Branch data Line data Source code
1 : : /*
2 : : * Utility functions for x86 operand and address decoding
3 : : *
4 : : * Copyright (C) Intel Corporation 2017
5 : : */
6 : : #include <linux/kernel.h>
7 : : #include <linux/string.h>
8 : : #include <linux/ratelimit.h>
9 : : #include <linux/mmu_context.h>
10 : : #include <asm/desc_defs.h>
11 : : #include <asm/desc.h>
12 : : #include <asm/inat.h>
13 : : #include <asm/insn.h>
14 : : #include <asm/insn-eval.h>
15 : : #include <asm/ldt.h>
16 : : #include <asm/vm86.h>
17 : :
18 : : #undef pr_fmt
19 : : #define pr_fmt(fmt) "insn: " fmt
20 : :
21 : : enum reg_type {
22 : : REG_TYPE_RM = 0,
23 : : REG_TYPE_INDEX,
24 : : REG_TYPE_BASE,
25 : : };
26 : :
27 : : /**
28 : : * is_string_insn() - Determine if instruction is a string instruction
29 : : * @insn: Instruction containing the opcode to inspect
30 : : *
31 : : * Returns:
32 : : *
33 : : * true if the instruction, determined by the opcode, is any of the
34 : : * string instructions as defined in the Intel Software Development manual.
35 : : * False otherwise.
36 : : */
37 : 0 : static bool is_string_insn(struct insn *insn)
38 : : {
39 : 0 : insn_get_opcode(insn);
40 : :
41 : : /* All string instructions have a 1-byte opcode. */
42 [ # # ]: 0 : if (insn->opcode.nbytes != 1)
43 : : return false;
44 : :
45 [ # # ]: 0 : switch (insn->opcode.bytes[0]) {
46 : : case 0x6c ... 0x6f: /* INS, OUTS */
47 : : case 0xa4 ... 0xa7: /* MOVS, CMPS */
48 : : case 0xaa ... 0xaf: /* STOS, LODS, SCAS */
49 : : return true;
50 : 0 : default:
51 : 0 : return false;
52 : : }
53 : : }
54 : :
55 : : /**
56 : : * get_seg_reg_override_idx() - obtain segment register override index
57 : : * @insn: Valid instruction with segment override prefixes
58 : : *
59 : : * Inspect the instruction prefixes in @insn and find segment overrides, if any.
60 : : *
61 : : * Returns:
62 : : *
63 : : * A constant identifying the segment register to use, among CS, SS, DS,
64 : : * ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override
65 : : * prefixes were found.
66 : : *
67 : : * -EINVAL in case of error.
68 : : */
69 : 0 : static int get_seg_reg_override_idx(struct insn *insn)
70 : : {
71 : 0 : int idx = INAT_SEG_REG_DEFAULT;
72 : 0 : int num_overrides = 0, i;
73 : :
74 : 0 : insn_get_prefixes(insn);
75 : :
76 : : /* Look for any segment override prefixes. */
77 [ # # ]: 0 : for (i = 0; i < insn->prefixes.nbytes; i++) {
78 : 0 : insn_attr_t attr;
79 : :
80 : 0 : attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
81 [ # # # # : 0 : switch (attr) {
# # # ]
82 : 0 : case INAT_MAKE_PREFIX(INAT_PFX_CS):
83 : 0 : idx = INAT_SEG_REG_CS;
84 : 0 : num_overrides++;
85 : 0 : break;
86 : 0 : case INAT_MAKE_PREFIX(INAT_PFX_SS):
87 : 0 : idx = INAT_SEG_REG_SS;
88 : 0 : num_overrides++;
89 : 0 : break;
90 : 0 : case INAT_MAKE_PREFIX(INAT_PFX_DS):
91 : 0 : idx = INAT_SEG_REG_DS;
92 : 0 : num_overrides++;
93 : 0 : break;
94 : 0 : case INAT_MAKE_PREFIX(INAT_PFX_ES):
95 : 0 : idx = INAT_SEG_REG_ES;
96 : 0 : num_overrides++;
97 : 0 : break;
98 : 0 : case INAT_MAKE_PREFIX(INAT_PFX_FS):
99 : 0 : idx = INAT_SEG_REG_FS;
100 : 0 : num_overrides++;
101 : 0 : break;
102 : 0 : case INAT_MAKE_PREFIX(INAT_PFX_GS):
103 : 0 : idx = INAT_SEG_REG_GS;
104 : 0 : num_overrides++;
105 : 0 : break;
106 : : /* No default action needed. */
107 : : }
108 : 0 : }
109 : :
110 : : /* More than one segment override prefix leads to undefined behavior. */
111 [ # # ]: 0 : if (num_overrides > 1)
112 : 0 : return -EINVAL;
113 : :
114 : : return idx;
115 : : }
116 : :
117 : : /**
118 : : * check_seg_overrides() - check if segment override prefixes are allowed
119 : : * @insn: Valid instruction with segment override prefixes
120 : : * @regoff: Operand offset, in pt_regs, for which the check is performed
121 : : *
122 : : * For a particular register used in register-indirect addressing, determine if
123 : : * segment override prefixes can be used. Specifically, no overrides are allowed
124 : : * for rDI if used with a string instruction.
125 : : *
126 : : * Returns:
127 : : *
128 : : * True if segment override prefixes can be used with the register indicated
129 : : * in @regoff. False if otherwise.
130 : : */
131 : 0 : static bool check_seg_overrides(struct insn *insn, int regoff)
132 : : {
133 [ # # ]: 0 : if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))
134 : 0 : return false;
135 : :
136 : : return true;
137 : : }
138 : :
139 : : /**
140 : : * resolve_default_seg() - resolve default segment register index for an operand
141 : : * @insn: Instruction with opcode and address size. Must be valid.
142 : : * @regs: Register values as seen when entering kernel mode
143 : : * @off: Operand offset, in pt_regs, for which resolution is needed
144 : : *
145 : : * Resolve the default segment register index associated with the instruction
146 : : * operand register indicated by @off. Such index is resolved based on defaults
147 : : * described in the Intel Software Development Manual.
148 : : *
149 : : * Returns:
150 : : *
151 : : * If in protected mode, a constant identifying the segment register to use,
152 : : * among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.
153 : : *
154 : : * -EINVAL in case of error.
155 : : */
156 : 0 : static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)
157 : : {
158 [ # # # # ]: 0 : if (any_64bit_mode(regs))
159 : : return INAT_SEG_REG_IGNORE;
160 : : /*
161 : : * Resolve the default segment register as described in Section 3.7.4
162 : : * of the Intel Software Development Manual Vol. 1:
163 : : *
164 : : * + DS for all references involving r[ABCD]X, and rSI.
165 : : * + If used in a string instruction, ES for rDI. Otherwise, DS.
166 : : * + AX, CX and DX are not valid register operands in 16-bit address
167 : : * encodings but are valid for 32-bit and 64-bit encodings.
168 : : * + -EDOM is reserved to identify for cases in which no register
169 : : * is used (i.e., displacement-only addressing). Use DS.
170 : : * + SS for rSP or rBP.
171 : : * + CS for rIP.
172 : : */
173 : :
174 [ # # # # : 0 : switch (off) {
# # ]
175 : 0 : case offsetof(struct pt_regs, ax):
176 : : case offsetof(struct pt_regs, cx):
177 : : case offsetof(struct pt_regs, dx):
178 : : /* Need insn to verify address size. */
179 [ # # ]: 0 : if (insn->addr_bytes == 2)
180 : 0 : return -EINVAL;
181 : :
182 : : /* fall through */
183 : :
184 : : case -EDOM:
185 : : case offsetof(struct pt_regs, bx):
186 : : case offsetof(struct pt_regs, si):
187 : : return INAT_SEG_REG_DS;
188 : :
189 : 0 : case offsetof(struct pt_regs, di):
190 [ # # ]: 0 : if (is_string_insn(insn))
191 : 0 : return INAT_SEG_REG_ES;
192 : : return INAT_SEG_REG_DS;
193 : :
194 : 0 : case offsetof(struct pt_regs, bp):
195 : : case offsetof(struct pt_regs, sp):
196 : 0 : return INAT_SEG_REG_SS;
197 : :
198 : 0 : case offsetof(struct pt_regs, ip):
199 : 0 : return INAT_SEG_REG_CS;
200 : :
201 : 0 : default:
202 : 0 : return -EINVAL;
203 : : }
204 : : }
205 : :
206 : : /**
207 : : * resolve_seg_reg() - obtain segment register index
208 : : * @insn: Instruction with operands
209 : : * @regs: Register values as seen when entering kernel mode
210 : : * @regoff: Operand offset, in pt_regs, used to deterimine segment register
211 : : *
212 : : * Determine the segment register associated with the operands and, if
213 : : * applicable, prefixes and the instruction pointed by @insn.
214 : : *
215 : : * The segment register associated to an operand used in register-indirect
216 : : * addressing depends on:
217 : : *
218 : : * a) Whether running in long mode (in such a case segments are ignored, except
219 : : * if FS or GS are used).
220 : : *
221 : : * b) Whether segment override prefixes can be used. Certain instructions and
222 : : * registers do not allow override prefixes.
223 : : *
224 : : * c) Whether segment overrides prefixes are found in the instruction prefixes.
225 : : *
226 : : * d) If there are not segment override prefixes or they cannot be used, the
227 : : * default segment register associated with the operand register is used.
228 : : *
229 : : * The function checks first if segment override prefixes can be used with the
230 : : * operand indicated by @regoff. If allowed, obtain such overridden segment
231 : : * register index. Lastly, if not prefixes were found or cannot be used, resolve
232 : : * the segment register index to use based on the defaults described in the
233 : : * Intel documentation. In long mode, all segment register indexes will be
234 : : * ignored, except if overrides were found for FS or GS. All these operations
235 : : * are done using helper functions.
236 : : *
237 : : * The operand register, @regoff, is represented as the offset from the base of
238 : : * pt_regs.
239 : : *
240 : : * As stated, the main use of this function is to determine the segment register
241 : : * index based on the instruction, its operands and prefixes. Hence, @insn
242 : : * must be valid. However, if @regoff indicates rIP, we don't need to inspect
243 : : * @insn at all as in this case CS is used in all cases. This case is checked
244 : : * before proceeding further.
245 : : *
246 : : * Please note that this function does not return the value in the segment
247 : : * register (i.e., the segment selector) but our defined index. The segment
248 : : * selector needs to be obtained using get_segment_selector() and passing the
249 : : * segment register index resolved by this function.
250 : : *
251 : : * Returns:
252 : : *
253 : : * An index identifying the segment register to use, among CS, SS, DS,
254 : : * ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.
255 : : *
256 : : * -EINVAL in case of error.
257 : : */
258 : 0 : static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)
259 : : {
260 : 0 : int idx;
261 : :
262 : : /*
263 : : * In the unlikely event of having to resolve the segment register
264 : : * index for rIP, do it first. Segment override prefixes should not
265 : : * be used. Hence, it is not necessary to inspect the instruction,
266 : : * which may be invalid at this point.
267 : : */
268 [ # # ]: 0 : if (regoff == offsetof(struct pt_regs, ip)) {
269 [ # # # # ]: 0 : if (any_64bit_mode(regs))
270 : : return INAT_SEG_REG_IGNORE;
271 : : else
272 : 0 : return INAT_SEG_REG_CS;
273 : : }
274 : :
275 [ # # ]: 0 : if (!insn)
276 : : return -EINVAL;
277 : :
278 [ # # ]: 0 : if (!check_seg_overrides(insn, regoff))
279 : 0 : return resolve_default_seg(insn, regs, regoff);
280 : :
281 : 0 : idx = get_seg_reg_override_idx(insn);
282 [ # # ]: 0 : if (idx < 0)
283 : : return idx;
284 : :
285 [ # # ]: 0 : if (idx == INAT_SEG_REG_DEFAULT)
286 : 0 : return resolve_default_seg(insn, regs, regoff);
287 : :
288 : : /*
289 : : * In long mode, segment override prefixes are ignored, except for
290 : : * overrides for FS and GS.
291 : : */
292 [ # # # # ]: 0 : if (any_64bit_mode(regs)) {
293 [ # # ]: 0 : if (idx != INAT_SEG_REG_FS &&
294 : : idx != INAT_SEG_REG_GS)
295 : 0 : idx = INAT_SEG_REG_IGNORE;
296 : : }
297 : :
298 : : return idx;
299 : : }
300 : :
301 : : /**
302 : : * get_segment_selector() - obtain segment selector
303 : : * @regs: Register values as seen when entering kernel mode
304 : : * @seg_reg_idx: Segment register index to use
305 : : *
306 : : * Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment
307 : : * registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or
308 : : * kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained
309 : : * from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU
310 : : * registers. This done for only for completeness as in CONFIG_X86_64 segment
311 : : * registers are ignored.
312 : : *
313 : : * Returns:
314 : : *
315 : : * Value of the segment selector, including null when running in
316 : : * long mode.
317 : : *
318 : : * -EINVAL on error.
319 : : */
320 : 0 : static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)
321 : : {
322 : : #ifdef CONFIG_X86_64
323 : 0 : unsigned short sel;
324 : :
325 : 0 : switch (seg_reg_idx) {
326 : : case INAT_SEG_REG_IGNORE:
327 : : return 0;
328 : : case INAT_SEG_REG_CS:
329 : 0 : return (unsigned short)(regs->cs & 0xffff);
330 : : case INAT_SEG_REG_SS:
331 : : return (unsigned short)(regs->ss & 0xffff);
332 : : case INAT_SEG_REG_DS:
333 : : savesegment(ds, sel);
334 : : return sel;
335 : : case INAT_SEG_REG_ES:
336 : : savesegment(es, sel);
337 : : return sel;
338 : : case INAT_SEG_REG_FS:
339 : : savesegment(fs, sel);
340 : : return sel;
341 : : case INAT_SEG_REG_GS:
342 : : savesegment(gs, sel);
343 : : return sel;
344 : : default:
345 : : return -EINVAL;
346 : : }
347 : : #else /* CONFIG_X86_32 */
348 : : struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;
349 : :
350 : : if (v8086_mode(regs)) {
351 : : switch (seg_reg_idx) {
352 : : case INAT_SEG_REG_CS:
353 : : return (unsigned short)(regs->cs & 0xffff);
354 : : case INAT_SEG_REG_SS:
355 : : return (unsigned short)(regs->ss & 0xffff);
356 : : case INAT_SEG_REG_DS:
357 : : return vm86regs->ds;
358 : : case INAT_SEG_REG_ES:
359 : : return vm86regs->es;
360 : : case INAT_SEG_REG_FS:
361 : : return vm86regs->fs;
362 : : case INAT_SEG_REG_GS:
363 : : return vm86regs->gs;
364 : : case INAT_SEG_REG_IGNORE:
365 : : /* fall through */
366 : : default:
367 : : return -EINVAL;
368 : : }
369 : : }
370 : :
371 : : switch (seg_reg_idx) {
372 : : case INAT_SEG_REG_CS:
373 : : return (unsigned short)(regs->cs & 0xffff);
374 : : case INAT_SEG_REG_SS:
375 : : return (unsigned short)(regs->ss & 0xffff);
376 : : case INAT_SEG_REG_DS:
377 : : return (unsigned short)(regs->ds & 0xffff);
378 : : case INAT_SEG_REG_ES:
379 : : return (unsigned short)(regs->es & 0xffff);
380 : : case INAT_SEG_REG_FS:
381 : : return (unsigned short)(regs->fs & 0xffff);
382 : : case INAT_SEG_REG_GS:
383 : : /*
384 : : * GS may or may not be in regs as per CONFIG_X86_32_LAZY_GS.
385 : : * The macro below takes care of both cases.
386 : : */
387 : : return get_user_gs(regs);
388 : : case INAT_SEG_REG_IGNORE:
389 : : /* fall through */
390 : : default:
391 : : return -EINVAL;
392 : : }
393 : : #endif /* CONFIG_X86_64 */
394 : : }
395 : :
396 : : static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
397 : : enum reg_type type)
398 : : {
399 : : int regno = 0;
400 : :
401 : : static const int regoff[] = {
402 : : offsetof(struct pt_regs, ax),
403 : : offsetof(struct pt_regs, cx),
404 : : offsetof(struct pt_regs, dx),
405 : : offsetof(struct pt_regs, bx),
406 : : offsetof(struct pt_regs, sp),
407 : : offsetof(struct pt_regs, bp),
408 : : offsetof(struct pt_regs, si),
409 : : offsetof(struct pt_regs, di),
410 : : #ifdef CONFIG_X86_64
411 : : offsetof(struct pt_regs, r8),
412 : : offsetof(struct pt_regs, r9),
413 : : offsetof(struct pt_regs, r10),
414 : : offsetof(struct pt_regs, r11),
415 : : offsetof(struct pt_regs, r12),
416 : : offsetof(struct pt_regs, r13),
417 : : offsetof(struct pt_regs, r14),
418 : : offsetof(struct pt_regs, r15),
419 : : #endif
420 : : };
421 : : int nr_registers = ARRAY_SIZE(regoff);
422 : : /*
423 : : * Don't possibly decode a 32-bit instructions as
424 : : * reading a 64-bit-only register.
425 : : */
426 : : if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)
427 : : nr_registers -= 8;
428 : :
429 : : switch (type) {
430 : : case REG_TYPE_RM:
431 : : regno = X86_MODRM_RM(insn->modrm.value);
432 : :
433 : : /*
434 : : * ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement
435 : : * follows the ModRM byte.
436 : : */
437 : : if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
438 : : return -EDOM;
439 : :
440 : : if (X86_REX_B(insn->rex_prefix.value))
441 : : regno += 8;
442 : : break;
443 : :
444 : : case REG_TYPE_INDEX:
445 : : regno = X86_SIB_INDEX(insn->sib.value);
446 : : if (X86_REX_X(insn->rex_prefix.value))
447 : : regno += 8;
448 : :
449 : : /*
450 : : * If ModRM.mod != 3 and SIB.index = 4 the scale*index
451 : : * portion of the address computation is null. This is
452 : : * true only if REX.X is 0. In such a case, the SIB index
453 : : * is used in the address computation.
454 : : */
455 : : if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)
456 : : return -EDOM;
457 : : break;
458 : :
459 : : case REG_TYPE_BASE:
460 : : regno = X86_SIB_BASE(insn->sib.value);
461 : : /*
462 : : * If ModRM.mod is 0 and SIB.base == 5, the base of the
463 : : * register-indirect addressing is 0. In this case, a
464 : : * 32-bit displacement follows the SIB byte.
465 : : */
466 : : if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
467 : : return -EDOM;
468 : :
469 : : if (X86_REX_B(insn->rex_prefix.value))
470 : : regno += 8;
471 : : break;
472 : :
473 : : default:
474 : : pr_err_ratelimited("invalid register type: %d\n", type);
475 : : return -EINVAL;
476 : : }
477 : :
478 : : if (regno >= nr_registers) {
479 : : WARN_ONCE(1, "decoded an instruction with an invalid register");
480 : : return -EINVAL;
481 : : }
482 : : return regoff[regno];
483 : : }
484 : :
485 : : /**
486 : : * get_reg_offset_16() - Obtain offset of register indicated by instruction
487 : : * @insn: Instruction containing ModRM byte
488 : : * @regs: Register values as seen when entering kernel mode
489 : : * @offs1: Offset of the first operand register
490 : : * @offs2: Offset of the second opeand register, if applicable
491 : : *
492 : : * Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte
493 : : * in @insn. This function is to be used with 16-bit address encodings. The
494 : : * @offs1 and @offs2 will be written with the offset of the two registers
495 : : * indicated by the instruction. In cases where any of the registers is not
496 : : * referenced by the instruction, the value will be set to -EDOM.
497 : : *
498 : : * Returns:
499 : : *
500 : : * 0 on success, -EINVAL on error.
501 : : */
502 : : static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,
503 : : int *offs1, int *offs2)
504 : : {
505 : : /*
506 : : * 16-bit addressing can use one or two registers. Specifics of
507 : : * encodings are given in Table 2-1. "16-Bit Addressing Forms with the
508 : : * ModR/M Byte" of the Intel Software Development Manual.
509 : : */
510 : : static const int regoff1[] = {
511 : : offsetof(struct pt_regs, bx),
512 : : offsetof(struct pt_regs, bx),
513 : : offsetof(struct pt_regs, bp),
514 : : offsetof(struct pt_regs, bp),
515 : : offsetof(struct pt_regs, si),
516 : : offsetof(struct pt_regs, di),
517 : : offsetof(struct pt_regs, bp),
518 : : offsetof(struct pt_regs, bx),
519 : : };
520 : :
521 : : static const int regoff2[] = {
522 : : offsetof(struct pt_regs, si),
523 : : offsetof(struct pt_regs, di),
524 : : offsetof(struct pt_regs, si),
525 : : offsetof(struct pt_regs, di),
526 : : -EDOM,
527 : : -EDOM,
528 : : -EDOM,
529 : : -EDOM,
530 : : };
531 : :
532 : : if (!offs1 || !offs2)
533 : : return -EINVAL;
534 : :
535 : : /* Operand is a register, use the generic function. */
536 : : if (X86_MODRM_MOD(insn->modrm.value) == 3) {
537 : : *offs1 = insn_get_modrm_rm_off(insn, regs);
538 : : *offs2 = -EDOM;
539 : : return 0;
540 : : }
541 : :
542 : : *offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];
543 : : *offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];
544 : :
545 : : /*
546 : : * If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-
547 : : * only addressing. This means that no registers are involved in
548 : : * computing the effective address. Thus, ensure that the first
549 : : * register offset is invalild. The second register offset is already
550 : : * invalid under the aforementioned conditions.
551 : : */
552 : : if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&
553 : : (X86_MODRM_RM(insn->modrm.value) == 6))
554 : : *offs1 = -EDOM;
555 : :
556 : : return 0;
557 : : }
558 : :
559 : : /**
560 : : * get_desc() - Obtain contents of a segment descriptor
561 : : * @out: Segment descriptor contents on success
562 : : * @sel: Segment selector
563 : : *
564 : : * Given a segment selector, obtain a pointer to the segment descriptor.
565 : : * Both global and local descriptor tables are supported.
566 : : *
567 : : * Returns:
568 : : *
569 : : * True on success, false on failure.
570 : : *
571 : : * NULL on error.
572 : : */
573 : 0 : static bool get_desc(struct desc_struct *out, unsigned short sel)
574 : : {
575 : 0 : struct desc_ptr gdt_desc = {0, 0};
576 : 0 : unsigned long desc_base;
577 : :
578 : : #ifdef CONFIG_MODIFY_LDT_SYSCALL
579 [ # # ]: 0 : if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {
580 : 0 : bool success = false;
581 : 0 : struct ldt_struct *ldt;
582 : :
583 : : /* Bits [15:3] contain the index of the desired entry. */
584 : 0 : sel >>= 3;
585 : :
586 : 0 : mutex_lock(¤t->active_mm->context.lock);
587 [ # # ]: 0 : ldt = current->active_mm->context.ldt;
588 [ # # # # ]: 0 : if (ldt && sel < ldt->nr_entries) {
589 : 0 : *out = ldt->entries[sel];
590 : 0 : success = true;
591 : : }
592 : :
593 : 0 : mutex_unlock(¤t->active_mm->context.lock);
594 : :
595 : 0 : return success;
596 : : }
597 : : #endif
598 : 0 : native_store_gdt(&gdt_desc);
599 : :
600 : : /*
601 : : * Segment descriptors have a size of 8 bytes. Thus, the index is
602 : : * multiplied by 8 to obtain the memory offset of the desired descriptor
603 : : * from the base of the GDT. As bits [15:3] of the segment selector
604 : : * contain the index, it can be regarded as multiplied by 8 already.
605 : : * All that remains is to clear bits [2:0].
606 : : */
607 : 0 : desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);
608 : :
609 [ # # ]: 0 : if (desc_base > gdt_desc.size)
610 : : return false;
611 : :
612 : 0 : *out = *(struct desc_struct *)(gdt_desc.address + desc_base);
613 : 0 : return true;
614 : : }
615 : :
616 : : /**
617 : : * insn_get_seg_base() - Obtain base address of segment descriptor.
618 : : * @regs: Register values as seen when entering kernel mode
619 : : * @seg_reg_idx: Index of the segment register pointing to seg descriptor
620 : : *
621 : : * Obtain the base address of the segment as indicated by the segment descriptor
622 : : * pointed by the segment selector. The segment selector is obtained from the
623 : : * input segment register index @seg_reg_idx.
624 : : *
625 : : * Returns:
626 : : *
627 : : * In protected mode, base address of the segment. Zero in long mode,
628 : : * except when FS or GS are used. In virtual-8086 mode, the segment
629 : : * selector shifted 4 bits to the right.
630 : : *
631 : : * -1L in case of error.
632 : : */
633 : 0 : unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
634 : : {
635 : 0 : struct desc_struct desc;
636 : 0 : short sel;
637 : :
638 : 0 : sel = get_segment_selector(regs, seg_reg_idx);
639 [ # # ]: 0 : if (sel < 0)
640 : : return -1L;
641 : :
642 [ # # ]: 0 : if (v8086_mode(regs))
643 : : /*
644 : : * Base is simply the segment selector shifted 4
645 : : * bits to the right.
646 : : */
647 : : return (unsigned long)(sel << 4);
648 : :
649 [ # # # # ]: 0 : if (any_64bit_mode(regs)) {
650 : : /*
651 : : * Only FS or GS will have a base address, the rest of
652 : : * the segments' bases are forced to 0.
653 : : */
654 : 0 : unsigned long base;
655 : :
656 [ # # ]: 0 : if (seg_reg_idx == INAT_SEG_REG_FS) {
657 : 0 : rdmsrl(MSR_FS_BASE, base);
658 [ # # ]: 0 : } else if (seg_reg_idx == INAT_SEG_REG_GS) {
659 : : /*
660 : : * swapgs was called at the kernel entry point. Thus,
661 : : * MSR_KERNEL_GS_BASE will have the user-space GS base.
662 : : */
663 [ # # ]: 0 : if (user_mode(regs))
664 : 0 : rdmsrl(MSR_KERNEL_GS_BASE, base);
665 : : else
666 : 0 : rdmsrl(MSR_GS_BASE, base);
667 : : } else {
668 : : base = 0;
669 : : }
670 : 0 : return base;
671 : : }
672 : :
673 : : /* In protected mode the segment selector cannot be null. */
674 [ # # ]: 0 : if (!sel)
675 : : return -1L;
676 : :
677 [ # # ]: 0 : if (!get_desc(&desc, sel))
678 : : return -1L;
679 : :
680 : 0 : return get_desc_base(&desc);
681 : : }
682 : :
683 : : /**
684 : : * get_seg_limit() - Obtain the limit of a segment descriptor
685 : : * @regs: Register values as seen when entering kernel mode
686 : : * @seg_reg_idx: Index of the segment register pointing to seg descriptor
687 : : *
688 : : * Obtain the limit of the segment as indicated by the segment descriptor
689 : : * pointed by the segment selector. The segment selector is obtained from the
690 : : * input segment register index @seg_reg_idx.
691 : : *
692 : : * Returns:
693 : : *
694 : : * In protected mode, the limit of the segment descriptor in bytes.
695 : : * In long mode and virtual-8086 mode, segment limits are not enforced. Thus,
696 : : * limit is returned as -1L to imply a limit-less segment.
697 : : *
698 : : * Zero is returned on error.
699 : : */
700 : 0 : static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)
701 : : {
702 : 0 : struct desc_struct desc;
703 : 0 : unsigned long limit;
704 : 0 : short sel;
705 : :
706 : 0 : sel = get_segment_selector(regs, seg_reg_idx);
707 [ # # ]: 0 : if (sel < 0)
708 : : return 0;
709 : :
710 [ # # # # ]: 0 : if (any_64bit_mode(regs) || v8086_mode(regs))
711 : : return -1L;
712 : :
713 [ # # ]: 0 : if (!sel)
714 : : return 0;
715 : :
716 [ # # ]: 0 : if (!get_desc(&desc, sel))
717 : : return 0;
718 : :
719 : : /*
720 : : * If the granularity bit is set, the limit is given in multiples
721 : : * of 4096. This also means that the 12 least significant bits are
722 : : * not tested when checking the segment limits. In practice,
723 : : * this means that the segment ends in (limit << 12) + 0xfff.
724 : : */
725 [ # # ]: 0 : limit = get_desc_limit(&desc);
726 [ # # ]: 0 : if (desc.g)
727 : 0 : limit = (limit << 12) + 0xfff;
728 : :
729 : : return limit;
730 : : }
731 : :
732 : : /**
733 : : * insn_get_code_seg_params() - Obtain code segment parameters
734 : : * @regs: Structure with register values as seen when entering kernel mode
735 : : *
736 : : * Obtain address and operand sizes of the code segment. It is obtained from the
737 : : * selector contained in the CS register in regs. In protected mode, the default
738 : : * address is determined by inspecting the L and D bits of the segment
739 : : * descriptor. In virtual-8086 mode, the default is always two bytes for both
740 : : * address and operand sizes.
741 : : *
742 : : * Returns:
743 : : *
744 : : * An int containing ORed-in default parameters on success.
745 : : *
746 : : * -EINVAL on error.
747 : : */
748 : 0 : int insn_get_code_seg_params(struct pt_regs *regs)
749 : : {
750 : 0 : struct desc_struct desc;
751 : 0 : short sel;
752 : :
753 [ # # ]: 0 : if (v8086_mode(regs))
754 : : /* Address and operand size are both 16-bit. */
755 : : return INSN_CODE_SEG_PARAMS(2, 2);
756 : :
757 : 0 : sel = get_segment_selector(regs, INAT_SEG_REG_CS);
758 [ # # ]: 0 : if (sel < 0)
759 : 0 : return sel;
760 : :
761 [ # # ]: 0 : if (!get_desc(&desc, sel))
762 : : return -EINVAL;
763 : :
764 : : /*
765 : : * The most significant byte of the Type field of the segment descriptor
766 : : * determines whether a segment contains data or code. If this is a data
767 : : * segment, return error.
768 : : */
769 [ # # ]: 0 : if (!(desc.type & BIT(3)))
770 : : return -EINVAL;
771 : :
772 [ # # ]: 0 : switch ((desc.l << 1) | desc.d) {
773 : : case 0: /*
774 : : * Legacy mode. CS.L=0, CS.D=0. Address and operand size are
775 : : * both 16-bit.
776 : : */
777 : : return INSN_CODE_SEG_PARAMS(2, 2);
778 : : case 1: /*
779 : : * Legacy mode. CS.L=0, CS.D=1. Address and operand size are
780 : : * both 32-bit.
781 : : */
782 : : return INSN_CODE_SEG_PARAMS(4, 4);
783 : : case 2: /*
784 : : * IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;
785 : : * operand size is 32-bit.
786 : : */
787 : : return INSN_CODE_SEG_PARAMS(4, 8);
788 : : case 3: /* Invalid setting. CS.L=1, CS.D=1 */
789 : : /* fall through */
790 : : default:
791 : : return -EINVAL;
792 : : }
793 : : }
794 : :
795 : : /**
796 : : * insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte
797 : : * @insn: Instruction containing the ModRM byte
798 : : * @regs: Register values as seen when entering kernel mode
799 : : *
800 : : * Returns:
801 : : *
802 : : * The register indicated by the r/m part of the ModRM byte. The
803 : : * register is obtained as an offset from the base of pt_regs. In specific
804 : : * cases, the returned value can be -EDOM to indicate that the particular value
805 : : * of ModRM does not refer to a register and shall be ignored.
806 : : */
807 : 0 : int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
808 : : {
809 : 0 : return get_reg_offset(insn, regs, REG_TYPE_RM);
810 : : }
811 : :
812 : : /**
813 : : * get_seg_base_limit() - obtain base address and limit of a segment
814 : : * @insn: Instruction. Must be valid.
815 : : * @regs: Register values as seen when entering kernel mode
816 : : * @regoff: Operand offset, in pt_regs, used to resolve segment descriptor
817 : : * @base: Obtained segment base
818 : : * @limit: Obtained segment limit
819 : : *
820 : : * Obtain the base address and limit of the segment associated with the operand
821 : : * @regoff and, if any or allowed, override prefixes in @insn. This function is
822 : : * different from insn_get_seg_base() as the latter does not resolve the segment
823 : : * associated with the instruction operand. If a limit is not needed (e.g.,
824 : : * when running in long mode), @limit can be NULL.
825 : : *
826 : : * Returns:
827 : : *
828 : : * 0 on success. @base and @limit will contain the base address and of the
829 : : * resolved segment, respectively.
830 : : *
831 : : * -EINVAL on error.
832 : : */
833 : 0 : static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,
834 : : int regoff, unsigned long *base,
835 : : unsigned long *limit)
836 : : {
837 : 0 : int seg_reg_idx;
838 : :
839 [ # # ]: 0 : if (!base)
840 : : return -EINVAL;
841 : :
842 : 0 : seg_reg_idx = resolve_seg_reg(insn, regs, regoff);
843 [ # # ]: 0 : if (seg_reg_idx < 0)
844 : : return seg_reg_idx;
845 : :
846 : 0 : *base = insn_get_seg_base(regs, seg_reg_idx);
847 [ # # ]: 0 : if (*base == -1L)
848 : : return -EINVAL;
849 : :
850 [ # # ]: 0 : if (!limit)
851 : : return 0;
852 : :
853 : 0 : *limit = get_seg_limit(regs, seg_reg_idx);
854 [ # # ]: 0 : if (!(*limit))
855 : 0 : return -EINVAL;
856 : :
857 : : return 0;
858 : : }
859 : :
860 : : /**
861 : : * get_eff_addr_reg() - Obtain effective address from register operand
862 : : * @insn: Instruction. Must be valid.
863 : : * @regs: Register values as seen when entering kernel mode
864 : : * @regoff: Obtained operand offset, in pt_regs, with the effective address
865 : : * @eff_addr: Obtained effective address
866 : : *
867 : : * Obtain the effective address stored in the register operand as indicated by
868 : : * the ModRM byte. This function is to be used only with register addressing
869 : : * (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The
870 : : * register operand, as an offset from the base of pt_regs, is saved in @regoff;
871 : : * such offset can then be used to resolve the segment associated with the
872 : : * operand. This function can be used with any of the supported address sizes
873 : : * in x86.
874 : : *
875 : : * Returns:
876 : : *
877 : : * 0 on success. @eff_addr will have the effective address stored in the
878 : : * operand indicated by ModRM. @regoff will have such operand as an offset from
879 : : * the base of pt_regs.
880 : : *
881 : : * -EINVAL on error.
882 : : */
883 : 0 : static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,
884 : : int *regoff, long *eff_addr)
885 : : {
886 : 0 : insn_get_modrm(insn);
887 : :
888 [ # # ]: 0 : if (!insn->modrm.nbytes)
889 : : return -EINVAL;
890 : :
891 [ # # ]: 0 : if (X86_MODRM_MOD(insn->modrm.value) != 3)
892 : : return -EINVAL;
893 : :
894 : 0 : *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
895 [ # # ]: 0 : if (*regoff < 0)
896 : : return -EINVAL;
897 : :
898 : : /* Ignore bytes that are outside the address size. */
899 [ # # ]: 0 : if (insn->addr_bytes == 2)
900 [ # # ]: 0 : *eff_addr = regs_get_register(regs, *regoff) & 0xffff;
901 [ # # ]: 0 : else if (insn->addr_bytes == 4)
902 [ # # ]: 0 : *eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;
903 : : else /* 64-bit address */
904 [ # # ]: 0 : *eff_addr = regs_get_register(regs, *regoff);
905 : :
906 : : return 0;
907 : : }
908 : :
909 : : /**
910 : : * get_eff_addr_modrm() - Obtain referenced effective address via ModRM
911 : : * @insn: Instruction. Must be valid.
912 : : * @regs: Register values as seen when entering kernel mode
913 : : * @regoff: Obtained operand offset, in pt_regs, associated with segment
914 : : * @eff_addr: Obtained effective address
915 : : *
916 : : * Obtain the effective address referenced by the ModRM byte of @insn. After
917 : : * identifying the registers involved in the register-indirect memory reference,
918 : : * its value is obtained from the operands in @regs. The computed address is
919 : : * stored @eff_addr. Also, the register operand that indicates the associated
920 : : * segment is stored in @regoff, this parameter can later be used to determine
921 : : * such segment.
922 : : *
923 : : * Returns:
924 : : *
925 : : * 0 on success. @eff_addr will have the referenced effective address. @regoff
926 : : * will have a register, as an offset from the base of pt_regs, that can be used
927 : : * to resolve the associated segment.
928 : : *
929 : : * -EINVAL on error.
930 : : */
931 : 0 : static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,
932 : : int *regoff, long *eff_addr)
933 : : {
934 : 0 : long tmp;
935 : :
936 [ # # ]: 0 : if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
937 : : return -EINVAL;
938 : :
939 : 0 : insn_get_modrm(insn);
940 : :
941 [ # # ]: 0 : if (!insn->modrm.nbytes)
942 : : return -EINVAL;
943 : :
944 [ # # ]: 0 : if (X86_MODRM_MOD(insn->modrm.value) > 2)
945 : : return -EINVAL;
946 : :
947 : 0 : *regoff = get_reg_offset(insn, regs, REG_TYPE_RM);
948 : :
949 : : /*
950 : : * -EDOM means that we must ignore the address_offset. In such a case,
951 : : * in 64-bit mode the effective address relative to the rIP of the
952 : : * following instruction.
953 : : */
954 [ # # ]: 0 : if (*regoff == -EDOM) {
955 [ # # # # ]: 0 : if (any_64bit_mode(regs))
956 : 0 : tmp = regs->ip + insn->length;
957 : : else
958 : : tmp = 0;
959 [ # # ]: 0 : } else if (*regoff < 0) {
960 : : return -EINVAL;
961 : : } else {
962 [ # # ]: 0 : tmp = regs_get_register(regs, *regoff);
963 : : }
964 : :
965 [ # # ]: 0 : if (insn->addr_bytes == 4) {
966 : 0 : int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;
967 : :
968 : 0 : *eff_addr = addr32 & 0xffffffff;
969 : : } else {
970 : 0 : *eff_addr = tmp + insn->displacement.value;
971 : : }
972 : :
973 : : return 0;
974 : : }
975 : :
976 : : /**
977 : : * get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM
978 : : * @insn: Instruction. Must be valid.
979 : : * @regs: Register values as seen when entering kernel mode
980 : : * @regoff: Obtained operand offset, in pt_regs, associated with segment
981 : : * @eff_addr: Obtained effective address
982 : : *
983 : : * Obtain the 16-bit effective address referenced by the ModRM byte of @insn.
984 : : * After identifying the registers involved in the register-indirect memory
985 : : * reference, its value is obtained from the operands in @regs. The computed
986 : : * address is stored @eff_addr. Also, the register operand that indicates
987 : : * the associated segment is stored in @regoff, this parameter can later be used
988 : : * to determine such segment.
989 : : *
990 : : * Returns:
991 : : *
992 : : * 0 on success. @eff_addr will have the referenced effective address. @regoff
993 : : * will have a register, as an offset from the base of pt_regs, that can be used
994 : : * to resolve the associated segment.
995 : : *
996 : : * -EINVAL on error.
997 : : */
998 : 0 : static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,
999 : : int *regoff, short *eff_addr)
1000 : : {
1001 : 0 : int addr_offset1, addr_offset2, ret;
1002 : 0 : short addr1 = 0, addr2 = 0, displacement;
1003 : :
1004 [ # # ]: 0 : if (insn->addr_bytes != 2)
1005 : : return -EINVAL;
1006 : :
1007 : 0 : insn_get_modrm(insn);
1008 : :
1009 [ # # ]: 0 : if (!insn->modrm.nbytes)
1010 : : return -EINVAL;
1011 : :
1012 [ # # ]: 0 : if (X86_MODRM_MOD(insn->modrm.value) > 2)
1013 : : return -EINVAL;
1014 : :
1015 : 0 : ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);
1016 [ # # ]: 0 : if (ret < 0)
1017 : : return -EINVAL;
1018 : :
1019 : : /*
1020 : : * Don't fail on invalid offset values. They might be invalid because
1021 : : * they cannot be used for this particular value of ModRM. Instead, use
1022 : : * them in the computation only if they contain a valid value.
1023 : : */
1024 [ # # ]: 0 : if (addr_offset1 != -EDOM)
1025 [ # # ]: 0 : addr1 = regs_get_register(regs, addr_offset1) & 0xffff;
1026 : :
1027 [ # # ]: 0 : if (addr_offset2 != -EDOM)
1028 [ # # ]: 0 : addr2 = regs_get_register(regs, addr_offset2) & 0xffff;
1029 : :
1030 : 0 : displacement = insn->displacement.value & 0xffff;
1031 : 0 : *eff_addr = addr1 + addr2 + displacement;
1032 : :
1033 : : /*
1034 : : * The first operand register could indicate to use of either SS or DS
1035 : : * registers to obtain the segment selector. The second operand
1036 : : * register can only indicate the use of DS. Thus, the first operand
1037 : : * will be used to obtain the segment selector.
1038 : : */
1039 : 0 : *regoff = addr_offset1;
1040 : :
1041 : 0 : return 0;
1042 : : }
1043 : :
1044 : : /**
1045 : : * get_eff_addr_sib() - Obtain referenced effective address via SIB
1046 : : * @insn: Instruction. Must be valid.
1047 : : * @regs: Register values as seen when entering kernel mode
1048 : : * @regoff: Obtained operand offset, in pt_regs, associated with segment
1049 : : * @eff_addr: Obtained effective address
1050 : : *
1051 : : * Obtain the effective address referenced by the SIB byte of @insn. After
1052 : : * identifying the registers involved in the indexed, register-indirect memory
1053 : : * reference, its value is obtained from the operands in @regs. The computed
1054 : : * address is stored @eff_addr. Also, the register operand that indicates the
1055 : : * associated segment is stored in @regoff, this parameter can later be used to
1056 : : * determine such segment.
1057 : : *
1058 : : * Returns:
1059 : : *
1060 : : * 0 on success. @eff_addr will have the referenced effective address.
1061 : : * @base_offset will have a register, as an offset from the base of pt_regs,
1062 : : * that can be used to resolve the associated segment.
1063 : : *
1064 : : * -EINVAL on error.
1065 : : */
1066 : 0 : static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,
1067 : : int *base_offset, long *eff_addr)
1068 : : {
1069 : 0 : long base, indx;
1070 : 0 : int indx_offset;
1071 : :
1072 [ # # ]: 0 : if (insn->addr_bytes != 8 && insn->addr_bytes != 4)
1073 : : return -EINVAL;
1074 : :
1075 : 0 : insn_get_modrm(insn);
1076 : :
1077 [ # # ]: 0 : if (!insn->modrm.nbytes)
1078 : : return -EINVAL;
1079 : :
1080 [ # # ]: 0 : if (X86_MODRM_MOD(insn->modrm.value) > 2)
1081 : : return -EINVAL;
1082 : :
1083 : 0 : insn_get_sib(insn);
1084 : :
1085 [ # # ]: 0 : if (!insn->sib.nbytes)
1086 : : return -EINVAL;
1087 : :
1088 : 0 : *base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
1089 : 0 : indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
1090 : :
1091 : : /*
1092 : : * Negative values in the base and index offset means an error when
1093 : : * decoding the SIB byte. Except -EDOM, which means that the registers
1094 : : * should not be used in the address computation.
1095 : : */
1096 [ # # ]: 0 : if (*base_offset == -EDOM)
1097 : : base = 0;
1098 [ # # ]: 0 : else if (*base_offset < 0)
1099 : : return -EINVAL;
1100 : : else
1101 [ # # ]: 0 : base = regs_get_register(regs, *base_offset);
1102 : :
1103 [ # # ]: 0 : if (indx_offset == -EDOM)
1104 : : indx = 0;
1105 [ # # ]: 0 : else if (indx_offset < 0)
1106 : : return -EINVAL;
1107 : : else
1108 [ # # ]: 0 : indx = regs_get_register(regs, indx_offset);
1109 : :
1110 [ # # ]: 0 : if (insn->addr_bytes == 4) {
1111 : 0 : int addr32, base32, idx32;
1112 : :
1113 : 0 : base32 = base & 0xffffffff;
1114 : 0 : idx32 = indx & 0xffffffff;
1115 : :
1116 : 0 : addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));
1117 : 0 : addr32 += insn->displacement.value;
1118 : :
1119 : 0 : *eff_addr = addr32 & 0xffffffff;
1120 : : } else {
1121 : 0 : *eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));
1122 : 0 : *eff_addr += insn->displacement.value;
1123 : : }
1124 : :
1125 : : return 0;
1126 : : }
1127 : :
1128 : : /**
1129 : : * get_addr_ref_16() - Obtain the 16-bit address referred by instruction
1130 : : * @insn: Instruction containing ModRM byte and displacement
1131 : : * @regs: Register values as seen when entering kernel mode
1132 : : *
1133 : : * This function is to be used with 16-bit address encodings. Obtain the memory
1134 : : * address referred by the instruction's ModRM and displacement bytes. Also, the
1135 : : * segment used as base is determined by either any segment override prefixes in
1136 : : * @insn or the default segment of the registers involved in the address
1137 : : * computation. In protected mode, segment limits are enforced.
1138 : : *
1139 : : * Returns:
1140 : : *
1141 : : * Linear address referenced by the instruction operands on success.
1142 : : *
1143 : : * -1L on error.
1144 : : */
1145 : 0 : static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)
1146 : : {
1147 : 0 : unsigned long linear_addr = -1L, seg_base, seg_limit;
1148 : 0 : int ret, regoff;
1149 : 0 : short eff_addr;
1150 : 0 : long tmp;
1151 : :
1152 : 0 : insn_get_modrm(insn);
1153 : 0 : insn_get_displacement(insn);
1154 : :
1155 [ # # ]: 0 : if (insn->addr_bytes != 2)
1156 : 0 : goto out;
1157 : :
1158 [ # # ]: 0 : if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1159 : 0 : ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1160 [ # # ]: 0 : if (ret)
1161 : 0 : goto out;
1162 : :
1163 : 0 : eff_addr = tmp;
1164 : : } else {
1165 : 0 : ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr);
1166 [ # # ]: 0 : if (ret)
1167 : 0 : goto out;
1168 : : }
1169 : :
1170 : 0 : ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1171 [ # # ]: 0 : if (ret)
1172 : 0 : goto out;
1173 : :
1174 : : /*
1175 : : * Before computing the linear address, make sure the effective address
1176 : : * is within the limits of the segment. In virtual-8086 mode, segment
1177 : : * limits are not enforced. In such a case, the segment limit is -1L to
1178 : : * reflect this fact.
1179 : : */
1180 [ # # ]: 0 : if ((unsigned long)(eff_addr & 0xffff) > seg_limit)
1181 : 0 : goto out;
1182 : :
1183 : 0 : linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;
1184 : :
1185 : : /* Limit linear address to 20 bits */
1186 : 0 : if (v8086_mode(regs))
1187 : : linear_addr &= 0xfffff;
1188 : :
1189 : 0 : out:
1190 : 0 : return (void __user *)linear_addr;
1191 : : }
1192 : :
1193 : : /**
1194 : : * get_addr_ref_32() - Obtain a 32-bit linear address
1195 : : * @insn: Instruction with ModRM, SIB bytes and displacement
1196 : : * @regs: Register values as seen when entering kernel mode
1197 : : *
1198 : : * This function is to be used with 32-bit address encodings to obtain the
1199 : : * linear memory address referred by the instruction's ModRM, SIB,
1200 : : * displacement bytes and segment base address, as applicable. If in protected
1201 : : * mode, segment limits are enforced.
1202 : : *
1203 : : * Returns:
1204 : : *
1205 : : * Linear address referenced by instruction and registers on success.
1206 : : *
1207 : : * -1L on error.
1208 : : */
1209 : 0 : static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)
1210 : : {
1211 : 0 : unsigned long linear_addr = -1L, seg_base, seg_limit;
1212 : 0 : int eff_addr, regoff;
1213 : 0 : long tmp;
1214 : 0 : int ret;
1215 : :
1216 [ # # ]: 0 : if (insn->addr_bytes != 4)
1217 : 0 : goto out;
1218 : :
1219 [ # # ]: 0 : if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1220 : 0 : ret = get_eff_addr_reg(insn, regs, ®off, &tmp);
1221 [ # # ]: 0 : if (ret)
1222 : 0 : goto out;
1223 : :
1224 : 0 : eff_addr = tmp;
1225 : :
1226 : : } else {
1227 [ # # ]: 0 : if (insn->sib.nbytes) {
1228 : 0 : ret = get_eff_addr_sib(insn, regs, ®off, &tmp);
1229 [ # # ]: 0 : if (ret)
1230 : 0 : goto out;
1231 : :
1232 : 0 : eff_addr = tmp;
1233 : : } else {
1234 : 0 : ret = get_eff_addr_modrm(insn, regs, ®off, &tmp);
1235 [ # # ]: 0 : if (ret)
1236 : 0 : goto out;
1237 : :
1238 : 0 : eff_addr = tmp;
1239 : : }
1240 : : }
1241 : :
1242 : 0 : ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);
1243 [ # # ]: 0 : if (ret)
1244 : 0 : goto out;
1245 : :
1246 : : /*
1247 : : * In protected mode, before computing the linear address, make sure
1248 : : * the effective address is within the limits of the segment.
1249 : : * 32-bit addresses can be used in long and virtual-8086 modes if an
1250 : : * address override prefix is used. In such cases, segment limits are
1251 : : * not enforced. When in virtual-8086 mode, the segment limit is -1L
1252 : : * to reflect this situation.
1253 : : *
1254 : : * After computed, the effective address is treated as an unsigned
1255 : : * quantity.
1256 : : */
1257 [ # # # # : 0 : if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))
# # ]
1258 : 0 : goto out;
1259 : :
1260 : : /*
1261 : : * Even though 32-bit address encodings are allowed in virtual-8086
1262 : : * mode, the address range is still limited to [0x-0xffff].
1263 : : */
1264 : 0 : if (v8086_mode(regs) && (eff_addr & ~0xffff))
1265 : : goto out;
1266 : :
1267 : : /*
1268 : : * Data type long could be 64 bits in size. Ensure that our 32-bit
1269 : : * effective address is not sign-extended when computing the linear
1270 : : * address.
1271 : : */
1272 : 0 : linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;
1273 : :
1274 : : /* Limit linear address to 20 bits */
1275 : 0 : if (v8086_mode(regs))
1276 : : linear_addr &= 0xfffff;
1277 : :
1278 : 0 : out:
1279 : 0 : return (void __user *)linear_addr;
1280 : : }
1281 : :
1282 : : /**
1283 : : * get_addr_ref_64() - Obtain a 64-bit linear address
1284 : : * @insn: Instruction struct with ModRM and SIB bytes and displacement
1285 : : * @regs: Structure with register values as seen when entering kernel mode
1286 : : *
1287 : : * This function is to be used with 64-bit address encodings to obtain the
1288 : : * linear memory address referred by the instruction's ModRM, SIB,
1289 : : * displacement bytes and segment base address, as applicable.
1290 : : *
1291 : : * Returns:
1292 : : *
1293 : : * Linear address referenced by instruction and registers on success.
1294 : : *
1295 : : * -1L on error.
1296 : : */
1297 : : #ifndef CONFIG_X86_64
1298 : : static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1299 : : {
1300 : : return (void __user *)-1L;
1301 : : }
1302 : : #else
1303 : 0 : static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)
1304 : : {
1305 : 0 : unsigned long linear_addr = -1L, seg_base;
1306 : 0 : int regoff, ret;
1307 : 0 : long eff_addr;
1308 : :
1309 [ # # ]: 0 : if (insn->addr_bytes != 8)
1310 : 0 : goto out;
1311 : :
1312 [ # # ]: 0 : if (X86_MODRM_MOD(insn->modrm.value) == 3) {
1313 : 0 : ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr);
1314 [ # # ]: 0 : if (ret)
1315 : 0 : goto out;
1316 : :
1317 : : } else {
1318 [ # # ]: 0 : if (insn->sib.nbytes) {
1319 : 0 : ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr);
1320 [ # # ]: 0 : if (ret)
1321 : 0 : goto out;
1322 : : } else {
1323 : 0 : ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr);
1324 [ # # ]: 0 : if (ret)
1325 : 0 : goto out;
1326 : : }
1327 : :
1328 : : }
1329 : :
1330 : 0 : ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);
1331 [ # # ]: 0 : if (ret)
1332 : 0 : goto out;
1333 : :
1334 : 0 : linear_addr = (unsigned long)eff_addr + seg_base;
1335 : :
1336 : 0 : out:
1337 : 0 : return (void __user *)linear_addr;
1338 : : }
1339 : : #endif /* CONFIG_X86_64 */
1340 : :
1341 : : /**
1342 : : * insn_get_addr_ref() - Obtain the linear address referred by instruction
1343 : : * @insn: Instruction structure containing ModRM byte and displacement
1344 : : * @regs: Structure with register values as seen when entering kernel mode
1345 : : *
1346 : : * Obtain the linear address referred by the instruction's ModRM, SIB and
1347 : : * displacement bytes, and segment base, as applicable. In protected mode,
1348 : : * segment limits are enforced.
1349 : : *
1350 : : * Returns:
1351 : : *
1352 : : * Linear address referenced by instruction and registers on success.
1353 : : *
1354 : : * -1L on error.
1355 : : */
1356 : 0 : void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
1357 : : {
1358 [ # # ]: 0 : if (!insn || !regs)
1359 : : return (void __user *)-1L;
1360 : :
1361 [ # # # # ]: 0 : switch (insn->addr_bytes) {
1362 : 0 : case 2:
1363 : 0 : return get_addr_ref_16(insn, regs);
1364 : 0 : case 4:
1365 : 0 : return get_addr_ref_32(insn, regs);
1366 : 0 : case 8:
1367 : 0 : return get_addr_ref_64(insn, regs);
1368 : : default:
1369 : : return (void __user *)-1L;
1370 : : }
1371 : : }
|