1 /*
2 * Utility functions for x86 operand and address decoding
3 *
4 * Copyright (C) Intel Corporation 2017
5 */
6 #include <linux/kernel.h>
7 #include <linux/string.h>
8 #include <linux/ratelimit.h>
9 #include <linux/mmu_context.h>
10 #include <asm/desc_defs.h>
11 #include <asm/desc.h>
12 #include <asm/inat.h>
13 #include <asm/insn.h>
14 #include <asm/insn-eval.h>
15 #include <asm/ldt.h>
16 #include <asm/msr.h>
17 #include <asm/vm86.h>
18
19 #undef pr_fmt
20 #define pr_fmt(fmt) "insn: " fmt
21
22 enum reg_type {
23 REG_TYPE_RM = 0,
24 REG_TYPE_REG,
25 REG_TYPE_INDEX,
26 REG_TYPE_BASE,
27 };
28
29 /**
30 * is_string_insn() - Determine if instruction is a string instruction
31 * @insn: Instruction containing the opcode to inspect
32 *
33 * Returns:
34 *
35 * true if the instruction, determined by the opcode, is any of the
36 * string instructions as defined in the Intel Software Development manual.
37 * False otherwise.
38 */
is_string_insn(struct insn * insn)39 static bool is_string_insn(struct insn *insn)
40 {
41 /* All string instructions have a 1-byte opcode. */
42 if (insn->opcode.nbytes != 1)
43 return false;
44
45 switch (insn->opcode.bytes[0]) {
46 case 0x6c ... 0x6f: /* INS, OUTS */
47 case 0xa4 ... 0xa7: /* MOVS, CMPS */
48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
49 return true;
50 default:
51 return false;
52 }
53 }
54
55 /**
56 * insn_has_rep_prefix() - Determine if instruction has a REP prefix
57 * @insn: Instruction containing the prefix to inspect
58 *
59 * Returns:
60 *
61 * true if the instruction has a REP prefix, false if not.
62 */
insn_has_rep_prefix(struct insn * insn)63 bool insn_has_rep_prefix(struct insn *insn)
64 {
65 insn_byte_t p;
66 int i;
67
68 insn_get_prefixes(insn);
69
70 for_each_insn_prefix(insn, i, p) {
71 if (p == 0xf2 || p == 0xf3)
72 return true;
73 }
74
75 return false;
76 }
77
78 /**
79 * get_seg_reg_override_idx() - obtain segment register override index
80 * @insn: Valid instruction with segment override prefixes
81 *
82 * Inspect the instruction prefixes in @insn and find segment overrides, if any.
83 *
84 * Returns:
85 *
86 * A constant identifying the segment register to use, among CS, SS, DS,
87 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
88 * prefixes were found.
89 *
90 * -EINVAL in case of error.
91 */
get_seg_reg_override_idx(struct insn * insn)92 static int get_seg_reg_override_idx(struct insn *insn)
93 {
94 int idx = INAT_SEG_REG_DEFAULT;
95 int num_overrides = 0, i;
96 insn_byte_t p;
97
98 insn_get_prefixes(insn);
99
100 /* Look for any segment override prefixes. */
101 for_each_insn_prefix(insn, i, p) {
102 insn_attr_t attr;
103
104 attr = inat_get_opcode_attribute(p);
105 switch (attr) {
106 case INAT_MAKE_PREFIX(INAT_PFX_CS):
107 idx = INAT_SEG_REG_CS;
108 num_overrides++;
109 break;
110 case INAT_MAKE_PREFIX(INAT_PFX_SS):
111 idx = INAT_SEG_REG_SS;
112 num_overrides++;
113 break;
114 case INAT_MAKE_PREFIX(INAT_PFX_DS):
115 idx = INAT_SEG_REG_DS;
116 num_overrides++;
117 break;
118 case INAT_MAKE_PREFIX(INAT_PFX_ES):
119 idx = INAT_SEG_REG_ES;
120 num_overrides++;
121 break;
122 case INAT_MAKE_PREFIX(INAT_PFX_FS):
123 idx = INAT_SEG_REG_FS;
124 num_overrides++;
125 break;
126 case INAT_MAKE_PREFIX(INAT_PFX_GS):
127 idx = INAT_SEG_REG_GS;
128 num_overrides++;
129 break;
130 /* No default action needed. */
131 }
132 }
133
134 /* More than one segment override prefix leads to undefined behavior. */
135 if (num_overrides > 1)
136 return -EINVAL;
137
138 return idx;
139 }
140
141 /**
142 * check_seg_overrides() - check if segment override prefixes are allowed
143 * @insn: Valid instruction with segment override prefixes
144 * @regoff: Operand offset, in pt_regs, for which the check is performed
145 *
146 * For a particular register used in register-indirect addressing, determine if
147 * segment override prefixes can be used. Specifically, no overrides are allowed
148 * for rDI if used with a string instruction.
149 *
150 * Returns:
151 *
152 * True if segment override prefixes can be used with the register indicated
153 * in @regoff. False if otherwise.
154 */
check_seg_overrides(struct insn * insn,int regoff)155 static bool check_seg_overrides(struct insn *insn, int regoff)
156 {
157 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
158 return false;
159
160 return true;
161 }
162
163 /**
164 * resolve_default_seg() - resolve default segment register index for an operand
165 * @insn: Instruction with opcode and address size. Must be valid.
166 * @regs: Register values as seen when entering kernel mode
167 * @off: Operand offset, in pt_regs, for which resolution is needed
168 *
169 * Resolve the default segment register index associated with the instruction
170 * operand register indicated by @off. Such index is resolved based on defaults
171 * described in the Intel Software Development Manual.
172 *
173 * Returns:
174 *
175 * If in protected mode, a constant identifying the segment register to use,
176 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
177 *
178 * -EINVAL in case of error.
179 */
resolve_default_seg(struct insn * insn,struct pt_regs * regs,int off)180 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
181 {
182 if (any_64bit_mode(regs))
183 return INAT_SEG_REG_IGNORE;
184 /*
185 * Resolve the default segment register as described in Section 3.7.4
186 * of the Intel Software Development Manual Vol. 1:
187 *
188 * + DS for all references involving r[ABCD]X, and rSI.
189 * + If used in a string instruction, ES for rDI. Otherwise, DS.
190 * + AX, CX and DX are not valid register operands in 16-bit address
191 * encodings but are valid for 32-bit and 64-bit encodings.
192 * + -EDOM is reserved to identify for cases in which no register
193 * is used (i.e., displacement-only addressing). Use DS.
194 * + SS for rSP or rBP.
195 * + CS for rIP.
196 */
197
198 switch (off) {
199 case offsetof(struct pt_regs, ax):
200 case offsetof(struct pt_regs, cx):
201 case offsetof(struct pt_regs, dx):
202 /* Need insn to verify address size. */
203 if (insn->addr_bytes == 2)
204 return -EINVAL;
205
206 fallthrough;
207
208 case -EDOM:
209 case offsetof(struct pt_regs, bx):
210 case offsetof(struct pt_regs, si):
211 return INAT_SEG_REG_DS;
212
213 case offsetof(struct pt_regs, di):
214 if (is_string_insn(insn))
215 return INAT_SEG_REG_ES;
216 return INAT_SEG_REG_DS;
217
218 case offsetof(struct pt_regs, bp):
219 case offsetof(struct pt_regs, sp):
220 return INAT_SEG_REG_SS;
221
222 case offsetof(struct pt_regs, ip):
223 return INAT_SEG_REG_CS;
224
225 default:
226 return -EINVAL;
227 }
228 }
229
230 /**
231 * resolve_seg_reg() - obtain segment register index
232 * @insn: Instruction with operands
233 * @regs: Register values as seen when entering kernel mode
234 * @regoff: Operand offset, in pt_regs, used to determine segment register
235 *
236 * Determine the segment register associated with the operands and, if
237 * applicable, prefixes and the instruction pointed by @insn.
238 *
239 * The segment register associated to an operand used in register-indirect
240 * addressing depends on:
241 *
242 * a) Whether running in long mode (in such a case segments are ignored, except
243 * if FS or GS are used).
244 *
245 * b) Whether segment override prefixes can be used. Certain instructions and
246 * registers do not allow override prefixes.
247 *
248 * c) Whether segment overrides prefixes are found in the instruction prefixes.
249 *
250 * d) If there are not segment override prefixes or they cannot be used, the
251 * default segment register associated with the operand register is used.
252 *
253 * The function checks first if segment override prefixes can be used with the
254 * operand indicated by @regoff. If allowed, obtain such overridden segment
255 * register index. Lastly, if not prefixes were found or cannot be used, resolve
256 * the segment register index to use based on the defaults described in the
257 * Intel documentation. In long mode, all segment register indexes will be
258 * ignored, except if overrides were found for FS or GS. All these operations
259 * are done using helper functions.
260 *
261 * The operand register, @regoff, is represented as the offset from the base of
262 * pt_regs.
263 *
264 * As stated, the main use of this function is to determine the segment register
265 * index based on the instruction, its operands and prefixes. Hence, @insn
266 * must be valid. However, if @regoff indicates rIP, we don't need to inspect
267 * @insn at all as in this case CS is used in all cases. This case is checked
268 * before proceeding further.
269 *
270 * Please note that this function does not return the value in the segment
271 * register (i.e., the segment selector) but our defined index. The segment
272 * selector needs to be obtained using get_segment_selector() and passing the
273 * segment register index resolved by this function.
274 *
275 * Returns:
276 *
277 * An index identifying the segment register to use, among CS, SS, DS,
278 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
279 *
280 * -EINVAL in case of error.
281 */
resolve_seg_reg(struct insn * insn,struct pt_regs * regs,int regoff)282 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
283 {
284 int idx;
285
286 /*
287 * In the unlikely event of having to resolve the segment register
288 * index for rIP, do it first. Segment override prefixes should not
289 * be used. Hence, it is not necessary to inspect the instruction,
290 * which may be invalid at this point.
291 */
292 if (regoff == offsetof(struct pt_regs, ip)) {
293 if (any_64bit_mode(regs))
294 return INAT_SEG_REG_IGNORE;
295 else
296 return INAT_SEG_REG_CS;
297 }
298
299 if (!insn)
300 return -EINVAL;
301
302 if (!check_seg_overrides(insn, regoff))
303 return resolve_default_seg(insn, regs, regoff);
304
305 idx = get_seg_reg_override_idx(insn);
306 if (idx < 0)
307 return idx;
308
309 if (idx == INAT_SEG_REG_DEFAULT)
310 return resolve_default_seg(insn, regs, regoff);
311
312 /*
313 * In long mode, segment override prefixes are ignored, except for
314 * overrides for FS and GS.
315 */
316 if (any_64bit_mode(regs)) {
317 if (idx != INAT_SEG_REG_FS &&
318 idx != INAT_SEG_REG_GS)
319 idx = INAT_SEG_REG_IGNORE;
320 }
321
322 return idx;
323 }
324
325 /**
326 * get_segment_selector() - obtain segment selector
327 * @regs: Register values as seen when entering kernel mode
328 * @seg_reg_idx: Segment register index to use
329 *
330 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
331 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
332 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
333 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
334 * registers. This done for only for completeness as in CONFIG_X86_64 segment
335 * registers are ignored.
336 *
337 * Returns:
338 *
339 * Value of the segment selector, including null when running in
340 * long mode.
341 *
342 * -EINVAL on error.
343 */
get_segment_selector(struct pt_regs * regs,int seg_reg_idx)344 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
345 {
346 unsigned short sel;
347
348 #ifdef CONFIG_X86_64
349 switch (seg_reg_idx) {
350 case INAT_SEG_REG_IGNORE:
351 return 0;
352 case INAT_SEG_REG_CS:
353 return (unsigned short)(regs->cs & 0xffff);
354 case INAT_SEG_REG_SS:
355 return (unsigned short)(regs->ss & 0xffff);
356 case INAT_SEG_REG_DS:
357 savesegment(ds, sel);
358 return sel;
359 case INAT_SEG_REG_ES:
360 savesegment(es, sel);
361 return sel;
362 case INAT_SEG_REG_FS:
363 savesegment(fs, sel);
364 return sel;
365 case INAT_SEG_REG_GS:
366 savesegment(gs, sel);
367 return sel;
368 default:
369 return -EINVAL;
370 }
371 #else /* CONFIG_X86_32 */
372 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
373
374 if (v8086_mode(regs)) {
375 switch (seg_reg_idx) {
376 case INAT_SEG_REG_CS:
377 return (unsigned short)(regs->cs & 0xffff);
378 case INAT_SEG_REG_SS:
379 return (unsigned short)(regs->ss & 0xffff);
380 case INAT_SEG_REG_DS:
381 return vm86regs->ds;
382 case INAT_SEG_REG_ES:
383 return vm86regs->es;
384 case INAT_SEG_REG_FS:
385 return vm86regs->fs;
386 case INAT_SEG_REG_GS:
387 return vm86regs->gs;
388 case INAT_SEG_REG_IGNORE:
389 default:
390 return -EINVAL;
391 }
392 }
393
394 switch (seg_reg_idx) {
395 case INAT_SEG_REG_CS:
396 return (unsigned short)(regs->cs & 0xffff);
397 case INAT_SEG_REG_SS:
398 return (unsigned short)(regs->ss & 0xffff);
399 case INAT_SEG_REG_DS:
400 return (unsigned short)(regs->ds & 0xffff);
401 case INAT_SEG_REG_ES:
402 return (unsigned short)(regs->es & 0xffff);
403 case INAT_SEG_REG_FS:
404 return (unsigned short)(regs->fs & 0xffff);
405 case INAT_SEG_REG_GS:
406 savesegment(gs, sel);
407 return sel;
408 case INAT_SEG_REG_IGNORE:
409 default:
410 return -EINVAL;
411 }
412 #endif /* CONFIG_X86_64 */
413 }
414
415 static const int pt_regoff[] = {
416 offsetof(struct pt_regs, ax),
417 offsetof(struct pt_regs, cx),
418 offsetof(struct pt_regs, dx),
419 offsetof(struct pt_regs, bx),
420 offsetof(struct pt_regs, sp),
421 offsetof(struct pt_regs, bp),
422 offsetof(struct pt_regs, si),
423 offsetof(struct pt_regs, di),
424 #ifdef CONFIG_X86_64
425 offsetof(struct pt_regs, r8),
426 offsetof(struct pt_regs, r9),
427 offsetof(struct pt_regs, r10),
428 offsetof(struct pt_regs, r11),
429 offsetof(struct pt_regs, r12),
430 offsetof(struct pt_regs, r13),
431 offsetof(struct pt_regs, r14),
432 offsetof(struct pt_regs, r15),
433 #else
434 offsetof(struct pt_regs, ds),
435 offsetof(struct pt_regs, es),
436 offsetof(struct pt_regs, fs),
437 offsetof(struct pt_regs, gs),
438 #endif
439 };
440
pt_regs_offset(struct pt_regs * regs,int regno)441 int pt_regs_offset(struct pt_regs *regs, int regno)
442 {
443 if ((unsigned)regno < ARRAY_SIZE(pt_regoff))
444 return pt_regoff[regno];
445 return -EDOM;
446 }
447
get_regno(struct insn * insn,enum reg_type type)448 static int get_regno(struct insn *insn, enum reg_type type)
449 {
450 int nr_registers = ARRAY_SIZE(pt_regoff);
451 int regno = 0;
452
453 /*
454 * Don't possibly decode a 32-bit instructions as
455 * reading a 64-bit-only register.
456 */
457 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
458 nr_registers -= 8;
459
460 switch (type) {
461 case REG_TYPE_RM:
462 regno = X86_MODRM_RM(insn->modrm.value);
463
464 /*
465 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
466 * follows the ModRM byte.
467 */
468 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
469 return -EDOM;
470
471 if (X86_REX_B(insn->rex_prefix.value))
472 regno += 8;
473 break;
474
475 case REG_TYPE_REG:
476 regno = X86_MODRM_REG(insn->modrm.value);
477
478 if (X86_REX_R(insn->rex_prefix.value))
479 regno += 8;
480 break;
481
482 case REG_TYPE_INDEX:
483 regno = X86_SIB_INDEX(insn->sib.value);
484 if (X86_REX_X(insn->rex_prefix.value))
485 regno += 8;
486
487 /*
488 * If ModRM.mod != 3 and SIB.index = 4 the scale*index
489 * portion of the address computation is null. This is
490 * true only if REX.X is 0. In such a case, the SIB index
491 * is used in the address computation.
492 */
493 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
494 return -EDOM;
495 break;
496
497 case REG_TYPE_BASE:
498 regno = X86_SIB_BASE(insn->sib.value);
499 /*
500 * If ModRM.mod is 0 and SIB.base == 5, the base of the
501 * register-indirect addressing is 0. In this case, a
502 * 32-bit displacement follows the SIB byte.
503 */
504 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
505 return -EDOM;
506
507 if (X86_REX_B(insn->rex_prefix.value))
508 regno += 8;
509 break;
510
511 default:
512 pr_err_ratelimited("invalid register type: %d\n", type);
513 return -EINVAL;
514 }
515
516 if (regno >= nr_registers) {
517 WARN_ONCE(1, "decoded an instruction with an invalid register");
518 return -EINVAL;
519 }
520 return regno;
521 }
522
get_reg_offset(struct insn * insn,struct pt_regs * regs,enum reg_type type)523 static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
524 enum reg_type type)
525 {
526 int regno = get_regno(insn, type);
527
528 if (regno < 0)
529 return regno;
530
531 return pt_regs_offset(regs, regno);
532 }
533
534 /**
535 * get_reg_offset_16() - Obtain offset of register indicated by instruction
536 * @insn: Instruction containing ModRM byte
537 * @regs: Register values as seen when entering kernel mode
538 * @offs1: Offset of the first operand register
539 * @offs2: Offset of the second operand register, if applicable
540 *
541 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
542 * in @insn. This function is to be used with 16-bit address encodings. The
543 * @offs1 and @offs2 will be written with the offset of the two registers
544 * indicated by the instruction. In cases where any of the registers is not
545 * referenced by the instruction, the value will be set to -EDOM.
546 *
547 * Returns:
548 *
549 * 0 on success, -EINVAL on error.
550 */
get_reg_offset_16(struct insn * insn,struct pt_regs * regs,int * offs1,int * offs2)551 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
552 int *offs1, int *offs2)
553 {
554 /*
555 * 16-bit addressing can use one or two registers. Specifics of
556 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
557 * ModR/M Byte" of the Intel Software Development Manual.
558 */
559 static const int regoff1[] = {
560 offsetof(struct pt_regs, bx),
561 offsetof(struct pt_regs, bx),
562 offsetof(struct pt_regs, bp),
563 offsetof(struct pt_regs, bp),
564 offsetof(struct pt_regs, si),
565 offsetof(struct pt_regs, di),
566 offsetof(struct pt_regs, bp),
567 offsetof(struct pt_regs, bx),
568 };
569
570 static const int regoff2[] = {
571 offsetof(struct pt_regs, si),
572 offsetof(struct pt_regs, di),
573 offsetof(struct pt_regs, si),
574 offsetof(struct pt_regs, di),
575 -EDOM,
576 -EDOM,
577 -EDOM,
578 -EDOM,
579 };
580
581 if (!offs1 || !offs2)
582 return -EINVAL;
583
584 /* Operand is a register, use the generic function. */
585 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
586 *offs1 = insn_get_modrm_rm_off(insn, regs);
587 *offs2 = -EDOM;
588 return 0;
589 }
590
591 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
592 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
593
594 /*
595 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
596 * only addressing. This means that no registers are involved in
597 * computing the effective address. Thus, ensure that the first
598 * register offset is invalid. The second register offset is already
599 * invalid under the aforementioned conditions.
600 */
601 if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
602 (X86_MODRM_RM(insn->modrm.value) == 6))
603 *offs1 = -EDOM;
604
605 return 0;
606 }
607
608 /**
609 * get_desc() - Obtain contents of a segment descriptor
610 * @out: Segment descriptor contents on success
611 * @sel: Segment selector
612 *
613 * Given a segment selector, obtain a pointer to the segment descriptor.
614 * Both global and local descriptor tables are supported.
615 *
616 * Returns:
617 *
618 * True on success, false on failure.
619 *
620 * NULL on error.
621 */
get_desc(struct desc_struct * out,unsigned short sel)622 static bool get_desc(struct desc_struct *out, unsigned short sel)
623 {
624 struct desc_ptr gdt_desc = {0, 0};
625 unsigned long desc_base;
626
627 #ifdef CONFIG_MODIFY_LDT_SYSCALL
628 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
629 bool success = false;
630 struct ldt_struct *ldt;
631
632 /* Bits [15:3] contain the index of the desired entry. */
633 sel >>= 3;
634
635 /*
636 * If we're not in a valid context with a real (not just lazy)
637 * user mm, then don't even try.
638 */
639 if (!nmi_uaccess_okay())
640 return false;
641
642 mutex_lock(¤t->mm->context.lock);
643 ldt = current->mm->context.ldt;
644 if (ldt && sel < ldt->nr_entries) {
645 *out = ldt->entries[sel];
646 success = true;
647 }
648
649 mutex_unlock(¤t->mm->context.lock);
650
651 return success;
652 }
653 #endif
654 native_store_gdt(&gdt_desc);
655
656 /*
657 * Segment descriptors have a size of 8 bytes. Thus, the index is
658 * multiplied by 8 to obtain the memory offset of the desired descriptor
659 * from the base of the GDT. As bits [15:3] of the segment selector
660 * contain the index, it can be regarded as multiplied by 8 already.
661 * All that remains is to clear bits [2:0].
662 */
663 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
664
665 if (desc_base > gdt_desc.size)
666 return false;
667
668 *out = *(struct desc_struct *)(gdt_desc.address + desc_base);
669 return true;
670 }
671
672 /**
673 * insn_get_seg_base() - Obtain base address of segment descriptor.
674 * @regs: Register values as seen when entering kernel mode
675 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
676 *
677 * Obtain the base address of the segment as indicated by the segment descriptor
678 * pointed by the segment selector. The segment selector is obtained from the
679 * input segment register index @seg_reg_idx.
680 *
681 * Returns:
682 *
683 * In protected mode, base address of the segment. Zero in long mode,
684 * except when FS or GS are used. In virtual-8086 mode, the segment
685 * selector shifted 4 bits to the right.
686 *
687 * -1L in case of error.
688 */
insn_get_seg_base(struct pt_regs * regs,int seg_reg_idx)689 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
690 {
691 struct desc_struct desc;
692 short sel;
693
694 sel = get_segment_selector(regs, seg_reg_idx);
695 if (sel < 0)
696 return -1L;
697
698 if (v8086_mode(regs))
699 /*
700 * Base is simply the segment selector shifted 4
701 * bits to the right.
702 */
703 return (unsigned long)(sel << 4);
704
705 if (any_64bit_mode(regs)) {
706 /*
707 * Only FS or GS will have a base address, the rest of
708 * the segments' bases are forced to 0.
709 */
710 unsigned long base;
711
712 if (seg_reg_idx == INAT_SEG_REG_FS) {
713 rdmsrq(MSR_FS_BASE, base);
714 } else if (seg_reg_idx == INAT_SEG_REG_GS) {
715 /*
716 * swapgs was called at the kernel entry point. Thus,
717 * MSR_KERNEL_GS_BASE will have the user-space GS base.
718 */
719 if (user_mode(regs))
720 rdmsrq(MSR_KERNEL_GS_BASE, base);
721 else
722 rdmsrq(MSR_GS_BASE, base);
723 } else {
724 base = 0;
725 }
726 return base;
727 }
728
729 /* In protected mode the segment selector cannot be null. */
730 if (!sel)
731 return -1L;
732
733 if (!get_desc(&desc, sel))
734 return -1L;
735
736 return get_desc_base(&desc);
737 }
738
739 /**
740 * get_seg_limit() - Obtain the limit of a segment descriptor
741 * @regs: Register values as seen when entering kernel mode
742 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
743 *
744 * Obtain the limit of the segment as indicated by the segment descriptor
745 * pointed by the segment selector. The segment selector is obtained from the
746 * input segment register index @seg_reg_idx.
747 *
748 * Returns:
749 *
750 * In protected mode, the limit of the segment descriptor in bytes.
751 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
752 * limit is returned as -1L to imply a limit-less segment.
753 *
754 * Zero is returned on error.
755 */
get_seg_limit(struct pt_regs * regs,int seg_reg_idx)756 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
757 {
758 struct desc_struct desc;
759 unsigned long limit;
760 short sel;
761
762 sel = get_segment_selector(regs, seg_reg_idx);
763 if (sel < 0)
764 return 0;
765
766 if (any_64bit_mode(regs) || v8086_mode(regs))
767 return -1L;
768
769 if (!sel)
770 return 0;
771
772 if (!get_desc(&desc, sel))
773 return 0;
774
775 /*
776 * If the granularity bit is set, the limit is given in multiples
777 * of 4096. This also means that the 12 least significant bits are
778 * not tested when checking the segment limits. In practice,
779 * this means that the segment ends in (limit << 12) + 0xfff.
780 */
781 limit = get_desc_limit(&desc);
782 if (desc.g)
783 limit = (limit << 12) + 0xfff;
784
785 return limit;
786 }
787
788 /**
789 * insn_get_code_seg_params() - Obtain code segment parameters
790 * @regs: Structure with register values as seen when entering kernel mode
791 *
792 * Obtain address and operand sizes of the code segment. It is obtained from the
793 * selector contained in the CS register in regs. In protected mode, the default
794 * address is determined by inspecting the L and D bits of the segment
795 * descriptor. In virtual-8086 mode, the default is always two bytes for both
796 * address and operand sizes.
797 *
798 * Returns:
799 *
800 * An int containing ORed-in default parameters on success.
801 *
802 * -EINVAL on error.
803 */
insn_get_code_seg_params(struct pt_regs * regs)804 int insn_get_code_seg_params(struct pt_regs *regs)
805 {
806 struct desc_struct desc;
807 short sel;
808
809 if (v8086_mode(regs))
810 /* Address and operand size are both 16-bit. */
811 return INSN_CODE_SEG_PARAMS(2, 2);
812
813 sel = get_segment_selector(regs, INAT_SEG_REG_CS);
814 if (sel < 0)
815 return sel;
816
817 if (!get_desc(&desc, sel))
818 return -EINVAL;
819
820 /*
821 * The most significant byte of the Type field of the segment descriptor
822 * determines whether a segment contains data or code. If this is a data
823 * segment, return error.
824 */
825 if (!(desc.type & BIT(3)))
826 return -EINVAL;
827
828 switch ((desc.l << 1) | desc.d) {
829 case 0: /*
830 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
831 * both 16-bit.
832 */
833 return INSN_CODE_SEG_PARAMS(2, 2);
834 case 1: /*
835 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
836 * both 32-bit.
837 */
838 return INSN_CODE_SEG_PARAMS(4, 4);
839 case 2: /*
840 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
841 * operand size is 32-bit.
842 */
843 return INSN_CODE_SEG_PARAMS(4, 8);
844 case 3: /* Invalid setting. CS.L=1, CS.D=1 */
845 fallthrough;
846 default:
847 return -EINVAL;
848 }
849 }
850
851 /**
852 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
853 * @insn: Instruction containing the ModRM byte
854 * @regs: Register values as seen when entering kernel mode
855 *
856 * Returns:
857 *
858 * The register indicated by the r/m part of the ModRM byte. The
859 * register is obtained as an offset from the base of pt_regs. In specific
860 * cases, the returned value can be -EDOM to indicate that the particular value
861 * of ModRM does not refer to a register and shall be ignored.
862 */
insn_get_modrm_rm_off(struct insn * insn,struct pt_regs * regs)863 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
864 {
865 return get_reg_offset(insn, regs, REG_TYPE_RM);
866 }
867
868 /**
869 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte
870 * @insn: Instruction containing the ModRM byte
871 * @regs: Register values as seen when entering kernel mode
872 *
873 * Returns:
874 *
875 * The register indicated by the reg part of the ModRM byte. The
876 * register is obtained as an offset from the base of pt_regs.
877 */
insn_get_modrm_reg_off(struct insn * insn,struct pt_regs * regs)878 int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)
879 {
880 return get_reg_offset(insn, regs, REG_TYPE_REG);
881 }
882
883 /**
884 * insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte
885 * @insn: Instruction containing the ModRM byte
886 * @regs: Register values as seen when entering kernel mode
887 *
888 * Returns:
889 *
890 * The register indicated by the reg part of the ModRM byte.
891 * The register is obtained as a pointer within pt_regs.
892 */
insn_get_modrm_reg_ptr(struct insn * insn,struct pt_regs * regs)893 unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs)
894 {
895 int offset;
896
897 offset = insn_get_modrm_reg_off(insn, regs);
898 if (offset < 0)
899 return NULL;
900 return (void *)regs + offset;
901 }
902
903 /**
904 * get_seg_base_limit() - obtain base address and limit of a segment
905 * @insn: Instruction. Must be valid.
906 * @regs: Register values as seen when entering kernel mode
907 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
908 * @base: Obtained segment base
909 * @limit: Obtained segment limit
910 *
911 * Obtain the base address and limit of the segment associated with the operand
912 * @regoff and, if any or allowed, override prefixes in @insn. This function is
913 * different from insn_get_seg_base() as the latter does not resolve the segment
914 * associated with the instruction operand. If a limit is not needed (e.g.,
915 * when running in long mode), @limit can be NULL.
916 *
917 * Returns:
918 *
919 * 0 on success. @base and @limit will contain the base address and of the
920 * resolved segment, respectively.
921 *
922 * -EINVAL on error.
923 */
get_seg_base_limit(struct insn * insn,struct pt_regs * regs,int regoff,unsigned long * base,unsigned long * limit)924 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
925 int regoff, unsigned long *base,
926 unsigned long *limit)
927 {
928 int seg_reg_idx;
929
930 if (!base)
931 return -EINVAL;
932
933 seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
934 if (seg_reg_idx < 0)
935 return seg_reg_idx;
936
937 *base = insn_get_seg_base(regs, seg_reg_idx);
938 if (*base == -1L)
939 return -EINVAL;
940
941 if (!limit)
942 return 0;
943
944 *limit = get_seg_limit(regs, seg_reg_idx);
945 if (!(*limit))
946 return -EINVAL;
947
948 return 0;
949 }
950
951 /**
952 * get_eff_addr_reg() - Obtain effective address from register operand
953 * @insn: Instruction. Must be valid.
954 * @regs: Register values as seen when entering kernel mode
955 * @regoff: Obtained operand offset, in pt_regs, with the effective address
956 * @eff_addr: Obtained effective address
957 *
958 * Obtain the effective address stored in the register operand as indicated by
959 * the ModRM byte. This function is to be used only with register addressing
960 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
961 * register operand, as an offset from the base of pt_regs, is saved in @regoff;
962 * such offset can then be used to resolve the segment associated with the
963 * operand. This function can be used with any of the supported address sizes
964 * in x86.
965 *
966 * Returns:
967 *
968 * 0 on success. @eff_addr will have the effective address stored in the
969 * operand indicated by ModRM. @regoff will have such operand as an offset from
970 * the base of pt_regs.
971 *
972 * -EINVAL on error.
973 */
get_eff_addr_reg(struct insn * insn,struct pt_regs * regs,int * regoff,long * eff_addr)974 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
975 int *regoff, long *eff_addr)
976 {
977 int ret;
978
979 ret = insn_get_modrm(insn);
980 if (ret)
981 return ret;
982
983 if (X86_MODRM_MOD(insn->modrm.value) != 3)
984 return -EINVAL;
985
986 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
987 if (*regoff < 0)
988 return -EINVAL;
989
990 /* Ignore bytes that are outside the address size. */
991 if (insn->addr_bytes == 2)
992 *eff_addr = regs_get_register(regs, *regoff) & 0xffff;
993 else if (insn->addr_bytes == 4)
994 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
995 else /* 64-bit address */
996 *eff_addr = regs_get_register(regs, *regoff);
997
998 return 0;
999 }
1000
1001 /**
1002 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
1003 * @insn: Instruction. Must be valid.
1004 * @regs: Register values as seen when entering kernel mode
1005 * @regoff: Obtained operand offset, in pt_regs, associated with segment
1006 * @eff_addr: Obtained effective address
1007 *
1008 * Obtain the effective address referenced by the ModRM byte of @insn. After
1009 * identifying the registers involved in the register-indirect memory reference,
1010 * its value is obtained from the operands in @regs. The computed address is
1011 * stored @eff_addr. Also, the register operand that indicates the associated
1012 * segment is stored in @regoff, this parameter can later be used to determine
1013 * such segment.
1014 *
1015 * Returns:
1016 *
1017 * 0 on success. @eff_addr will have the referenced effective address. @regoff
1018 * will have a register, as an offset from the base of pt_regs, that can be used
1019 * to resolve the associated segment.
1020 *
1021 * -EINVAL on error.
1022 */
get_eff_addr_modrm(struct insn * insn,struct pt_regs * regs,int * regoff,long * eff_addr)1023 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
1024 int *regoff, long *eff_addr)
1025 {
1026 long tmp;
1027 int ret;
1028
1029 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1030 return -EINVAL;
1031
1032 ret = insn_get_modrm(insn);
1033 if (ret)
1034 return ret;
1035
1036 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1037 return -EINVAL;
1038
1039 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
1040
1041 /*
1042 * -EDOM means that we must ignore the address_offset. In such a case,
1043 * in 64-bit mode the effective address relative to the rIP of the
1044 * following instruction.
1045 */
1046 if (*regoff == -EDOM) {
1047 if (any_64bit_mode(regs))
1048 tmp = regs->ip + insn->length;
1049 else
1050 tmp = 0;
1051 } else if (*regoff < 0) {
1052 return -EINVAL;
1053 } else {
1054 tmp = regs_get_register(regs, *regoff);
1055 }
1056
1057 if (insn->addr_bytes == 4) {
1058 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
1059
1060 *eff_addr = addr32 & 0xffffffff;
1061 } else {
1062 *eff_addr = tmp + insn->displacement.value;
1063 }
1064
1065 return 0;
1066 }
1067
1068 /**
1069 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
1070 * @insn: Instruction. Must be valid.
1071 * @regs: Register values as seen when entering kernel mode
1072 * @regoff: Obtained operand offset, in pt_regs, associated with segment
1073 * @eff_addr: Obtained effective address
1074 *
1075 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
1076 * After identifying the registers involved in the register-indirect memory
1077 * reference, its value is obtained from the operands in @regs. The computed
1078 * address is stored @eff_addr. Also, the register operand that indicates
1079 * the associated segment is stored in @regoff, this parameter can later be used
1080 * to determine such segment.
1081 *
1082 * Returns:
1083 *
1084 * 0 on success. @eff_addr will have the referenced effective address. @regoff
1085 * will have a register, as an offset from the base of pt_regs, that can be used
1086 * to resolve the associated segment.
1087 *
1088 * -EINVAL on error.
1089 */
get_eff_addr_modrm_16(struct insn * insn,struct pt_regs * regs,int * regoff,short * eff_addr)1090 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
1091 int *regoff, short *eff_addr)
1092 {
1093 int addr_offset1, addr_offset2, ret;
1094 short addr1 = 0, addr2 = 0, displacement;
1095
1096 if (insn->addr_bytes != 2)
1097 return -EINVAL;
1098
1099 insn_get_modrm(insn);
1100
1101 if (!insn->modrm.nbytes)
1102 return -EINVAL;
1103
1104 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1105 return -EINVAL;
1106
1107 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
1108 if (ret < 0)
1109 return -EINVAL;
1110
1111 /*
1112 * Don't fail on invalid offset values. They might be invalid because
1113 * they cannot be used for this particular value of ModRM. Instead, use
1114 * them in the computation only if they contain a valid value.
1115 */
1116 if (addr_offset1 != -EDOM)
1117 addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
1118
1119 if (addr_offset2 != -EDOM)
1120 addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
1121
1122 displacement = insn->displacement.value & 0xffff;
1123 *eff_addr = addr1 + addr2 + displacement;
1124
1125 /*
1126 * The first operand register could indicate to use of either SS or DS
1127 * registers to obtain the segment selector. The second operand
1128 * register can only indicate the use of DS. Thus, the first operand
1129 * will be used to obtain the segment selector.
1130 */
1131 *regoff = addr_offset1;
1132
1133 return 0;
1134 }
1135
1136 /**
1137 * get_eff_addr_sib() - Obtain referenced effective address via SIB
1138 * @insn: Instruction. Must be valid.
1139 * @regs: Register values as seen when entering kernel mode
1140 * @base_offset: Obtained operand offset, in pt_regs, associated with segment
1141 * @eff_addr: Obtained effective address
1142 *
1143 * Obtain the effective address referenced by the SIB byte of @insn. After
1144 * identifying the registers involved in the indexed, register-indirect memory
1145 * reference, its value is obtained from the operands in @regs. The computed
1146 * address is stored @eff_addr. Also, the register operand that indicates the
1147 * associated segment is stored in @base_offset; this parameter can later be
1148 * used to determine such segment.
1149 *
1150 * Returns:
1151 *
1152 * 0 on success. @eff_addr will have the referenced effective address.
1153 * @base_offset will have a register, as an offset from the base of pt_regs,
1154 * that can be used to resolve the associated segment.
1155 *
1156 * Negative value on error.
1157 */
get_eff_addr_sib(struct insn * insn,struct pt_regs * regs,int * base_offset,long * eff_addr)1158 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1159 int *base_offset, long *eff_addr)
1160 {
1161 long base, indx;
1162 int indx_offset;
1163 int ret;
1164
1165 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1166 return -EINVAL;
1167
1168 ret = insn_get_modrm(insn);
1169 if (ret)
1170 return ret;
1171
1172 if (!insn->modrm.nbytes)
1173 return -EINVAL;
1174
1175 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1176 return -EINVAL;
1177
1178 ret = insn_get_sib(insn);
1179 if (ret)
1180 return ret;
1181
1182 if (!insn->sib.nbytes)
1183 return -EINVAL;
1184
1185 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
1186 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
1187
1188 /*
1189 * Negative values in the base and index offset means an error when
1190 * decoding the SIB byte. Except -EDOM, which means that the registers
1191 * should not be used in the address computation.
1192 */
1193 if (*base_offset == -EDOM)
1194 base = 0;
1195 else if (*base_offset < 0)
1196 return -EINVAL;
1197 else
1198 base = regs_get_register(regs, *base_offset);
1199
1200 if (indx_offset == -EDOM)
1201 indx = 0;
1202 else if (indx_offset < 0)
1203 return -EINVAL;
1204 else
1205 indx = regs_get_register(regs, indx_offset);
1206
1207 if (insn->addr_bytes == 4) {
1208 int addr32, base32, idx32;
1209
1210 base32 = base & 0xffffffff;
1211 idx32 = indx & 0xffffffff;
1212
1213 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1214 addr32 += insn->displacement.value;
1215
1216 *eff_addr = addr32 & 0xffffffff;
1217 } else {
1218 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1219 *eff_addr += insn->displacement.value;
1220 }
1221
1222 return 0;
1223 }
1224
1225 /**
1226 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1227 * @insn: Instruction containing ModRM byte and displacement
1228 * @regs: Register values as seen when entering kernel mode
1229 *
1230 * This function is to be used with 16-bit address encodings. Obtain the memory
1231 * address referred by the instruction's ModRM and displacement bytes. Also, the
1232 * segment used as base is determined by either any segment override prefixes in
1233 * @insn or the default segment of the registers involved in the address
1234 * computation. In protected mode, segment limits are enforced.
1235 *
1236 * Returns:
1237 *
1238 * Linear address referenced by the instruction operands on success.
1239 *
1240 * -1L on error.
1241 */
get_addr_ref_16(struct insn * insn,struct pt_regs * regs)1242 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1243 {
1244 unsigned long linear_addr = -1L, seg_base, seg_limit;
1245 int ret, regoff;
1246 short eff_addr;
1247 long tmp;
1248
1249 if (insn_get_displacement(insn))
1250 goto out;
1251
1252 if (insn->addr_bytes != 2)
1253 goto out;
1254
1255 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1256 ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1257 if (ret)
1258 goto out;
1259
1260 eff_addr = tmp;
1261 } else {
1262 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr);
1263 if (ret)
1264 goto out;
1265 }
1266
1267 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1268 if (ret)
1269 goto out;
1270
1271 /*
1272 * Before computing the linear address, make sure the effective address
1273 * is within the limits of the segment. In virtual-8086 mode, segment
1274 * limits are not enforced. In such a case, the segment limit is -1L to
1275 * reflect this fact.
1276 */
1277 if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1278 goto out;
1279
1280 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1281
1282 /* Limit linear address to 20 bits */
1283 if (v8086_mode(regs))
1284 linear_addr &= 0xfffff;
1285
1286 out:
1287 return (void __user *)linear_addr;
1288 }
1289
1290 /**
1291 * get_addr_ref_32() - Obtain a 32-bit linear address
1292 * @insn: Instruction with ModRM, SIB bytes and displacement
1293 * @regs: Register values as seen when entering kernel mode
1294 *
1295 * This function is to be used with 32-bit address encodings to obtain the
1296 * linear memory address referred by the instruction's ModRM, SIB,
1297 * displacement bytes and segment base address, as applicable. If in protected
1298 * mode, segment limits are enforced.
1299 *
1300 * Returns:
1301 *
1302 * Linear address referenced by instruction and registers on success.
1303 *
1304 * -1L on error.
1305 */
get_addr_ref_32(struct insn * insn,struct pt_regs * regs)1306 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1307 {
1308 unsigned long linear_addr = -1L, seg_base, seg_limit;
1309 int eff_addr, regoff;
1310 long tmp;
1311 int ret;
1312
1313 if (insn->addr_bytes != 4)
1314 goto out;
1315
1316 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1317 ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1318 if (ret)
1319 goto out;
1320
1321 eff_addr = tmp;
1322
1323 } else {
1324 if (insn->sib.nbytes) {
1325 ret = get_eff_addr_sib(insn, regs, ®off, &tmp);
1326 if (ret)
1327 goto out;
1328
1329 eff_addr = tmp;
1330 } else {
1331 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp);
1332 if (ret)
1333 goto out;
1334
1335 eff_addr = tmp;
1336 }
1337 }
1338
1339 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1340 if (ret)
1341 goto out;
1342
1343 /*
1344 * In protected mode, before computing the linear address, make sure
1345 * the effective address is within the limits of the segment.
1346 * 32-bit addresses can be used in long and virtual-8086 modes if an
1347 * address override prefix is used. In such cases, segment limits are
1348 * not enforced. When in virtual-8086 mode, the segment limit is -1L
1349 * to reflect this situation.
1350 *
1351 * After computed, the effective address is treated as an unsigned
1352 * quantity.
1353 */
1354 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
1355 goto out;
1356
1357 /*
1358 * Even though 32-bit address encodings are allowed in virtual-8086
1359 * mode, the address range is still limited to [0x-0xffff].
1360 */
1361 if (v8086_mode(regs) && (eff_addr & ~0xffff))
1362 goto out;
1363
1364 /*
1365 * Data type long could be 64 bits in size. Ensure that our 32-bit
1366 * effective address is not sign-extended when computing the linear
1367 * address.
1368 */
1369 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1370
1371 /* Limit linear address to 20 bits */
1372 if (v8086_mode(regs))
1373 linear_addr &= 0xfffff;
1374
1375 out:
1376 return (void __user *)linear_addr;
1377 }
1378
1379 /**
1380 * get_addr_ref_64() - Obtain a 64-bit linear address
1381 * @insn: Instruction struct with ModRM and SIB bytes and displacement
1382 * @regs: Structure with register values as seen when entering kernel mode
1383 *
1384 * This function is to be used with 64-bit address encodings to obtain the
1385 * linear memory address referred by the instruction's ModRM, SIB,
1386 * displacement bytes and segment base address, as applicable.
1387 *
1388 * Returns:
1389 *
1390 * Linear address referenced by instruction and registers on success.
1391 *
1392 * -1L on error.
1393 */
1394 #ifndef CONFIG_X86_64
get_addr_ref_64(struct insn * insn,struct pt_regs * regs)1395 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1396 {
1397 return (void __user *)-1L;
1398 }
1399 #else
get_addr_ref_64(struct insn * insn,struct pt_regs * regs)1400 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1401 {
1402 unsigned long linear_addr = -1L, seg_base;
1403 int regoff, ret;
1404 long eff_addr;
1405
1406 if (insn->addr_bytes != 8)
1407 goto out;
1408
1409 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1410 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr);
1411 if (ret)
1412 goto out;
1413
1414 } else {
1415 if (insn->sib.nbytes) {
1416 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr);
1417 if (ret)
1418 goto out;
1419 } else {
1420 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr);
1421 if (ret)
1422 goto out;
1423 }
1424
1425 }
1426
1427 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
1428 if (ret)
1429 goto out;
1430
1431 linear_addr = (unsigned long)eff_addr + seg_base;
1432
1433 out:
1434 return (void __user *)linear_addr;
1435 }
1436 #endif /* CONFIG_X86_64 */
1437
1438 /**
1439 * insn_get_addr_ref() - Obtain the linear address referred by instruction
1440 * @insn: Instruction structure containing ModRM byte and displacement
1441 * @regs: Structure with register values as seen when entering kernel mode
1442 *
1443 * Obtain the linear address referred by the instruction's ModRM, SIB and
1444 * displacement bytes, and segment base, as applicable. In protected mode,
1445 * segment limits are enforced.
1446 *
1447 * Returns:
1448 *
1449 * Linear address referenced by instruction and registers on success.
1450 *
1451 * -1L on error.
1452 */
insn_get_addr_ref(struct insn * insn,struct pt_regs * regs)1453 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1454 {
1455 if (!insn || !regs)
1456 return (void __user *)-1L;
1457
1458 if (insn_get_opcode(insn))
1459 return (void __user *)-1L;
1460
1461 switch (insn->addr_bytes) {
1462 case 2:
1463 return get_addr_ref_16(insn, regs);
1464 case 4:
1465 return get_addr_ref_32(insn, regs);
1466 case 8:
1467 return get_addr_ref_64(insn, regs);
1468 default:
1469 return (void __user *)-1L;
1470 }
1471 }
1472
insn_get_effective_ip(struct pt_regs * regs,unsigned long * ip)1473 int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)
1474 {
1475 unsigned long seg_base = 0;
1476
1477 /*
1478 * If not in user-space long mode, a custom code segment could be in
1479 * use. This is true in protected mode (if the process defined a local
1480 * descriptor table), or virtual-8086 mode. In most of the cases
1481 * seg_base will be zero as in USER_CS.
1482 */
1483 if (!user_64bit_mode(regs)) {
1484 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
1485 if (seg_base == -1L)
1486 return -EINVAL;
1487 }
1488
1489 *ip = seg_base + regs->ip;
1490
1491 return 0;
1492 }
1493
1494 /**
1495 * insn_fetch_from_user() - Copy instruction bytes from user-space memory
1496 * @regs: Structure with register values as seen when entering kernel mode
1497 * @buf: Array to store the fetched instruction
1498 *
1499 * Gets the linear address of the instruction and copies the instruction bytes
1500 * to the buf.
1501 *
1502 * Returns:
1503 *
1504 * - number of instruction bytes copied.
1505 * - 0 if nothing was copied.
1506 * - -EINVAL if the linear address of the instruction could not be calculated
1507 */
insn_fetch_from_user(struct pt_regs * regs,unsigned char buf[MAX_INSN_SIZE])1508 int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1509 {
1510 unsigned long ip;
1511 int not_copied;
1512
1513 if (insn_get_effective_ip(regs, &ip))
1514 return -EINVAL;
1515
1516 not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);
1517
1518 return MAX_INSN_SIZE - not_copied;
1519 }
1520
1521 /**
1522 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory
1523 * while in atomic code
1524 * @regs: Structure with register values as seen when entering kernel mode
1525 * @buf: Array to store the fetched instruction
1526 *
1527 * Gets the linear address of the instruction and copies the instruction bytes
1528 * to the buf. This function must be used in atomic context.
1529 *
1530 * Returns:
1531 *
1532 * - number of instruction bytes copied.
1533 * - 0 if nothing was copied.
1534 * - -EINVAL if the linear address of the instruction could not be calculated.
1535 */
insn_fetch_from_user_inatomic(struct pt_regs * regs,unsigned char buf[MAX_INSN_SIZE])1536 int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1537 {
1538 unsigned long ip;
1539 int not_copied;
1540
1541 if (insn_get_effective_ip(regs, &ip))
1542 return -EINVAL;
1543
1544 not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);
1545
1546 return MAX_INSN_SIZE - not_copied;
1547 }
1548
1549 /**
1550 * insn_decode_from_regs() - Decode an instruction
1551 * @insn: Structure to store decoded instruction
1552 * @regs: Structure with register values as seen when entering kernel mode
1553 * @buf: Buffer containing the instruction bytes
1554 * @buf_size: Number of instruction bytes available in buf
1555 *
1556 * Decodes the instruction provided in buf and stores the decoding results in
1557 * insn. Also determines the correct address and operand sizes.
1558 *
1559 * Returns:
1560 *
1561 * True if instruction was decoded, False otherwise.
1562 */
insn_decode_from_regs(struct insn * insn,struct pt_regs * regs,unsigned char buf[MAX_INSN_SIZE],int buf_size)1563 bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs,
1564 unsigned char buf[MAX_INSN_SIZE], int buf_size)
1565 {
1566 int seg_defs;
1567
1568 insn_init(insn, buf, buf_size, user_64bit_mode(regs));
1569
1570 /*
1571 * Override the default operand and address sizes with what is specified
1572 * in the code segment descriptor. The instruction decoder only sets
1573 * the address size it to either 4 or 8 address bytes and does nothing
1574 * for the operand bytes. This OK for most of the cases, but we could
1575 * have special cases where, for instance, a 16-bit code segment
1576 * descriptor is used.
1577 * If there is an address override prefix, the instruction decoder
1578 * correctly updates these values, even for 16-bit defaults.
1579 */
1580 seg_defs = insn_get_code_seg_params(regs);
1581 if (seg_defs == -EINVAL)
1582 return false;
1583
1584 insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
1585 insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
1586
1587 if (insn_get_length(insn))
1588 return false;
1589
1590 if (buf_size < insn->length)
1591 return false;
1592
1593 return true;
1594 }
1595
1596 /**
1597 * insn_decode_mmio() - Decode a MMIO instruction
1598 * @insn: Structure to store decoded instruction
1599 * @bytes: Returns size of memory operand
1600 *
1601 * Decodes instruction that used for Memory-mapped I/O.
1602 *
1603 * Returns:
1604 *
1605 * Type of the instruction. Size of the memory operand is stored in
1606 * @bytes. If decode failed, INSN_MMIO_DECODE_FAILED returned.
1607 */
insn_decode_mmio(struct insn * insn,int * bytes)1608 enum insn_mmio_type insn_decode_mmio(struct insn *insn, int *bytes)
1609 {
1610 enum insn_mmio_type type = INSN_MMIO_DECODE_FAILED;
1611
1612 *bytes = 0;
1613
1614 if (insn_get_opcode(insn))
1615 return INSN_MMIO_DECODE_FAILED;
1616
1617 switch (insn->opcode.bytes[0]) {
1618 case 0x88: /* MOV m8,r8 */
1619 *bytes = 1;
1620 fallthrough;
1621 case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */
1622 if (!*bytes)
1623 *bytes = insn->opnd_bytes;
1624 type = INSN_MMIO_WRITE;
1625 break;
1626
1627 case 0xc6: /* MOV m8, imm8 */
1628 *bytes = 1;
1629 fallthrough;
1630 case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */
1631 if (!*bytes)
1632 *bytes = insn->opnd_bytes;
1633 type = INSN_MMIO_WRITE_IMM;
1634 break;
1635
1636 case 0x8a: /* MOV r8, m8 */
1637 *bytes = 1;
1638 fallthrough;
1639 case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */
1640 if (!*bytes)
1641 *bytes = insn->opnd_bytes;
1642 type = INSN_MMIO_READ;
1643 break;
1644
1645 case 0xa4: /* MOVS m8, m8 */
1646 *bytes = 1;
1647 fallthrough;
1648 case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */
1649 if (!*bytes)
1650 *bytes = insn->opnd_bytes;
1651 type = INSN_MMIO_MOVS;
1652 break;
1653
1654 case 0x0f: /* Two-byte instruction */
1655 switch (insn->opcode.bytes[1]) {
1656 case 0xb6: /* MOVZX r16/r32/r64, m8 */
1657 *bytes = 1;
1658 fallthrough;
1659 case 0xb7: /* MOVZX r32/r64, m16 */
1660 if (!*bytes)
1661 *bytes = 2;
1662 type = INSN_MMIO_READ_ZERO_EXTEND;
1663 break;
1664
1665 case 0xbe: /* MOVSX r16/r32/r64, m8 */
1666 *bytes = 1;
1667 fallthrough;
1668 case 0xbf: /* MOVSX r32/r64, m16 */
1669 if (!*bytes)
1670 *bytes = 2;
1671 type = INSN_MMIO_READ_SIGN_EXTEND;
1672 break;
1673 }
1674 break;
1675 }
1676
1677 return type;
1678 }
1679