1 /*
2 * arch/arm/kernel/kprobes-common.c
3 *
4 * Copyright (C) 2011 Jon Medhurst <tixy@yxit.co.uk>.
5 *
6 * Some contents moved here from arch/arm/include/asm/kprobes-arm.c which is
7 * Copyright (C) 2006, 2007 Motorola Inc.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation.
12 */
13
14 #include <linux/kernel.h>
15 #include <linux/kprobes.h>
16
17 #include "kprobes.h"
18
19
20 #ifndef find_str_pc_offset
21
22 /*
23 * For STR and STM instructions, an ARM core may choose to use either
24 * a +8 or a +12 displacement from the current instruction's address.
25 * Whichever value is chosen for a given core, it must be the same for
26 * both instructions and may not change. This function measures it.
27 */
28
29 int str_pc_offset;
30
find_str_pc_offset(void)31 void __init find_str_pc_offset(void)
32 {
33 int addr, scratch, ret;
34
35 __asm__ (
36 "sub %[ret], pc, #4 \n\t"
37 "str pc, %[addr] \n\t"
38 "ldr %[scr], %[addr] \n\t"
39 "sub %[ret], %[scr], %[ret] \n\t"
40 : [ret] "=r" (ret), [scr] "=r" (scratch), [addr] "+m" (addr));
41
42 str_pc_offset = ret;
43 }
44
45 #endif /* !find_str_pc_offset */
46
47
48 #ifndef test_load_write_pc_interworking
49
50 bool load_write_pc_interworks;
51
test_load_write_pc_interworking(void)52 void __init test_load_write_pc_interworking(void)
53 {
54 int arch = cpu_architecture();
55 BUG_ON(arch == CPU_ARCH_UNKNOWN);
56 load_write_pc_interworks = arch >= CPU_ARCH_ARMv5T;
57 }
58
59 #endif /* !test_load_write_pc_interworking */
60
61
62 #ifndef test_alu_write_pc_interworking
63
64 bool alu_write_pc_interworks;
65
test_alu_write_pc_interworking(void)66 void __init test_alu_write_pc_interworking(void)
67 {
68 int arch = cpu_architecture();
69 BUG_ON(arch == CPU_ARCH_UNKNOWN);
70 alu_write_pc_interworks = arch >= CPU_ARCH_ARMv7;
71 }
72
73 #endif /* !test_alu_write_pc_interworking */
74
75
arm_kprobe_decode_init(void)76 void __init arm_kprobe_decode_init(void)
77 {
78 find_str_pc_offset();
79 test_load_write_pc_interworking();
80 test_alu_write_pc_interworking();
81 }
82
83
__check_eq(unsigned long cpsr)84 static unsigned long __kprobes __check_eq(unsigned long cpsr)
85 {
86 return cpsr & PSR_Z_BIT;
87 }
88
__check_ne(unsigned long cpsr)89 static unsigned long __kprobes __check_ne(unsigned long cpsr)
90 {
91 return (~cpsr) & PSR_Z_BIT;
92 }
93
__check_cs(unsigned long cpsr)94 static unsigned long __kprobes __check_cs(unsigned long cpsr)
95 {
96 return cpsr & PSR_C_BIT;
97 }
98
__check_cc(unsigned long cpsr)99 static unsigned long __kprobes __check_cc(unsigned long cpsr)
100 {
101 return (~cpsr) & PSR_C_BIT;
102 }
103
__check_mi(unsigned long cpsr)104 static unsigned long __kprobes __check_mi(unsigned long cpsr)
105 {
106 return cpsr & PSR_N_BIT;
107 }
108
__check_pl(unsigned long cpsr)109 static unsigned long __kprobes __check_pl(unsigned long cpsr)
110 {
111 return (~cpsr) & PSR_N_BIT;
112 }
113
__check_vs(unsigned long cpsr)114 static unsigned long __kprobes __check_vs(unsigned long cpsr)
115 {
116 return cpsr & PSR_V_BIT;
117 }
118
__check_vc(unsigned long cpsr)119 static unsigned long __kprobes __check_vc(unsigned long cpsr)
120 {
121 return (~cpsr) & PSR_V_BIT;
122 }
123
__check_hi(unsigned long cpsr)124 static unsigned long __kprobes __check_hi(unsigned long cpsr)
125 {
126 cpsr &= ~(cpsr >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
127 return cpsr & PSR_C_BIT;
128 }
129
__check_ls(unsigned long cpsr)130 static unsigned long __kprobes __check_ls(unsigned long cpsr)
131 {
132 cpsr &= ~(cpsr >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
133 return (~cpsr) & PSR_C_BIT;
134 }
135
__check_ge(unsigned long cpsr)136 static unsigned long __kprobes __check_ge(unsigned long cpsr)
137 {
138 cpsr ^= (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
139 return (~cpsr) & PSR_N_BIT;
140 }
141
__check_lt(unsigned long cpsr)142 static unsigned long __kprobes __check_lt(unsigned long cpsr)
143 {
144 cpsr ^= (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
145 return cpsr & PSR_N_BIT;
146 }
147
__check_gt(unsigned long cpsr)148 static unsigned long __kprobes __check_gt(unsigned long cpsr)
149 {
150 unsigned long temp = cpsr ^ (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
151 temp |= (cpsr << 1); /* PSR_N_BIT |= PSR_Z_BIT */
152 return (~temp) & PSR_N_BIT;
153 }
154
__check_le(unsigned long cpsr)155 static unsigned long __kprobes __check_le(unsigned long cpsr)
156 {
157 unsigned long temp = cpsr ^ (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
158 temp |= (cpsr << 1); /* PSR_N_BIT |= PSR_Z_BIT */
159 return temp & PSR_N_BIT;
160 }
161
__check_al(unsigned long cpsr)162 static unsigned long __kprobes __check_al(unsigned long cpsr)
163 {
164 return true;
165 }
166
167 kprobe_check_cc * const kprobe_condition_checks[16] = {
168 &__check_eq, &__check_ne, &__check_cs, &__check_cc,
169 &__check_mi, &__check_pl, &__check_vs, &__check_vc,
170 &__check_hi, &__check_ls, &__check_ge, &__check_lt,
171 &__check_gt, &__check_le, &__check_al, &__check_al
172 };
173
174
kprobe_simulate_nop(struct kprobe * p,struct pt_regs * regs)175 void __kprobes kprobe_simulate_nop(struct kprobe *p, struct pt_regs *regs)
176 {
177 }
178
kprobe_emulate_none(struct kprobe * p,struct pt_regs * regs)179 void __kprobes kprobe_emulate_none(struct kprobe *p, struct pt_regs *regs)
180 {
181 p->ainsn.insn_fn();
182 }
183
simulate_ldm1stm1(struct kprobe * p,struct pt_regs * regs)184 static void __kprobes simulate_ldm1stm1(struct kprobe *p, struct pt_regs *regs)
185 {
186 kprobe_opcode_t insn = p->opcode;
187 int rn = (insn >> 16) & 0xf;
188 int lbit = insn & (1 << 20);
189 int wbit = insn & (1 << 21);
190 int ubit = insn & (1 << 23);
191 int pbit = insn & (1 << 24);
192 long *addr = (long *)regs->uregs[rn];
193 int reg_bit_vector;
194 int reg_count;
195
196 reg_count = 0;
197 reg_bit_vector = insn & 0xffff;
198 while (reg_bit_vector) {
199 reg_bit_vector &= (reg_bit_vector - 1);
200 ++reg_count;
201 }
202
203 if (!ubit)
204 addr -= reg_count;
205 addr += (!pbit == !ubit);
206
207 reg_bit_vector = insn & 0xffff;
208 while (reg_bit_vector) {
209 int reg = __ffs(reg_bit_vector);
210 reg_bit_vector &= (reg_bit_vector - 1);
211 if (lbit)
212 regs->uregs[reg] = *addr++;
213 else
214 *addr++ = regs->uregs[reg];
215 }
216
217 if (wbit) {
218 if (!ubit)
219 addr -= reg_count;
220 addr -= (!pbit == !ubit);
221 regs->uregs[rn] = (long)addr;
222 }
223 }
224
simulate_stm1_pc(struct kprobe * p,struct pt_regs * regs)225 static void __kprobes simulate_stm1_pc(struct kprobe *p, struct pt_regs *regs)
226 {
227 regs->ARM_pc = (long)p->addr + str_pc_offset;
228 simulate_ldm1stm1(p, regs);
229 regs->ARM_pc = (long)p->addr + 4;
230 }
231
simulate_ldm1_pc(struct kprobe * p,struct pt_regs * regs)232 static void __kprobes simulate_ldm1_pc(struct kprobe *p, struct pt_regs *regs)
233 {
234 simulate_ldm1stm1(p, regs);
235 load_write_pc(regs->ARM_pc, regs);
236 }
237
238 static void __kprobes
emulate_generic_r0_12_noflags(struct kprobe * p,struct pt_regs * regs)239 emulate_generic_r0_12_noflags(struct kprobe *p, struct pt_regs *regs)
240 {
241 register void *rregs asm("r1") = regs;
242 register void *rfn asm("lr") = p->ainsn.insn_fn;
243
244 __asm__ __volatile__ (
245 "stmdb sp!, {%[regs], r11} \n\t"
246 "ldmia %[regs], {r0-r12} \n\t"
247 #if __LINUX_ARM_ARCH__ >= 6
248 "blx %[fn] \n\t"
249 #else
250 "str %[fn], [sp, #-4]! \n\t"
251 "adr lr, 1f \n\t"
252 "ldr pc, [sp], #4 \n\t"
253 "1: \n\t"
254 #endif
255 "ldr lr, [sp], #4 \n\t" /* lr = regs */
256 "stmia lr, {r0-r12} \n\t"
257 "ldr r11, [sp], #4 \n\t"
258 : [regs] "=r" (rregs), [fn] "=r" (rfn)
259 : "0" (rregs), "1" (rfn)
260 : "r0", "r2", "r3", "r4", "r5", "r6", "r7",
261 "r8", "r9", "r10", "r12", "memory", "cc"
262 );
263 }
264
265 static void __kprobes
emulate_generic_r2_14_noflags(struct kprobe * p,struct pt_regs * regs)266 emulate_generic_r2_14_noflags(struct kprobe *p, struct pt_regs *regs)
267 {
268 emulate_generic_r0_12_noflags(p, (struct pt_regs *)(regs->uregs+2));
269 }
270
271 static void __kprobes
emulate_ldm_r3_15(struct kprobe * p,struct pt_regs * regs)272 emulate_ldm_r3_15(struct kprobe *p, struct pt_regs *regs)
273 {
274 emulate_generic_r0_12_noflags(p, (struct pt_regs *)(regs->uregs+3));
275 load_write_pc(regs->ARM_pc, regs);
276 }
277
278 enum kprobe_insn __kprobes
kprobe_decode_ldmstm(kprobe_opcode_t insn,struct arch_specific_insn * asi)279 kprobe_decode_ldmstm(kprobe_opcode_t insn, struct arch_specific_insn *asi)
280 {
281 kprobe_insn_handler_t *handler = 0;
282 unsigned reglist = insn & 0xffff;
283 int is_ldm = insn & 0x100000;
284 int rn = (insn >> 16) & 0xf;
285
286 if (rn <= 12 && (reglist & 0xe000) == 0) {
287 /* Instruction only uses registers in the range R0..R12 */
288 handler = emulate_generic_r0_12_noflags;
289
290 } else if (rn >= 2 && (reglist & 0x8003) == 0) {
291 /* Instruction only uses registers in the range R2..R14 */
292 rn -= 2;
293 reglist >>= 2;
294 handler = emulate_generic_r2_14_noflags;
295
296 } else if (rn >= 3 && (reglist & 0x0007) == 0) {
297 /* Instruction only uses registers in the range R3..R15 */
298 if (is_ldm && (reglist & 0x8000)) {
299 rn -= 3;
300 reglist >>= 3;
301 handler = emulate_ldm_r3_15;
302 }
303 }
304
305 if (handler) {
306 /* We can emulate the instruction in (possibly) modified form */
307 asi->insn[0] = (insn & 0xfff00000) | (rn << 16) | reglist;
308 asi->insn_handler = handler;
309 return INSN_GOOD;
310 }
311
312 /* Fallback to slower simulation... */
313 if (reglist & 0x8000)
314 handler = is_ldm ? simulate_ldm1_pc : simulate_stm1_pc;
315 else
316 handler = simulate_ldm1stm1;
317 asi->insn_handler = handler;
318 return INSN_GOOD_NO_SLOT;
319 }
320
321
322 /*
323 * Prepare an instruction slot to receive an instruction for emulating.
324 * This is done by placing a subroutine return after the location where the
325 * instruction will be placed. We also modify ARM instructions to be
326 * unconditional as the condition code will already be checked before any
327 * emulation handler is called.
328 */
329 static kprobe_opcode_t __kprobes
prepare_emulated_insn(kprobe_opcode_t insn,struct arch_specific_insn * asi,bool thumb)330 prepare_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
331 bool thumb)
332 {
333 #ifdef CONFIG_THUMB2_KERNEL
334 if (thumb) {
335 u16 *thumb_insn = (u16 *)asi->insn;
336 thumb_insn[1] = 0x4770; /* Thumb bx lr */
337 thumb_insn[2] = 0x4770; /* Thumb bx lr */
338 return insn;
339 }
340 asi->insn[1] = 0xe12fff1e; /* ARM bx lr */
341 #else
342 asi->insn[1] = 0xe1a0f00e; /* mov pc, lr */
343 #endif
344 /* Make an ARM instruction unconditional */
345 if (insn < 0xe0000000)
346 insn = (insn | 0xe0000000) & ~0x10000000;
347 return insn;
348 }
349
350 /*
351 * Write a (probably modified) instruction into the slot previously prepared by
352 * prepare_emulated_insn
353 */
354 static void __kprobes
set_emulated_insn(kprobe_opcode_t insn,struct arch_specific_insn * asi,bool thumb)355 set_emulated_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
356 bool thumb)
357 {
358 #ifdef CONFIG_THUMB2_KERNEL
359 if (thumb) {
360 u16 *ip = (u16 *)asi->insn;
361 if (is_wide_instruction(insn))
362 *ip++ = insn >> 16;
363 *ip++ = insn;
364 return;
365 }
366 #endif
367 asi->insn[0] = insn;
368 }
369
370 /*
371 * When we modify the register numbers encoded in an instruction to be emulated,
372 * the new values come from this define. For ARM and 32-bit Thumb instructions
373 * this gives...
374 *
375 * bit position 16 12 8 4 0
376 * ---------------+---+---+---+---+---+
377 * register r2 r0 r1 -- r3
378 */
379 #define INSN_NEW_BITS 0x00020103
380
381 /* Each nibble has same value as that at INSN_NEW_BITS bit 16 */
382 #define INSN_SAMEAS16_BITS 0x22222222
383
384 /*
385 * Validate and modify each of the registers encoded in an instruction.
386 *
387 * Each nibble in regs contains a value from enum decode_reg_type. For each
388 * non-zero value, the corresponding nibble in pinsn is validated and modified
389 * according to the type.
390 */
decode_regs(kprobe_opcode_t * pinsn,u32 regs)391 static bool __kprobes decode_regs(kprobe_opcode_t* pinsn, u32 regs)
392 {
393 kprobe_opcode_t insn = *pinsn;
394 kprobe_opcode_t mask = 0xf; /* Start at least significant nibble */
395
396 for (; regs != 0; regs >>= 4, mask <<= 4) {
397
398 kprobe_opcode_t new_bits = INSN_NEW_BITS;
399
400 switch (regs & 0xf) {
401
402 case REG_TYPE_NONE:
403 /* Nibble not a register, skip to next */
404 continue;
405
406 case REG_TYPE_ANY:
407 /* Any register is allowed */
408 break;
409
410 case REG_TYPE_SAMEAS16:
411 /* Replace register with same as at bit position 16 */
412 new_bits = INSN_SAMEAS16_BITS;
413 break;
414
415 case REG_TYPE_SP:
416 /* Only allow SP (R13) */
417 if ((insn ^ 0xdddddddd) & mask)
418 goto reject;
419 break;
420
421 case REG_TYPE_PC:
422 /* Only allow PC (R15) */
423 if ((insn ^ 0xffffffff) & mask)
424 goto reject;
425 break;
426
427 case REG_TYPE_NOSP:
428 /* Reject SP (R13) */
429 if (((insn ^ 0xdddddddd) & mask) == 0)
430 goto reject;
431 break;
432
433 case REG_TYPE_NOSPPC:
434 case REG_TYPE_NOSPPCX:
435 /* Reject SP and PC (R13 and R15) */
436 if (((insn ^ 0xdddddddd) & 0xdddddddd & mask) == 0)
437 goto reject;
438 break;
439
440 case REG_TYPE_NOPCWB:
441 if (!is_writeback(insn))
442 break; /* No writeback, so any register is OK */
443 /* fall through... */
444 case REG_TYPE_NOPC:
445 case REG_TYPE_NOPCX:
446 /* Reject PC (R15) */
447 if (((insn ^ 0xffffffff) & mask) == 0)
448 goto reject;
449 break;
450 }
451
452 /* Replace value of nibble with new register number... */
453 insn &= ~mask;
454 insn |= new_bits & mask;
455 }
456
457 *pinsn = insn;
458 return true;
459
460 reject:
461 return false;
462 }
463
464 static const int decode_struct_sizes[NUM_DECODE_TYPES] = {
465 [DECODE_TYPE_TABLE] = sizeof(struct decode_table),
466 [DECODE_TYPE_CUSTOM] = sizeof(struct decode_custom),
467 [DECODE_TYPE_SIMULATE] = sizeof(struct decode_simulate),
468 [DECODE_TYPE_EMULATE] = sizeof(struct decode_emulate),
469 [DECODE_TYPE_OR] = sizeof(struct decode_or),
470 [DECODE_TYPE_REJECT] = sizeof(struct decode_reject)
471 };
472
473 /*
474 * kprobe_decode_insn operates on data tables in order to decode an ARM
475 * architecture instruction onto which a kprobe has been placed.
476 *
477 * These instruction decoding tables are a concatenation of entries each
478 * of which consist of one of the following structs:
479 *
480 * decode_table
481 * decode_custom
482 * decode_simulate
483 * decode_emulate
484 * decode_or
485 * decode_reject
486 *
487 * Each of these starts with a struct decode_header which has the following
488 * fields:
489 *
490 * type_regs
491 * mask
492 * value
493 *
494 * The least significant DECODE_TYPE_BITS of type_regs contains a value
495 * from enum decode_type, this indicates which of the decode_* structs
496 * the entry contains. The value DECODE_TYPE_END indicates the end of the
497 * table.
498 *
499 * When the table is parsed, each entry is checked in turn to see if it
500 * matches the instruction to be decoded using the test:
501 *
502 * (insn & mask) == value
503 *
504 * If no match is found before the end of the table is reached then decoding
505 * fails with INSN_REJECTED.
506 *
507 * When a match is found, decode_regs() is called to validate and modify each
508 * of the registers encoded in the instruction; the data it uses to do this
509 * is (type_regs >> DECODE_TYPE_BITS). A validation failure will cause decoding
510 * to fail with INSN_REJECTED.
511 *
512 * Once the instruction has passed the above tests, further processing
513 * depends on the type of the table entry's decode struct.
514 *
515 */
516 int __kprobes
kprobe_decode_insn(kprobe_opcode_t insn,struct arch_specific_insn * asi,const union decode_item * table,bool thumb)517 kprobe_decode_insn(kprobe_opcode_t insn, struct arch_specific_insn *asi,
518 const union decode_item *table, bool thumb)
519 {
520 const struct decode_header *h = (struct decode_header *)table;
521 const struct decode_header *next;
522 bool matched = false;
523
524 insn = prepare_emulated_insn(insn, asi, thumb);
525
526 for (;; h = next) {
527 enum decode_type type = h->type_regs.bits & DECODE_TYPE_MASK;
528 u32 regs = h->type_regs.bits >> DECODE_TYPE_BITS;
529
530 if (type == DECODE_TYPE_END)
531 return INSN_REJECTED;
532
533 next = (struct decode_header *)
534 ((uintptr_t)h + decode_struct_sizes[type]);
535
536 if (!matched && (insn & h->mask.bits) != h->value.bits)
537 continue;
538
539 if (!decode_regs(&insn, regs))
540 return INSN_REJECTED;
541
542 switch (type) {
543
544 case DECODE_TYPE_TABLE: {
545 struct decode_table *d = (struct decode_table *)h;
546 next = (struct decode_header *)d->table.table;
547 break;
548 }
549
550 case DECODE_TYPE_CUSTOM: {
551 struct decode_custom *d = (struct decode_custom *)h;
552 return (*d->decoder.decoder)(insn, asi);
553 }
554
555 case DECODE_TYPE_SIMULATE: {
556 struct decode_simulate *d = (struct decode_simulate *)h;
557 asi->insn_handler = d->handler.handler;
558 return INSN_GOOD_NO_SLOT;
559 }
560
561 case DECODE_TYPE_EMULATE: {
562 struct decode_emulate *d = (struct decode_emulate *)h;
563 asi->insn_handler = d->handler.handler;
564 set_emulated_insn(insn, asi, thumb);
565 return INSN_GOOD;
566 }
567
568 case DECODE_TYPE_OR:
569 matched = true;
570 break;
571
572 case DECODE_TYPE_REJECT:
573 default:
574 return INSN_REJECTED;
575 }
576 }
577 }
578