offsetof(struct pt_regs, cx):
177 case offsetof(struct pt_regs, dx):
178 /* Need insn to verify address size. */
179 if (insn->addr_bytes == 2)
180 return -EINVAL;
181
182 fallthrough;
183
184 case -EDOM:
185 case offsetof(struct pt_regs, bx):
186 case offsetof(struct pt_regs, si):
187 return INAT_SEG_REG_DS;
188
189 case offsetof(struct pt_regs, di):
190 if (is_string_insn(insn))
191 return INAT_SEG_REG_ES;
192 return INAT_SEG_REG_DS;
193
194 case offsetof(struct pt_regs, bp):
195 case offsetof(struct pt_regs, sp):
196 return INAT_SEG_REG_SS;
197
198 case offsetof(struct pt_regs, ip):
199 return INAT_SEG_REG_CS;
200
201 default:
202 return -EINVAL;
203 }
204}
205
206/**
207 * resolve_seg_reg() - obtain segment register index
208 * @insn: Instruction with operands
209 * @regs: Register values as seen when entering kernel mode
210 * @regoff: Operand offset, in pt_regs, used to deterimine segment register
211 *
212 * Determine the segment register associated with the operands and, if
213 * applicable, prefixes and the instruction pointed by @insn.
214 *
215 * The segment register associated to an operand used in register-indirect
216 * addressing depends on:
217 *
218 * a) Whether running in long mode (in such a case segments are ignored, except
219 * if FS or GS are used).
220 *
221 * b) Whether segment override prefixes can be used. Certain instructions and
222 * registers do not allow override prefixes.
223 *
224 * c) Whether segment overrides prefixes are found in the instruction prefixes.
225 *
226 * d) If there are not segment override prefixes or they cannot be used, the
227 * default segment register associated with the operand register is used.
228 *
229 * The function checks first if segment override prefixes can be used with the
230 * operand indicated by @regoff. If allowed, obtain such overridden segment
231 * register index. Lastly, if not prefixes were found or cannot be used, resolve
232 * the segment register index to use based on the defaults described in the
233 * Intel documentation. In long mode, all segment register indexes will be
234 * ignored, except if overrides were found for FS or GS. All these operations
235 * are done using helper functions.
236 *
237 * The operand register, @regoff, is represented as the offset from the base of
238 * pt_regs.
239 *
240 * As stated, the main use of this function is to determine the segment register
241 * index based on the instruction, its operands and prefixes. Hence, @insn
242 * must be valid. However, if @regoff indicates rIP, we don't need to inspect
243 * @insn at all as in this case CS is used in all cases. This case is checked
244 * before proceeding further.
245 *
246 * Please note that this function does not return the value in the segment
247 * register (i.e., the segment selector) but our defined index. The segment
248 * selector needs to be obtained using get_segment_selector() and passing the
249 * segment register index resolved by this function.
250 *
251 * Returns:
252 *
253 * An index identifying the segment register to use, among CS, SS, DS,
254 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
255 *
256 * -EINVAL in case of error.
257 */
258static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
259{
260 int idx;
261
262 /*
263 * In the unlikely event of having to resolve the segment register
264 * index for rIP, do it first. Segment override prefixes should not
265 * be used. Hence, it is not necessary to inspect the instruction,
266 * which may be invalid at this point.
267 */
268 if (regoff == offsetof(struct pt_regs, ip)) {
269 if (any_64bit_mode(regs))
270 return INAT_SEG_REG_IGNORE;
271 else
272 return INAT_SEG_REG_CS;
273 }
274
275 if (!insn)
276 return -EINVAL;
277
278 if (!check_seg_overrides(insn, regoff))
279 return resolve_default_seg(insn, regs, regoff);
280
281 idx = get_seg_reg_override_idx(insn);
282 if (idx < 0)
283 return idx;
284
285 if (idx == INAT_SEG_REG_DEFAULT)
286 return resolve_default_seg(insn, regs, regoff);
287
288 /*
289 * In long mode, segment override prefixes are ignored, except for
290 * overrides for FS and GS.
291 */
292 if (any_64bit_mode(regs)) {
293 if (idx != INAT_SEG_REG_FS &&
294 idx != INAT_SEG_REG_GS)
295 idx = INAT_SEG_REG_IGNORE;
296 }
297
298 return idx;
299}
300
301/**
302 * get_segment_selector() - obtain segment selector
303 * @regs: Register values as seen when entering kernel mode
304 * @seg_reg_idx: Segment register index to use
305 *
306 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
307 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
308 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
309 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
310 * registers. This done for only for completeness as in CONFIG_X86_64 segment
311 * registers are ignored.
312 *
313 * Returns:
314 *
315 * Value of the segment selector, including null when running in
316 * long mode.
317 *
318 * -EINVAL on error.
319 */
320static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
321{
322#ifdef CONFIG_X86_64
323 unsigned short sel;
324
325 switch (seg_reg_idx) {
326 case INAT_SEG_REG_IGNORE:
327 return 0;
328 case INAT_SEG_REG_CS:
329 return (unsigned short)(regs->cs & 0xffff);
330 case INAT_SEG_REG_SS:
331 return (unsigned short)(regs->ss & 0xffff);
332 case INAT_SEG_REG_DS:
333 savesegment(ds, sel);
334 return sel;
335 case INAT_SEG_REG_ES:
336 savesegment(es, sel);
337 return sel;
338 case INAT_SEG_REG_FS:
339 savesegment(fs, sel);
340 return sel;
341 case INAT_SEG_REG_GS:
342 savesegment(gs, sel);
343 return sel;
344 default:
345 return -EINVAL;
346 }
347#else /* CONFIG_X86_32 */
348 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
349
350 if (v8086_mode(regs)) {
351 switch (seg_reg_idx) {
352 case INAT_SEG_REG_CS:
353 return (unsigned short)(regs->cs & 0xffff);
354 case INAT_SEG_REG_SS:
355 return (unsigned short)(regs->ss & 0xffff);
356 case INAT_SEG_REG_DS:
357 return vm86regs->ds;
358 case INAT_SEG_REG_ES:
359 return vm86regs->es;
360 case INAT_SEG_REG_FS:
361 return vm86regs->fs;
362 case INAT_SEG_REG_GS:
363 return vm86regs->gs;
364 case INAT_SEG_REG_IGNORE:
365 default:
366 return -EINVAL;
367 }
368 }
369
370 switch (seg_reg_idx) {
371 case INAT_SEG_REG_CS:
372 return (unsigned short)(regs->cs & 0xffff);
373 case INAT_SEG_REG_SS:
374 return (unsigned short)(regs->ss & 0xffff);
375 case INAT_SEG_REG_DS:
376 return (unsigned short)(regs->ds & 0xffff);
377 case INAT_SEG_REG_ES:
378 return (unsigned short)(regs->es & 0xffff);
379 case INAT_SEG_REG_FS:
380 return (unsigned short)(regs->fs & 0xffff);
381 case INAT_SEG_REG_GS:
382 /*
383 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS.
384 * The macro below takes care of both cases.
385 */
386 return get_user_gs(regs);
387 case INAT_SEG_REG_IGNORE:
388 default:
389 return -EINVAL;
390 }
391#endif /* CONFIG_X86_64 */
392}
393
394static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
395 enum reg_type type)
396{
397 int regno = 0;
398
399 static const int regoff[] = {
400 offsetof(struct pt_regs, ax),
401 offsetof(struct pt_regs, cx),
402 offsetof(struct pt_regs, dx),
403 offsetof(struct pt_regs, bx),
404 offsetof(struct pt_regs, sp),
405 offsetof(struct pt_regs, bp),
406 offsetof(struct pt_regs, si),
407 offsetof(struct pt_regs, di),
408#ifdef CONFIG_X86_64
409 offsetof(struct pt_regs, r8),
410 offsetof(struct pt_regs, r9),
411 offsetof(struct pt_regs, r10),
412 offsetof(struct pt_regs, r11),
413 offsetof(struct pt_regs, r12),
414 offsetof(struct pt_regs, r13),
415 offsetof(struct pt_regs, r14),
416 offsetof(struct pt_regs, r15),
417#endif
418 };
419 int nr_registers = ARRAY_SIZE(regoff);
420 /*
421 * Don't possibly decode a 32-bit instructions as
422 * reading a 64-bit-only register.
423 */
424 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
425 nr_registers -= 8;
426
427 switch (type) {
428 case REG_TYPE_RM:
429 regno = X86_MODRM_RM(insn->modrm.value);
430
431 /*
432 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
433 * follows the ModRM byte.
434 */
435 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
436 return -EDOM;
437
438 if (X86_REX_B(insn->rex_prefix.value))
439 regno += 8;
440 break;
441
442 case REG_TYPE_INDEX:
443 regno = X86_SIB_INDEX(insn->sib.value);
444 if (X86_REX_X(insn->rex_prefix.value))
445 regno += 8;
446
447 /*
448 * If ModRM.mod != 3 and SIB.index = 4 the scale*index
449 * portion of the address computation is null. This is
450 * true only if REX.X is 0. In such a case, the SIB index
451 * is used in the address computation.
452 */
453 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
454 return -EDOM;
455 break;
456
457 case REG_TYPE_BASE:
458 regno = X86_SIB_BASE(insn->sib.value);
459 /*
460 * If ModRM.mod is 0 and SIB.base == 5, the base of the
461 * register-indirect addressing is 0. In this case, a
462 * 32-bit displacement follows the SIB byte.
463 */
464 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
465 return -EDOM;
466
467 if (X86_REX_B(insn->rex_prefix.value))
468 regno += 8;
469 break;
470
471 default:
472 pr_err_ratelimited("invalid register type: %d\n", type);
473 return -EINVAL;
474 }
475
476 if (regno >= nr_registers) {
477 WARN_ONCE(1, "decoded an instruction with an invalid register");
478 return -EINVAL;
479 }
480 return regoff[regno];
481}
482
483/**
484 * get_reg_offset_16() - Obtain offset of register indicated by instruction
485 * @insn: Instruction containing ModRM byte
486 * @regs: Register values as seen when entering kernel mode
487 * @offs1: Offset of the first operand register
488 * @offs2: Offset of the second opeand register, if applicable
489 *
490 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
491 * in @insn. This function is to be used with 16-bit address encodings. The
492 * @offs1 and @offs2 will be written with the offset of the two registers
493 * indicated by the instruction. In cases where any of the registers is not
494 * referenced by the instruction, the value will be set to -EDOM.
495 *
496 * Returns:
497 *
498 * 0 on success, -EINVAL on error.
499 */
500static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
501 int *offs1, int *offs2)
502{
503 /*
504 * 16-bit addressing can use one or two registers. Specifics of
505 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
506 * ModR/M Byte" of the Intel Software Development Manual.
507 */
508 static const int regoff1[] = {
509 offsetof(struct pt_regs, bx),
510 offsetof(struct pt_regs, bx),
511 offsetof(struct pt_regs, bp),
512 offsetof(struct pt_regs, bp),
513 offsetof(struct pt_regs, si),
514 offsetof(struct pt_regs, di),
515 offsetof(struct pt_regs, bp),
516 offsetof(struct pt_regs, bx),
517 };
518
519 static const int regoff2[] = {
520 offsetof(struct pt_regs, si),
521 offsetof(struct pt_regs, di),
522 offsetof(struct pt_regs, si),
523 offsetof(struct pt_regs, di),
524 -EDOM,
525 -EDOM,
526 -EDOM,
527 -EDOM,
528 };
529
530 if (!offs1 || !offs2)
531 return -EINVAL;
532
533 /* Operand is a register, use the generic function. */
534 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
535 *offs1 = insn_get_modrm_rm_off(insn, regs);
536 *offs2 = -EDOM;
537 return 0;
538 }
539
540 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
541 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
542
543 /*
544 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
545 * only addressing. This means that no registers are involved in
546 * computing the effective address. Thus, ensure that the first
547 * register offset is invalild. The second register offset is already
548 * invalid under the aforementioned conditions.
549 */
550 if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
551 (X86_MODRM_RM(insn->modrm.value) == 6))
552 *offs1 = -EDOM;
553
554 return 0;
555}
556
557/**
558 * get_desc() - Obtain contents of a segment descriptor
559 * @out: Segment descriptor contents on success
560 * @sel: Segment selector
561 *
562 * Given a segment selector, obtain a pointer to the segment descriptor.
563 * Both global and local descriptor tables are supported.
564 *
565 * Returns:
566 *
567 * True on success, false on failure.
568 *
569 * NULL on error.
570 */
571static bool get_desc(struct desc_struct *out, unsigned short sel)
572{
573 struct desc_ptr gdt_desc = {0, 0};
574 unsigned long desc_base;
575
576#ifdef CONFIG_MODIFY_LDT_SYSCALL
577 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
578 bool success = false;
579 struct ldt_struct *ldt;
580
581 /* Bits [15:3] contain the index of the desired entry. */
582 sel >>= 3;
583
584 mutex_lock(¤t->active_mm->context.lock);
585 ldt = current->active_mm->context.ldt;
586 if (ldt && sel < ldt->nr_entries) {
587 *out = ldt->entries[sel];
588 success = true;
589 }
590
591 mutex_unlock(¤t->active_mm->context.lock);
592
593 return success;
594 }
595#endif
596 native_store_gdt(&gdt_desc);
597
598 /*
599 * Segment descriptors have a size of 8 bytes. Thus, the index is
600 * multiplied by 8 to obtain the memory offset of the desired descriptor
601 * from the base of the GDT. As bits [15:3] of the segment selector
602 * contain the index, it can be regarded as multiplied by 8 already.
603 * All that remains is to clear bits [2:0].
604 */
605 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
606
607 if (desc_base > gdt_desc.size)
608 return false;
609
610 *out = *(struct desc_struct *)(gdt_desc.address + desc_base);
611 return true;
612}
613
614/**
615 * insn_get_seg_base() - Obtain base address of segment descriptor.
616 * @regs: Register values as seen when entering kernel mode
617 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
618 *
619 * Obtain the base address of the segment as indicated by the segment descriptor
620 * pointed by the segment selector. The segment selector is obtained from the
621 * input segment register index @seg_reg_idx.
622 *
623 * Returns:
624 *
625 * In protected mode, base address of the segment. Zero in long mode,
626 * except when FS or GS are used. In virtual-8086 mode, the segment
627 * selector shifted 4 bits to the right.
628 *
629 * -1L in case of error.
630 */
631unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
632{
633 struct desc_struct desc;
634 short sel;
635
636 sel = get_segment_selector(regs, seg_reg_idx);
637 if (sel < 0)
638 return -1L;
639
640 if (v8086_mode(regs))
641 /*
642 * Base is simply the segment selector shifted 4
643 * bits to the right.
644 */
645 return (unsigned long)(sel << 4);
646
647 if (any_64bit_mode(regs)) {
648 /*
649 * Only FS or GS will have a base address, the rest of
650 * the segments' bases are forced to 0.
651 */
652 unsigned long base;
653
654 if (seg_reg_idx == INAT_SEG_REG_FS) {
655 rdmsrl(MSR_FS_BASE, base);
656 } else if (seg_reg_idx == INAT_SEG_REG_GS) {
657 /*
658 * swapgs was called at the kernel entry point. Thus,
659 * MSR_KERNEL_GS_BASE will have the user-space GS base.
660 */
661 if (user_mode(regs))
662 rdmsrl(MSR_KERNEL_GS_BASE, base);
663 else
664 rdmsrl(MSR_GS_BASE, base);
665 } else {
666 base = 0;
667 }
668 return base;
669 }
670
671 /* In protected mode the segment selector cannot be null. */
672 if (!sel)
673 return -1L;
674
675 if (!get_desc(&desc, sel))
676 return -1L;
677
678 return get_desc_base(&desc);
679}
680
681/**
682 * get_seg_limit() - Obtain the limit of a segment descriptor
683 * @regs: Register values as seen when entering kernel mode
684 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
685 *
686 * Obtain the limit of the segment as indicated by the segment descriptor
687 * pointed by the segment selector. The segment selector is obtained from the
688 * input segment register index @seg_reg_idx.
689 *
690 * Returns:
691 *
692 * In protected mode, the limit of the segment descriptor in bytes.
693 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
694 * limit is returned as -1L to imply a limit-less segment.
695 *
696 * Zero is returned on error.
697 */
698static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
699{
700 struct desc_struct desc;
701 unsigned long limit;
702 short sel;
703
704 sel = get_segment_selector(regs, seg_reg_idx);
705 if (sel < 0)
706 return 0;
707
708 if (any_64bit_mode(regs) || v8086_mode(regs))
709 return -1L;
710
711 if (!sel)
712 return 0;
713
714 if (!get_desc(&desc, sel))
715 return 0;
716
717 /*
718 * If the granularity bit is set, the limit is given in multiples
719 * of 4096. This also means that the 12 least significant bits are
720 * not tested when checking the segment limits. In practice,
721 * this means that the segment ends in (limit << 12) + 0xfff.
722 */
723 limit = get_desc_limit(&desc);
724 if (desc.g)
725 limit = (limit << 12) + 0xfff;
726
727 return limit;
728}
729
730/**
731 * insn_get_code_seg_params() - Obtain code segment parameters
732 * @regs: Structure with register values as seen when entering kernel mode
733 *
734 * Obtain address and operand sizes of the code segment. It is obtained from the
735 * selector contained in the CS register in regs. In protected mode, the default
736 * address is determined by inspecting the L and D bits of the segment
737 * descriptor. In virtual-8086 mode, the default is always two bytes for both
738 * address and operand sizes.
739 *
740 * Returns:
741 *
742 * An int containing ORed-in default parameters on success.
743 *
744 * -EINVAL on error.
745 */
746int insn_get_code_seg_params(struct pt_regs *regs)
747{
748 struct desc_struct desc;
749 short sel;
750
751 if (v8086_mode(regs))
752 /* Address and operand size are both 16-bit. */
753 return INSN_CODE_SEG_PARAMS(2, 2);
754
755 sel = get_segment_selector(regs, INAT_SEG_REG_CS);
756 if (sel < 0)
757 return sel;
758
759 if (!get_desc(&desc, sel))
760 return -EINVAL;
761
762 /*
763 * The most significant byte of the Type field of the segment descriptor
764 * determines whether a segment contains data or code. If this is a data
765 * segment, return error.
766 */
767 if (!(desc.type & BIT(3)))
768 return -EINVAL;
769
770 switch ((desc.l << 1) | desc.d) {
771 case 0: /*
772 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
773 * both 16-bit.
774 */
775 return INSN_CODE_SEG_PARAMS(2, 2);
776 case 1: /*
777 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
778 * both 32-bit.
779 */
780 return INSN_CODE_SEG_PARAMS(4, 4);
781 case 2: /*
782 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
783 * operand size is 32-bit.
784 */
785 return INSN_CODE_SEG_PARAMS(4, 8);
786 case 3: /* Invalid setting. CS.L=1, CS.D=1 */
787 fallthrough;
788 default:
789 return -EINVAL;
790 }
791}
792
793/**
794 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
795 * @insn: Instruction containing the ModRM byte
796 * @regs: Register values as seen when entering kernel mode
797 *
798 * Returns:
799 *
800 * The register indicated by the r/m part of the ModRM byte. The
801 * register is obtained as an offset from the base of pt_regs. In specific
802 * cases, the returned value can be -EDOM to indicate that the particular value
803 * of ModRM does not refer to a register and shall be ignored.
804 */
805int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
806{
807 return get_reg_offset(insn, regs, REG_TYPE_RM);
808}
809
810/**
811 * get_seg_base_limit() - obtain base address and limit of a segment
812 * @insn: Instruction. Must be valid.
813 * @regs: Register values as seen when entering kernel mode
814 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
815 * @base: Obtained segment base
816 * @limit: Obtained segment limit
817 *
818 * Obtain the base address and limit of the segment associated with the operand
819 * @regoff and, if any or allowed, override prefixes in @insn. This function is
820 * different from insn_get_seg_base() as the latter does not resolve the segment
821 * associated with the instruction operand. If a limit is not needed (e.g.,
822 * when running in long mode), @limit can be NULL.
823 *
824 * Returns:
825 *
826 * 0 on success. @base and @limit will contain the base address and of the
827 * resolved segment, respectively.
828 *
829 * -EINVAL on error.
830 */
831static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
832 int regoff, unsigned long *base,
833 unsigned long *limit)
834{
835 int seg_reg_idx;
836
837 if (!base)
838 return -EINVAL;
839
840 seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
841 if (seg_reg_idx < 0)
842 return seg_reg_idx;
843
844 *base = insn_get_seg_base(regs, seg_reg_idx);
845 if (*base == -1L)
846 return -EINVAL;
847
848 if (!limit)
849 return 0;
850
851 *limit = get_seg_limit(regs, seg_reg_idx);
852 if (!(*limit))
853 return -EINVAL;
854
855 return 0;
856}
857
858/**
859 * get_eff_addr_reg() - Obtain effective address from register operand
860 * @insn: Instruction. Must be valid.
861 * @regs: Register values as seen when entering kernel mode
862 * @regoff: Obtained operand offset, in pt_regs, with the effective address
863 * @eff_addr: Obtained effective address
864 *
865 * Obtain the effective address stored in the register operand as indicated by
866 * the ModRM byte. This function is to be used only with register addressing
867 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
868 * register operand, as an offset from the base of pt_regs, is saved in @regoff;
869 * such offset can then be used to resolve the segment associated with the
870 * operand. This function can be used with any of the supported address sizes
871 * in x86.
872 *
873 * Returns:
874 *
875 * 0 on success. @eff_addr will have the effective address stored in the
876 * operand indicated by ModRM. @regoff will have such operand as an offset from
877 * the base of pt_regs.
878 *
879 * -EINVAL on error.
880 */
881static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
882 int *regoff, long *eff_addr)
883{
884 insn_get_modrm(insn);
885
886 if (!insn->modrm.nbytes)
887 return -EINVAL;
888
889 if (X86_MODRM_MOD(insn->modrm.value) != 3)
890 return -EINVAL;
891
892 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
893 if (*regoff < 0)
894 return -EINVAL;
895
896 /* Ignore bytes that are outside the address size. */
897 if (insn->addr_bytes == 2)
898 *eff_addr = regs_get_register(regs, *regoff) & 0xffff;
899 else if (insn->addr_bytes == 4)
900 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
901 else /* 64-bit address */
902 *eff_addr = regs_get_register(regs, *regoff);
903
904 return 0;
905}
906
907/**
908 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
909 * @insn: Instruction. Must be valid.
910 * @regs: Register values as seen when entering kernel mode
911 * @regoff: Obtained operand offset, in pt_regs, associated with segment
912 * @eff_addr: Obtained effective address
913 *
914 * Obtain the effective address referenced by the ModRM byte of @insn. After
915 * identifying the registers involved in the register-indirect memory reference,
916 * its value is obtained from the operands in @regs. The computed address is
917 * stored @eff_addr. Also, the register operand that indicates the associated
918 * segment is stored in @regoff, this parameter can later be used to determine
919 * such segment.
920 *
921 * Returns:
922 *
923 * 0 on success. @eff_addr will have the referenced effective address. @regoff
924 * will have a register, as an offset from the base of pt_regs, that can be used
925 * to resolve the associated segment.
926 *
927 * -EINVAL on error.
928 */
929static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
930 int *regoff, long *eff_addr)
931{
932 long tmp;
933
934 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
935 return -EINVAL;
936
937 insn_get_modrm(insn);
938
939 if (!insn->modrm.nbytes)
940 return -EINVAL;
941
942 if (X86_MODRM_MOD(insn->modrm.value) > 2)
943 return -EINVAL;
944
945 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
946
947 /*
948 * -EDOM means that we must ignore the address_offset. In such a case,
949 * in 64-bit mode the effective address relative to the rIP of the
950 * following instruction.
951 */
952 if (*regoff == -EDOM) {
953 if (any_64bit_mode(regs))
954 tmp = regs->ip + insn->length;
955 else
956 tmp = 0;
957 } else if (*regoff < 0) {
958 return -EINVAL;
959 } else {
960 tmp = regs_get_register(regs, *regoff);
961 }
962
963 if (insn->addr_bytes == 4) {
964 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
965
966 *eff_addr = addr32 & 0xffffffff;
967 } else {
968 *eff_addr = tmp + insn->displacement.value;
969 }
970
971 return 0;
972}
973
974/**
975 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
976 * @insn: Instruction. Must be valid.
977 * @regs: Register values as seen when entering kernel mode
978 * @regoff: Obtained operand offset, in pt_regs, associated with segment
979 * @eff_addr: Obtained effective address
980 *
981 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
982 * After identifying the registers involved in the register-indirect memory
983 * reference, its value is obtained from the operands in @regs. The computed
984 * address is stored @eff_addr. Also, the register operand that indicates
985 * the associated segment is stored in @regoff, this parameter can later be used
986 * to determine such segment.
987 *
988 * Returns:
989 *
990 * 0 on success. @eff_addr will have the referenced effective address. @regoff
991 * will have a register, as an offset from the base of pt_regs, that can be used
992 * to resolve the associated segment.
993 *
994 * -EINVAL on error.
995 */
996static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
997 int *regoff, short *eff_addr)
998{
999 int addr_offset1, addr_offset2, ret;
1000 short addr1 = 0, addr2 = 0, displacement;
1001
1002 if (insn->addr_bytes != 2)
1003 return -EINVAL;
1004
1005 insn_get_modrm(insn);
1006
1007 if (!insn->modrm.nbytes)
1008 return -EINVAL;
1009
1010 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1011 return -EINVAL;
1012
1013 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
1014 if (ret < 0)
1015 return -EINVAL;
1016
1017 /*
1018 * Don't fail on invalid offset values. They might be invalid because
1019 * they cannot be used for this particular value of ModRM. Instead, use
1020 * them in the computation only if they contain a valid value.
1021 */
1022 if (addr_offset1 != -EDOM)
1023 addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
1024
1025 if (addr_offset2 != -EDOM)
1026 addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
1027
1028 displacement = insn->displacement.value & 0xffff;
1029 *eff_addr = addr1 + addr2 + displacement;
1030
1031 /*
1032 * The first operand register could indicate to use of either SS or DS
1033 * registers to obtain the segment selector. The second operand
1034 * register can only indicate the use of DS. Thus, the first operand
1035 * will be used to obtain the segment selector.
1036 */
1037 *regoff = addr_offset1;
1038
1039 return 0;
1040}
1041
1042/**
1043 * get_eff_addr_sib() - Obtain referenced effective address via SIB
1044 * @insn: Instruction. Must be valid.
1045 * @regs: Register values as seen when entering kernel mode
1046 * @regoff: Obtained operand offset, in pt_regs, associated with segment
1047 * @eff_addr: Obtained effective address
1048 *
1049 * Obtain the effective address referenced by the SIB byte of @insn. After
1050 * identifying the registers involved in the indexed, register-indirect memory
1051 * reference, its value is obtained from the operands in @regs. The computed
1052 * address is stored @eff_addr. Also, the register operand that indicates the
1053 * associated segment is stored in @regoff, this parameter can later be used to
1054 * determine such segment.
1055 *
1056 * Returns:
1057 *
1058 * 0 on success. @eff_addr will have the referenced effective address.
1059 * @base_offset will have a register, as an offset from the base of pt_regs,
1060 * that can be used to resolve the associated segment.
1061 *
1062 * -EINVAL on error.
1063 */
1064static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1065 int *base_offset, long *eff_addr)
1066{
1067 long base, indx;
1068 int indx_offset;
1069
1070 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1071 return -EINVAL;
1072
1073 insn_get_modrm(insn);
1074
1075 if (!insn->modrm.nbytes)
1076 return -EINVAL;
1077
1078 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1079 return -EINVAL;
1080
1081 insn_get_sib(insn);
1082
1083 if (!insn->sib.nbytes)
1084 return -EINVAL;
1085
1086 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
1087 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
1088
1089 /*
1090 * Negative values in the base and index offset means an error when
1091 * decoding the SIB byte. Except -EDOM, which means that the registers
1092 * should not be used in the address computation.
1093 */
1094 if (*base_offset == -EDOM)
1095 base = 0;
1096 else if (*base_offset < 0)
1097 return -EINVAL;
1098 else
1099 base = regs_get_register(regs, *base_offset);
1100
1101 if (indx_offset == -EDOM)
1102 indx = 0;
1103 else if (indx_offset < 0)
1104 return -EINVAL;
1105 else
1106 indx = regs_get_register(regs, indx_offset);
1107
1108 if (insn->addr_bytes == 4) {
1109 int addr32, base32, idx32;
1110
1111 base32 = base & 0xffffffff;
1112 idx32 = indx & 0xffffffff;
1113
1114 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1115 addr32 += insn->displacement.value;
1116
1117 *eff_addr = addr32 & 0xffffffff;
1118 } else {
1119 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1120 *eff_addr += insn->displacement.value;
1121 }
1122
1123 return 0;
1124}
1125
1126/**
1127 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1128 * @insn: Instruction containing ModRM byte and displacement
1129 * @regs: Register values as seen when entering kernel mode
1130 *
1131 * This function is to be used with 16-bit address encodings. Obtain the memory
1132 * address referred by the instruction's ModRM and displacement bytes. Also, the
1133 * segment used as base is determined by either any segment override prefixes in
1134 * @insn or the default segment of the registers involved in the address
1135 * computation. In protected mode, segment limits are enforced.
1136 *
1137 * Returns:
1138 *
1139 * Linear address referenced by the instruction operands on success.
1140 *
1141 * -1L on error.
1142 */
1143static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1144{
1145 unsigned long linear_addr = -1L, seg_base, seg_limit;
1146 int ret, regoff;
1147 short eff_addr;
1148 long tmp;
1149
1150 insn_get_modrm(insn);
1151 insn_get_displacement(insn);
1152
1153 if (insn->addr_bytes != 2)
1154 goto out;
1155
1156 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1157 ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1158 if (ret)
1159 goto out;
1160
1161 eff_addr = tmp;
1162 } else {
1163 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr);
1164 if (ret)
1165 goto out;
1166 }
1167
1168 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1169 if (ret)
1170 goto out;
1171
1172 /*
1173 * Before computing the linear address, make sure the effective address
1174 * is within the limits of the segment. In virtual-8086 mode, segment
1175 * limits are not enforced. In such a case, the segment limit is -1L to
1176 * reflect this fact.
1177 */
1178 if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1179 goto out;
1180
1181 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1182
1183 /* Limit linear address to 20 bits */
1184 if (v8086_mode(regs))
1185 linear_addr &= 0xfffff;
1186
1187out:
1188 return (void __user *)linear_addr;
1189}
1190
1191/**
1192 * get_addr_ref_32() - Obtain a 32-bit linear address
1193 * @insn: Instruction with ModRM, SIB bytes and displacement
1194 * @regs: Register values as seen when entering kernel mode
1195 *
1196 * This function is to be used with 32-bit address encodings to obtain the
1197 * linear memory address referred by the instruction's ModRM, SIB,
1198 * displacement bytes and segment base address, as applicable. If in protected
1199 * mode, segment limits are enforced.
1200 *
1201 * Returns:
1202 *
1203 * Linear address referenced by instruction and registers on success.
1204 *
1205 * -1L on error.
1206 */
1207static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1208{
1209 unsigned long linear_addr = -1L, seg_base, seg_limit;
1210 int eff_addr, regoff;
1211 long tmp;
1212 int ret;
1213
1214 if (insn->addr_bytes != 4)
1215 goto out;
1216
1217 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1218 ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1219 if (ret)
1220 goto out;
1221
1222 eff_addr = tmp;
1223
1224 } else {
1225 if (insn->sib.nbytes) {
1226 ret = get_eff_addr_sib(insn, regs, ®off, &tmp);
1227 if (ret)
1228 goto out;
1229
1230 eff_addr = tmp;
1231 } else {
1232 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp);
1233 if (ret)
1234 goto out;
1235
1236 eff_addr = tmp;
1237 }
1238 }
1239
1240 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1241 if (ret)
1242 goto out;
1243
1244 /*
1245 * In protected mode, before computing the linear address, make sure
1246 * the effective address is within the limits of the segment.
1247 * 32-bit addresses can be used in long and virtual-8086 modes if an
1248 * address override prefix is used. In such cases, segment limits are
1249 * not enforced. When in virtual-8086 mode, the segment limit is -1L
1250 * to reflect this situation.
1251 *
1252 * After computed, the effective address is treated as an unsigned
1253 * quantity.
1254 */
1255 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
1256 goto out;
1257
1258 /*
1259 * Even though 32-bit address encodings are allowed in virtual-8086
1260 * mode, the address range is still limited to [0x-0xffff].
1261 */
1262 if (v8086_mode(regs) && (eff_addr & ~0xffff))
1263 goto out;
1264
1265 /*
1266 * Data type long could be 64 bits in size. Ensure that our 32-bit
1267 * effective address is not sign-extended when computing the linear
1268 * address.
1269 */
1270 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1271
1272 /* Limit linear address to 20 bits */
1273 if (v8086_mode(regs))
1274 linear_addr &= 0xfffff;
1275
1276out:
1277 return (void __user *)linear_addr;
1278}
1279
1280/**
1281 * get_addr_ref_64() - Obtain a 64-bit linear address
1282 * @insn: Instruction struct with ModRM and SIB bytes and displacement
1283 * @regs: Structure with register values as seen when entering kernel mode
1284 *
1285 * This function is to be used with 64-bit address encodings to obtain the
1286 * linear memory address referred by the instruction's ModRM, SIB,
1287 * displacement bytes and segment base address, as applicable.
1288 *
1289 * Returns:
1290 *
1291 * Linear address referenced by instruction and registers on success.
1292 *
1293 * -1L on error.
1294 */
1295#ifndef CONFIG_X86_64
1296static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1297{
1298 return (void __user *)-1L;
1299}
1300#else
1301static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1302{
1303 unsigned long linear_addr = -1L, seg_base;
1304 int regoff, ret;
1305 long eff_addr;
1306
1307 if (insn->addr_bytes != 8)
1308 goto out;
1309
1310 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1311 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr);
1312 if (ret)
1313 goto out;
1314
1315 } else {
1316 if (insn->sib.nbytes) {
1317 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr);
1318 if (ret)
1319 goto out;
1320 } else {
1321 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr);
1322 if (ret)
1323 goto out;
1324 }
1325
1326 }
1327
1328 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
1329 if (ret)
1330 goto out;
1331
1332 linear_addr = (unsigned long)eff_addr + seg_base;
1333
1334out:
1335 return (void __user *)linear_addr;
1336}
1337#endif /* CONFIG_X86_64 */
1338
1339/**
1340 * insn_get_addr_ref() - Obtain the linear address referred by instruction
1341 * @insn: Instruction structure containing ModRM byte and displacement
1342 * @regs: Structure with register values as seen when entering kernel mode
1343 *
1344 * Obtain the linear address referred by the instruction's ModRM, SIB and
1345 * displacement bytes, and segment base, as applicable. In protected mode,
1346 * segment limits are enforced.
1347 *
1348 * Returns:
1349 *
1350 * Linear address referenced by instruction and registers on success.
1351 *
1352 * -1L on error.
1353 */
1354void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1355{
1356 if (!insn || !regs)
1357 return (void __user *)-1L;
1358
1359 switch (insn->addr_bytes) {
1360 case 2:
1361 return get_addr_ref_16(insn, regs);
1362 case 4:
1363 return get_addr_ref_32(insn, regs);
1364 case 8:
1365 return get_addr_ref_64(insn, regs);
1366 default:
1367 return (void __user *)-1L;
1368 }
1369}