1 /*
2 * Utility functions for x86 operand and address decoding
3 *
4 * Copyright (C) Intel Corporation 2017
5 */
6 #include <linux/kernel.h>
7 #include <linux/string.h>
8 #include <linux/ratelimit.h>
9 #include <linux/mmu_context.h>
10 #include <asm/desc_defs.h>
11 #include <asm/desc.h>
12 #include <asm/inat.h>
13 #include <asm/insn.h>
14 #include <asm/insn-eval.h>
15 #include <asm/ldt.h>
16 #include <asm/msr.h>
17 #include <asm/vm86.h>
18
19 #undef pr_fmt
20 #define pr_fmt(fmt) "insn: " fmt
21
22 enum reg_type {
23 REG_TYPE_RM = 0,
24 REG_TYPE_REG,
25 REG_TYPE_INDEX,
26 REG_TYPE_BASE,
27 };
28
29 /**
30 * is_string_insn() - Determine if instruction is a string instruction
31 * @insn: Instruction containing the opcode to inspect
32 *
33 * Returns:
34 *
35 * true if the instruction, determined by the opcode, is any of the
36 * string instructions as defined in the Intel Software Development manual.
37 * False otherwise.
38 */
is_string_insn(struct insn * insn)39 static bool is_string_insn(struct insn *insn)
40 {
41 /* All string instructions have a 1-byte opcode. */
42 if (insn->opcode.nbytes != 1)
43 return false;
44
45 switch (insn->opcode.bytes[0]) {
46 case 0x6c ... 0x6f: /* INS, OUTS */
47 case 0xa4 ... 0xa7: /* MOVS, CMPS */
48 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
49 return true;
50 default:
51 return false;
52 }
53 }
54
55 /**
56 * insn_has_rep_prefix() - Determine if instruction has a REP prefix
57 * @insn: Instruction containing the prefix to inspect
58 *
59 * Returns:
60 *
61 * true if the instruction has a REP prefix, false if not.
62 */
insn_has_rep_prefix(struct insn * insn)63 bool insn_has_rep_prefix(struct insn *insn)
64 {
65 insn_byte_t p;
66
67 insn_get_prefixes(insn);
68
69 for_each_insn_prefix(insn, p) {
70 if (p == 0xf2 || p == 0xf3)
71 return true;
72 }
73
74 return false;
75 }
76
77 /**
78 * get_seg_reg_override_idx() - obtain segment register override index
79 * @insn: Valid instruction with segment override prefixes
80 *
81 * Inspect the instruction prefixes in @insn and find segment overrides, if any.
82 *
83 * Returns:
84 *
85 * A constant identifying the segment register to use, among CS, SS, DS,
86 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
87 * prefixes were found.
88 *
89 * -EINVAL in case of error.
90 */
get_seg_reg_override_idx(struct insn * insn)91 static int get_seg_reg_override_idx(struct insn *insn)
92 {
93 int idx = INAT_SEG_REG_DEFAULT;
94 int num_overrides = 0;
95 insn_byte_t p;
96
97 insn_get_prefixes(insn);
98
99 /* Look for any segment override prefixes. */
100 for_each_insn_prefix(insn, p) {
101 insn_attr_t attr;
102
103 attr = inat_get_opcode_attribute(p);
104 switch (attr) {
105 case INAT_MAKE_PREFIX(INAT_PFX_CS):
106 idx = INAT_SEG_REG_CS;
107 num_overrides++;
108 break;
109 case INAT_MAKE_PREFIX(INAT_PFX_SS):
110 idx = INAT_SEG_REG_SS;
111 num_overrides++;
112 break;
113 case INAT_MAKE_PREFIX(INAT_PFX_DS):
114 idx = INAT_SEG_REG_DS;
115 num_overrides++;
116 break;
117 case INAT_MAKE_PREFIX(INAT_PFX_ES):
118 idx = INAT_SEG_REG_ES;
119 num_overrides++;
120 break;
121 case INAT_MAKE_PREFIX(INAT_PFX_FS):
122 idx = INAT_SEG_REG_FS;
123 num_overrides++;
124 break;
125 case INAT_MAKE_PREFIX(INAT_PFX_GS):
126 idx = INAT_SEG_REG_GS;
127 num_overrides++;
128 break;
129 /* No default action needed. */
130 }
131 }
132
133 /* More than one segment override prefix leads to undefined behavior. */
134 if (num_overrides > 1)
135 return -EINVAL;
136
137 return idx;
138 }
139
140 /**
141 * check_seg_overrides() - check if segment override prefixes are allowed
142 * @insn: Valid instruction with segment override prefixes
143 * @regoff: Operand offset, in pt_regs, for which the check is performed
144 *
145 * For a particular register used in register-indirect addressing, determine if
146 * segment override prefixes can be used. Specifically, no overrides are allowed
147 * for rDI if used with a string instruction.
148 *
149 * Returns:
150 *
151 * True if segment override prefixes can be used with the register indicated
152 * in @regoff. False if otherwise.
153 */
check_seg_overrides(struct insn * insn,int regoff)154 static bool check_seg_overrides(struct insn *insn, int regoff)
155 {
156 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
157 return false;
158
159 return true;
160 }
161
162 /**
163 * resolve_default_seg() - resolve default segment register index for an operand
164 * @insn: Instruction with opcode and address size. Must be valid.
165 * @regs: Register values as seen when entering kernel mode
166 * @off: Operand offset, in pt_regs, for which resolution is needed
167 *
168 * Resolve the default segment register index associated with the instruction
169 * operand register indicated by @off. Such index is resolved based on defaults
170 * described in the Intel Software Development Manual.
171 *
172 * Returns:
173 *
174 * If in protected mode, a constant identifying the segment register to use,
175 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
176 *
177 * -EINVAL in case of error.
178 */
resolve_default_seg(struct insn * insn,struct pt_regs * regs,int off)179 static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
180 {
181 if (any_64bit_mode(regs))
182 return INAT_SEG_REG_IGNORE;
183 /*
184 * Resolve the default segment register as described in Section 3.7.4
185 * of the Intel Software Development Manual Vol. 1:
186 *
187 * + DS for all references involving r[ABCD]X, and rSI.
188 * + If used in a string instruction, ES for rDI. Otherwise, DS.
189 * + AX, CX and DX are not valid register operands in 16-bit address
190 * encodings but are valid for 32-bit and 64-bit encodings.
191 * + -EDOM is reserved to identify for cases in which no register
192 * is used (i.e., displacement-only addressing). Use DS.
193 * + SS for rSP or rBP.
194 * + CS for rIP.
195 */
196
197 switch (off) {
198 case offsetof(struct pt_regs, ax):
199 case offsetof(struct pt_regs, cx):
200 case offsetof(struct pt_regs, dx):
201 /* Need insn to verify address size. */
202 if (insn->addr_bytes == 2)
203 return -EINVAL;
204
205 fallthrough;
206
207 case -EDOM:
208 case offsetof(struct pt_regs, bx):
209 case offsetof(struct pt_regs, si):
210 return INAT_SEG_REG_DS;
211
212 case offsetof(struct pt_regs, di):
213 if (is_string_insn(insn))
214 return INAT_SEG_REG_ES;
215 return INAT_SEG_REG_DS;
216
217 case offsetof(struct pt_regs, bp):
218 case offsetof(struct pt_regs, sp):
219 return INAT_SEG_REG_SS;
220
221 case offsetof(struct pt_regs, ip):
222 return INAT_SEG_REG_CS;
223
224 default:
225 return -EINVAL;
226 }
227 }
228
229 /**
230 * resolve_seg_reg() - obtain segment register index
231 * @insn: Instruction with operands
232 * @regs: Register values as seen when entering kernel mode
233 * @regoff: Operand offset, in pt_regs, used to determine segment register
234 *
235 * Determine the segment register associated with the operands and, if
236 * applicable, prefixes and the instruction pointed by @insn.
237 *
238 * The segment register associated to an operand used in register-indirect
239 * addressing depends on:
240 *
241 * a) Whether running in long mode (in such a case segments are ignored, except
242 * if FS or GS are used).
243 *
244 * b) Whether segment override prefixes can be used. Certain instructions and
245 * registers do not allow override prefixes.
246 *
247 * c) Whether segment overrides prefixes are found in the instruction prefixes.
248 *
249 * d) If there are not segment override prefixes or they cannot be used, the
250 * default segment register associated with the operand register is used.
251 *
252 * The function checks first if segment override prefixes can be used with the
253 * operand indicated by @regoff. If allowed, obtain such overridden segment
254 * register index. Lastly, if not prefixes were found or cannot be used, resolve
255 * the segment register index to use based on the defaults described in the
256 * Intel documentation. In long mode, all segment register indexes will be
257 * ignored, except if overrides were found for FS or GS. All these operations
258 * are done using helper functions.
259 *
260 * The operand register, @regoff, is represented as the offset from the base of
261 * pt_regs.
262 *
263 * As stated, the main use of this function is to determine the segment register
264 * index based on the instruction, its operands and prefixes. Hence, @insn
265 * must be valid. However, if @regoff indicates rIP, we don't need to inspect
266 * @insn at all as in this case CS is used in all cases. This case is checked
267 * before proceeding further.
268 *
269 * Please note that this function does not return the value in the segment
270 * register (i.e., the segment selector) but our defined index. The segment
271 * selector needs to be obtained using get_segment_selector() and passing the
272 * segment register index resolved by this function.
273 *
274 * Returns:
275 *
276 * An index identifying the segment register to use, among CS, SS, DS,
277 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
278 *
279 * -EINVAL in case of error.
280 */
resolve_seg_reg(struct insn * insn,struct pt_regs * regs,int regoff)281 static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
282 {
283 int idx;
284
285 /*
286 * In the unlikely event of having to resolve the segment register
287 * index for rIP, do it first. Segment override prefixes should not
288 * be used. Hence, it is not necessary to inspect the instruction,
289 * which may be invalid at this point.
290 */
291 if (regoff == offsetof(struct pt_regs, ip)) {
292 if (any_64bit_mode(regs))
293 return INAT_SEG_REG_IGNORE;
294 else
295 return INAT_SEG_REG_CS;
296 }
297
298 if (!insn)
299 return -EINVAL;
300
301 if (!check_seg_overrides(insn, regoff))
302 return resolve_default_seg(insn, regs, regoff);
303
304 idx = get_seg_reg_override_idx(insn);
305 if (idx < 0)
306 return idx;
307
308 if (idx == INAT_SEG_REG_DEFAULT)
309 return resolve_default_seg(insn, regs, regoff);
310
311 /*
312 * In long mode, segment override prefixes are ignored, except for
313 * overrides for FS and GS.
314 */
315 if (any_64bit_mode(regs)) {
316 if (idx != INAT_SEG_REG_FS &&
317 idx != INAT_SEG_REG_GS)
318 idx = INAT_SEG_REG_IGNORE;
319 }
320
321 return idx;
322 }
323
324 /**
325 * get_segment_selector() - obtain segment selector
326 * @regs: Register values as seen when entering kernel mode
327 * @seg_reg_idx: Segment register index to use
328 *
329 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
330 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
331 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
332 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
333 * registers. This done for only for completeness as in CONFIG_X86_64 segment
334 * registers are ignored.
335 *
336 * Returns:
337 *
338 * Value of the segment selector, including null when running in
339 * long mode.
340 *
341 * -EINVAL on error.
342 */
get_segment_selector(struct pt_regs * regs,int seg_reg_idx)343 static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
344 {
345 unsigned short sel;
346
347 #ifdef CONFIG_X86_64
348 switch (seg_reg_idx) {
349 case INAT_SEG_REG_IGNORE:
350 return 0;
351 case INAT_SEG_REG_CS:
352 return (unsigned short)(regs->cs & 0xffff);
353 case INAT_SEG_REG_SS:
354 return (unsigned short)(regs->ss & 0xffff);
355 case INAT_SEG_REG_DS:
356 savesegment(ds, sel);
357 return sel;
358 case INAT_SEG_REG_ES:
359 savesegment(es, sel);
360 return sel;
361 case INAT_SEG_REG_FS:
362 savesegment(fs, sel);
363 return sel;
364 case INAT_SEG_REG_GS:
365 savesegment(gs, sel);
366 return sel;
367 default:
368 return -EINVAL;
369 }
370 #else /* CONFIG_X86_32 */
371 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
372
373 if (v8086_mode(regs)) {
374 switch (seg_reg_idx) {
375 case INAT_SEG_REG_CS:
376 return (unsigned short)(regs->cs & 0xffff);
377 case INAT_SEG_REG_SS:
378 return (unsigned short)(regs->ss & 0xffff);
379 case INAT_SEG_REG_DS:
380 return vm86regs->ds;
381 case INAT_SEG_REG_ES:
382 return vm86regs->es;
383 case INAT_SEG_REG_FS:
384 return vm86regs->fs;
385 case INAT_SEG_REG_GS:
386 return vm86regs->gs;
387 case INAT_SEG_REG_IGNORE:
388 default:
389 return -EINVAL;
390 }
391 }
392
393 switch (seg_reg_idx) {
394 case INAT_SEG_REG_CS:
395 return (unsigned short)(regs->cs & 0xffff);
396 case INAT_SEG_REG_SS:
397 return (unsigned short)(regs->ss & 0xffff);
398 case INAT_SEG_REG_DS:
399 return (unsigned short)(regs->ds & 0xffff);
400 case INAT_SEG_REG_ES:
401 return (unsigned short)(regs->es & 0xffff);
402 case INAT_SEG_REG_FS:
403 return (unsigned short)(regs->fs & 0xffff);
404 case INAT_SEG_REG_GS:
405 savesegment(gs, sel);
406 return sel;
407 case INAT_SEG_REG_IGNORE:
408 default:
409 return -EINVAL;
410 }
411 #endif /* CONFIG_X86_64 */
412 }
413
414 static const int pt_regoff[] = {
415 offsetof(struct pt_regs, ax),
416 offsetof(struct pt_regs, cx),
417 offsetof(struct pt_regs, dx),
418 offsetof(struct pt_regs, bx),
419 offsetof(struct pt_regs, sp),
420 offsetof(struct pt_regs, bp),
421 offsetof(struct pt_regs, si),
422 offsetof(struct pt_regs, di),
423 #ifdef CONFIG_X86_64
424 offsetof(struct pt_regs, r8),
425 offsetof(struct pt_regs, r9),
426 offsetof(struct pt_regs, r10),
427 offsetof(struct pt_regs, r11),
428 offsetof(struct pt_regs, r12),
429 offsetof(struct pt_regs, r13),
430 offsetof(struct pt_regs, r14),
431 offsetof(struct pt_regs, r15),
432 #else
433 offsetof(struct pt_regs, ds),
434 offsetof(struct pt_regs, es),
435 offsetof(struct pt_regs, fs),
436 offsetof(struct pt_regs, gs),
437 #endif
438 };
439
pt_regs_offset(struct pt_regs * regs,int regno)440 int pt_regs_offset(struct pt_regs *regs, int regno)
441 {
442 if ((unsigned)regno < ARRAY_SIZE(pt_regoff))
443 return pt_regoff[regno];
444 return -EDOM;
445 }
446
get_regno(struct insn * insn,enum reg_type type)447 static int get_regno(struct insn *insn, enum reg_type type)
448 {
449 int nr_registers = ARRAY_SIZE(pt_regoff);
450 int regno = 0;
451
452 /*
453 * Don't possibly decode a 32-bit instructions as
454 * reading a 64-bit-only register.
455 */
456 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
457 nr_registers -= 8;
458
459 switch (type) {
460 case REG_TYPE_RM:
461 regno = X86_MODRM_RM(insn->modrm.value);
462
463 /*
464 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
465 * follows the ModRM byte.
466 */
467 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
468 return -EDOM;
469
470 if (X86_REX_B(insn->rex_prefix.value))
471 regno += 8;
472 break;
473
474 case REG_TYPE_REG:
475 regno = X86_MODRM_REG(insn->modrm.value);
476
477 if (X86_REX_R(insn->rex_prefix.value))
478 regno += 8;
479 break;
480
481 case REG_TYPE_INDEX:
482 regno = X86_SIB_INDEX(insn->sib.value);
483 if (X86_REX_X(insn->rex_prefix.value))
484 regno += 8;
485
486 /*
487 * If ModRM.mod != 3 and SIB.index = 4 the scale*index
488 * portion of the address computation is null. This is
489 * true only if REX.X is 0. In such a case, the SIB index
490 * is used in the address computation.
491 */
492 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
493 return -EDOM;
494 break;
495
496 case REG_TYPE_BASE:
497 regno = X86_SIB_BASE(insn->sib.value);
498 /*
499 * If ModRM.mod is 0 and SIB.base == 5, the base of the
500 * register-indirect addressing is 0. In this case, a
501 * 32-bit displacement follows the SIB byte.
502 */
503 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
504 return -EDOM;
505
506 if (X86_REX_B(insn->rex_prefix.value))
507 regno += 8;
508 break;
509
510 default:
511 pr_err_ratelimited("invalid register type: %d\n", type);
512 return -EINVAL;
513 }
514
515 if (regno >= nr_registers) {
516 WARN_ONCE(1, "decoded an instruction with an invalid register");
517 return -EINVAL;
518 }
519 return regno;
520 }
521
get_reg_offset(struct insn * insn,struct pt_regs * regs,enum reg_type type)522 static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
523 enum reg_type type)
524 {
525 int regno = get_regno(insn, type);
526
527 if (regno < 0)
528 return regno;
529
530 return pt_regs_offset(regs, regno);
531 }
532
533 /**
534 * get_reg_offset_16() - Obtain offset of register indicated by instruction
535 * @insn: Instruction containing ModRM byte
536 * @regs: Register values as seen when entering kernel mode
537 * @offs1: Offset of the first operand register
538 * @offs2: Offset of the second operand register, if applicable
539 *
540 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
541 * in @insn. This function is to be used with 16-bit address encodings. The
542 * @offs1 and @offs2 will be written with the offset of the two registers
543 * indicated by the instruction. In cases where any of the registers is not
544 * referenced by the instruction, the value will be set to -EDOM.
545 *
546 * Returns:
547 *
548 * 0 on success, -EINVAL on error.
549 */
get_reg_offset_16(struct insn * insn,struct pt_regs * regs,int * offs1,int * offs2)550 static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
551 int *offs1, int *offs2)
552 {
553 /*
554 * 16-bit addressing can use one or two registers. Specifics of
555 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
556 * ModR/M Byte" of the Intel Software Development Manual.
557 */
558 static const int regoff1[] = {
559 offsetof(struct pt_regs, bx),
560 offsetof(struct pt_regs, bx),
561 offsetof(struct pt_regs, bp),
562 offsetof(struct pt_regs, bp),
563 offsetof(struct pt_regs, si),
564 offsetof(struct pt_regs, di),
565 offsetof(struct pt_regs, bp),
566 offsetof(struct pt_regs, bx),
567 };
568
569 static const int regoff2[] = {
570 offsetof(struct pt_regs, si),
571 offsetof(struct pt_regs, di),
572 offsetof(struct pt_regs, si),
573 offsetof(struct pt_regs, di),
574 -EDOM,
575 -EDOM,
576 -EDOM,
577 -EDOM,
578 };
579
580 if (!offs1 || !offs2)
581 return -EINVAL;
582
583 /* Operand is a register, use the generic function. */
584 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
585 *offs1 = insn_get_modrm_rm_off(insn, regs);
586 *offs2 = -EDOM;
587 return 0;
588 }
589
590 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
591 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
592
593 /*
594 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
595 * only addressing. This means that no registers are involved in
596 * computing the effective address. Thus, ensure that the first
597 * register offset is invalid. The second register offset is already
598 * invalid under the aforementioned conditions.
599 */
600 if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
601 (X86_MODRM_RM(insn->modrm.value) == 6))
602 *offs1 = -EDOM;
603
604 return 0;
605 }
606
607 /**
608 * get_desc() - Obtain contents of a segment descriptor
609 * @out: Segment descriptor contents on success
610 * @sel: Segment selector
611 *
612 * Given a segment selector, obtain a pointer to the segment descriptor.
613 * Both global and local descriptor tables are supported.
614 *
615 * Returns:
616 *
617 * True on success, false on failure.
618 *
619 * NULL on error.
620 */
get_desc(struct desc_struct * out,unsigned short sel)621 static bool get_desc(struct desc_struct *out, unsigned short sel)
622 {
623 struct desc_ptr gdt_desc = {0, 0};
624 unsigned long desc_base;
625
626 #ifdef CONFIG_MODIFY_LDT_SYSCALL
627 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
628 bool success = false;
629 struct ldt_struct *ldt;
630
631 /* Bits [15:3] contain the index of the desired entry. */
632 sel >>= 3;
633
634 /*
635 * If we're not in a valid context with a real (not just lazy)
636 * user mm, then don't even try.
637 */
638 if (!nmi_uaccess_okay())
639 return false;
640
641 mutex_lock(¤t->mm->context.lock);
642 ldt = current->mm->context.ldt;
643 if (ldt && sel < ldt->nr_entries) {
644 *out = ldt->entries[sel];
645 success = true;
646 }
647
648 mutex_unlock(¤t->mm->context.lock);
649
650 return success;
651 }
652 #endif
653 native_store_gdt(&gdt_desc);
654
655 /*
656 * Segment descriptors have a size of 8 bytes. Thus, the index is
657 * multiplied by 8 to obtain the memory offset of the desired descriptor
658 * from the base of the GDT. As bits [15:3] of the segment selector
659 * contain the index, it can be regarded as multiplied by 8 already.
660 * All that remains is to clear bits [2:0].
661 */
662 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
663
664 if (desc_base > gdt_desc.size)
665 return false;
666
667 *out = *(struct desc_struct *)(gdt_desc.address + desc_base);
668 return true;
669 }
670
671 /**
672 * insn_get_seg_base() - Obtain base address of segment descriptor.
673 * @regs: Register values as seen when entering kernel mode
674 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
675 *
676 * Obtain the base address of the segment as indicated by the segment descriptor
677 * pointed by the segment selector. The segment selector is obtained from the
678 * input segment register index @seg_reg_idx.
679 *
680 * Returns:
681 *
682 * In protected mode, base address of the segment. Zero in long mode,
683 * except when FS or GS are used. In virtual-8086 mode, the segment
684 * selector shifted 4 bits to the right.
685 *
686 * -1L in case of error.
687 */
insn_get_seg_base(struct pt_regs * regs,int seg_reg_idx)688 unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
689 {
690 struct desc_struct desc;
691 short sel;
692
693 sel = get_segment_selector(regs, seg_reg_idx);
694 if (sel < 0)
695 return -1L;
696
697 if (v8086_mode(regs))
698 /*
699 * Base is simply the segment selector shifted 4
700 * bits to the right.
701 */
702 return (unsigned long)(sel << 4);
703
704 if (any_64bit_mode(regs)) {
705 /*
706 * Only FS or GS will have a base address, the rest of
707 * the segments' bases are forced to 0.
708 */
709 unsigned long base;
710
711 if (seg_reg_idx == INAT_SEG_REG_FS) {
712 rdmsrq(MSR_FS_BASE, base);
713 } else if (seg_reg_idx == INAT_SEG_REG_GS) {
714 /*
715 * swapgs was called at the kernel entry point. Thus,
716 * MSR_KERNEL_GS_BASE will have the user-space GS base.
717 */
718 if (user_mode(regs))
719 rdmsrq(MSR_KERNEL_GS_BASE, base);
720 else
721 rdmsrq(MSR_GS_BASE, base);
722 } else {
723 base = 0;
724 }
725 return base;
726 }
727
728 /* In protected mode the segment selector cannot be null. */
729 if (!sel)
730 return -1L;
731
732 if (!get_desc(&desc, sel))
733 return -1L;
734
735 return get_desc_base(&desc);
736 }
737
738 /**
739 * get_seg_limit() - Obtain the limit of a segment descriptor
740 * @regs: Register values as seen when entering kernel mode
741 * @seg_reg_idx: Index of the segment register pointing to seg descriptor
742 *
743 * Obtain the limit of the segment as indicated by the segment descriptor
744 * pointed by the segment selector. The segment selector is obtained from the
745 * input segment register index @seg_reg_idx.
746 *
747 * Returns:
748 *
749 * In protected mode, the limit of the segment descriptor in bytes.
750 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
751 * limit is returned as -1L to imply a limit-less segment.
752 *
753 * Zero is returned on error.
754 */
get_seg_limit(struct pt_regs * regs,int seg_reg_idx)755 static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
756 {
757 struct desc_struct desc;
758 unsigned long limit;
759 short sel;
760
761 sel = get_segment_selector(regs, seg_reg_idx);
762 if (sel < 0)
763 return 0;
764
765 if (any_64bit_mode(regs) || v8086_mode(regs))
766 return -1L;
767
768 if (!sel)
769 return 0;
770
771 if (!get_desc(&desc, sel))
772 return 0;
773
774 /*
775 * If the granularity bit is set, the limit is given in multiples
776 * of 4096. This also means that the 12 least significant bits are
777 * not tested when checking the segment limits. In practice,
778 * this means that the segment ends in (limit << 12) + 0xfff.
779 */
780 limit = get_desc_limit(&desc);
781 if (desc.g)
782 limit = (limit << 12) + 0xfff;
783
784 return limit;
785 }
786
787 /**
788 * insn_get_code_seg_params() - Obtain code segment parameters
789 * @regs: Structure with register values as seen when entering kernel mode
790 *
791 * Obtain address and operand sizes of the code segment. It is obtained from the
792 * selector contained in the CS register in regs. In protected mode, the default
793 * address is determined by inspecting the L and D bits of the segment
794 * descriptor. In virtual-8086 mode, the default is always two bytes for both
795 * address and operand sizes.
796 *
797 * Returns:
798 *
799 * An int containing ORed-in default parameters on success.
800 *
801 * -EINVAL on error.
802 */
insn_get_code_seg_params(struct pt_regs * regs)803 int insn_get_code_seg_params(struct pt_regs *regs)
804 {
805 struct desc_struct desc;
806 short sel;
807
808 if (v8086_mode(regs))
809 /* Address and operand size are both 16-bit. */
810 return INSN_CODE_SEG_PARAMS(2, 2);
811
812 sel = get_segment_selector(regs, INAT_SEG_REG_CS);
813 if (sel < 0)
814 return sel;
815
816 if (!get_desc(&desc, sel))
817 return -EINVAL;
818
819 /*
820 * The most significant byte of the Type field of the segment descriptor
821 * determines whether a segment contains data or code. If this is a data
822 * segment, return error.
823 */
824 if (!(desc.type & BIT(3)))
825 return -EINVAL;
826
827 switch ((desc.l << 1) | desc.d) {
828 case 0: /*
829 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
830 * both 16-bit.
831 */
832 return INSN_CODE_SEG_PARAMS(2, 2);
833 case 1: /*
834 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
835 * both 32-bit.
836 */
837 return INSN_CODE_SEG_PARAMS(4, 4);
838 case 2: /*
839 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
840 * operand size is 32-bit.
841 */
842 return INSN_CODE_SEG_PARAMS(4, 8);
843 case 3: /* Invalid setting. CS.L=1, CS.D=1 */
844 fallthrough;
845 default:
846 return -EINVAL;
847 }
848 }
849
850 /**
851 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
852 * @insn: Instruction containing the ModRM byte
853 * @regs: Register values as seen when entering kernel mode
854 *
855 * Returns:
856 *
857 * The register indicated by the r/m part of the ModRM byte. The
858 * register is obtained as an offset from the base of pt_regs. In specific
859 * cases, the returned value can be -EDOM to indicate that the particular value
860 * of ModRM does not refer to a register and shall be ignored.
861 */
insn_get_modrm_rm_off(struct insn * insn,struct pt_regs * regs)862 int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
863 {
864 return get_reg_offset(insn, regs, REG_TYPE_RM);
865 }
866
867 /**
868 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte
869 * @insn: Instruction containing the ModRM byte
870 * @regs: Register values as seen when entering kernel mode
871 *
872 * Returns:
873 *
874 * The register indicated by the reg part of the ModRM byte. The
875 * register is obtained as an offset from the base of pt_regs.
876 */
insn_get_modrm_reg_off(struct insn * insn,struct pt_regs * regs)877 int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)
878 {
879 return get_reg_offset(insn, regs, REG_TYPE_REG);
880 }
881
882 /**
883 * insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte
884 * @insn: Instruction containing the ModRM byte
885 * @regs: Register values as seen when entering kernel mode
886 *
887 * Returns:
888 *
889 * The register indicated by the reg part of the ModRM byte.
890 * The register is obtained as a pointer within pt_regs.
891 */
insn_get_modrm_reg_ptr(struct insn * insn,struct pt_regs * regs)892 unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs)
893 {
894 int offset;
895
896 offset = insn_get_modrm_reg_off(insn, regs);
897 if (offset < 0)
898 return NULL;
899 return (void *)regs + offset;
900 }
901
902 /**
903 * get_seg_base_limit() - obtain base address and limit of a segment
904 * @insn: Instruction. Must be valid.
905 * @regs: Register values as seen when entering kernel mode
906 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
907 * @base: Obtained segment base
908 * @limit: Obtained segment limit
909 *
910 * Obtain the base address and limit of the segment associated with the operand
911 * @regoff and, if any or allowed, override prefixes in @insn. This function is
912 * different from insn_get_seg_base() as the latter does not resolve the segment
913 * associated with the instruction operand. If a limit is not needed (e.g.,
914 * when running in long mode), @limit can be NULL.
915 *
916 * Returns:
917 *
918 * 0 on success. @base and @limit will contain the base address and of the
919 * resolved segment, respectively.
920 *
921 * -EINVAL on error.
922 */
get_seg_base_limit(struct insn * insn,struct pt_regs * regs,int regoff,unsigned long * base,unsigned long * limit)923 static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
924 int regoff, unsigned long *base,
925 unsigned long *limit)
926 {
927 int seg_reg_idx;
928
929 if (!base)
930 return -EINVAL;
931
932 seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
933 if (seg_reg_idx < 0)
934 return seg_reg_idx;
935
936 *base = insn_get_seg_base(regs, seg_reg_idx);
937 if (*base == -1L)
938 return -EINVAL;
939
940 if (!limit)
941 return 0;
942
943 *limit = get_seg_limit(regs, seg_reg_idx);
944 if (!(*limit))
945 return -EINVAL;
946
947 return 0;
948 }
949
950 /**
951 * get_eff_addr_reg() - Obtain effective address from register operand
952 * @insn: Instruction. Must be valid.
953 * @regs: Register values as seen when entering kernel mode
954 * @regoff: Obtained operand offset, in pt_regs, with the effective address
955 * @eff_addr: Obtained effective address
956 *
957 * Obtain the effective address stored in the register operand as indicated by
958 * the ModRM byte. This function is to be used only with register addressing
959 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
960 * register operand, as an offset from the base of pt_regs, is saved in @regoff;
961 * such offset can then be used to resolve the segment associated with the
962 * operand. This function can be used with any of the supported address sizes
963 * in x86.
964 *
965 * Returns:
966 *
967 * 0 on success. @eff_addr will have the effective address stored in the
968 * operand indicated by ModRM. @regoff will have such operand as an offset from
969 * the base of pt_regs.
970 *
971 * -EINVAL on error.
972 */
get_eff_addr_reg(struct insn * insn,struct pt_regs * regs,int * regoff,long * eff_addr)973 static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
974 int *regoff, long *eff_addr)
975 {
976 int ret;
977
978 ret = insn_get_modrm(insn);
979 if (ret)
980 return ret;
981
982 if (X86_MODRM_MOD(insn->modrm.value) != 3)
983 return -EINVAL;
984
985 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
986 if (*regoff < 0)
987 return -EINVAL;
988
989 /* Ignore bytes that are outside the address size. */
990 if (insn->addr_bytes == 2)
991 *eff_addr = regs_get_register(regs, *regoff) & 0xffff;
992 else if (insn->addr_bytes == 4)
993 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
994 else /* 64-bit address */
995 *eff_addr = regs_get_register(regs, *regoff);
996
997 return 0;
998 }
999
1000 /**
1001 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
1002 * @insn: Instruction. Must be valid.
1003 * @regs: Register values as seen when entering kernel mode
1004 * @regoff: Obtained operand offset, in pt_regs, associated with segment
1005 * @eff_addr: Obtained effective address
1006 *
1007 * Obtain the effective address referenced by the ModRM byte of @insn. After
1008 * identifying the registers involved in the register-indirect memory reference,
1009 * its value is obtained from the operands in @regs. The computed address is
1010 * stored @eff_addr. Also, the register operand that indicates the associated
1011 * segment is stored in @regoff, this parameter can later be used to determine
1012 * such segment.
1013 *
1014 * Returns:
1015 *
1016 * 0 on success. @eff_addr will have the referenced effective address. @regoff
1017 * will have a register, as an offset from the base of pt_regs, that can be used
1018 * to resolve the associated segment.
1019 *
1020 * -EINVAL on error.
1021 */
get_eff_addr_modrm(struct insn * insn,struct pt_regs * regs,int * regoff,long * eff_addr)1022 static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
1023 int *regoff, long *eff_addr)
1024 {
1025 long tmp;
1026 int ret;
1027
1028 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1029 return -EINVAL;
1030
1031 ret = insn_get_modrm(insn);
1032 if (ret)
1033 return ret;
1034
1035 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1036 return -EINVAL;
1037
1038 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
1039
1040 /*
1041 * -EDOM means that we must ignore the address_offset. In such a case,
1042 * in 64-bit mode the effective address relative to the rIP of the
1043 * following instruction.
1044 */
1045 if (*regoff == -EDOM) {
1046 if (any_64bit_mode(regs))
1047 tmp = regs->ip + insn->length;
1048 else
1049 tmp = 0;
1050 } else if (*regoff < 0) {
1051 return -EINVAL;
1052 } else {
1053 tmp = regs_get_register(regs, *regoff);
1054 }
1055
1056 if (insn->addr_bytes == 4) {
1057 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
1058
1059 *eff_addr = addr32 & 0xffffffff;
1060 } else {
1061 *eff_addr = tmp + insn->displacement.value;
1062 }
1063
1064 return 0;
1065 }
1066
1067 /**
1068 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
1069 * @insn: Instruction. Must be valid.
1070 * @regs: Register values as seen when entering kernel mode
1071 * @regoff: Obtained operand offset, in pt_regs, associated with segment
1072 * @eff_addr: Obtained effective address
1073 *
1074 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
1075 * After identifying the registers involved in the register-indirect memory
1076 * reference, its value is obtained from the operands in @regs. The computed
1077 * address is stored @eff_addr. Also, the register operand that indicates
1078 * the associated segment is stored in @regoff, this parameter can later be used
1079 * to determine such segment.
1080 *
1081 * Returns:
1082 *
1083 * 0 on success. @eff_addr will have the referenced effective address. @regoff
1084 * will have a register, as an offset from the base of pt_regs, that can be used
1085 * to resolve the associated segment.
1086 *
1087 * -EINVAL on error.
1088 */
get_eff_addr_modrm_16(struct insn * insn,struct pt_regs * regs,int * regoff,short * eff_addr)1089 static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
1090 int *regoff, short *eff_addr)
1091 {
1092 int addr_offset1, addr_offset2, ret;
1093 short addr1 = 0, addr2 = 0, displacement;
1094
1095 if (insn->addr_bytes != 2)
1096 return -EINVAL;
1097
1098 insn_get_modrm(insn);
1099
1100 if (!insn->modrm.nbytes)
1101 return -EINVAL;
1102
1103 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1104 return -EINVAL;
1105
1106 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
1107 if (ret < 0)
1108 return -EINVAL;
1109
1110 /*
1111 * Don't fail on invalid offset values. They might be invalid because
1112 * they cannot be used for this particular value of ModRM. Instead, use
1113 * them in the computation only if they contain a valid value.
1114 */
1115 if (addr_offset1 != -EDOM)
1116 addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
1117
1118 if (addr_offset2 != -EDOM)
1119 addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
1120
1121 displacement = insn->displacement.value & 0xffff;
1122 *eff_addr = addr1 + addr2 + displacement;
1123
1124 /*
1125 * The first operand register could indicate to use of either SS or DS
1126 * registers to obtain the segment selector. The second operand
1127 * register can only indicate the use of DS. Thus, the first operand
1128 * will be used to obtain the segment selector.
1129 */
1130 *regoff = addr_offset1;
1131
1132 return 0;
1133 }
1134
1135 /**
1136 * get_eff_addr_sib() - Obtain referenced effective address via SIB
1137 * @insn: Instruction. Must be valid.
1138 * @regs: Register values as seen when entering kernel mode
1139 * @base_offset: Obtained operand offset, in pt_regs, associated with segment
1140 * @eff_addr: Obtained effective address
1141 *
1142 * Obtain the effective address referenced by the SIB byte of @insn. After
1143 * identifying the registers involved in the indexed, register-indirect memory
1144 * reference, its value is obtained from the operands in @regs. The computed
1145 * address is stored @eff_addr. Also, the register operand that indicates the
1146 * associated segment is stored in @base_offset; this parameter can later be
1147 * used to determine such segment.
1148 *
1149 * Returns:
1150 *
1151 * 0 on success. @eff_addr will have the referenced effective address.
1152 * @base_offset will have a register, as an offset from the base of pt_regs,
1153 * that can be used to resolve the associated segment.
1154 *
1155 * Negative value on error.
1156 */
get_eff_addr_sib(struct insn * insn,struct pt_regs * regs,int * base_offset,long * eff_addr)1157 static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1158 int *base_offset, long *eff_addr)
1159 {
1160 long base, indx;
1161 int indx_offset;
1162 int ret;
1163
1164 if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1165 return -EINVAL;
1166
1167 ret = insn_get_modrm(insn);
1168 if (ret)
1169 return ret;
1170
1171 if (!insn->modrm.nbytes)
1172 return -EINVAL;
1173
1174 if (X86_MODRM_MOD(insn->modrm.value) > 2)
1175 return -EINVAL;
1176
1177 ret = insn_get_sib(insn);
1178 if (ret)
1179 return ret;
1180
1181 if (!insn->sib.nbytes)
1182 return -EINVAL;
1183
1184 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
1185 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
1186
1187 /*
1188 * Negative values in the base and index offset means an error when
1189 * decoding the SIB byte. Except -EDOM, which means that the registers
1190 * should not be used in the address computation.
1191 */
1192 if (*base_offset == -EDOM)
1193 base = 0;
1194 else if (*base_offset < 0)
1195 return -EINVAL;
1196 else
1197 base = regs_get_register(regs, *base_offset);
1198
1199 if (indx_offset == -EDOM)
1200 indx = 0;
1201 else if (indx_offset < 0)
1202 return -EINVAL;
1203 else
1204 indx = regs_get_register(regs, indx_offset);
1205
1206 if (insn->addr_bytes == 4) {
1207 int addr32, base32, idx32;
1208
1209 base32 = base & 0xffffffff;
1210 idx32 = indx & 0xffffffff;
1211
1212 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1213 addr32 += insn->displacement.value;
1214
1215 *eff_addr = addr32 & 0xffffffff;
1216 } else {
1217 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1218 *eff_addr += insn->displacement.value;
1219 }
1220
1221 return 0;
1222 }
1223
1224 /**
1225 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1226 * @insn: Instruction containing ModRM byte and displacement
1227 * @regs: Register values as seen when entering kernel mode
1228 *
1229 * This function is to be used with 16-bit address encodings. Obtain the memory
1230 * address referred by the instruction's ModRM and displacement bytes. Also, the
1231 * segment used as base is determined by either any segment override prefixes in
1232 * @insn or the default segment of the registers involved in the address
1233 * computation. In protected mode, segment limits are enforced.
1234 *
1235 * Returns:
1236 *
1237 * Linear address referenced by the instruction operands on success.
1238 *
1239 * -1L on error.
1240 */
get_addr_ref_16(struct insn * insn,struct pt_regs * regs)1241 static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1242 {
1243 unsigned long linear_addr = -1L, seg_base, seg_limit;
1244 int ret, regoff;
1245 short eff_addr;
1246 long tmp;
1247
1248 if (insn_get_displacement(insn))
1249 goto out;
1250
1251 if (insn->addr_bytes != 2)
1252 goto out;
1253
1254 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1255 ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1256 if (ret)
1257 goto out;
1258
1259 eff_addr = tmp;
1260 } else {
1261 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr);
1262 if (ret)
1263 goto out;
1264 }
1265
1266 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1267 if (ret)
1268 goto out;
1269
1270 /*
1271 * Before computing the linear address, make sure the effective address
1272 * is within the limits of the segment. In virtual-8086 mode, segment
1273 * limits are not enforced. In such a case, the segment limit is -1L to
1274 * reflect this fact.
1275 */
1276 if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1277 goto out;
1278
1279 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1280
1281 /* Limit linear address to 20 bits */
1282 if (v8086_mode(regs))
1283 linear_addr &= 0xfffff;
1284
1285 out:
1286 return (void __user *)linear_addr;
1287 }
1288
1289 /**
1290 * get_addr_ref_32() - Obtain a 32-bit linear address
1291 * @insn: Instruction with ModRM, SIB bytes and displacement
1292 * @regs: Register values as seen when entering kernel mode
1293 *
1294 * This function is to be used with 32-bit address encodings to obtain the
1295 * linear memory address referred by the instruction's ModRM, SIB,
1296 * displacement bytes and segment base address, as applicable. If in protected
1297 * mode, segment limits are enforced.
1298 *
1299 * Returns:
1300 *
1301 * Linear address referenced by instruction and registers on success.
1302 *
1303 * -1L on error.
1304 */
get_addr_ref_32(struct insn * insn,struct pt_regs * regs)1305 static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1306 {
1307 unsigned long linear_addr = -1L, seg_base, seg_limit;
1308 int eff_addr, regoff;
1309 long tmp;
1310 int ret;
1311
1312 if (insn->addr_bytes != 4)
1313 goto out;
1314
1315 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1316 ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1317 if (ret)
1318 goto out;
1319
1320 eff_addr = tmp;
1321
1322 } else {
1323 if (insn->sib.nbytes) {
1324 ret = get_eff_addr_sib(insn, regs, ®off, &tmp);
1325 if (ret)
1326 goto out;
1327
1328 eff_addr = tmp;
1329 } else {
1330 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp);
1331 if (ret)
1332 goto out;
1333
1334 eff_addr = tmp;
1335 }
1336 }
1337
1338 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1339 if (ret)
1340 goto out;
1341
1342 /*
1343 * In protected mode, before computing the linear address, make sure
1344 * the effective address is within the limits of the segment.
1345 * 32-bit addresses can be used in long and virtual-8086 modes if an
1346 * address override prefix is used. In such cases, segment limits are
1347 * not enforced. When in virtual-8086 mode, the segment limit is -1L
1348 * to reflect this situation.
1349 *
1350 * After computed, the effective address is treated as an unsigned
1351 * quantity.
1352 */
1353 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
1354 goto out;
1355
1356 /*
1357 * Even though 32-bit address encodings are allowed in virtual-8086
1358 * mode, the address range is still limited to [0x-0xffff].
1359 */
1360 if (v8086_mode(regs) && (eff_addr & ~0xffff))
1361 goto out;
1362
1363 /*
1364 * Data type long could be 64 bits in size. Ensure that our 32-bit
1365 * effective address is not sign-extended when computing the linear
1366 * address.
1367 */
1368 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1369
1370 /* Limit linear address to 20 bits */
1371 if (v8086_mode(regs))
1372 linear_addr &= 0xfffff;
1373
1374 out:
1375 return (void __user *)linear_addr;
1376 }
1377
1378 /**
1379 * get_addr_ref_64() - Obtain a 64-bit linear address
1380 * @insn: Instruction struct with ModRM and SIB bytes and displacement
1381 * @regs: Structure with register values as seen when entering kernel mode
1382 *
1383 * This function is to be used with 64-bit address encodings to obtain the
1384 * linear memory address referred by the instruction's ModRM, SIB,
1385 * displacement bytes and segment base address, as applicable.
1386 *
1387 * Returns:
1388 *
1389 * Linear address referenced by instruction and registers on success.
1390 *
1391 * -1L on error.
1392 */
1393 #ifndef CONFIG_X86_64
get_addr_ref_64(struct insn * insn,struct pt_regs * regs)1394 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1395 {
1396 return (void __user *)-1L;
1397 }
1398 #else
get_addr_ref_64(struct insn * insn,struct pt_regs * regs)1399 static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1400 {
1401 unsigned long linear_addr = -1L, seg_base;
1402 int regoff, ret;
1403 long eff_addr;
1404
1405 if (insn->addr_bytes != 8)
1406 goto out;
1407
1408 if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1409 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr);
1410 if (ret)
1411 goto out;
1412
1413 } else {
1414 if (insn->sib.nbytes) {
1415 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr);
1416 if (ret)
1417 goto out;
1418 } else {
1419 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr);
1420 if (ret)
1421 goto out;
1422 }
1423
1424 }
1425
1426 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
1427 if (ret)
1428 goto out;
1429
1430 linear_addr = (unsigned long)eff_addr + seg_base;
1431
1432 out:
1433 return (void __user *)linear_addr;
1434 }
1435 #endif /* CONFIG_X86_64 */
1436
1437 /**
1438 * insn_get_addr_ref() - Obtain the linear address referred by instruction
1439 * @insn: Instruction structure containing ModRM byte and displacement
1440 * @regs: Structure with register values as seen when entering kernel mode
1441 *
1442 * Obtain the linear address referred by the instruction's ModRM, SIB and
1443 * displacement bytes, and segment base, as applicable. In protected mode,
1444 * segment limits are enforced.
1445 *
1446 * Returns:
1447 *
1448 * Linear address referenced by instruction and registers on success.
1449 *
1450 * -1L on error.
1451 */
insn_get_addr_ref(struct insn * insn,struct pt_regs * regs)1452 void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1453 {
1454 if (!insn || !regs)
1455 return (void __user *)-1L;
1456
1457 if (insn_get_opcode(insn))
1458 return (void __user *)-1L;
1459
1460 switch (insn->addr_bytes) {
1461 case 2:
1462 return get_addr_ref_16(insn, regs);
1463 case 4:
1464 return get_addr_ref_32(insn, regs);
1465 case 8:
1466 return get_addr_ref_64(insn, regs);
1467 default:
1468 return (void __user *)-1L;
1469 }
1470 }
1471
insn_get_effective_ip(struct pt_regs * regs,unsigned long * ip)1472 int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)
1473 {
1474 unsigned long seg_base = 0;
1475
1476 /*
1477 * If not in user-space long mode, a custom code segment could be in
1478 * use. This is true in protected mode (if the process defined a local
1479 * descriptor table), or virtual-8086 mode. In most of the cases
1480 * seg_base will be zero as in USER_CS.
1481 */
1482 if (!user_64bit_mode(regs)) {
1483 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
1484 if (seg_base == -1L)
1485 return -EINVAL;
1486 }
1487
1488 *ip = seg_base + regs->ip;
1489
1490 return 0;
1491 }
1492
1493 /**
1494 * insn_fetch_from_user() - Copy instruction bytes from user-space memory
1495 * @regs: Structure with register values as seen when entering kernel mode
1496 * @buf: Array to store the fetched instruction
1497 *
1498 * Gets the linear address of the instruction and copies the instruction bytes
1499 * to the buf.
1500 *
1501 * Returns:
1502 *
1503 * - number of instruction bytes copied.
1504 * - 0 if nothing was copied.
1505 * - -EINVAL if the linear address of the instruction could not be calculated
1506 */
insn_fetch_from_user(struct pt_regs * regs,unsigned char buf[MAX_INSN_SIZE])1507 int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1508 {
1509 unsigned long ip;
1510 int not_copied;
1511
1512 if (insn_get_effective_ip(regs, &ip))
1513 return -EINVAL;
1514
1515 not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);
1516
1517 return MAX_INSN_SIZE - not_copied;
1518 }
1519
1520 /**
1521 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory
1522 * while in atomic code
1523 * @regs: Structure with register values as seen when entering kernel mode
1524 * @buf: Array to store the fetched instruction
1525 *
1526 * Gets the linear address of the instruction and copies the instruction bytes
1527 * to the buf. This function must be used in atomic context.
1528 *
1529 * Returns:
1530 *
1531 * - number of instruction bytes copied.
1532 * - 0 if nothing was copied.
1533 * - -EINVAL if the linear address of the instruction could not be calculated.
1534 */
insn_fetch_from_user_inatomic(struct pt_regs * regs,unsigned char buf[MAX_INSN_SIZE])1535 int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])
1536 {
1537 unsigned long ip;
1538 int not_copied;
1539
1540 if (insn_get_effective_ip(regs, &ip))
1541 return -EINVAL;
1542
1543 not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);
1544
1545 return MAX_INSN_SIZE - not_copied;
1546 }
1547
1548 /**
1549 * insn_decode_from_regs() - Decode an instruction
1550 * @insn: Structure to store decoded instruction
1551 * @regs: Structure with register values as seen when entering kernel mode
1552 * @buf: Buffer containing the instruction bytes
1553 * @buf_size: Number of instruction bytes available in buf
1554 *
1555 * Decodes the instruction provided in buf and stores the decoding results in
1556 * insn. Also determines the correct address and operand sizes.
1557 *
1558 * Returns:
1559 *
1560 * True if instruction was decoded, False otherwise.
1561 */
insn_decode_from_regs(struct insn * insn,struct pt_regs * regs,unsigned char buf[MAX_INSN_SIZE],int buf_size)1562 bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs,
1563 unsigned char buf[MAX_INSN_SIZE], int buf_size)
1564 {
1565 int seg_defs;
1566
1567 insn_init(insn, buf, buf_size, user_64bit_mode(regs));
1568
1569 /*
1570 * Override the default operand and address sizes with what is specified
1571 * in the code segment descriptor. The instruction decoder only sets
1572 * the address size it to either 4 or 8 address bytes and does nothing
1573 * for the operand bytes. This OK for most of the cases, but we could
1574 * have special cases where, for instance, a 16-bit code segment
1575 * descriptor is used.
1576 * If there is an address override prefix, the instruction decoder
1577 * correctly updates these values, even for 16-bit defaults.
1578 */
1579 seg_defs = insn_get_code_seg_params(regs);
1580 if (seg_defs == -EINVAL)
1581 return false;
1582
1583 insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
1584 insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
1585
1586 if (insn_get_length(insn))
1587 return false;
1588
1589 if (buf_size < insn->length)
1590 return false;
1591
1592 return true;
1593 }
1594
1595 /**
1596 * insn_decode_mmio() - Decode a MMIO instruction
1597 * @insn: Structure to store decoded instruction
1598 * @bytes: Returns size of memory operand
1599 *
1600 * Decodes instruction that used for Memory-mapped I/O.
1601 *
1602 * Returns:
1603 *
1604 * Type of the instruction. Size of the memory operand is stored in
1605 * @bytes. If decode failed, INSN_MMIO_DECODE_FAILED returned.
1606 */
insn_decode_mmio(struct insn * insn,int * bytes)1607 enum insn_mmio_type insn_decode_mmio(struct insn *insn, int *bytes)
1608 {
1609 enum insn_mmio_type type = INSN_MMIO_DECODE_FAILED;
1610
1611 *bytes = 0;
1612
1613 if (insn_get_opcode(insn))
1614 return INSN_MMIO_DECODE_FAILED;
1615
1616 switch (insn->opcode.bytes[0]) {
1617 case 0x88: /* MOV m8,r8 */
1618 *bytes = 1;
1619 fallthrough;
1620 case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */
1621 if (!*bytes)
1622 *bytes = insn->opnd_bytes;
1623 type = INSN_MMIO_WRITE;
1624 break;
1625
1626 case 0xc6: /* MOV m8, imm8 */
1627 *bytes = 1;
1628 fallthrough;
1629 case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */
1630 if (!*bytes)
1631 *bytes = insn->opnd_bytes;
1632 type = INSN_MMIO_WRITE_IMM;
1633 break;
1634
1635 case 0x8a: /* MOV r8, m8 */
1636 *bytes = 1;
1637 fallthrough;
1638 case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */
1639 if (!*bytes)
1640 *bytes = insn->opnd_bytes;
1641 type = INSN_MMIO_READ;
1642 break;
1643
1644 case 0xa4: /* MOVS m8, m8 */
1645 *bytes = 1;
1646 fallthrough;
1647 case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */
1648 if (!*bytes)
1649 *bytes = insn->opnd_bytes;
1650 type = INSN_MMIO_MOVS;
1651 break;
1652
1653 case 0x0f: /* Two-byte instruction */
1654 switch (insn->opcode.bytes[1]) {
1655 case 0xb6: /* MOVZX r16/r32/r64, m8 */
1656 *bytes = 1;
1657 fallthrough;
1658 case 0xb7: /* MOVZX r32/r64, m16 */
1659 if (!*bytes)
1660 *bytes = 2;
1661 type = INSN_MMIO_READ_ZERO_EXTEND;
1662 break;
1663
1664 case 0xbe: /* MOVSX r16/r32/r64, m8 */
1665 *bytes = 1;
1666 fallthrough;
1667 case 0xbf: /* MOVSX r32/r64, m16 */
1668 if (!*bytes)
1669 *bytes = 2;
1670 type = INSN_MMIO_READ_SIGN_EXTEND;
1671 break;
1672 }
1673 break;
1674 }
1675
1676 return type;
1677 }
1678
1679 /*
1680 * Recognise typical NOP patterns for both 32bit and 64bit.
1681 *
1682 * Notably:
1683 * - NOP, but not: REP NOP aka PAUSE
1684 * - NOPL
1685 * - MOV %reg, %reg
1686 * - LEA 0(%reg),%reg
1687 * - JMP +0
1688 *
1689 * Must not have false-positives; instructions identified as a NOP might be
1690 * emulated as a NOP (uprobe) or Run Length Encoded in a larger NOP
1691 * (alternatives).
1692 *
1693 * False-negatives are fine; need not be exhaustive.
1694 */
insn_is_nop(struct insn * insn)1695 bool insn_is_nop(struct insn *insn)
1696 {
1697 u8 b3 = 0, x3 = 0, r3 = 0;
1698 u8 b4 = 0, x4 = 0, r4 = 0, m = 0;
1699 u8 modrm, modrm_mod, modrm_reg, modrm_rm;
1700 u8 sib = 0, sib_scale, sib_index, sib_base;
1701 u8 nrex, rex;
1702 u8 p, rep = 0;
1703
1704 if ((nrex = insn->rex_prefix.nbytes)) {
1705 rex = insn->rex_prefix.bytes[nrex-1];
1706
1707 r3 = !!X86_REX_R(rex);
1708 x3 = !!X86_REX_X(rex);
1709 b3 = !!X86_REX_B(rex);
1710 if (nrex > 1) {
1711 r4 = !!X86_REX2_R(rex);
1712 x4 = !!X86_REX2_X(rex);
1713 b4 = !!X86_REX2_B(rex);
1714 m = !!X86_REX2_M(rex);
1715 }
1716
1717 } else if (insn->vex_prefix.nbytes) {
1718 /*
1719 * Ignore VEX encoded NOPs
1720 */
1721 return false;
1722 }
1723
1724 if (insn->modrm.nbytes) {
1725 modrm = insn->modrm.bytes[0];
1726 modrm_mod = X86_MODRM_MOD(modrm);
1727 modrm_reg = X86_MODRM_REG(modrm) + 8*r3 + 16*r4;
1728 modrm_rm = X86_MODRM_RM(modrm) + 8*b3 + 16*b4;
1729 modrm = 1;
1730 }
1731
1732 if (insn->sib.nbytes) {
1733 sib = insn->sib.bytes[0];
1734 sib_scale = X86_SIB_SCALE(sib);
1735 sib_index = X86_SIB_INDEX(sib) + 8*x3 + 16*x4;
1736 sib_base = X86_SIB_BASE(sib) + 8*b3 + 16*b4;
1737 sib = 1;
1738
1739 modrm_rm = sib_base;
1740 }
1741
1742 for_each_insn_prefix(insn, p) {
1743 if (p == 0xf3) /* REPE */
1744 rep = 1;
1745 }
1746
1747 /*
1748 * Opcode map munging:
1749 *
1750 * REX2: 0 - single byte opcode
1751 * 1 - 0f second byte opcode
1752 */
1753 switch (m) {
1754 case 0: break;
1755 case 1: insn->opcode.value <<= 8;
1756 insn->opcode.value |= 0x0f;
1757 break;
1758 default:
1759 return false;
1760 }
1761
1762 switch (insn->opcode.bytes[0]) {
1763 case 0x0f: /* 2nd byte */
1764 break;
1765
1766 case 0x89: /* MOV */
1767 if (modrm_mod != 3) /* register-direct */
1768 return false;
1769
1770 /* native size */
1771 if (insn->opnd_bytes != 4 * (1 + insn->x86_64))
1772 return false;
1773
1774 return modrm_reg == modrm_rm; /* MOV %reg, %reg */
1775
1776 case 0x8d: /* LEA */
1777 if (modrm_mod == 0 || modrm_mod == 3) /* register-indirect with disp */
1778 return false;
1779
1780 /* native size */
1781 if (insn->opnd_bytes != 4 * (1 + insn->x86_64))
1782 return false;
1783
1784 if (insn->displacement.value != 0)
1785 return false;
1786
1787 if (sib && (sib_scale != 0 || sib_index != 4)) /* (%reg, %eiz, 1) */
1788 return false;
1789
1790 for_each_insn_prefix(insn, p) {
1791 if (p != 0x3e) /* DS */
1792 return false;
1793 }
1794
1795 return modrm_reg == modrm_rm; /* LEA 0(%reg), %reg */
1796
1797 case 0x90: /* NOP */
1798 if (b3 || b4) /* XCHG %r{8,16,24},%rax */
1799 return false;
1800
1801 if (rep) /* REP NOP := PAUSE */
1802 return false;
1803
1804 return true;
1805
1806 case 0xe9: /* JMP.d32 */
1807 case 0xeb: /* JMP.d8 */
1808 return insn->immediate.value == 0; /* JMP +0 */
1809
1810 default:
1811 return false;
1812 }
1813
1814 switch (insn->opcode.bytes[1]) {
1815 case 0x1f:
1816 return modrm_reg == 0; /* 0f 1f /0 -- NOPL */
1817
1818 default:
1819 return false;
1820 }
1821 }
1822