/*1* Utility functions for x86 operand and address decoding2*3* Copyright (C) Intel Corporation 20174*/5#include <linux/kernel.h>6#include <linux/string.h>7#include <linux/ratelimit.h>8#include <linux/mmu_context.h>9#include <asm/desc_defs.h>10#include <asm/desc.h>11#include <asm/inat.h>12#include <asm/insn.h>13#include <asm/insn-eval.h>14#include <asm/ldt.h>15#include <asm/msr.h>16#include <asm/vm86.h>1718#undef pr_fmt19#define pr_fmt(fmt) "insn: " fmt2021enum reg_type {22REG_TYPE_RM = 0,23REG_TYPE_REG,24REG_TYPE_INDEX,25REG_TYPE_BASE,26};2728/**29* is_string_insn() - Determine if instruction is a string instruction30* @insn: Instruction containing the opcode to inspect31*32* Returns:33*34* true if the instruction, determined by the opcode, is any of the35* string instructions as defined in the Intel Software Development manual.36* False otherwise.37*/38static bool is_string_insn(struct insn *insn)39{40/* All string instructions have a 1-byte opcode. */41if (insn->opcode.nbytes != 1)42return false;4344switch (insn->opcode.bytes[0]) {45case 0x6c ... 0x6f: /* INS, OUTS */46case 0xa4 ... 0xa7: /* MOVS, CMPS */47case 0xaa ... 0xaf: /* STOS, LODS, SCAS */48return true;49default:50return false;51}52}5354/**55* insn_has_rep_prefix() - Determine if instruction has a REP prefix56* @insn: Instruction containing the prefix to inspect57*58* Returns:59*60* true if the instruction has a REP prefix, false if not.61*/62bool insn_has_rep_prefix(struct insn *insn)63{64insn_byte_t p;6566insn_get_prefixes(insn);6768for_each_insn_prefix(insn, p) {69if (p == 0xf2 || p == 0xf3)70return true;71}7273return false;74}7576/**77* get_seg_reg_override_idx() - obtain segment register override index78* @insn: Valid instruction with segment override prefixes79*80* Inspect the instruction prefixes in @insn and find segment overrides, if any.81*82* Returns:83*84* A constant identifying the segment register to use, among CS, SS, DS,85* ES, FS, or GS. INAT_SEG_REG_DEFAULT is returned if no segment override86* prefixes were found.87*88* -EINVAL in case of error.89*/90static int get_seg_reg_override_idx(struct insn *insn)91{92int idx = INAT_SEG_REG_DEFAULT;93int num_overrides = 0;94insn_byte_t p;9596insn_get_prefixes(insn);9798/* Look for any segment override prefixes. */99for_each_insn_prefix(insn, p) {100insn_attr_t attr;101102attr = inat_get_opcode_attribute(p);103switch (attr) {104case INAT_MAKE_PREFIX(INAT_PFX_CS):105idx = INAT_SEG_REG_CS;106num_overrides++;107break;108case INAT_MAKE_PREFIX(INAT_PFX_SS):109idx = INAT_SEG_REG_SS;110num_overrides++;111break;112case INAT_MAKE_PREFIX(INAT_PFX_DS):113idx = INAT_SEG_REG_DS;114num_overrides++;115break;116case INAT_MAKE_PREFIX(INAT_PFX_ES):117idx = INAT_SEG_REG_ES;118num_overrides++;119break;120case INAT_MAKE_PREFIX(INAT_PFX_FS):121idx = INAT_SEG_REG_FS;122num_overrides++;123break;124case INAT_MAKE_PREFIX(INAT_PFX_GS):125idx = INAT_SEG_REG_GS;126num_overrides++;127break;128/* No default action needed. */129}130}131132/* More than one segment override prefix leads to undefined behavior. */133if (num_overrides > 1)134return -EINVAL;135136return idx;137}138139/**140* check_seg_overrides() - check if segment override prefixes are allowed141* @insn: Valid instruction with segment override prefixes142* @regoff: Operand offset, in pt_regs, for which the check is performed143*144* For a particular register used in register-indirect addressing, determine if145* segment override prefixes can be used. Specifically, no overrides are allowed146* for rDI if used with a string instruction.147*148* Returns:149*150* True if segment override prefixes can be used with the register indicated151* in @regoff. False if otherwise.152*/153static bool check_seg_overrides(struct insn *insn, int regoff)154{155if (regoff == offsetof(struct pt_regs, di) && is_string_insn(insn))156return false;157158return true;159}160161/**162* resolve_default_seg() - resolve default segment register index for an operand163* @insn: Instruction with opcode and address size. Must be valid.164* @regs: Register values as seen when entering kernel mode165* @off: Operand offset, in pt_regs, for which resolution is needed166*167* Resolve the default segment register index associated with the instruction168* operand register indicated by @off. Such index is resolved based on defaults169* described in the Intel Software Development Manual.170*171* Returns:172*173* If in protected mode, a constant identifying the segment register to use,174* among CS, SS, ES or DS. If in long mode, INAT_SEG_REG_IGNORE.175*176* -EINVAL in case of error.177*/178static int resolve_default_seg(struct insn *insn, struct pt_regs *regs, int off)179{180if (any_64bit_mode(regs))181return INAT_SEG_REG_IGNORE;182/*183* Resolve the default segment register as described in Section 3.7.4184* of the Intel Software Development Manual Vol. 1:185*186* + DS for all references involving r[ABCD]X, and rSI.187* + If used in a string instruction, ES for rDI. Otherwise, DS.188* + AX, CX and DX are not valid register operands in 16-bit address189* encodings but are valid for 32-bit and 64-bit encodings.190* + -EDOM is reserved to identify for cases in which no register191* is used (i.e., displacement-only addressing). Use DS.192* + SS for rSP or rBP.193* + CS for rIP.194*/195196switch (off) {197case offsetof(struct pt_regs, ax):198case offsetof(struct pt_regs, cx):199case offsetof(struct pt_regs, dx):200/* Need insn to verify address size. */201if (insn->addr_bytes == 2)202return -EINVAL;203204fallthrough;205206case -EDOM:207case offsetof(struct pt_regs, bx):208case offsetof(struct pt_regs, si):209return INAT_SEG_REG_DS;210211case offsetof(struct pt_regs, di):212if (is_string_insn(insn))213return INAT_SEG_REG_ES;214return INAT_SEG_REG_DS;215216case offsetof(struct pt_regs, bp):217case offsetof(struct pt_regs, sp):218return INAT_SEG_REG_SS;219220case offsetof(struct pt_regs, ip):221return INAT_SEG_REG_CS;222223default:224return -EINVAL;225}226}227228/**229* resolve_seg_reg() - obtain segment register index230* @insn: Instruction with operands231* @regs: Register values as seen when entering kernel mode232* @regoff: Operand offset, in pt_regs, used to determine segment register233*234* Determine the segment register associated with the operands and, if235* applicable, prefixes and the instruction pointed by @insn.236*237* The segment register associated to an operand used in register-indirect238* addressing depends on:239*240* a) Whether running in long mode (in such a case segments are ignored, except241* if FS or GS are used).242*243* b) Whether segment override prefixes can be used. Certain instructions and244* registers do not allow override prefixes.245*246* c) Whether segment overrides prefixes are found in the instruction prefixes.247*248* d) If there are not segment override prefixes or they cannot be used, the249* default segment register associated with the operand register is used.250*251* The function checks first if segment override prefixes can be used with the252* operand indicated by @regoff. If allowed, obtain such overridden segment253* register index. Lastly, if not prefixes were found or cannot be used, resolve254* the segment register index to use based on the defaults described in the255* Intel documentation. In long mode, all segment register indexes will be256* ignored, except if overrides were found for FS or GS. All these operations257* are done using helper functions.258*259* The operand register, @regoff, is represented as the offset from the base of260* pt_regs.261*262* As stated, the main use of this function is to determine the segment register263* index based on the instruction, its operands and prefixes. Hence, @insn264* must be valid. However, if @regoff indicates rIP, we don't need to inspect265* @insn at all as in this case CS is used in all cases. This case is checked266* before proceeding further.267*268* Please note that this function does not return the value in the segment269* register (i.e., the segment selector) but our defined index. The segment270* selector needs to be obtained using get_segment_selector() and passing the271* segment register index resolved by this function.272*273* Returns:274*275* An index identifying the segment register to use, among CS, SS, DS,276* ES, FS, or GS. INAT_SEG_REG_IGNORE is returned if running in long mode.277*278* -EINVAL in case of error.279*/280static int resolve_seg_reg(struct insn *insn, struct pt_regs *regs, int regoff)281{282int idx;283284/*285* In the unlikely event of having to resolve the segment register286* index for rIP, do it first. Segment override prefixes should not287* be used. Hence, it is not necessary to inspect the instruction,288* which may be invalid at this point.289*/290if (regoff == offsetof(struct pt_regs, ip)) {291if (any_64bit_mode(regs))292return INAT_SEG_REG_IGNORE;293else294return INAT_SEG_REG_CS;295}296297if (!insn)298return -EINVAL;299300if (!check_seg_overrides(insn, regoff))301return resolve_default_seg(insn, regs, regoff);302303idx = get_seg_reg_override_idx(insn);304if (idx < 0)305return idx;306307if (idx == INAT_SEG_REG_DEFAULT)308return resolve_default_seg(insn, regs, regoff);309310/*311* In long mode, segment override prefixes are ignored, except for312* overrides for FS and GS.313*/314if (any_64bit_mode(regs)) {315if (idx != INAT_SEG_REG_FS &&316idx != INAT_SEG_REG_GS)317idx = INAT_SEG_REG_IGNORE;318}319320return idx;321}322323/**324* get_segment_selector() - obtain segment selector325* @regs: Register values as seen when entering kernel mode326* @seg_reg_idx: Segment register index to use327*328* Obtain the segment selector from any of the CS, SS, DS, ES, FS, GS segment329* registers. In CONFIG_X86_32, the segment is obtained from either pt_regs or330* kernel_vm86_regs as applicable. In CONFIG_X86_64, CS and SS are obtained331* from pt_regs. DS, ES, FS and GS are obtained by reading the actual CPU332* registers. This done for only for completeness as in CONFIG_X86_64 segment333* registers are ignored.334*335* Returns:336*337* Value of the segment selector, including null when running in338* long mode.339*340* -EINVAL on error.341*/342static short get_segment_selector(struct pt_regs *regs, int seg_reg_idx)343{344unsigned short sel;345346#ifdef CONFIG_X86_64347switch (seg_reg_idx) {348case INAT_SEG_REG_IGNORE:349return 0;350case INAT_SEG_REG_CS:351return (unsigned short)(regs->cs & 0xffff);352case INAT_SEG_REG_SS:353return (unsigned short)(regs->ss & 0xffff);354case INAT_SEG_REG_DS:355savesegment(ds, sel);356return sel;357case INAT_SEG_REG_ES:358savesegment(es, sel);359return sel;360case INAT_SEG_REG_FS:361savesegment(fs, sel);362return sel;363case INAT_SEG_REG_GS:364savesegment(gs, sel);365return sel;366default:367return -EINVAL;368}369#else /* CONFIG_X86_32 */370struct kernel_vm86_regs *vm86regs = (struct kernel_vm86_regs *)regs;371372if (v8086_mode(regs)) {373switch (seg_reg_idx) {374case INAT_SEG_REG_CS:375return (unsigned short)(regs->cs & 0xffff);376case INAT_SEG_REG_SS:377return (unsigned short)(regs->ss & 0xffff);378case INAT_SEG_REG_DS:379return vm86regs->ds;380case INAT_SEG_REG_ES:381return vm86regs->es;382case INAT_SEG_REG_FS:383return vm86regs->fs;384case INAT_SEG_REG_GS:385return vm86regs->gs;386case INAT_SEG_REG_IGNORE:387default:388return -EINVAL;389}390}391392switch (seg_reg_idx) {393case INAT_SEG_REG_CS:394return (unsigned short)(regs->cs & 0xffff);395case INAT_SEG_REG_SS:396return (unsigned short)(regs->ss & 0xffff);397case INAT_SEG_REG_DS:398return (unsigned short)(regs->ds & 0xffff);399case INAT_SEG_REG_ES:400return (unsigned short)(regs->es & 0xffff);401case INAT_SEG_REG_FS:402return (unsigned short)(regs->fs & 0xffff);403case INAT_SEG_REG_GS:404savesegment(gs, sel);405return sel;406case INAT_SEG_REG_IGNORE:407default:408return -EINVAL;409}410#endif /* CONFIG_X86_64 */411}412413static const int pt_regoff[] = {414offsetof(struct pt_regs, ax),415offsetof(struct pt_regs, cx),416offsetof(struct pt_regs, dx),417offsetof(struct pt_regs, bx),418offsetof(struct pt_regs, sp),419offsetof(struct pt_regs, bp),420offsetof(struct pt_regs, si),421offsetof(struct pt_regs, di),422#ifdef CONFIG_X86_64423offsetof(struct pt_regs, r8),424offsetof(struct pt_regs, r9),425offsetof(struct pt_regs, r10),426offsetof(struct pt_regs, r11),427offsetof(struct pt_regs, r12),428offsetof(struct pt_regs, r13),429offsetof(struct pt_regs, r14),430offsetof(struct pt_regs, r15),431#else432offsetof(struct pt_regs, ds),433offsetof(struct pt_regs, es),434offsetof(struct pt_regs, fs),435offsetof(struct pt_regs, gs),436#endif437};438439int pt_regs_offset(struct pt_regs *regs, int regno)440{441if ((unsigned)regno < ARRAY_SIZE(pt_regoff))442return pt_regoff[regno];443return -EDOM;444}445446static int get_regno(struct insn *insn, enum reg_type type)447{448int nr_registers = ARRAY_SIZE(pt_regoff);449int regno = 0;450451/*452* Don't possibly decode a 32-bit instructions as453* reading a 64-bit-only register.454*/455if (IS_ENABLED(CONFIG_X86_64) && !insn->x86_64)456nr_registers -= 8;457458switch (type) {459case REG_TYPE_RM:460regno = X86_MODRM_RM(insn->modrm.value);461462/*463* ModRM.mod == 0 and ModRM.rm == 5 means a 32-bit displacement464* follows the ModRM byte.465*/466if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)467return -EDOM;468469if (X86_REX_B(insn->rex_prefix.value))470regno += 8;471break;472473case REG_TYPE_REG:474regno = X86_MODRM_REG(insn->modrm.value);475476if (X86_REX_R(insn->rex_prefix.value))477regno += 8;478break;479480case REG_TYPE_INDEX:481regno = X86_SIB_INDEX(insn->sib.value);482if (X86_REX_X(insn->rex_prefix.value))483regno += 8;484485/*486* If ModRM.mod != 3 and SIB.index = 4 the scale*index487* portion of the address computation is null. This is488* true only if REX.X is 0. In such a case, the SIB index489* is used in the address computation.490*/491if (X86_MODRM_MOD(insn->modrm.value) != 3 && regno == 4)492return -EDOM;493break;494495case REG_TYPE_BASE:496regno = X86_SIB_BASE(insn->sib.value);497/*498* If ModRM.mod is 0 and SIB.base == 5, the base of the499* register-indirect addressing is 0. In this case, a500* 32-bit displacement follows the SIB byte.501*/502if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)503return -EDOM;504505if (X86_REX_B(insn->rex_prefix.value))506regno += 8;507break;508509default:510pr_err_ratelimited("invalid register type: %d\n", type);511return -EINVAL;512}513514if (regno >= nr_registers) {515WARN_ONCE(1, "decoded an instruction with an invalid register");516return -EINVAL;517}518return regno;519}520521static int get_reg_offset(struct insn *insn, struct pt_regs *regs,522enum reg_type type)523{524int regno = get_regno(insn, type);525526if (regno < 0)527return regno;528529return pt_regs_offset(regs, regno);530}531532/**533* get_reg_offset_16() - Obtain offset of register indicated by instruction534* @insn: Instruction containing ModRM byte535* @regs: Register values as seen when entering kernel mode536* @offs1: Offset of the first operand register537* @offs2: Offset of the second operand register, if applicable538*539* Obtain the offset, in pt_regs, of the registers indicated by the ModRM byte540* in @insn. This function is to be used with 16-bit address encodings. The541* @offs1 and @offs2 will be written with the offset of the two registers542* indicated by the instruction. In cases where any of the registers is not543* referenced by the instruction, the value will be set to -EDOM.544*545* Returns:546*547* 0 on success, -EINVAL on error.548*/549static int get_reg_offset_16(struct insn *insn, struct pt_regs *regs,550int *offs1, int *offs2)551{552/*553* 16-bit addressing can use one or two registers. Specifics of554* encodings are given in Table 2-1. "16-Bit Addressing Forms with the555* ModR/M Byte" of the Intel Software Development Manual.556*/557static const int regoff1[] = {558offsetof(struct pt_regs, bx),559offsetof(struct pt_regs, bx),560offsetof(struct pt_regs, bp),561offsetof(struct pt_regs, bp),562offsetof(struct pt_regs, si),563offsetof(struct pt_regs, di),564offsetof(struct pt_regs, bp),565offsetof(struct pt_regs, bx),566};567568static const int regoff2[] = {569offsetof(struct pt_regs, si),570offsetof(struct pt_regs, di),571offsetof(struct pt_regs, si),572offsetof(struct pt_regs, di),573-EDOM,574-EDOM,575-EDOM,576-EDOM,577};578579if (!offs1 || !offs2)580return -EINVAL;581582/* Operand is a register, use the generic function. */583if (X86_MODRM_MOD(insn->modrm.value) == 3) {584*offs1 = insn_get_modrm_rm_off(insn, regs);585*offs2 = -EDOM;586return 0;587}588589*offs1 = regoff1[X86_MODRM_RM(insn->modrm.value)];590*offs2 = regoff2[X86_MODRM_RM(insn->modrm.value)];591592/*593* If ModRM.mod is 0 and ModRM.rm is 110b, then we use displacement-594* only addressing. This means that no registers are involved in595* computing the effective address. Thus, ensure that the first596* register offset is invalid. The second register offset is already597* invalid under the aforementioned conditions.598*/599if ((X86_MODRM_MOD(insn->modrm.value) == 0) &&600(X86_MODRM_RM(insn->modrm.value) == 6))601*offs1 = -EDOM;602603return 0;604}605606/**607* get_desc() - Obtain contents of a segment descriptor608* @out: Segment descriptor contents on success609* @sel: Segment selector610*611* Given a segment selector, obtain a pointer to the segment descriptor.612* Both global and local descriptor tables are supported.613*614* Returns:615*616* True on success, false on failure.617*618* NULL on error.619*/620static bool get_desc(struct desc_struct *out, unsigned short sel)621{622struct desc_ptr gdt_desc = {0, 0};623unsigned long desc_base;624625#ifdef CONFIG_MODIFY_LDT_SYSCALL626if ((sel & SEGMENT_TI_MASK) == SEGMENT_LDT) {627bool success = false;628struct ldt_struct *ldt;629630/* Bits [15:3] contain the index of the desired entry. */631sel >>= 3;632633/*634* If we're not in a valid context with a real (not just lazy)635* user mm, then don't even try.636*/637if (!nmi_uaccess_okay())638return false;639640mutex_lock(¤t->mm->context.lock);641ldt = current->mm->context.ldt;642if (ldt && sel < ldt->nr_entries) {643*out = ldt->entries[sel];644success = true;645}646647mutex_unlock(¤t->mm->context.lock);648649return success;650}651#endif652native_store_gdt(&gdt_desc);653654/*655* Segment descriptors have a size of 8 bytes. Thus, the index is656* multiplied by 8 to obtain the memory offset of the desired descriptor657* from the base of the GDT. As bits [15:3] of the segment selector658* contain the index, it can be regarded as multiplied by 8 already.659* All that remains is to clear bits [2:0].660*/661desc_base = sel & ~(SEGMENT_RPL_MASK | SEGMENT_TI_MASK);662663if (desc_base > gdt_desc.size)664return false;665666*out = *(struct desc_struct *)(gdt_desc.address + desc_base);667return true;668}669670/**671* insn_get_seg_base() - Obtain base address of segment descriptor.672* @regs: Register values as seen when entering kernel mode673* @seg_reg_idx: Index of the segment register pointing to seg descriptor674*675* Obtain the base address of the segment as indicated by the segment descriptor676* pointed by the segment selector. The segment selector is obtained from the677* input segment register index @seg_reg_idx.678*679* Returns:680*681* In protected mode, base address of the segment. Zero in long mode,682* except when FS or GS are used. In virtual-8086 mode, the segment683* selector shifted 4 bits to the right.684*685* -1L in case of error.686*/687unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)688{689struct desc_struct desc;690short sel;691692sel = get_segment_selector(regs, seg_reg_idx);693if (sel < 0)694return -1L;695696if (v8086_mode(regs))697/*698* Base is simply the segment selector shifted 4699* bits to the right.700*/701return (unsigned long)(sel << 4);702703if (any_64bit_mode(regs)) {704/*705* Only FS or GS will have a base address, the rest of706* the segments' bases are forced to 0.707*/708unsigned long base;709710if (seg_reg_idx == INAT_SEG_REG_FS) {711rdmsrq(MSR_FS_BASE, base);712} else if (seg_reg_idx == INAT_SEG_REG_GS) {713/*714* swapgs was called at the kernel entry point. Thus,715* MSR_KERNEL_GS_BASE will have the user-space GS base.716*/717if (user_mode(regs))718rdmsrq(MSR_KERNEL_GS_BASE, base);719else720rdmsrq(MSR_GS_BASE, base);721} else {722base = 0;723}724return base;725}726727/* In protected mode the segment selector cannot be null. */728if (!sel)729return -1L;730731if (!get_desc(&desc, sel))732return -1L;733734return get_desc_base(&desc);735}736737/**738* get_seg_limit() - Obtain the limit of a segment descriptor739* @regs: Register values as seen when entering kernel mode740* @seg_reg_idx: Index of the segment register pointing to seg descriptor741*742* Obtain the limit of the segment as indicated by the segment descriptor743* pointed by the segment selector. The segment selector is obtained from the744* input segment register index @seg_reg_idx.745*746* Returns:747*748* In protected mode, the limit of the segment descriptor in bytes.749* In long mode and virtual-8086 mode, segment limits are not enforced. Thus,750* limit is returned as -1L to imply a limit-less segment.751*752* Zero is returned on error.753*/754static unsigned long get_seg_limit(struct pt_regs *regs, int seg_reg_idx)755{756struct desc_struct desc;757unsigned long limit;758short sel;759760sel = get_segment_selector(regs, seg_reg_idx);761if (sel < 0)762return 0;763764if (any_64bit_mode(regs) || v8086_mode(regs))765return -1L;766767if (!sel)768return 0;769770if (!get_desc(&desc, sel))771return 0;772773/*774* If the granularity bit is set, the limit is given in multiples775* of 4096. This also means that the 12 least significant bits are776* not tested when checking the segment limits. In practice,777* this means that the segment ends in (limit << 12) + 0xfff.778*/779limit = get_desc_limit(&desc);780if (desc.g)781limit = (limit << 12) + 0xfff;782783return limit;784}785786/**787* insn_get_code_seg_params() - Obtain code segment parameters788* @regs: Structure with register values as seen when entering kernel mode789*790* Obtain address and operand sizes of the code segment. It is obtained from the791* selector contained in the CS register in regs. In protected mode, the default792* address is determined by inspecting the L and D bits of the segment793* descriptor. In virtual-8086 mode, the default is always two bytes for both794* address and operand sizes.795*796* Returns:797*798* An int containing ORed-in default parameters on success.799*800* -EINVAL on error.801*/802int insn_get_code_seg_params(struct pt_regs *regs)803{804struct desc_struct desc;805short sel;806807if (v8086_mode(regs))808/* Address and operand size are both 16-bit. */809return INSN_CODE_SEG_PARAMS(2, 2);810811sel = get_segment_selector(regs, INAT_SEG_REG_CS);812if (sel < 0)813return sel;814815if (!get_desc(&desc, sel))816return -EINVAL;817818/*819* The most significant byte of the Type field of the segment descriptor820* determines whether a segment contains data or code. If this is a data821* segment, return error.822*/823if (!(desc.type & BIT(3)))824return -EINVAL;825826switch ((desc.l << 1) | desc.d) {827case 0: /*828* Legacy mode. CS.L=0, CS.D=0. Address and operand size are829* both 16-bit.830*/831return INSN_CODE_SEG_PARAMS(2, 2);832case 1: /*833* Legacy mode. CS.L=0, CS.D=1. Address and operand size are834* both 32-bit.835*/836return INSN_CODE_SEG_PARAMS(4, 4);837case 2: /*838* IA-32e 64-bit mode. CS.L=1, CS.D=0. Address size is 64-bit;839* operand size is 32-bit.840*/841return INSN_CODE_SEG_PARAMS(4, 8);842case 3: /* Invalid setting. CS.L=1, CS.D=1 */843fallthrough;844default:845return -EINVAL;846}847}848849/**850* insn_get_modrm_rm_off() - Obtain register in r/m part of the ModRM byte851* @insn: Instruction containing the ModRM byte852* @regs: Register values as seen when entering kernel mode853*854* Returns:855*856* The register indicated by the r/m part of the ModRM byte. The857* register is obtained as an offset from the base of pt_regs. In specific858* cases, the returned value can be -EDOM to indicate that the particular value859* of ModRM does not refer to a register and shall be ignored.860*/861int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)862{863return get_reg_offset(insn, regs, REG_TYPE_RM);864}865866/**867* insn_get_modrm_reg_off() - Obtain register in reg part of the ModRM byte868* @insn: Instruction containing the ModRM byte869* @regs: Register values as seen when entering kernel mode870*871* Returns:872*873* The register indicated by the reg part of the ModRM byte. The874* register is obtained as an offset from the base of pt_regs.875*/876int insn_get_modrm_reg_off(struct insn *insn, struct pt_regs *regs)877{878return get_reg_offset(insn, regs, REG_TYPE_REG);879}880881/**882* insn_get_modrm_reg_ptr() - Obtain register pointer based on ModRM byte883* @insn: Instruction containing the ModRM byte884* @regs: Register values as seen when entering kernel mode885*886* Returns:887*888* The register indicated by the reg part of the ModRM byte.889* The register is obtained as a pointer within pt_regs.890*/891unsigned long *insn_get_modrm_reg_ptr(struct insn *insn, struct pt_regs *regs)892{893int offset;894895offset = insn_get_modrm_reg_off(insn, regs);896if (offset < 0)897return NULL;898return (void *)regs + offset;899}900901/**902* get_seg_base_limit() - obtain base address and limit of a segment903* @insn: Instruction. Must be valid.904* @regs: Register values as seen when entering kernel mode905* @regoff: Operand offset, in pt_regs, used to resolve segment descriptor906* @base: Obtained segment base907* @limit: Obtained segment limit908*909* Obtain the base address and limit of the segment associated with the operand910* @regoff and, if any or allowed, override prefixes in @insn. This function is911* different from insn_get_seg_base() as the latter does not resolve the segment912* associated with the instruction operand. If a limit is not needed (e.g.,913* when running in long mode), @limit can be NULL.914*915* Returns:916*917* 0 on success. @base and @limit will contain the base address and of the918* resolved segment, respectively.919*920* -EINVAL on error.921*/922static int get_seg_base_limit(struct insn *insn, struct pt_regs *regs,923int regoff, unsigned long *base,924unsigned long *limit)925{926int seg_reg_idx;927928if (!base)929return -EINVAL;930931seg_reg_idx = resolve_seg_reg(insn, regs, regoff);932if (seg_reg_idx < 0)933return seg_reg_idx;934935*base = insn_get_seg_base(regs, seg_reg_idx);936if (*base == -1L)937return -EINVAL;938939if (!limit)940return 0;941942*limit = get_seg_limit(regs, seg_reg_idx);943if (!(*limit))944return -EINVAL;945946return 0;947}948949/**950* get_eff_addr_reg() - Obtain effective address from register operand951* @insn: Instruction. Must be valid.952* @regs: Register values as seen when entering kernel mode953* @regoff: Obtained operand offset, in pt_regs, with the effective address954* @eff_addr: Obtained effective address955*956* Obtain the effective address stored in the register operand as indicated by957* the ModRM byte. This function is to be used only with register addressing958* (i.e., ModRM.mod is 3). The effective address is saved in @eff_addr. The959* register operand, as an offset from the base of pt_regs, is saved in @regoff;960* such offset can then be used to resolve the segment associated with the961* operand. This function can be used with any of the supported address sizes962* in x86.963*964* Returns:965*966* 0 on success. @eff_addr will have the effective address stored in the967* operand indicated by ModRM. @regoff will have such operand as an offset from968* the base of pt_regs.969*970* -EINVAL on error.971*/972static int get_eff_addr_reg(struct insn *insn, struct pt_regs *regs,973int *regoff, long *eff_addr)974{975int ret;976977ret = insn_get_modrm(insn);978if (ret)979return ret;980981if (X86_MODRM_MOD(insn->modrm.value) != 3)982return -EINVAL;983984*regoff = get_reg_offset(insn, regs, REG_TYPE_RM);985if (*regoff < 0)986return -EINVAL;987988/* Ignore bytes that are outside the address size. */989if (insn->addr_bytes == 2)990*eff_addr = regs_get_register(regs, *regoff) & 0xffff;991else if (insn->addr_bytes == 4)992*eff_addr = regs_get_register(regs, *regoff) & 0xffffffff;993else /* 64-bit address */994*eff_addr = regs_get_register(regs, *regoff);995996return 0;997}998999/**1000* get_eff_addr_modrm() - Obtain referenced effective address via ModRM1001* @insn: Instruction. Must be valid.1002* @regs: Register values as seen when entering kernel mode1003* @regoff: Obtained operand offset, in pt_regs, associated with segment1004* @eff_addr: Obtained effective address1005*1006* Obtain the effective address referenced by the ModRM byte of @insn. After1007* identifying the registers involved in the register-indirect memory reference,1008* its value is obtained from the operands in @regs. The computed address is1009* stored @eff_addr. Also, the register operand that indicates the associated1010* segment is stored in @regoff, this parameter can later be used to determine1011* such segment.1012*1013* Returns:1014*1015* 0 on success. @eff_addr will have the referenced effective address. @regoff1016* will have a register, as an offset from the base of pt_regs, that can be used1017* to resolve the associated segment.1018*1019* -EINVAL on error.1020*/1021static int get_eff_addr_modrm(struct insn *insn, struct pt_regs *regs,1022int *regoff, long *eff_addr)1023{1024long tmp;1025int ret;10261027if (insn->addr_bytes != 8 && insn->addr_bytes != 4)1028return -EINVAL;10291030ret = insn_get_modrm(insn);1031if (ret)1032return ret;10331034if (X86_MODRM_MOD(insn->modrm.value) > 2)1035return -EINVAL;10361037*regoff = get_reg_offset(insn, regs, REG_TYPE_RM);10381039/*1040* -EDOM means that we must ignore the address_offset. In such a case,1041* in 64-bit mode the effective address relative to the rIP of the1042* following instruction.1043*/1044if (*regoff == -EDOM) {1045if (any_64bit_mode(regs))1046tmp = regs->ip + insn->length;1047else1048tmp = 0;1049} else if (*regoff < 0) {1050return -EINVAL;1051} else {1052tmp = regs_get_register(regs, *regoff);1053}10541055if (insn->addr_bytes == 4) {1056int addr32 = (int)(tmp & 0xffffffff) + insn->displacement.value;10571058*eff_addr = addr32 & 0xffffffff;1059} else {1060*eff_addr = tmp + insn->displacement.value;1061}10621063return 0;1064}10651066/**1067* get_eff_addr_modrm_16() - Obtain referenced effective address via ModRM1068* @insn: Instruction. Must be valid.1069* @regs: Register values as seen when entering kernel mode1070* @regoff: Obtained operand offset, in pt_regs, associated with segment1071* @eff_addr: Obtained effective address1072*1073* Obtain the 16-bit effective address referenced by the ModRM byte of @insn.1074* After identifying the registers involved in the register-indirect memory1075* reference, its value is obtained from the operands in @regs. The computed1076* address is stored @eff_addr. Also, the register operand that indicates1077* the associated segment is stored in @regoff, this parameter can later be used1078* to determine such segment.1079*1080* Returns:1081*1082* 0 on success. @eff_addr will have the referenced effective address. @regoff1083* will have a register, as an offset from the base of pt_regs, that can be used1084* to resolve the associated segment.1085*1086* -EINVAL on error.1087*/1088static int get_eff_addr_modrm_16(struct insn *insn, struct pt_regs *regs,1089int *regoff, short *eff_addr)1090{1091int addr_offset1, addr_offset2, ret;1092short addr1 = 0, addr2 = 0, displacement;10931094if (insn->addr_bytes != 2)1095return -EINVAL;10961097insn_get_modrm(insn);10981099if (!insn->modrm.nbytes)1100return -EINVAL;11011102if (X86_MODRM_MOD(insn->modrm.value) > 2)1103return -EINVAL;11041105ret = get_reg_offset_16(insn, regs, &addr_offset1, &addr_offset2);1106if (ret < 0)1107return -EINVAL;11081109/*1110* Don't fail on invalid offset values. They might be invalid because1111* they cannot be used for this particular value of ModRM. Instead, use1112* them in the computation only if they contain a valid value.1113*/1114if (addr_offset1 != -EDOM)1115addr1 = regs_get_register(regs, addr_offset1) & 0xffff;11161117if (addr_offset2 != -EDOM)1118addr2 = regs_get_register(regs, addr_offset2) & 0xffff;11191120displacement = insn->displacement.value & 0xffff;1121*eff_addr = addr1 + addr2 + displacement;11221123/*1124* The first operand register could indicate to use of either SS or DS1125* registers to obtain the segment selector. The second operand1126* register can only indicate the use of DS. Thus, the first operand1127* will be used to obtain the segment selector.1128*/1129*regoff = addr_offset1;11301131return 0;1132}11331134/**1135* get_eff_addr_sib() - Obtain referenced effective address via SIB1136* @insn: Instruction. Must be valid.1137* @regs: Register values as seen when entering kernel mode1138* @base_offset: Obtained operand offset, in pt_regs, associated with segment1139* @eff_addr: Obtained effective address1140*1141* Obtain the effective address referenced by the SIB byte of @insn. After1142* identifying the registers involved in the indexed, register-indirect memory1143* reference, its value is obtained from the operands in @regs. The computed1144* address is stored @eff_addr. Also, the register operand that indicates the1145* associated segment is stored in @base_offset; this parameter can later be1146* used to determine such segment.1147*1148* Returns:1149*1150* 0 on success. @eff_addr will have the referenced effective address.1151* @base_offset will have a register, as an offset from the base of pt_regs,1152* that can be used to resolve the associated segment.1153*1154* Negative value on error.1155*/1156static int get_eff_addr_sib(struct insn *insn, struct pt_regs *regs,1157int *base_offset, long *eff_addr)1158{1159long base, indx;1160int indx_offset;1161int ret;11621163if (insn->addr_bytes != 8 && insn->addr_bytes != 4)1164return -EINVAL;11651166ret = insn_get_modrm(insn);1167if (ret)1168return ret;11691170if (!insn->modrm.nbytes)1171return -EINVAL;11721173if (X86_MODRM_MOD(insn->modrm.value) > 2)1174return -EINVAL;11751176ret = insn_get_sib(insn);1177if (ret)1178return ret;11791180if (!insn->sib.nbytes)1181return -EINVAL;11821183*base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);1184indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);11851186/*1187* Negative values in the base and index offset means an error when1188* decoding the SIB byte. Except -EDOM, which means that the registers1189* should not be used in the address computation.1190*/1191if (*base_offset == -EDOM)1192base = 0;1193else if (*base_offset < 0)1194return -EINVAL;1195else1196base = regs_get_register(regs, *base_offset);11971198if (indx_offset == -EDOM)1199indx = 0;1200else if (indx_offset < 0)1201return -EINVAL;1202else1203indx = regs_get_register(regs, indx_offset);12041205if (insn->addr_bytes == 4) {1206int addr32, base32, idx32;12071208base32 = base & 0xffffffff;1209idx32 = indx & 0xffffffff;12101211addr32 = base32 + idx32 * (1 << X86_SIB_SCALE(insn->sib.value));1212addr32 += insn->displacement.value;12131214*eff_addr = addr32 & 0xffffffff;1215} else {1216*eff_addr = base + indx * (1 << X86_SIB_SCALE(insn->sib.value));1217*eff_addr += insn->displacement.value;1218}12191220return 0;1221}12221223/**1224* get_addr_ref_16() - Obtain the 16-bit address referred by instruction1225* @insn: Instruction containing ModRM byte and displacement1226* @regs: Register values as seen when entering kernel mode1227*1228* This function is to be used with 16-bit address encodings. Obtain the memory1229* address referred by the instruction's ModRM and displacement bytes. Also, the1230* segment used as base is determined by either any segment override prefixes in1231* @insn or the default segment of the registers involved in the address1232* computation. In protected mode, segment limits are enforced.1233*1234* Returns:1235*1236* Linear address referenced by the instruction operands on success.1237*1238* -1L on error.1239*/1240static void __user *get_addr_ref_16(struct insn *insn, struct pt_regs *regs)1241{1242unsigned long linear_addr = -1L, seg_base, seg_limit;1243int ret, regoff;1244short eff_addr;1245long tmp;12461247if (insn_get_displacement(insn))1248goto out;12491250if (insn->addr_bytes != 2)1251goto out;12521253if (X86_MODRM_MOD(insn->modrm.value) == 3) {1254ret = get_eff_addr_reg(insn, regs, ®off, &tmp);1255if (ret)1256goto out;12571258eff_addr = tmp;1259} else {1260ret = get_eff_addr_modrm_16(insn, regs, ®off, &eff_addr);1261if (ret)1262goto out;1263}12641265ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);1266if (ret)1267goto out;12681269/*1270* Before computing the linear address, make sure the effective address1271* is within the limits of the segment. In virtual-8086 mode, segment1272* limits are not enforced. In such a case, the segment limit is -1L to1273* reflect this fact.1274*/1275if ((unsigned long)(eff_addr & 0xffff) > seg_limit)1276goto out;12771278linear_addr = (unsigned long)(eff_addr & 0xffff) + seg_base;12791280/* Limit linear address to 20 bits */1281if (v8086_mode(regs))1282linear_addr &= 0xfffff;12831284out:1285return (void __user *)linear_addr;1286}12871288/**1289* get_addr_ref_32() - Obtain a 32-bit linear address1290* @insn: Instruction with ModRM, SIB bytes and displacement1291* @regs: Register values as seen when entering kernel mode1292*1293* This function is to be used with 32-bit address encodings to obtain the1294* linear memory address referred by the instruction's ModRM, SIB,1295* displacement bytes and segment base address, as applicable. If in protected1296* mode, segment limits are enforced.1297*1298* Returns:1299*1300* Linear address referenced by instruction and registers on success.1301*1302* -1L on error.1303*/1304static void __user *get_addr_ref_32(struct insn *insn, struct pt_regs *regs)1305{1306unsigned long linear_addr = -1L, seg_base, seg_limit;1307int eff_addr, regoff;1308long tmp;1309int ret;13101311if (insn->addr_bytes != 4)1312goto out;13131314if (X86_MODRM_MOD(insn->modrm.value) == 3) {1315ret = get_eff_addr_reg(insn, regs, ®off, &tmp);1316if (ret)1317goto out;13181319eff_addr = tmp;13201321} else {1322if (insn->sib.nbytes) {1323ret = get_eff_addr_sib(insn, regs, ®off, &tmp);1324if (ret)1325goto out;13261327eff_addr = tmp;1328} else {1329ret = get_eff_addr_modrm(insn, regs, ®off, &tmp);1330if (ret)1331goto out;13321333eff_addr = tmp;1334}1335}13361337ret = get_seg_base_limit(insn, regs, regoff, &seg_base, &seg_limit);1338if (ret)1339goto out;13401341/*1342* In protected mode, before computing the linear address, make sure1343* the effective address is within the limits of the segment.1344* 32-bit addresses can be used in long and virtual-8086 modes if an1345* address override prefix is used. In such cases, segment limits are1346* not enforced. When in virtual-8086 mode, the segment limit is -1L1347* to reflect this situation.1348*1349* After computed, the effective address is treated as an unsigned1350* quantity.1351*/1352if (!any_64bit_mode(regs) && ((unsigned int)eff_addr > seg_limit))1353goto out;13541355/*1356* Even though 32-bit address encodings are allowed in virtual-80861357* mode, the address range is still limited to [0x-0xffff].1358*/1359if (v8086_mode(regs) && (eff_addr & ~0xffff))1360goto out;13611362/*1363* Data type long could be 64 bits in size. Ensure that our 32-bit1364* effective address is not sign-extended when computing the linear1365* address.1366*/1367linear_addr = (unsigned long)(eff_addr & 0xffffffff) + seg_base;13681369/* Limit linear address to 20 bits */1370if (v8086_mode(regs))1371linear_addr &= 0xfffff;13721373out:1374return (void __user *)linear_addr;1375}13761377/**1378* get_addr_ref_64() - Obtain a 64-bit linear address1379* @insn: Instruction struct with ModRM and SIB bytes and displacement1380* @regs: Structure with register values as seen when entering kernel mode1381*1382* This function is to be used with 64-bit address encodings to obtain the1383* linear memory address referred by the instruction's ModRM, SIB,1384* displacement bytes and segment base address, as applicable.1385*1386* Returns:1387*1388* Linear address referenced by instruction and registers on success.1389*1390* -1L on error.1391*/1392#ifndef CONFIG_X86_641393static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)1394{1395return (void __user *)-1L;1396}1397#else1398static void __user *get_addr_ref_64(struct insn *insn, struct pt_regs *regs)1399{1400unsigned long linear_addr = -1L, seg_base;1401int regoff, ret;1402long eff_addr;14031404if (insn->addr_bytes != 8)1405goto out;14061407if (X86_MODRM_MOD(insn->modrm.value) == 3) {1408ret = get_eff_addr_reg(insn, regs, ®off, &eff_addr);1409if (ret)1410goto out;14111412} else {1413if (insn->sib.nbytes) {1414ret = get_eff_addr_sib(insn, regs, ®off, &eff_addr);1415if (ret)1416goto out;1417} else {1418ret = get_eff_addr_modrm(insn, regs, ®off, &eff_addr);1419if (ret)1420goto out;1421}14221423}14241425ret = get_seg_base_limit(insn, regs, regoff, &seg_base, NULL);1426if (ret)1427goto out;14281429linear_addr = (unsigned long)eff_addr + seg_base;14301431out:1432return (void __user *)linear_addr;1433}1434#endif /* CONFIG_X86_64 */14351436/**1437* insn_get_addr_ref() - Obtain the linear address referred by instruction1438* @insn: Instruction structure containing ModRM byte and displacement1439* @regs: Structure with register values as seen when entering kernel mode1440*1441* Obtain the linear address referred by the instruction's ModRM, SIB and1442* displacement bytes, and segment base, as applicable. In protected mode,1443* segment limits are enforced.1444*1445* Returns:1446*1447* Linear address referenced by instruction and registers on success.1448*1449* -1L on error.1450*/1451void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)1452{1453if (!insn || !regs)1454return (void __user *)-1L;14551456if (insn_get_opcode(insn))1457return (void __user *)-1L;14581459switch (insn->addr_bytes) {1460case 2:1461return get_addr_ref_16(insn, regs);1462case 4:1463return get_addr_ref_32(insn, regs);1464case 8:1465return get_addr_ref_64(insn, regs);1466default:1467return (void __user *)-1L;1468}1469}14701471int insn_get_effective_ip(struct pt_regs *regs, unsigned long *ip)1472{1473unsigned long seg_base = 0;14741475/*1476* If not in user-space long mode, a custom code segment could be in1477* use. This is true in protected mode (if the process defined a local1478* descriptor table), or virtual-8086 mode. In most of the cases1479* seg_base will be zero as in USER_CS.1480*/1481if (!user_64bit_mode(regs)) {1482seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);1483if (seg_base == -1L)1484return -EINVAL;1485}14861487*ip = seg_base + regs->ip;14881489return 0;1490}14911492/**1493* insn_fetch_from_user() - Copy instruction bytes from user-space memory1494* @regs: Structure with register values as seen when entering kernel mode1495* @buf: Array to store the fetched instruction1496*1497* Gets the linear address of the instruction and copies the instruction bytes1498* to the buf.1499*1500* Returns:1501*1502* - number of instruction bytes copied.1503* - 0 if nothing was copied.1504* - -EINVAL if the linear address of the instruction could not be calculated1505*/1506int insn_fetch_from_user(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])1507{1508unsigned long ip;1509int not_copied;15101511if (insn_get_effective_ip(regs, &ip))1512return -EINVAL;15131514not_copied = copy_from_user(buf, (void __user *)ip, MAX_INSN_SIZE);15151516return MAX_INSN_SIZE - not_copied;1517}15181519/**1520* insn_fetch_from_user_inatomic() - Copy instruction bytes from user-space memory1521* while in atomic code1522* @regs: Structure with register values as seen when entering kernel mode1523* @buf: Array to store the fetched instruction1524*1525* Gets the linear address of the instruction and copies the instruction bytes1526* to the buf. This function must be used in atomic context.1527*1528* Returns:1529*1530* - number of instruction bytes copied.1531* - 0 if nothing was copied.1532* - -EINVAL if the linear address of the instruction could not be calculated.1533*/1534int insn_fetch_from_user_inatomic(struct pt_regs *regs, unsigned char buf[MAX_INSN_SIZE])1535{1536unsigned long ip;1537int not_copied;15381539if (insn_get_effective_ip(regs, &ip))1540return -EINVAL;15411542not_copied = __copy_from_user_inatomic(buf, (void __user *)ip, MAX_INSN_SIZE);15431544return MAX_INSN_SIZE - not_copied;1545}15461547/**1548* insn_decode_from_regs() - Decode an instruction1549* @insn: Structure to store decoded instruction1550* @regs: Structure with register values as seen when entering kernel mode1551* @buf: Buffer containing the instruction bytes1552* @buf_size: Number of instruction bytes available in buf1553*1554* Decodes the instruction provided in buf and stores the decoding results in1555* insn. Also determines the correct address and operand sizes.1556*1557* Returns:1558*1559* True if instruction was decoded, False otherwise.1560*/1561bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs,1562unsigned char buf[MAX_INSN_SIZE], int buf_size)1563{1564int seg_defs;15651566insn_init(insn, buf, buf_size, user_64bit_mode(regs));15671568/*1569* Override the default operand and address sizes with what is specified1570* in the code segment descriptor. The instruction decoder only sets1571* the address size it to either 4 or 8 address bytes and does nothing1572* for the operand bytes. This OK for most of the cases, but we could1573* have special cases where, for instance, a 16-bit code segment1574* descriptor is used.1575* If there is an address override prefix, the instruction decoder1576* correctly updates these values, even for 16-bit defaults.1577*/1578seg_defs = insn_get_code_seg_params(regs);1579if (seg_defs == -EINVAL)1580return false;15811582insn->addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);1583insn->opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);15841585if (insn_get_length(insn))1586return false;15871588if (buf_size < insn->length)1589return false;15901591return true;1592}15931594/**1595* insn_decode_mmio() - Decode a MMIO instruction1596* @insn: Structure to store decoded instruction1597* @bytes: Returns size of memory operand1598*1599* Decodes instruction that used for Memory-mapped I/O.1600*1601* Returns:1602*1603* Type of the instruction. Size of the memory operand is stored in1604* @bytes. If decode failed, INSN_MMIO_DECODE_FAILED returned.1605*/1606enum insn_mmio_type insn_decode_mmio(struct insn *insn, int *bytes)1607{1608enum insn_mmio_type type = INSN_MMIO_DECODE_FAILED;16091610*bytes = 0;16111612if (insn_get_opcode(insn))1613return INSN_MMIO_DECODE_FAILED;16141615switch (insn->opcode.bytes[0]) {1616case 0x88: /* MOV m8,r8 */1617*bytes = 1;1618fallthrough;1619case 0x89: /* MOV m16/m32/m64, r16/m32/m64 */1620if (!*bytes)1621*bytes = insn->opnd_bytes;1622type = INSN_MMIO_WRITE;1623break;16241625case 0xc6: /* MOV m8, imm8 */1626*bytes = 1;1627fallthrough;1628case 0xc7: /* MOV m16/m32/m64, imm16/imm32/imm64 */1629if (!*bytes)1630*bytes = insn->opnd_bytes;1631type = INSN_MMIO_WRITE_IMM;1632break;16331634case 0x8a: /* MOV r8, m8 */1635*bytes = 1;1636fallthrough;1637case 0x8b: /* MOV r16/r32/r64, m16/m32/m64 */1638if (!*bytes)1639*bytes = insn->opnd_bytes;1640type = INSN_MMIO_READ;1641break;16421643case 0xa4: /* MOVS m8, m8 */1644*bytes = 1;1645fallthrough;1646case 0xa5: /* MOVS m16/m32/m64, m16/m32/m64 */1647if (!*bytes)1648*bytes = insn->opnd_bytes;1649type = INSN_MMIO_MOVS;1650break;16511652case 0x0f: /* Two-byte instruction */1653switch (insn->opcode.bytes[1]) {1654case 0xb6: /* MOVZX r16/r32/r64, m8 */1655*bytes = 1;1656fallthrough;1657case 0xb7: /* MOVZX r32/r64, m16 */1658if (!*bytes)1659*bytes = 2;1660type = INSN_MMIO_READ_ZERO_EXTEND;1661break;16621663case 0xbe: /* MOVSX r16/r32/r64, m8 */1664*bytes = 1;1665fallthrough;1666case 0xbf: /* MOVSX r32/r64, m16 */1667if (!*bytes)1668*bytes = 2;1669type = INSN_MMIO_READ_SIGN_EXTEND;1670break;1671}1672break;1673}16741675return type;1676}16771678/*1679* Recognise typical NOP patterns for both 32bit and 64bit.1680*1681* Notably:1682* - NOP, but not: REP NOP aka PAUSE1683* - NOPL1684* - MOV %reg, %reg1685* - LEA 0(%reg),%reg1686* - JMP +01687*1688* Must not have false-positives; instructions identified as a NOP might be1689* emulated as a NOP (uprobe) or Run Length Encoded in a larger NOP1690* (alternatives).1691*1692* False-negatives are fine; need not be exhaustive.1693*/1694bool insn_is_nop(struct insn *insn)1695{1696u8 b3 = 0, x3 = 0, r3 = 0;1697u8 b4 = 0, x4 = 0, r4 = 0, m = 0;1698u8 modrm, modrm_mod, modrm_reg, modrm_rm;1699u8 sib = 0, sib_scale, sib_index, sib_base;1700u8 nrex, rex;1701u8 p, rep = 0;17021703if ((nrex = insn->rex_prefix.nbytes)) {1704rex = insn->rex_prefix.bytes[nrex-1];17051706r3 = !!X86_REX_R(rex);1707x3 = !!X86_REX_X(rex);1708b3 = !!X86_REX_B(rex);1709if (nrex > 1) {1710r4 = !!X86_REX2_R(rex);1711x4 = !!X86_REX2_X(rex);1712b4 = !!X86_REX2_B(rex);1713m = !!X86_REX2_M(rex);1714}17151716} else if (insn->vex_prefix.nbytes) {1717/*1718* Ignore VEX encoded NOPs1719*/1720return false;1721}17221723if (insn->modrm.nbytes) {1724modrm = insn->modrm.bytes[0];1725modrm_mod = X86_MODRM_MOD(modrm);1726modrm_reg = X86_MODRM_REG(modrm) + 8*r3 + 16*r4;1727modrm_rm = X86_MODRM_RM(modrm) + 8*b3 + 16*b4;1728modrm = 1;1729}17301731if (insn->sib.nbytes) {1732sib = insn->sib.bytes[0];1733sib_scale = X86_SIB_SCALE(sib);1734sib_index = X86_SIB_INDEX(sib) + 8*x3 + 16*x4;1735sib_base = X86_SIB_BASE(sib) + 8*b3 + 16*b4;1736sib = 1;17371738modrm_rm = sib_base;1739}17401741for_each_insn_prefix(insn, p) {1742if (p == 0xf3) /* REPE */1743rep = 1;1744}17451746/*1747* Opcode map munging:1748*1749* REX2: 0 - single byte opcode1750* 1 - 0f second byte opcode1751*/1752switch (m) {1753case 0: break;1754case 1: insn->opcode.value <<= 8;1755insn->opcode.value |= 0x0f;1756break;1757default:1758return false;1759}17601761switch (insn->opcode.bytes[0]) {1762case 0x0f: /* 2nd byte */1763break;17641765case 0x89: /* MOV */1766if (modrm_mod != 3) /* register-direct */1767return false;17681769/* native size */1770if (insn->opnd_bytes != 4 * (1 + insn->x86_64))1771return false;17721773return modrm_reg == modrm_rm; /* MOV %reg, %reg */17741775case 0x8d: /* LEA */1776if (modrm_mod == 0 || modrm_mod == 3) /* register-indirect with disp */1777return false;17781779/* native size */1780if (insn->opnd_bytes != 4 * (1 + insn->x86_64))1781return false;17821783if (insn->displacement.value != 0)1784return false;17851786if (sib && (sib_scale != 0 || sib_index != 4)) /* (%reg, %eiz, 1) */1787return false;17881789for_each_insn_prefix(insn, p) {1790if (p != 0x3e) /* DS */1791return false;1792}17931794return modrm_reg == modrm_rm; /* LEA 0(%reg), %reg */17951796case 0x90: /* NOP */1797if (b3 || b4) /* XCHG %r{8,16,24},%rax */1798return false;17991800if (rep) /* REP NOP := PAUSE */1801return false;18021803return true;18041805case 0xe9: /* JMP.d32 */1806case 0xeb: /* JMP.d8 */1807return insn->immediate.value == 0; /* JMP +0 */18081809default:1810return false;1811}18121813switch (insn->opcode.bytes[1]) {1814case 0x1f:1815return modrm_reg == 0; /* 0f 1f /0 -- NOPL */18161817default:1818return false;1819}1820}182118221823