1/* 2 * Utility functions for x86 operand and address decoding 3 * 4 * Copyright (C) Intel Corporation 2017 5 */ 6#include <linux/kernel.h> 7#include <linux/string.h> 8#include <linux/ratelimit.h> 9#include <linux/mmu_context.h> 10#include <asm/desc_defs.h> 11#include <asm/desc.h> 12#include <asm/inat.h> 13#include <asm/insn.h> 14#include <asm/insn-eval.h> 15#include <asm/ldt.h> 16#include <asm/vm86.h> 17 18#undef pr_fmt 19#define pr_fmt(fmt) "insn: " fmt 20 21enum reg_type { 22 REG_TYPE_RM = 0, 23 REG_TYPE_REG, 24 REG_TYPE_INDEX, 25 REG_TYPE_BASE, 26}; 27 28/** 29 * is_string_insn() - Determine if instruction is a string instruction 30 * @insn: Instruction containing the opcode to inspect 31 * 32 * Returns: 33 * 34 * true if the instruction, determined by the opcode, is any of the 35 * string instructions as defined in the Intel Software Development manual. 36 * False otherwise. 37 */ 38static bool is_string_insn(struct insn *insn) 39{ 40 insn_get_opcode(insn); 41 42 /* All string instructions have a 1-byte opcode. */ 43 if (insn->opcode.nbytes != 1) 44 return false; 45 46 switch (insn->opcode.bytes[0]) { 47 case 0x6c ... 0x6f: /* INS, OUTS */ 48 case 0xa4 ... 0xa7: /* MOVS, CMPS */ 49 case 0xaa ... 0xaf: /* STOS, LODS, SCAS */ 50 return true; 51 default: 52 return false; 53 } 54} 55 56/** 57 * insn_has_rep_prefix() - Determine if instruction has a REP prefix 58 * @insn: Instruction containing the prefix to inspect 59 * 60 * Returns: 61 * 62 * true if the instruction has a REP prefix, false if not. 63 */ 64bool insn_has_rep_prefix(struct insn *insn) 65{ 66 insn_byte_t p; 67 int i; 68 69 insn_get_prefixes(insn); 70 71 for_each_insn_prefix(insn, i, p) { 72 if (p == 0xf2 || p == 0xf3) 73 return true; 74 } 75 76 return false; 77} 78 79/** 80 * get_seg_reg_override_idx() - obtain segment register override index 81 * @insn: Valid instruction with segment override prefixes 82 * 83 * Inspect the instruction prefixes in @insn and find segment overrides, if any. 84 * 85 * Returns: 86 * 87 * A constant identifying the segment register to use, among CS, SS, DS, 88 * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override 89 * prefixes were found. 90 * 91 * -EINVAL in case of error. 92 */ 93static int get_seg_reg_override_idx(struct insn *insn) 94{ 95 int idx = INAT_SEG_REG_DEFAULT; 96 int num_overrides = 0, i; 97 insn_byte_t p; 98 99 insn_get_prefixes(insn); 100 101 /* Look for any segment override prefixes. */ 102 for_each_insn_prefix(insn, i, p) { 103 insn_attr_t attr; 104 105 attr = inat_get_opcode_attribute(p); 106 switch (attr) { 107 case INAT_MAKE_PREFIX(INAT_PFX_CS): 108 idx = INAT_SEG_REG_CS; 109 num_overrides++; 110 break; 111 case INAT_MAKE_PREFIX(INAT_PFX_SS): 112 idx = INAT_SEG_REG_SS; 113 num_overrides++; 114 break; 115 case INAT_MAKE_PREFIX(INAT_PFX_DS): 116 idx = INAT_SEG_REG_DS; 117 num_overrides++; 118 break; 119 case INAT_MAKE_PREFIX(INAT_PFX_ES): 120 idx = INAT_SEG_REG_ES; 121 num_overrides++; 122 break; 123 case INAT_MAKE_PREFIX(INAT_PFX_FS): 124 idx = INAT_SEG_REG_FS; 125 num_overrides++; 126 break; 127 case INAT_MAKE_PREFIX(INAT_PFX_GS): 128 idx = INAT_SEG_REG_GS; 129 num_overrides++; 130 break; 131 /* No default action needed. */ 132 } 133 } 134 135 /* More than one segment override prefix leads to undefined behavior. */ 136 if (num_overrides > 1) 137 return -EINVAL; 138 139 return idx; 140} 141 142/** 143 * check_seg_overrides() - check if segment override prefixes are allowed 144 * @insn: Valid instruction with segment override prefixes 145 * @regoff: Operand offset, in pt_regs, for which the check is performed 146 * 147 * For a particular register used in register-indirect addressing, determine if 148 * segment override prefixes can be used. Specifically, no overrides are allowed 149 * for rDI if used with a string instruction. 150 * 151 * Returns: 152 * 153 * True if segment override prefixes can be used with the register indicated 154 * in @regoff. False if otherwise. 155 */ 156static bool check_seg_overrides(struct insn *insn, int regoff) 157{ 158 if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn)) 159 return false; 160 161 return true; 162} 163 164/** 165 * resolve_default_seg() - resolve default segment register index for an operand 166 * @insn: Instruction with opcode and address size. Must be valid. 167 * @regs: Register values as seen when entering kernel mode 168 * @off: Operand offset, in pt_regs, for which resolution is needed 169 * 170 * Resolve the default segment register index associated with the instruction 171 * operand register indicated by @off. Such index is resolved based on defaults 172 * described in the Intel Software Development Manual. 173 * 174 * Returns: 175 * 176 * If in protected mode, a constant identifying the segment register to use, 177 * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE. 178 * 179 * -EINVAL in case of error. 180 */ 181static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off) 182{ 183 if (any_64bit_mode(regs)) 184 return INAT_SEG_REG_IGNORE; 185 /* 186 * Resolve the default segment register as described in Section 3.7.4 187 * of the Intel Software Development Manual Vol. 1: 188 * 189 * + DS for all references involving r[ABCD]X, and rSI. 190 * + If used in a string instruction, ES for rDI. Otherwise, DS. 191 * + AX, CX and DX are not valid register operands in 16-bit address 192 * encodings but are valid for 32-bit and 64-bit encodings. 193 * + -EDOM is reserved to identify for cases in which no register 194 * is used (i.e., displacement-only addressing). Use DS. 195 * + SS for rSP or rBP. 196 * + CS for rIP. 197 */ 198 199 switch (off) { 200 case offsetof(struct pt_regs, ax): 201 case offsetof(struct pt_regs, cx): 202 case offsetof(struct pt_regs, dx): 203 /* Need insn to verify address size. */ 204 if (insn->addr_bytes == 2) 205 return -EINVAL; 206 207 fallthrough; 208 209 case -EDOM: 210 case offsetof(struct pt_regs, bx): 211 case offsetof(struct pt_regs, si): 212 return INAT_SEG_REG_DS; 213 214 case offsetof(struct pt_regs, di): 215 if (is_string_insn(insn)) 216 return INAT_SEG_REG_ES; 217 return INAT_SEG_REG_DS; 218 219 case offsetof(struct pt_regs, bp): 220 case offsetof(struct pt_regs, sp): 221 return INAT_SEG_REG_SS; 222 223 case offsetof(struct pt_regs, ip): 224 return INAT_SEG_REG_CS; 225 226 default: 227 return -EINVAL; 228 } 229} 230 231/** 232 * resolve_seg_reg() - obtain segment register index 233 * @insn: Instruction with operands 234 * @regs: Register values as seen when entering kernel mode 235 * @regoff: Operand offset, in pt_regs, used to deterimine segment register 236 * 237 * Determine the segment register associated with the operands and, if 238 * applicable, prefixes and the instruction pointed by @insn. 239 * 240 * The segment register associated to an operand used in register-indirect 241 * addressing depends on: 242 * 243 * a) Whether running in long mode (in such a case segments are ignored, except 244 * if FS or GS are used). 245 * 246 * b) Whether segment override prefixes can be used. Certain instructions and 247 * registers do not allow override prefixes. 248 * 249 * c) Whether segment overrides prefixes are found in the instruction prefixes. 250 * 251 * d) If there are not segment override prefixes or they cannot be used, the 252 * default segment register associated with the operand register is used. 253 * 254 * The function checks first if segment override prefixes can be used with the 255 * operand indicated by @regoff. If allowed, obtain such overridden segment 256 * register index. Lastly, if not prefixes were found or cannot be used, resolve 257 * the segment register index to use based on the defaults described in the 258 * Intel documentation. In long mode, all segment register indexes will be 259 * ignored, except if overrides were found for FS or GS. All these operations 260 * are done using helper functions. 261 * 262 * The operand register, @regoff, is represented as the offset from the base of 263 * pt_regs. 264 * 265 * As stated, the main use of this function is to determine the segment register 266 * index based on the instruction, its operands and prefixes. Hence, @insn 267 * must be valid. However, if @regoff indicates rIP, we don't need to inspect 268 * @insn at all as in this case CS is used in all cases. This case is checked 269 * before proceeding further. 270 * 271 * Please note that this function does not return the value in the segment 272 * register (i.e., the segment selector) but our defined index. The segment 273 * selector needs to be obtained using get_segment_selector() and passing the 274 * segment register index resolved by this function. 275 * 276 * Returns: 277 * 278 * An index identifying the segment register to use, among CS, SS, DS, 279 * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode. 280 * 281 * -EINVAL in case of error. 282 */ 283static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff) 284{ 285 int idx; 286 287 /* 288 * In the unlikely event of having to resolve the segment register 289 * index for rIP, do it first. Segment override prefixes should not 290 * be used. Hence, it is not necessary to inspect the instruction, 291 * which may be invalid at this point. 292 */ 293 if (regoff == offsetof(struct pt_regs, ip)) { 294 if (any_64bit_mode(regs)) 295 return INAT_SEG_REG_IGNORE; 296 else 297 return INAT_SEG_REG_CS; 298 } 299 300 if (!insn) 301 return -EINVAL; 302 303 if (!check_seg_overrides(insn, regoff)) 304 return resolve_default_seg(insn, regs, regoff); 305 306 idx = get_seg_reg_override_idx(insn); 307 if (idx < 0) 308 return idx; 309 310 if (idx == INAT_SEG_REG_DEFAULT) 311 return resolve_default_seg(insn, regs, regoff); 312 313 /* 314 * In long mode, segment override prefixes are ignored, except for 315 * overrides for FS and GS. 316 */ 317 if (any_64bit_mode(regs)) { 318 if (idx != INAT_SEG_REG_FS && 319 idx != INAT_SEG_REG_GS) 320 idx = INAT_SEG_REG_IGNORE; 321 } 322 323 return idx; 324} 325 326/** 327 * get_segment_selector() - obtain segment selector 328 * @regs: Register values as seen when entering kernel mode 329 * @seg_reg_idx: Segment register index to use 330 * 331 * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment 332 * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or 333 * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained 334 * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU 335 * registers. This done for only for completeness as in CONFIG_X86_64 segment 336 * registers are ignored. 337 * 338 * Returns: 339 * 340 * Value of the segment selector, including null when running in 341 * long mode. 342 * 343 * -EINVAL on error. 344 */ 345static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx) 346{ 347#ifdef CONFIG_X86_64 348 unsigned short sel; 349 350 switch (seg_reg_idx) { 351 case INAT_SEG_REG_IGNORE: 352 return 0; 353 case INAT_SEG_REG_CS: 354 return (unsigned short)(regs->cs & 0xffff); 355 case INAT_SEG_REG_SS: 356 return (unsigned short)(regs->ss & 0xffff); 357 case INAT_SEG_REG_DS: 358 savesegment(ds, sel); 359 return sel; 360 case INAT_SEG_REG_ES: 361 savesegment(es, sel); 362 return sel; 363 case INAT_SEG_REG_FS: 364 savesegment(fs, sel); 365 return sel; 366 case INAT_SEG_REG_GS: 367 savesegment(gs, sel); 368 return sel; 369 default: 370 return -EINVAL; 371 } 372#else /* CONFIG_X86_32 */ 373 struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs; 374 375 if (v8086_mode(regs)) { 376 switch (seg_reg_idx) { 377 case INAT_SEG_REG_CS: 378 return (unsigned short)(regs->cs & 0xffff); 379 case INAT_SEG_REG_SS: 380 return (unsigned short)(regs->ss & 0xffff); 381 case INAT_SEG_REG_DS: 382 return vm86regs->ds; 383 case INAT_SEG_REG_ES: 384 return vm86regs->es; 385 case INAT_SEG_REG_FS: 386 return vm86regs->fs; 387 case INAT_SEG_REG_GS: 388 return vm86regs->gs; 389 case INAT_SEG_REG_IGNORE: 390 default: 391 return -EINVAL; 392 } 393 } 394 395 switch (seg_reg_idx) { 396 case INAT_SEG_REG_CS: 397 return (unsigned short)(regs->cs & 0xffff); 398 case INAT_SEG_REG_SS: 399 return (unsigned short)(regs->ss & 0xffff); 400 case INAT_SEG_REG_DS: 401 return (unsigned short)(regs->ds & 0xffff); 402 case INAT_SEG_REG_ES: 403 return (unsigned short)(regs->es & 0xffff); 404 case INAT_SEG_REG_FS: 405 return (unsigned short)(regs->fs & 0xffff); 406 case INAT_SEG_REG_GS: 407 /* 408 * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS. 409 * The macro below takes care of both cases. 410 */ 411 return get_user_gs(regs); 412 case INAT_SEG_REG_IGNORE: 413 default: 414 return -EINVAL; 415 } 416#endif /* CONFIG_X86_64 */ 417} 418 419static int get_reg_offset(struct insn *insn, struct pt_regs *regs, 420 enum reg_type type) 421{ 422 int regno = 0; 423 424 static const int regoff[] = { 425 offsetof(struct pt_regs, ax), 426 offsetof(struct pt_regs, cx), 427 offsetof(struct pt_regs, dx), 428 offsetof(struct pt_regs, bx), 429 offsetof(struct pt_regs, sp), 430 offsetof(struct pt_regs, bp), 431 offsetof(struct pt_regs, si), 432 offsetof(struct pt_regs, di), 433#ifdef CONFIG_X86_64 434 offsetof(struct pt_regs, r8), 435 offsetof(struct pt_regs, r9), 436 offsetof(struct pt_regs, r10), 437 offsetof(struct pt_regs, r11), 438 offsetof(struct pt_regs, r12), 439 offsetof(struct pt_regs, r13), 440 offsetof(struct pt_regs, r14), 441 offsetof(struct pt_regs, r15), 442#endif 443 }; 444 int nr_registers = ARRAY_SIZE(regoff); 445 /* 446 * Don't possibly decode a 32-bit instructions as 447 * reading a 64-bit-only register. 448 */ 449 if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64) 450 nr_registers -= 8; 451 452 switch (type) { 453 case REG_TYPE_RM: 454 regno = X86_MODRM_RM(insn->modrm.value); 455 456 /* 457 * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement 458 * follows the ModRM byte. 459 */ 460 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 461 return -EDOM; 462 463 if (X86_REX_B(insn->rex_prefix.value)) 464 regno += 8; 465 break; 466 467 case REG_TYPE_REG: 468 regno = X86_MODRM_REG(insn->modrm.value); 469 470 if (X86_REX_R(insn->rex_prefix.value)) 471 regno += 8; 472 break; 473 474 case REG_TYPE_INDEX: 475 regno = X86_SIB_INDEX(insn->sib.value); 476 if (X86_REX_X(insn->rex_prefix.value)) 477 regno += 8; 478 479 /* 480 * If ModRM.mod != 3 and SIB.index = 4 the scale*index 481 * portion of the address computation is null. This is 482 * true only if REX.X is 0. In such a case, the SIB index 483 * is used in the address computation. 484 */ 485 if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4) 486 return -EDOM; 487 break; 488 489 case REG_TYPE_BASE: 490 regno = X86_SIB_BASE(insn->sib.value); 491 /* 492 * If ModRM.mod is 0 and SIB.base == 5, the base of the 493 * register-indirect addressing is 0. In this case, a 494 * 32-bit displacement follows the SIB byte. 495 */ 496 if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) 497 return -EDOM; 498 499 if (X86_REX_B(insn->rex_prefix.value)) 500 regno += 8; 501 break; 502 503 default: 504 pr_err_ratelimited("invalid register type: %d\n", type); 505 return -EINVAL; 506 } 507 508 if (regno >= nr_registers) { 509 WARN_ONCE(1, "decoded an instruction with an invalid register"); 510 return -EINVAL; 511 } 512 return regoff[regno]; 513} 514 515/** 516 * get_reg_offset_16() - Obtain offset of register indicated by instruction 517 * @insn: Instruction containing ModRM byte 518 * @regs: Register values as seen when entering kernel mode 519 * @offs1: Offset of the first operand register 520 * @offs2: Offset of the second opeand register, if applicable 521 * 522 * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte 523 * in @insn. This function is to be used with 16-bit address encodings. The 524 * @offs1 and @offs2 will be written with the offset of the two registers 525 * indicated by the instruction. In cases where any of the registers is not 526 * referenced by the instruction, the value will be set to -EDOM. 527 * 528 * Returns: 529 * 530 * 0 on success, -EINVAL on error. 531 */ 532static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs, 533 int *offs1, int *offs2) 534{ 535 /* 536 * 16-bit addressing can use one or two registers. Specifics of 537 * encodings are given in Table 2-1. "16-Bit Addressing Forms with the 538 * ModR/M Byte" of the Intel Software Development Manual. 539 */ 540 static const int regoff1[] = { 541 offsetof(struct pt_regs, bx), 542 offsetof(struct pt_regs, bx), 543 offsetof(struct pt_regs, bp), 544 offsetof(struct pt_regs, bp), 545 offsetof(struct pt_regs, si), 546 offsetof(struct pt_regs, di), 547 offsetof(struct pt_regs, bp), 548 offsetof(struct pt_regs, bx), 549 }; 550 551 static const int regoff2[] = { 552 offsetof(struct pt_regs, si), 553 offsetof(struct pt_regs, di), 554 offsetof(struct pt_regs, si), 555 offsetof(struct pt_regs, di), 556 -EDOM, 557 -EDOM, 558 -EDOM, 559 -EDOM, 560 }; 561 562 if (!offs1 || !offs2) 563 return -EINVAL; 564 565 /* Operand is a register, use the generic function. */ 566 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 567 *offs1 = insn_get_modrm_rm_off(insn, regs); 568 *offs2 = -EDOM; 569 return 0; 570 } 571 572 *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)]; 573 *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)]; 574 575 /* 576 * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement- 577 * only addressing. This means that no registers are involved in 578 * computing the effective address. Thus, ensure that the first 579 * register offset is invalild. The second register offset is already 580 * invalid under the aforementioned conditions. 581 */ 582 if ((X86_MODRM_MOD(insn->modrm.value) == 0) && 583 (X86_MODRM_RM(insn->modrm.value) == 6)) 584 *offs1 = -EDOM; 585 586 return 0; 587} 588 589/** 590 * get_desc() - Obtain contents of a segment descriptor 591 * @out: Segment descriptor contents on success 592 * @sel: Segment selector 593 * 594 * Given a segment selector, obtain a pointer to the segment descriptor. 595 * Both global and local descriptor tables are supported. 596 * 597 * Returns: 598 * 599 * True on success, false on failure. 600 * 601 * NULL on error. 602 */ 603static bool get_desc(struct desc_struct *out, unsigned short sel) 604{ 605 struct desc_ptr gdt_desc = {0, 0}; 606 unsigned long desc_base; 607 608#ifdef CONFIG_MODIFY_LDT_SYSCALL 609 if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) { 610 bool success = false; 611 struct ldt_struct *ldt; 612 613 /* Bits [15:3] contain the index of the desired entry. */ 614 sel >>= 3; 615 616 mutex_lock(¤t->active_mm->context.lock); 617 ldt = current->active_mm->context.ldt; 618 if (ldt && sel < ldt->nr_entries) { 619 *out = ldt->entries[sel]; 620 success = true; 621 } 622 623 mutex_unlock(¤t->active_mm->context.lock); 624 625 return success; 626 } 627#endif 628 native_store_gdt(&gdt_desc); 629 630 /* 631 * Segment descriptors have a size of 8 bytes. Thus, the index is 632 * multiplied by 8 to obtain the memory offset of the desired descriptor 633 * from the base of the GDT. As bits [15:3] of the segment selector 634 * contain the index, it can be regarded as multiplied by 8 already. 635 * All that remains is to clear bits [2:0]. 636 */ 637 desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK); 638 639 if (desc_base > gdt_desc.size) 640 return false; 641 642 *out = *(struct desc_struct *)(gdt_desc.address + desc_base); 643 return true; 644} 645 646/** 647 * insn_get_seg_base() - Obtain base address of segment descriptor. 648 * @regs: Register values as seen when entering kernel mode 649 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 650 * 651 * Obtain the base address of the segment as indicated by the segment descriptor 652 * pointed by the segment selector. The segment selector is obtained from the 653 * input segment register index @seg_reg_idx. 654 * 655 * Returns: 656 * 657 * In protected mode, base address of the segment. Zero in long mode, 658 * except when FS or GS are used. In virtual-8086 mode, the segment 659 * selector shifted 4 bits to the right. 660 * 661 * -1L in case of error. 662 */ 663unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx) 664{ 665 struct desc_struct desc; 666 short sel; 667 668 sel = get_segment_selector(regs, seg_reg_idx); 669 if (sel < 0) 670 return -1L; 671 672 if (v8086_mode(regs)) 673 /* 674 * Base is simply the segment selector shifted 4 675 * bits to the right. 676 */ 677 return (unsigned long)(sel << 4); 678 679 if (any_64bit_mode(regs)) { 680 /* 681 * Only FS or GS will have a base address, the rest of 682 * the segments' bases are forced to 0. 683 */ 684 unsigned long base; 685 686 if (seg_reg_idx == INAT_SEG_REG_FS) { 687 rdmsrl(MSR_FS_BASE, base); 688 } else if (seg_reg_idx == INAT_SEG_REG_GS) { 689 /* 690 * swapgs was called at the kernel entry point. Thus, 691 * MSR_KERNEL_GS_BASE will have the user-space GS base. 692 */ 693 if (user_mode(regs)) 694 rdmsrl(MSR_KERNEL_GS_BASE, base); 695 else 696 rdmsrl(MSR_GS_BASE, base); 697 } else { 698 base = 0; 699 } 700 return base; 701 } 702 703 /* In protected mode the segment selector cannot be null. */ 704 if (!sel) 705 return -1L; 706 707 if (!get_desc(&desc, sel)) 708 return -1L; 709 710 return get_desc_base(&desc); 711} 712 713/** 714 * get_seg_limit() - Obtain the limit of a segment descriptor 715 * @regs: Register values as seen when entering kernel mode 716 * @seg_reg_idx: Index of the segment register pointing to seg descriptor 717 * 718 * Obtain the limit of the segment as indicated by the segment descriptor 719 * pointed by the segment selector. The segment selector is obtained from the 720 * input segment register index @seg_reg_idx. 721 * 722 * Returns: 723 * 724 * In protected mode, the limit of the segment descriptor in bytes. 725 * In long mode and virtual-8086 mode, segment limits are not enforced. Thus, 726 * limit is returned as -1L to imply a limit-less segment. 727 * 728 * Zero is returned on error. 729 */ 730static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx) 731{ 732 struct desc_struct desc; 733 unsigned long limit; 734 short sel; 735 736 sel = get_segment_selector(regs, seg_reg_idx); 737 if (sel < 0) 738 return 0; 739 740 if (any_64bit_mode(regs) || v8086_mode(regs)) 741 return -1L; 742 743 if (!sel) 744 return 0; 745 746 if (!get_desc(&desc, sel)) 747 return 0; 748 749 /* 750 * If the granularity bit is set, the limit is given in multiples 751 * of 4096. This also means that the 12 least significant bits are 752 * not tested when checking the segment limits. In practice, 753 * this means that the segment ends in (limit << 12) + 0xfff. 754 */ 755 limit = get_desc_limit(&desc); 756 if (desc.g) 757 limit = (limit << 12) + 0xfff; 758 759 return limit; 760} 761 762/** 763 * insn_get_code_seg_params() - Obtain code segment parameters 764 * @regs: Structure with register values as seen when entering kernel mode 765 * 766 * Obtain address and operand sizes of the code segment. It is obtained from the 767 * selector contained in the CS register in regs. In protected mode, the default 768 * address is determined by inspecting the L and D bits of the segment 769 * descriptor. In virtual-8086 mode, the default is always two bytes for both 770 * address and operand sizes. 771 * 772 * Returns: 773 * 774 * An int containing ORed-in default parameters on success. 775 * 776 * -EINVAL on error. 777 */ 778int insn_get_code_seg_params(struct pt_regs *regs) 779{ 780 struct desc_struct desc; 781 short sel; 782 783 if (v8086_mode(regs)) 784 /* Address and operand size are both 16-bit. */ 785 return INSN_CODE_SEG_PARAMS(2, 2); 786 787 sel = get_segment_selector(regs, INAT_SEG_REG_CS); 788 if (sel < 0) 789 return sel; 790 791 if (!get_desc(&desc, sel)) 792 return -EINVAL; 793 794 /* 795 * The most significant byte of the Type field of the segment descriptor 796 * determines whether a segment contains data or code. If this is a data 797 * segment, return error. 798 */ 799 if (!(desc.type & BIT(3))) 800 return -EINVAL; 801 802 switch ((desc.l << 1) | desc.d) { 803 case 0: /* 804 * Legacy mode. CS.L=0, CS.D=0. Address and operand size are 805 * both 16-bit. 806 */ 807 return INSN_CODE_SEG_PARAMS(2, 2); 808 case 1: /* 809 * Legacy mode. CS.L=0, CS.D=1. Address and operand size are 810 * both 32-bit. 811 */ 812 return INSN_CODE_SEG_PARAMS(4, 4); 813 case 2: /* 814 * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit; 815 * operand size is 32-bit. 816 */ 817 return INSN_CODE_SEG_PARAMS(4, 8); 818 case 3: /* Invalid setting. CS.L=1, CS.D=1 */ 819 fallthrough; 820 default: 821 return -EINVAL; 822 } 823} 824 825/** 826 * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte 827 * @insn: Instruction containing the ModRM byte 828 * @regs: Register values as seen when entering kernel mode 829 * 830 * Returns: 831 * 832 * The register indicated by the r/m part of the ModRM byte. The 833 * register is obtained as an offset from the base of pt_regs. In specific 834 * cases, the returned value can be -EDOM to indicate that the particular value 835 * of ModRM does not refer to a register and shall be ignored. 836 */ 837int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs) 838{ 839 return get_reg_offset(insn, regs, REG_TYPE_RM); 840} 841 842/** 843 * insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte 844 * @insn: Instruction containing the ModRM byte 845 * @regs: Register values as seen when entering kernel mode 846 * 847 * Returns: 848 * 849 * The register indicated by the reg part of the ModRM byte. The 850 * register is obtained as an offset from the base of pt_regs. 851 */ 852int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs) 853{ 854 return get_reg_offset(insn, regs, REG_TYPE_REG); 855} 856 857/** 858 * get_seg_base_limit() - obtain base address and limit of a segment 859 * @insn: Instruction. Must be valid. 860 * @regs: Register values as seen when entering kernel mode 861 * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor 862 * @base: Obtained segment base 863 * @limit: Obtained segment limit 864 * 865 * Obtain the base address and limit of the segment associated with the operand 866 * @regoff and, if any or allowed, override prefixes in @insn. This function is 867 * different from insn_get_seg_base() as the latter does not resolve the segment 868 * associated with the instruction operand. If a limit is not needed (e.g., 869 * when running in long mode), @limit can be NULL. 870 * 871 * Returns: 872 * 873 * 0 on success. @base and @limit will contain the base address and of the 874 * resolved segment, respectively. 875 * 876 * -EINVAL on error. 877 */ 878static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs, 879 int regoff, unsigned long *base, 880 unsigned long *limit) 881{ 882 int seg_reg_idx; 883 884 if (!base) 885 return -EINVAL; 886 887 seg_reg_idx = resolve_seg_reg(insn, regs, regoff); 888 if (seg_reg_idx < 0) 889 return seg_reg_idx; 890 891 *base = insn_get_seg_base(regs, seg_reg_idx); 892 if (*base == -1L) 893 return -EINVAL; 894 895 if (!limit) 896 return 0; 897 898 *limit = get_seg_limit(regs, seg_reg_idx); 899 if (!(*limit)) 900 return -EINVAL; 901 902 return 0; 903} 904 905/** 906 * get_eff_addr_reg() - Obtain effective address from register operand 907 * @insn: Instruction. Must be valid. 908 * @regs: Register values as seen when entering kernel mode 909 * @regoff: Obtained operand offset, in pt_regs, with the effective address 910 * @eff_addr: Obtained effective address 911 * 912 * Obtain the effective address stored in the register operand as indicated by 913 * the ModRM byte. This function is to be used only with register addressing 914 * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The 915 * register operand, as an offset from the base of pt_regs, is saved in @regoff; 916 * such offset can then be used to resolve the segment associated with the 917 * operand. This function can be used with any of the supported address sizes 918 * in x86. 919 * 920 * Returns: 921 * 922 * 0 on success. @eff_addr will have the effective address stored in the 923 * operand indicated by ModRM. @regoff will have such operand as an offset from 924 * the base of pt_regs. 925 * 926 * -EINVAL on error. 927 */ 928static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs, 929 int *regoff, long *eff_addr) 930{ 931 int ret; 932 933 ret = insn_get_modrm(insn); 934 if (ret) 935 return ret; 936 937 if (X86_MODRM_MOD(insn->modrm.value) != 3) 938 return -EINVAL; 939 940 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 941 if (*regoff < 0) 942 return -EINVAL; 943 944 /* Ignore bytes that are outside the address size. */ 945 if (insn->addr_bytes == 2) 946 *eff_addr = regs_get_register(regs, *regoff) & 0xffff; 947 else if (insn->addr_bytes == 4) 948 *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff; 949 else /* 64-bit address */ 950 *eff_addr = regs_get_register(regs, *regoff); 951 952 return 0; 953} 954 955/** 956 * get_eff_addr_modrm() - Obtain referenced effective address via ModRM 957 * @insn: Instruction. Must be valid. 958 * @regs: Register values as seen when entering kernel mode 959 * @regoff: Obtained operand offset, in pt_regs, associated with segment 960 * @eff_addr: Obtained effective address 961 * 962 * Obtain the effective address referenced by the ModRM byte of @insn. After 963 * identifying the registers involved in the register-indirect memory reference, 964 * its value is obtained from the operands in @regs. The computed address is 965 * stored @eff_addr. Also, the register operand that indicates the associated 966 * segment is stored in @regoff, this parameter can later be used to determine 967 * such segment. 968 * 969 * Returns: 970 * 971 * 0 on success. @eff_addr will have the referenced effective address. @regoff 972 * will have a register, as an offset from the base of pt_regs, that can be used 973 * to resolve the associated segment. 974 * 975 * -EINVAL on error. 976 */ 977static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs, 978 int *regoff, long *eff_addr) 979{ 980 long tmp; 981 int ret; 982 983 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 984 return -EINVAL; 985 986 ret = insn_get_modrm(insn); 987 if (ret) 988 return ret; 989 990 if (X86_MODRM_MOD(insn->modrm.value) > 2) 991 return -EINVAL; 992 993 *regoff = get_reg_offset(insn, regs, REG_TYPE_RM); 994 995 /* 996 * -EDOM means that we must ignore the address_offset. In such a case, 997 * in 64-bit mode the effective address relative to the rIP of the 998 * following instruction. 999 */ 1000 if (*regoff == -EDOM) { 1001 if (any_64bit_mode(regs)) 1002 tmp = regs->ip + insn->length; 1003 else 1004 tmp = 0; 1005 } else if (*regoff < 0) { 1006 return -EINVAL; 1007 } else { 1008 tmp = regs_get_register(regs, *regoff); 1009 } 1010 1011 if (insn->addr_bytes == 4) { 1012 int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value; 1013 1014 *eff_addr = addr32 & 0xffffffff; 1015 } else { 1016 *eff_addr = tmp + insn->displacement.value; 1017 } 1018 1019 return 0; 1020} 1021 1022/** 1023 * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM 1024 * @insn: Instruction. Must be valid. 1025 * @regs: Register values as seen when entering kernel mode 1026 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1027 * @eff_addr: Obtained effective address 1028 * 1029 * Obtain the 16-bit effective address referenced by the ModRM byte of @insn. 1030 * After identifying the registers involved in the register-indirect memory 1031 * reference, its value is obtained from the operands in @regs. The computed 1032 * address is stored @eff_addr. Also, the register operand that indicates 1033 * the associated segment is stored in @regoff, this parameter can later be used 1034 * to determine such segment. 1035 * 1036 * Returns: 1037 * 1038 * 0 on success. @eff_addr will have the referenced effective address. @regoff 1039 * will have a register, as an offset from the base of pt_regs, that can be used 1040 * to resolve the associated segment. 1041 * 1042 * -EINVAL on error. 1043 */ 1044static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs, 1045 int *regoff, short *eff_addr) 1046{ 1047 int addr_offset1, addr_offset2, ret; 1048 short addr1 = 0, addr2 = 0, displacement; 1049 1050 if (insn->addr_bytes != 2) 1051 return -EINVAL; 1052 1053 insn_get_modrm(insn); 1054 1055 if (!insn->modrm.nbytes) 1056 return -EINVAL; 1057 1058 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1059 return -EINVAL; 1060 1061 ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2); 1062 if (ret < 0) 1063 return -EINVAL; 1064 1065 /* 1066 * Don't fail on invalid offset values. They might be invalid because 1067 * they cannot be used for this particular value of ModRM. Instead, use 1068 * them in the computation only if they contain a valid value. 1069 */ 1070 if (addr_offset1 != -EDOM) 1071 addr1 = regs_get_register(regs, addr_offset1) & 0xffff; 1072 1073 if (addr_offset2 != -EDOM) 1074 addr2 = regs_get_register(regs, addr_offset2) & 0xffff; 1075 1076 displacement = insn->displacement.value & 0xffff; 1077 *eff_addr = addr1 + addr2 + displacement; 1078 1079 /* 1080 * The first operand register could indicate to use of either SS or DS 1081 * registers to obtain the segment selector. The second operand 1082 * register can only indicate the use of DS. Thus, the first operand 1083 * will be used to obtain the segment selector. 1084 */ 1085 *regoff = addr_offset1; 1086 1087 return 0; 1088} 1089 1090/** 1091 * get_eff_addr_sib() - Obtain referenced effective address via SIB 1092 * @insn: Instruction. Must be valid. 1093 * @regs: Register values as seen when entering kernel mode 1094 * @regoff: Obtained operand offset, in pt_regs, associated with segment 1095 * @eff_addr: Obtained effective address 1096 * 1097 * Obtain the effective address referenced by the SIB byte of @insn. After 1098 * identifying the registers involved in the indexed, register-indirect memory 1099 * reference, its value is obtained from the operands in @regs. The computed 1100 * address is stored @eff_addr. Also, the register operand that indicates the 1101 * associated segment is stored in @regoff, this parameter can later be used to 1102 * determine such segment. 1103 * 1104 * Returns: 1105 * 1106 * 0 on success. @eff_addr will have the referenced effective address. 1107 * @base_offset will have a register, as an offset from the base of pt_regs, 1108 * that can be used to resolve the associated segment. 1109 * 1110 * Negative value on error. 1111 */ 1112static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs, 1113 int *base_offset, long *eff_addr) 1114{ 1115 long base, indx; 1116 int indx_offset; 1117 int ret; 1118 1119 if (insn->addr_bytes != 8 && insn->addr_bytes != 4) 1120 return -EINVAL; 1121 1122 ret = insn_get_modrm(insn); 1123 if (ret) 1124 return ret; 1125 1126 if (!insn->modrm.nbytes) 1127 return -EINVAL; 1128 1129 if (X86_MODRM_MOD(insn->modrm.value) > 2) 1130 return -EINVAL; 1131 1132 ret = insn_get_sib(insn); 1133 if (ret) 1134 return ret; 1135 1136 if (!insn->sib.nbytes) 1137 return -EINVAL; 1138 1139 *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); 1140 indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); 1141 1142 /* 1143 * Negative values in the base and index offset means an error when 1144 * decoding the SIB byte. Except -EDOM, which means that the registers 1145 * should not be used in the address computation. 1146 */ 1147 if (*base_offset == -EDOM) 1148 base = 0; 1149 else if (*base_offset < 0) 1150 return -EINVAL; 1151 else 1152 base = regs_get_register(regs, *base_offset); 1153 1154 if (indx_offset == -EDOM) 1155 indx = 0; 1156 else if (indx_offset < 0) 1157 return -EINVAL; 1158 else 1159 indx = regs_get_register(regs, indx_offset); 1160 1161 if (insn->addr_bytes == 4) { 1162 int addr32, base32, idx32; 1163 1164 base32 = base & 0xffffffff; 1165 idx32 = indx & 0xffffffff; 1166 1167 addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value)); 1168 addr32 += insn->displacement.value; 1169 1170 *eff_addr = addr32 & 0xffffffff; 1171 } else { 1172 *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value)); 1173 *eff_addr += insn->displacement.value; 1174 } 1175 1176 return 0; 1177} 1178 1179/** 1180 * get_addr_ref_16() - Obtain the 16-bit address referred by instruction 1181 * @insn: Instruction containing ModRM byte and displacement 1182 * @regs: Register values as seen when entering kernel mode 1183 * 1184 * This function is to be used with 16-bit address encodings. Obtain the memory 1185 * address referred by the instruction's ModRM and displacement bytes. Also, the 1186 * segment used as base is determined by either any segment override prefixes in 1187 * @insn or the default segment of the registers involved in the address 1188 * computation. In protected mode, segment limits are enforced. 1189 * 1190 * Returns: 1191 * 1192 * Linear address referenced by the instruction operands on success. 1193 * 1194 * -1L on error. 1195 */ 1196static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs) 1197{ 1198 unsigned long linear_addr = -1L, seg_base, seg_limit; 1199 int ret, regoff; 1200 short eff_addr; 1201 long tmp; 1202 1203 if (insn_get_displacement(insn)) 1204 goto out; 1205 1206 if (insn->addr_bytes != 2) 1207 goto out; 1208 1209 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1210 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1211 if (ret) 1212 goto out; 1213 1214 eff_addr = tmp; 1215 } else { 1216 ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr); 1217 if (ret) 1218 goto out; 1219 } 1220 1221 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1222 if (ret) 1223 goto out; 1224 1225 /* 1226 * Before computing the linear address, make sure the effective address 1227 * is within the limits of the segment. In virtual-8086 mode, segment 1228 * limits are not enforced. In such a case, the segment limit is -1L to 1229 * reflect this fact. 1230 */ 1231 if ((unsigned long)(eff_addr & 0xffff) > seg_limit) 1232 goto out; 1233 1234 linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base; 1235 1236 /* Limit linear address to 20 bits */ 1237 if (v8086_mode(regs)) 1238 linear_addr &= 0xfffff; 1239 1240out: 1241 return (void __user *)linear_addr; 1242} 1243 1244/** 1245 * get_addr_ref_32() - Obtain a 32-bit linear address 1246 * @insn: Instruction with ModRM, SIB bytes and displacement 1247 * @regs: Register values as seen when entering kernel mode 1248 * 1249 * This function is to be used with 32-bit address encodings to obtain the 1250 * linear memory address referred by the instruction's ModRM, SIB, 1251 * displacement bytes and segment base address, as applicable. If in protected 1252 * mode, segment limits are enforced. 1253 * 1254 * Returns: 1255 * 1256 * Linear address referenced by instruction and registers on success. 1257 * 1258 * -1L on error. 1259 */ 1260static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs) 1261{ 1262 unsigned long linear_addr = -1L, seg_base, seg_limit; 1263 int eff_addr, regoff; 1264 long tmp; 1265 int ret; 1266 1267 if (insn->addr_bytes != 4) 1268 goto out; 1269 1270 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1271 ret = get_eff_addr_reg(insn, regs, ®off, &tmp); 1272 if (ret) 1273 goto out; 1274 1275 eff_addr = tmp; 1276 1277 } else { 1278 if (insn->sib.nbytes) { 1279 ret = get_eff_addr_sib(insn, regs, ®off, &tmp); 1280 if (ret) 1281 goto out; 1282 1283 eff_addr = tmp; 1284 } else { 1285 ret = get_eff_addr_modrm(insn, regs, ®off, &tmp); 1286 if (ret) 1287 goto out; 1288 1289 eff_addr = tmp; 1290 } 1291 } 1292 1293 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit); 1294 if (ret) 1295 goto out; 1296 1297 /* 1298 * In protected mode, before computing the linear address, make sure 1299 * the effective address is within the limits of the segment. 1300 * 32-bit addresses can be used in long and virtual-8086 modes if an 1301 * address override prefix is used. In such cases, segment limits are 1302 * not enforced. When in virtual-8086 mode, the segment limit is -1L 1303 * to reflect this situation. 1304 * 1305 * After computed, the effective address is treated as an unsigned 1306 * quantity. 1307 */ 1308 if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit)) 1309 goto out; 1310 1311 /* 1312 * Even though 32-bit address encodings are allowed in virtual-8086 1313 * mode, the address range is still limited to [0x-0xffff]. 1314 */ 1315 if (v8086_mode(regs) && (eff_addr & ~0xffff)) 1316 goto out; 1317 1318 /* 1319 * Data type long could be 64 bits in size. Ensure that our 32-bit 1320 * effective address is not sign-extended when computing the linear 1321 * address. 1322 */ 1323 linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base; 1324 1325 /* Limit linear address to 20 bits */ 1326 if (v8086_mode(regs)) 1327 linear_addr &= 0xfffff; 1328 1329out: 1330 return (void __user *)linear_addr; 1331} 1332 1333/** 1334 * get_addr_ref_64() - Obtain a 64-bit linear address 1335 * @insn: Instruction struct with ModRM and SIB bytes and displacement 1336 * @regs: Structure with register values as seen when entering kernel mode 1337 * 1338 * This function is to be used with 64-bit address encodings to obtain the 1339 * linear memory address referred by the instruction's ModRM, SIB, 1340 * displacement bytes and segment base address, as applicable. 1341 * 1342 * Returns: 1343 * 1344 * Linear address referenced by instruction and registers on success. 1345 * 1346 * -1L on error. 1347 */ 1348#ifndef CONFIG_X86_64 1349static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1350{ 1351 return (void __user *)-1L; 1352} 1353#else 1354static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs) 1355{ 1356 unsigned long linear_addr = -1L, seg_base; 1357 int regoff, ret; 1358 long eff_addr; 1359 1360 if (insn->addr_bytes != 8) 1361 goto out; 1362 1363 if (X86_MODRM_MOD(insn->modrm.value) == 3) { 1364 ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr); 1365 if (ret) 1366 goto out; 1367 1368 } else { 1369 if (insn->sib.nbytes) { 1370 ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr); 1371 if (ret) 1372 goto out; 1373 } else { 1374 ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr); 1375 if (ret) 1376 goto out; 1377 } 1378 1379 } 1380 1381 ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL); 1382 if (ret) 1383 goto out; 1384 1385 linear_addr = (unsigned long)eff_addr + seg_base; 1386 1387out: 1388 return (void __user *)linear_addr; 1389} 1390#endif /* CONFIG_X86_64 */ 1391 1392/** 1393 * insn_get_addr_ref() - Obtain the linear address referred by instruction 1394 * @insn: Instruction structure containing ModRM byte and displacement 1395 * @regs: Structure with register values as seen when entering kernel mode 1396 * 1397 * Obtain the linear address referred by the instruction's ModRM, SIB and 1398 * displacement bytes, and segment base, as applicable. In protected mode, 1399 * segment limits are enforced. 1400 * 1401 * Returns: 1402 * 1403 * Linear address referenced by instruction and registers on success. 1404 * 1405 * -1L on error. 1406 */ 1407void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs) 1408{ 1409 if (!insn || !regs) 1410 return (void __user *)-1L; 1411 1412 switch (insn->addr_bytes) { 1413 case 2: 1414 return get_addr_ref_16(insn, regs); 1415 case 4: 1416 return get_addr_ref_32(insn, regs); 1417 case 8: 1418 return get_addr_ref_64(insn, regs); 1419 default: 1420 return (void __user *)-1L; 1421 } 1422} 1423 1424unsigned long insn_get_effective_ip(struct pt_regs *regs) 1425{ 1426 unsigned long seg_base = 0; 1427 1428 /* 1429 * If not in user-space long mode, a custom code segment could be in 1430 * use. This is true in protected mode (if the process defined a local 1431 * descriptor table), or virtual-8086 mode. In most of the cases 1432 * seg_base will be zero as in USER_CS. 1433 */ 1434 if (!user_64bit_mode(regs)) { 1435 seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS); 1436 if (seg_base == -1L) 1437 return 0; 1438 } 1439 1440 return seg_base + regs->ip; 1441} 1442 1443/** 1444 * insn_fetch_from_user() - Copy instruction bytes from user-space memory 1445 * @regs: Structure with register values as seen when entering kernel mode 1446 * @buf: Array to store the fetched instruction 1447 * 1448 * Gets the linear address of the instruction and copies the instruction bytes 1449 * to the buf. 1450 * 1451 * Returns: 1452 * 1453 * Number of instruction bytes copied. 1454 * 1455 * 0 if nothing was copied. 1456 */ 1457int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1458{ 1459 unsigned long ip; 1460 int not_copied; 1461 1462 ip = insn_get_effective_ip(regs); 1463 if (!ip) 1464 return 0; 1465 1466 not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE); 1467 1468 return MAX_INSN_SIZE - not_copied; 1469} 1470 1471/** 1472 * insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory 1473 * while in atomic code 1474 * @regs: Structure with register values as seen when entering kernel mode 1475 * @buf: Array to store the fetched instruction 1476 * 1477 * Gets the linear address of the instruction and copies the instruction bytes 1478 * to the buf. This function must be used in atomic context. 1479 * 1480 * Returns: 1481 * 1482 * Number of instruction bytes copied. 1483 * 1484 * 0 if nothing was copied. 1485 */ 1486int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE]) 1487{ 1488 unsigned long ip; 1489 int not_copied; 1490 1491 ip = insn_get_effective_ip(regs); 1492 if (!ip) 1493 return 0; 1494 1495 not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE); 1496 1497 return MAX_INSN_SIZE - not_copied; 1498} 1499 1500/** 1501 * insn_decode_from_regs() - Decode an instruction 1502 * @insn: Structure to store decoded instruction 1503 * @regs: Structure with register values as seen when entering kernel mode 1504 * @buf: Buffer containing the instruction bytes 1505 * @buf_size: Number of instruction bytes available in buf 1506 * 1507 * Decodes the instruction provided in buf and stores the decoding results in 1508 * insn. Also determines the correct address and operand sizes. 1509 * 1510 * Returns: 1511 * 1512 * True if instruction was decoded, False otherwise. 1513 */ 1514bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs, 1515 unsigned char buf[MAX_INSN_SIZE], int buf_size) 1516{ 1517 int seg_defs; 1518 1519 insn_init(insn, buf, buf_size, user_64bit_mode(regs)); 1520 1521 /* 1522 * Override the default operand and address sizes with what is specified 1523 * in the code segment descriptor. The instruction decoder only sets 1524 * the address size it to either 4 or 8 address bytes and does nothing 1525 * for the operand bytes. This OK for most of the cases, but we could 1526 * have special cases where, for instance, a 16-bit code segment 1527 * descriptor is used. 1528 * If there is an address override prefix, the instruction decoder 1529 * correctly updates these values, even for 16-bit defaults. 1530 */ 1531 seg_defs = insn_get_code_seg_params(regs); 1532 if (seg_defs == -EINVAL) 1533 return false; 1534 1535 insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs); 1536 insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs); 1537 1538 if (insn_get_length(insn)) 1539 return false; 1540 1541 if (buf_size < insn->length) 1542 return false; 1543 1544 return true; 1545} 1546