f82077cb71
Changes in 4.9.337
mm/khugepaged: fix GUP-fast interaction by sending IPI
mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
block: unhash blkdev part inode when the part is deleted
ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
can: sja1000: fix size of OCR_MODE_MASK define
ASoC: ops: Correct bounds check for second channel on SX controls
udf: Discard preallocation before extending file with a hole
udf: Drop unused arguments of udf_delete_aext()
udf: Fix preallocation discarding at indirect extent boundary
udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size
udf: Fix extending file within last block
usb: gadget: uvc: Prevent buffer overflow in setup handler
USB: serial: cp210x: add Kamstrup RF sniffer PIDs
Bluetooth: L2CAP: Fix u8 overflow
net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
arm: dts: spear600: Fix clcd interrupt
soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
ARM: mmp: fix timer_read delay
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
cpuidle: dt: Return the correct numbers of parsed idle states
alpha: fix syscall entry in !AUDUT_SYSCALL case
PM: hibernate: Fix mistake in kerneldoc comment
fs: don't audit the capability check in simple_xattr_list()
perf: Fix possible memleak in pmu_dev_alloc()
timerqueue: Use rb_entry_safe() in timerqueue_getnext()
ocfs2: fix memory leak in ocfs2_stack_glue_init()
MIPS: vpe-mt: fix possible memory leak while module exiting
MIPS: vpe-cmp: fix possible memory leak while module exiting
PNP: fix name memory leak in pnp_alloc_dev()
irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
lib/notifier-error-inject: fix error when writing -errno to debugfs file
rapidio: fix possible name leaks when rio_add_device() fails
rapidio: rio: fix possible name leak in rio_register_mport()
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
x86/xen: Fix memory leak in xen_init_lock_cpu()
MIPS: BCM63xx: Add check for NULL for clk in clk_enable
fs: sysv: Fix sysv_nblocks() returns wrong value
rapidio: fix possible UAF when kfifo_alloc() fails
eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
hfs: Fix OOB Write in hfs_asc2mac
rapidio: devices: fix missing put_device in mport_cdev_open
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
media: i2c: ad5820: Fix error path
media: vivid: fix compose size exceed boundary
mtd: Fix device name leak when register device failed in add_mtd_device()
ASoC: pxa: fix null-pointer dereference in filter()
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
ima: Fix misuse of dereference of pointer in template_desc_init_fields()
wifi: ath10k: Fix return value in ath10k_pci_init()
mtd: lpddr2_nvm: Fix possible null-ptr-deref
Input: elants_i2c - properly handle the reset GPIO when power is off
media: solo6x10: fix possible memory leak in solo_sysfs_init()
media: platform: exynos4-is: Fix error handling in fimc_md_init()
HID: hid-sensor-custom: set fixed size for custom attributes
ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
mtd: maps: pxa2xx-flash: fix memory leak in probe
media: imon: fix a race condition in send_packet()
pinctrl: pinconf-generic: add missing of_node_put()
media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
NFSv4.2: Fix a memory stomp in decode_attr_security_label
NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
ALSA: asihpi: fix missing pci_disable_device()
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
bonding: uninitialized variable in bond_miimon_inspect()
regulator: core: fix module refcount leak in set_supply()
media: saa7164: fix missing pci_disable_device()
ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
SUNRPC: Fix missing release socket in rpc_sockname()
mmc: moxart: fix return value check of mmc_add_host()
mmc: mxcmmc: fix return value check of mmc_add_host()
mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
mmc: toshsd: fix return value check of mmc_add_host()
mmc: vub300: fix return value check of mmc_add_host()
mmc: via-sdmmc: fix return value check of mmc_add_host()
mmc: wbsd: fix return value check of mmc_add_host()
mmc: mmci: fix return value check of mmc_add_host()
media: c8sectpfe: Add of_node_put() when breaking out of loop
media: coda: Add check for dcoda_iram_alloc
media: coda: Add check for kmalloc
wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
blktrace: Fix output non-blktrace event when blk_classic option enabled
net: vmw_vsock: vmci: Check memcpy_from_msg()
net: defxx: Fix missing err handling in dfx_init()
drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
net: farsync: Fix kmemleak when rmmods farsync
net/tunnel: wait until all sk_user_data reader finish before releasing the sock
net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()
net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()
net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()
hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
ntb_netdev: Use dev_kfree_skb_any() in interrupt context
Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
stmmac: fix potential division by 0
scsi: hpsa: Fix error handling in hpsa_add_sas_host()
scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
scsi: fcoe: Fix possible name leak when device_register() fails
scsi: ipr: Fix WARNING in ipr_init()
scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
scsi: snic: Fix possible UAF in snic_tgt_create()
orangefs: Fix sysfs not cleanup when dev init failed
crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
hwrng: amd - Fix PCI device refcount leak
hwrng: geode - Fix PCI device refcount leak
IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
drivers: dio: fix possible memory leak in dio_init()
vfio: platform: Do not pass return buffer to ACPI _RST method
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
uio: uio_dmem_genirq: Fix deadlock between irq config and handling
usb: fotg210-udc: Fix ages old endianness issues
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
serial: amba-pl011: avoid SBSA UART accessing DMACR register
serial: pch: Fix PCI device refcount leak in pch_request_dma()
serial: sunsab: Fix error handling in sunsab_init()
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
drivers: mcb: fix resource leak in mcb_probe()
mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
chardev: fix error handling in cdev_device_add()
i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
staging: rtl8192u: Fix use after free in ieee80211_rx()
staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
vme: Fix error not catched in fake_init()
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
usb: storage: Add check for kcalloc
fbdev: ssd1307fb: Drop optional dependency
fbdev: pm2fb: fix missing pci_disable_device()
fbdev: via: Fix error in via_core_init()
fbdev: vermilion: decrease reference count in error path
fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
power: supply: fix residue sysfs file in error handle route of __power_supply_register()
HSI: omap_ssi_core: Fix error handling in ssi_init()
include/uapi/linux/swab: Fix potentially missing __always_inline
rtc: snvs: Allow a time difference on clock register read
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
macintosh: fix possible memory leak in macio_add_one_device()
macintosh/macio-adb: check the return value of ioremap()
powerpc/52xx: Fix a resource leak in an error handling path
powerpc/perf: callchain validate kernel stack pointer bounds
powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
powerpc/hv-gpci: Fix hv_gpci event list
selftests/powerpc: Fix resource leaks
rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
nfc: pn533: Clear nfc_target before being used
r6040: Fix kmemleak in probe and remove
openvswitch: Fix flow lookup to use unmasked key
skbuff: Account for tail adjustment during pull operations
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
myri10ge: Fix an error handling path in myri10ge_probe()
net: stream: purge sk_error_queue in sk_stream_kill_queues()
binfmt_misc: fix shift-out-of-bounds in check_special_flags
fs: jfs: fix shift-out-of-bounds in dbAllocAG
udf: Avoid double brelse() in udf_rename()
fs: jfs: fix shift-out-of-bounds in dbDiscardAG
ACPICA: Fix error code path in acpi_ds_call_control_method()
nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
acct: fix potential integer overflow in encode_comp_t()
hfs: fix OOB Read in __hfs_brec_find
wifi: ath9k: verify the expected usb_endpoints are present
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
ipmi: fix memleak when unload ipmi driver
net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
hamradio: baycom_epp: Fix return type of baycom_send_packet()
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
igb: Do not free q_vector unless new one was allocated
s390/ctcm: Fix return type of ctc{mp,}m_tx()
s390/netiucv: Fix return type of netiucv_tx()
s390/lcs: Fix return type of lcs_start_xmit()
drm/sti: Use drm_mode_copy()
md/raid1: stop mdx_raid1 thread when raid1 array run failed
mrp: introduce active flags to prevent UAF when applicant uninit
ppp: associate skb with a device at tx
media: dvb-frontends: fix leak of memory fw
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
blk-mq: fix possible memleak when register 'hctx' failed
mmc: f-sdh30: Add quirks for broken timeout clock capability
media: si470x: Fix use-after-free in si470x_int_in_callback()
clk: st: Fix memory leak in st_of_quadfs_setup()
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
ASoC: wm8994: Fix potential deadlock
ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
ASoC: rt5670: Remove unbalanced pm_runtime_put()
HID: wacom: Ensure bootloader PID is usable in hidraw mode
reiserfs: Add missing calls to reiserfs_security_free()
iio: adc: ad_sigma_delta: do not use internal iio_dev lock
gcov: add support for checksum field
powerpc/rtas: avoid scheduling in rtas_os_term()
HID: plantronics: Additional PIDs for double volume key presses quirk
hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount
ALSA: line6: correct midi status byte when receiving data from podxt
ALSA: line6: fix stack overflow in line6_midi_transmit
pnode: terminate at peers of source
md: fix a crash in mempool_free
mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
media: stv0288: use explicitly signed char
ktest.pl minconfig: Unset configs instead of just removing them
ARM: ux500: do not directly dereference __iomem
dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort
dm thin: Use last transaction's pmd->root when commit failed
dm thin: Fix UAF in run_timer_softirq()
dm cache: Fix UAF in destroy()
dm cache: set needs_check flag after aborting metadata
tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line
ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod
media: dvb-core: Fix double free in dvb_register_device()
cifs: fix confusing debug message
PCI/sysfs: Fix double free in error path
crypto: n2 - add missing hash statesize
iommu/amd: Fix ivrs_acpihid cmdline parsing code
parisc: led: Fix potential null-ptr-deref in start_task()
device_cgroup: Roll back to original exceptions after copy failure
drm/connector: send hotplug uevent on connector cleanup
drm/vmwgfx: Validate the box size for the snooped cursor
ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
ext4: fix undefined behavior in bit shift for ext4_check_flag_values
ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
ext4: init quota for 'old.inode' in 'ext4_rename'
ext4: fix error code return to user-space in ext4_get_branch()
ext4: avoid BUG_ON when creating xattrs
ext4: initialize quota before expanding inode in setproject ioctl
Linux 4.9.337
Change-Id: I923e3fef499ae1688b25c70a1a805b55a9f4f027
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
1008 lines
32 KiB
C
1008 lines
32 KiB
C
/*
|
|
* User-space Probes (UProbes) for x86
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
*
|
|
* Copyright (C) IBM Corporation, 2008-2011
|
|
* Authors:
|
|
* Srikar Dronamraju
|
|
* Jim Keniston
|
|
*/
|
|
#include <linux/kernel.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/ptrace.h>
|
|
#include <linux/uprobes.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
#include <linux/kdebug.h>
|
|
#include <asm/processor.h>
|
|
#include <asm/insn.h>
|
|
#include <asm/mmu_context.h>
|
|
|
|
/* Post-execution fixups. */
|
|
|
|
/* Adjust IP back to vicinity of actual insn */
|
|
#define UPROBE_FIX_IP 0x01
|
|
|
|
/* Adjust the return address of a call insn */
|
|
#define UPROBE_FIX_CALL 0x02
|
|
|
|
/* Instruction will modify TF, don't change it */
|
|
#define UPROBE_FIX_SETF 0x04
|
|
|
|
#define UPROBE_FIX_RIP_SI 0x08
|
|
#define UPROBE_FIX_RIP_DI 0x10
|
|
#define UPROBE_FIX_RIP_BX 0x20
|
|
#define UPROBE_FIX_RIP_MASK \
|
|
(UPROBE_FIX_RIP_SI | UPROBE_FIX_RIP_DI | UPROBE_FIX_RIP_BX)
|
|
|
|
#define UPROBE_TRAP_NR UINT_MAX
|
|
|
|
/* Adaptations for mhiramat x86 decoder v14. */
|
|
#define OPCODE1(insn) ((insn)->opcode.bytes[0])
|
|
#define OPCODE2(insn) ((insn)->opcode.bytes[1])
|
|
#define OPCODE3(insn) ((insn)->opcode.bytes[2])
|
|
#define MODRM_REG(insn) X86_MODRM_REG((insn)->modrm.value)
|
|
|
|
#define W(row, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, ba, bb, bc, bd, be, bf)\
|
|
(((b0##UL << 0x0)|(b1##UL << 0x1)|(b2##UL << 0x2)|(b3##UL << 0x3) | \
|
|
(b4##UL << 0x4)|(b5##UL << 0x5)|(b6##UL << 0x6)|(b7##UL << 0x7) | \
|
|
(b8##UL << 0x8)|(b9##UL << 0x9)|(ba##UL << 0xa)|(bb##UL << 0xb) | \
|
|
(bc##UL << 0xc)|(bd##UL << 0xd)|(be##UL << 0xe)|(bf##UL << 0xf)) \
|
|
<< (row % 32))
|
|
|
|
/*
|
|
* Good-instruction tables for 32-bit apps. This is non-const and volatile
|
|
* to keep gcc from statically optimizing it out, as variable_test_bit makes
|
|
* some versions of gcc to think only *(unsigned long*) is used.
|
|
*
|
|
* Opcodes we'll probably never support:
|
|
* 6c-6f - ins,outs. SEGVs if used in userspace
|
|
* e4-e7 - in,out imm. SEGVs if used in userspace
|
|
* ec-ef - in,out acc. SEGVs if used in userspace
|
|
* cc - int3. SIGTRAP if used in userspace
|
|
* ce - into. Not used in userspace - no kernel support to make it useful. SEGVs
|
|
* (why we support bound (62) then? it's similar, and similarly unused...)
|
|
* f1 - int1. SIGTRAP if used in userspace
|
|
* f4 - hlt. SEGVs if used in userspace
|
|
* fa - cli. SEGVs if used in userspace
|
|
* fb - sti. SEGVs if used in userspace
|
|
*
|
|
* Opcodes which need some work to be supported:
|
|
* 07,17,1f - pop es/ss/ds
|
|
* Normally not used in userspace, but would execute if used.
|
|
* Can cause GP or stack exception if tries to load wrong segment descriptor.
|
|
* We hesitate to run them under single step since kernel's handling
|
|
* of userspace single-stepping (TF flag) is fragile.
|
|
* We can easily refuse to support push es/cs/ss/ds (06/0e/16/1e)
|
|
* on the same grounds that they are never used.
|
|
* cd - int N.
|
|
* Used by userspace for "int 80" syscall entry. (Other "int N"
|
|
* cause GP -> SEGV since their IDT gates don't allow calls from CPL 3).
|
|
* Not supported since kernel's handling of userspace single-stepping
|
|
* (TF flag) is fragile.
|
|
* cf - iret. Normally not used in userspace. Doesn't SEGV unless arguments are bad
|
|
*/
|
|
#if defined(CONFIG_X86_32) || defined(CONFIG_IA32_EMULATION)
|
|
static volatile u32 good_insns_32[256 / 32] = {
|
|
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
|
|
/* ---------------------------------------------- */
|
|
W(0x00, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1) | /* 00 */
|
|
W(0x10, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) , /* 10 */
|
|
W(0x20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 20 */
|
|
W(0x30, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 30 */
|
|
W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
|
|
W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
|
|
W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* 60 */
|
|
W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 70 */
|
|
W(0x80, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
|
|
W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
|
|
W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* a0 */
|
|
W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
|
|
W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* c0 */
|
|
W(0xd0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
|
|
W(0xe0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0) | /* e0 */
|
|
W(0xf0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1) /* f0 */
|
|
/* ---------------------------------------------- */
|
|
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
|
|
};
|
|
#else
|
|
#define good_insns_32 NULL
|
|
#endif
|
|
|
|
/* Good-instruction tables for 64-bit apps.
|
|
*
|
|
* Genuinely invalid opcodes:
|
|
* 06,07 - formerly push/pop es
|
|
* 0e - formerly push cs
|
|
* 16,17 - formerly push/pop ss
|
|
* 1e,1f - formerly push/pop ds
|
|
* 27,2f,37,3f - formerly daa/das/aaa/aas
|
|
* 60,61 - formerly pusha/popa
|
|
* 62 - formerly bound. EVEX prefix for AVX512 (not yet supported)
|
|
* 82 - formerly redundant encoding of Group1
|
|
* 9a - formerly call seg:ofs
|
|
* ce - formerly into
|
|
* d4,d5 - formerly aam/aad
|
|
* d6 - formerly undocumented salc
|
|
* ea - formerly jmp seg:ofs
|
|
*
|
|
* Opcodes we'll probably never support:
|
|
* 6c-6f - ins,outs. SEGVs if used in userspace
|
|
* e4-e7 - in,out imm. SEGVs if used in userspace
|
|
* ec-ef - in,out acc. SEGVs if used in userspace
|
|
* cc - int3. SIGTRAP if used in userspace
|
|
* f1 - int1. SIGTRAP if used in userspace
|
|
* f4 - hlt. SEGVs if used in userspace
|
|
* fa - cli. SEGVs if used in userspace
|
|
* fb - sti. SEGVs if used in userspace
|
|
*
|
|
* Opcodes which need some work to be supported:
|
|
* cd - int N.
|
|
* Used by userspace for "int 80" syscall entry. (Other "int N"
|
|
* cause GP -> SEGV since their IDT gates don't allow calls from CPL 3).
|
|
* Not supported since kernel's handling of userspace single-stepping
|
|
* (TF flag) is fragile.
|
|
* cf - iret. Normally not used in userspace. Doesn't SEGV unless arguments are bad
|
|
*/
|
|
#if defined(CONFIG_X86_64)
|
|
static volatile u32 good_insns_64[256 / 32] = {
|
|
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
|
|
/* ---------------------------------------------- */
|
|
W(0x00, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1) | /* 00 */
|
|
W(0x10, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0) , /* 10 */
|
|
W(0x20, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) | /* 20 */
|
|
W(0x30, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0) , /* 30 */
|
|
W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
|
|
W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
|
|
W(0x60, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* 60 */
|
|
W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 70 */
|
|
W(0x80, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
|
|
W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1) , /* 90 */
|
|
W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* a0 */
|
|
W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
|
|
W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0) | /* c0 */
|
|
W(0xd0, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
|
|
W(0xe0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0) | /* e0 */
|
|
W(0xf0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1) /* f0 */
|
|
/* ---------------------------------------------- */
|
|
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
|
|
};
|
|
#else
|
|
#define good_insns_64 NULL
|
|
#endif
|
|
|
|
/* Using this for both 64-bit and 32-bit apps.
|
|
* Opcodes we don't support:
|
|
* 0f 00 - SLDT/STR/LLDT/LTR/VERR/VERW/-/- group. System insns
|
|
* 0f 01 - SGDT/SIDT/LGDT/LIDT/SMSW/-/LMSW/INVLPG group.
|
|
* Also encodes tons of other system insns if mod=11.
|
|
* Some are in fact non-system: xend, xtest, rdtscp, maybe more
|
|
* 0f 05 - syscall
|
|
* 0f 06 - clts (CPL0 insn)
|
|
* 0f 07 - sysret
|
|
* 0f 08 - invd (CPL0 insn)
|
|
* 0f 09 - wbinvd (CPL0 insn)
|
|
* 0f 0b - ud2
|
|
* 0f 30 - wrmsr (CPL0 insn) (then why rdmsr is allowed, it's also CPL0 insn?)
|
|
* 0f 34 - sysenter
|
|
* 0f 35 - sysexit
|
|
* 0f 37 - getsec
|
|
* 0f 78 - vmread (Intel VMX. CPL0 insn)
|
|
* 0f 79 - vmwrite (Intel VMX. CPL0 insn)
|
|
* Note: with prefixes, these two opcodes are
|
|
* extrq/insertq/AVX512 convert vector ops.
|
|
* 0f ae - group15: [f]xsave,[f]xrstor,[v]{ld,st}mxcsr,clflush[opt],
|
|
* {rd,wr}{fs,gs}base,{s,l,m}fence.
|
|
* Why? They are all user-executable.
|
|
*/
|
|
static volatile u32 good_2byte_insns[256 / 32] = {
|
|
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
|
|
/* ---------------------------------------------- */
|
|
W(0x00, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1) | /* 00 */
|
|
W(0x10, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 10 */
|
|
W(0x20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 20 */
|
|
W(0x30, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1) , /* 30 */
|
|
W(0x40, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 40 */
|
|
W(0x50, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 50 */
|
|
W(0x60, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 60 */
|
|
W(0x70, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1) , /* 70 */
|
|
W(0x80, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* 80 */
|
|
W(0x90, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* 90 */
|
|
W(0xa0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1) | /* a0 */
|
|
W(0xb0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* b0 */
|
|
W(0xc0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* c0 */
|
|
W(0xd0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) , /* d0 */
|
|
W(0xe0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) | /* e0 */
|
|
W(0xf0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1) /* f0 */
|
|
/* ---------------------------------------------- */
|
|
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
|
|
};
|
|
#undef W
|
|
|
|
/*
|
|
* opcodes we may need to refine support for:
|
|
*
|
|
* 0f - 2-byte instructions: For many of these instructions, the validity
|
|
* depends on the prefix and/or the reg field. On such instructions, we
|
|
* just consider the opcode combination valid if it corresponds to any
|
|
* valid instruction.
|
|
*
|
|
* 8f - Group 1 - only reg = 0 is OK
|
|
* c6-c7 - Group 11 - only reg = 0 is OK
|
|
* d9-df - fpu insns with some illegal encodings
|
|
* f2, f3 - repnz, repz prefixes. These are also the first byte for
|
|
* certain floating-point instructions, such as addsd.
|
|
*
|
|
* fe - Group 4 - only reg = 0 or 1 is OK
|
|
* ff - Group 5 - only reg = 0-6 is OK
|
|
*
|
|
* others -- Do we need to support these?
|
|
*
|
|
* 0f - (floating-point?) prefetch instructions
|
|
* 07, 17, 1f - pop es, pop ss, pop ds
|
|
* 26, 2e, 36, 3e - es:, cs:, ss:, ds: segment prefixes --
|
|
* but 64 and 65 (fs: and gs:) seem to be used, so we support them
|
|
* 67 - addr16 prefix
|
|
* ce - into
|
|
* f0 - lock prefix
|
|
*/
|
|
|
|
/*
|
|
* TODO:
|
|
* - Where necessary, examine the modrm byte and allow only valid instructions
|
|
* in the different Groups and fpu instructions.
|
|
*/
|
|
|
|
static bool is_prefix_bad(struct insn *insn)
|
|
{
|
|
insn_byte_t p;
|
|
int i;
|
|
|
|
for_each_insn_prefix(insn, i, p) {
|
|
switch (p) {
|
|
case 0x26: /* INAT_PFX_ES */
|
|
case 0x2E: /* INAT_PFX_CS */
|
|
case 0x36: /* INAT_PFX_DS */
|
|
case 0x3E: /* INAT_PFX_SS */
|
|
case 0xF0: /* INAT_PFX_LOCK */
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static int uprobe_init_insn(struct arch_uprobe *auprobe, struct insn *insn, bool x86_64)
|
|
{
|
|
u32 volatile *good_insns;
|
|
|
|
insn_init(insn, auprobe->insn, sizeof(auprobe->insn), x86_64);
|
|
/* has the side-effect of processing the entire instruction */
|
|
insn_get_length(insn);
|
|
if (!insn_complete(insn))
|
|
return -ENOEXEC;
|
|
|
|
if (is_prefix_bad(insn))
|
|
return -ENOTSUPP;
|
|
|
|
/* We should not singlestep on the exception masking instructions */
|
|
if (insn_masking_exception(insn))
|
|
return -ENOTSUPP;
|
|
|
|
if (x86_64)
|
|
good_insns = good_insns_64;
|
|
else
|
|
good_insns = good_insns_32;
|
|
|
|
if (test_bit(OPCODE1(insn), (unsigned long *)good_insns))
|
|
return 0;
|
|
|
|
if (insn->opcode.nbytes == 2) {
|
|
if (test_bit(OPCODE2(insn), (unsigned long *)good_2byte_insns))
|
|
return 0;
|
|
}
|
|
|
|
return -ENOTSUPP;
|
|
}
|
|
|
|
#ifdef CONFIG_X86_64
|
|
/*
|
|
* If arch_uprobe->insn doesn't use rip-relative addressing, return
|
|
* immediately. Otherwise, rewrite the instruction so that it accesses
|
|
* its memory operand indirectly through a scratch register. Set
|
|
* defparam->fixups accordingly. (The contents of the scratch register
|
|
* will be saved before we single-step the modified instruction,
|
|
* and restored afterward).
|
|
*
|
|
* We do this because a rip-relative instruction can access only a
|
|
* relatively small area (+/- 2 GB from the instruction), and the XOL
|
|
* area typically lies beyond that area. At least for instructions
|
|
* that store to memory, we can't execute the original instruction
|
|
* and "fix things up" later, because the misdirected store could be
|
|
* disastrous.
|
|
*
|
|
* Some useful facts about rip-relative instructions:
|
|
*
|
|
* - There's always a modrm byte with bit layout "00 reg 101".
|
|
* - There's never a SIB byte.
|
|
* - The displacement is always 4 bytes.
|
|
* - REX.B=1 bit in REX prefix, which normally extends r/m field,
|
|
* has no effect on rip-relative mode. It doesn't make modrm byte
|
|
* with r/m=101 refer to register 1101 = R13.
|
|
*/
|
|
static void riprel_analyze(struct arch_uprobe *auprobe, struct insn *insn)
|
|
{
|
|
u8 *cursor;
|
|
u8 reg;
|
|
u8 reg2;
|
|
|
|
if (!insn_rip_relative(insn))
|
|
return;
|
|
|
|
/*
|
|
* insn_rip_relative() would have decoded rex_prefix, vex_prefix, modrm.
|
|
* Clear REX.b bit (extension of MODRM.rm field):
|
|
* we want to encode low numbered reg, not r8+.
|
|
*/
|
|
if (insn->rex_prefix.nbytes) {
|
|
cursor = auprobe->insn + insn_offset_rex_prefix(insn);
|
|
/* REX byte has 0100wrxb layout, clearing REX.b bit */
|
|
*cursor &= 0xfe;
|
|
}
|
|
/*
|
|
* Similar treatment for VEX3/EVEX prefix.
|
|
* TODO: add XOP treatment when insn decoder supports them
|
|
*/
|
|
if (insn->vex_prefix.nbytes >= 3) {
|
|
/*
|
|
* vex2: c5 rvvvvLpp (has no b bit)
|
|
* vex3/xop: c4/8f rxbmmmmm wvvvvLpp
|
|
* evex: 62 rxbR00mm wvvvv1pp zllBVaaa
|
|
* Setting VEX3.b (setting because it has inverted meaning).
|
|
* Setting EVEX.x since (in non-SIB encoding) EVEX.x
|
|
* is the 4th bit of MODRM.rm, and needs the same treatment.
|
|
* For VEX3-encoded insns, VEX3.x value has no effect in
|
|
* non-SIB encoding, the change is superfluous but harmless.
|
|
*/
|
|
cursor = auprobe->insn + insn_offset_vex_prefix(insn) + 1;
|
|
*cursor |= 0x60;
|
|
}
|
|
|
|
/*
|
|
* Convert from rip-relative addressing to register-relative addressing
|
|
* via a scratch register.
|
|
*
|
|
* This is tricky since there are insns with modrm byte
|
|
* which also use registers not encoded in modrm byte:
|
|
* [i]div/[i]mul: implicitly use dx:ax
|
|
* shift ops: implicitly use cx
|
|
* cmpxchg: implicitly uses ax
|
|
* cmpxchg8/16b: implicitly uses dx:ax and bx:cx
|
|
* Encoding: 0f c7/1 modrm
|
|
* The code below thinks that reg=1 (cx), chooses si as scratch.
|
|
* mulx: implicitly uses dx: mulx r/m,r1,r2 does r1:r2 = dx * r/m.
|
|
* First appeared in Haswell (BMI2 insn). It is vex-encoded.
|
|
* Example where none of bx,cx,dx can be used as scratch reg:
|
|
* c4 e2 63 f6 0d disp32 mulx disp32(%rip),%ebx,%ecx
|
|
* [v]pcmpistri: implicitly uses cx, xmm0
|
|
* [v]pcmpistrm: implicitly uses xmm0
|
|
* [v]pcmpestri: implicitly uses ax, dx, cx, xmm0
|
|
* [v]pcmpestrm: implicitly uses ax, dx, xmm0
|
|
* Evil SSE4.2 string comparison ops from hell.
|
|
* maskmovq/[v]maskmovdqu: implicitly uses (ds:rdi) as destination.
|
|
* Encoding: 0f f7 modrm, 66 0f f7 modrm, vex-encoded: c5 f9 f7 modrm.
|
|
* Store op1, byte-masked by op2 msb's in each byte, to (ds:rdi).
|
|
* AMD says it has no 3-operand form (vex.vvvv must be 1111)
|
|
* and that it can have only register operands, not mem
|
|
* (its modrm byte must have mode=11).
|
|
* If these restrictions will ever be lifted,
|
|
* we'll need code to prevent selection of di as scratch reg!
|
|
*
|
|
* Summary: I don't know any insns with modrm byte which
|
|
* use SI register implicitly. DI register is used only
|
|
* by one insn (maskmovq) and BX register is used
|
|
* only by one too (cmpxchg8b).
|
|
* BP is stack-segment based (may be a problem?).
|
|
* AX, DX, CX are off-limits (many implicit users).
|
|
* SP is unusable (it's stack pointer - think about "pop mem";
|
|
* also, rsp+disp32 needs sib encoding -> insn length change).
|
|
*/
|
|
|
|
reg = MODRM_REG(insn); /* Fetch modrm.reg */
|
|
reg2 = 0xff; /* Fetch vex.vvvv */
|
|
if (insn->vex_prefix.nbytes)
|
|
reg2 = insn->vex_prefix.bytes[2];
|
|
/*
|
|
* TODO: add XOP vvvv reading.
|
|
*
|
|
* vex.vvvv field is in bits 6-3, bits are inverted.
|
|
* But in 32-bit mode, high-order bit may be ignored.
|
|
* Therefore, let's consider only 3 low-order bits.
|
|
*/
|
|
reg2 = ((reg2 >> 3) & 0x7) ^ 0x7;
|
|
/*
|
|
* Register numbering is ax,cx,dx,bx, sp,bp,si,di, r8..r15.
|
|
*
|
|
* Choose scratch reg. Order is important: must not select bx
|
|
* if we can use si (cmpxchg8b case!)
|
|
*/
|
|
if (reg != 6 && reg2 != 6) {
|
|
reg2 = 6;
|
|
auprobe->defparam.fixups |= UPROBE_FIX_RIP_SI;
|
|
} else if (reg != 7 && reg2 != 7) {
|
|
reg2 = 7;
|
|
auprobe->defparam.fixups |= UPROBE_FIX_RIP_DI;
|
|
/* TODO (paranoia): force maskmovq to not use di */
|
|
} else {
|
|
reg2 = 3;
|
|
auprobe->defparam.fixups |= UPROBE_FIX_RIP_BX;
|
|
}
|
|
/*
|
|
* Point cursor at the modrm byte. The next 4 bytes are the
|
|
* displacement. Beyond the displacement, for some instructions,
|
|
* is the immediate operand.
|
|
*/
|
|
cursor = auprobe->insn + insn_offset_modrm(insn);
|
|
/*
|
|
* Change modrm from "00 reg 101" to "10 reg reg2". Example:
|
|
* 89 05 disp32 mov %eax,disp32(%rip) becomes
|
|
* 89 86 disp32 mov %eax,disp32(%rsi)
|
|
*/
|
|
*cursor = 0x80 | (reg << 3) | reg2;
|
|
}
|
|
|
|
static inline unsigned long *
|
|
scratch_reg(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
if (auprobe->defparam.fixups & UPROBE_FIX_RIP_SI)
|
|
return ®s->si;
|
|
if (auprobe->defparam.fixups & UPROBE_FIX_RIP_DI)
|
|
return ®s->di;
|
|
return ®s->bx;
|
|
}
|
|
|
|
/*
|
|
* If we're emulating a rip-relative instruction, save the contents
|
|
* of the scratch register and store the target address in that register.
|
|
*/
|
|
static void riprel_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
if (auprobe->defparam.fixups & UPROBE_FIX_RIP_MASK) {
|
|
struct uprobe_task *utask = current->utask;
|
|
unsigned long *sr = scratch_reg(auprobe, regs);
|
|
|
|
utask->autask.saved_scratch_register = *sr;
|
|
*sr = utask->vaddr + auprobe->defparam.ilen;
|
|
}
|
|
}
|
|
|
|
static void riprel_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
if (auprobe->defparam.fixups & UPROBE_FIX_RIP_MASK) {
|
|
struct uprobe_task *utask = current->utask;
|
|
unsigned long *sr = scratch_reg(auprobe, regs);
|
|
|
|
*sr = utask->autask.saved_scratch_register;
|
|
}
|
|
}
|
|
#else /* 32-bit: */
|
|
/*
|
|
* No RIP-relative addressing on 32-bit
|
|
*/
|
|
static void riprel_analyze(struct arch_uprobe *auprobe, struct insn *insn)
|
|
{
|
|
}
|
|
static void riprel_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
}
|
|
static void riprel_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
}
|
|
#endif /* CONFIG_X86_64 */
|
|
|
|
struct uprobe_xol_ops {
|
|
bool (*emulate)(struct arch_uprobe *, struct pt_regs *);
|
|
int (*pre_xol)(struct arch_uprobe *, struct pt_regs *);
|
|
int (*post_xol)(struct arch_uprobe *, struct pt_regs *);
|
|
void (*abort)(struct arch_uprobe *, struct pt_regs *);
|
|
};
|
|
|
|
static inline int sizeof_long(struct pt_regs *regs)
|
|
{
|
|
/*
|
|
* Check registers for mode as in_xxx_syscall() does not apply here.
|
|
*/
|
|
return user_64bit_mode(regs) ? 8 : 4;
|
|
}
|
|
|
|
static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
riprel_pre_xol(auprobe, regs);
|
|
return 0;
|
|
}
|
|
|
|
static int push_ret_address(struct pt_regs *regs, unsigned long ip)
|
|
{
|
|
unsigned long new_sp = regs->sp - sizeof_long(regs);
|
|
|
|
if (copy_to_user((void __user *)new_sp, &ip, sizeof_long(regs)))
|
|
return -EFAULT;
|
|
|
|
regs->sp = new_sp;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* We have to fix things up as follows:
|
|
*
|
|
* Typically, the new ip is relative to the copied instruction. We need
|
|
* to make it relative to the original instruction (FIX_IP). Exceptions
|
|
* are return instructions and absolute or indirect jump or call instructions.
|
|
*
|
|
* If the single-stepped instruction was a call, the return address that
|
|
* is atop the stack is the address following the copied instruction. We
|
|
* need to make it the address following the original instruction (FIX_CALL).
|
|
*
|
|
* If the original instruction was a rip-relative instruction such as
|
|
* "movl %edx,0xnnnn(%rip)", we have instead executed an equivalent
|
|
* instruction using a scratch register -- e.g., "movl %edx,0xnnnn(%rsi)".
|
|
* We need to restore the contents of the scratch register
|
|
* (FIX_RIP_reg).
|
|
*/
|
|
static int default_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
struct uprobe_task *utask = current->utask;
|
|
|
|
riprel_post_xol(auprobe, regs);
|
|
if (auprobe->defparam.fixups & UPROBE_FIX_IP) {
|
|
long correction = utask->vaddr - utask->xol_vaddr;
|
|
regs->ip += correction;
|
|
} else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) {
|
|
regs->sp += sizeof_long(regs); /* Pop incorrect return address */
|
|
if (push_ret_address(regs, utask->vaddr + auprobe->defparam.ilen))
|
|
return -ERESTART;
|
|
}
|
|
/* popf; tell the caller to not touch TF */
|
|
if (auprobe->defparam.fixups & UPROBE_FIX_SETF)
|
|
utask->autask.saved_tf = true;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void default_abort_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
riprel_post_xol(auprobe, regs);
|
|
}
|
|
|
|
static const struct uprobe_xol_ops default_xol_ops = {
|
|
.pre_xol = default_pre_xol_op,
|
|
.post_xol = default_post_xol_op,
|
|
.abort = default_abort_op,
|
|
};
|
|
|
|
static bool branch_is_call(struct arch_uprobe *auprobe)
|
|
{
|
|
return auprobe->branch.opc1 == 0xe8;
|
|
}
|
|
|
|
#define CASE_COND \
|
|
COND(70, 71, XF(OF)) \
|
|
COND(72, 73, XF(CF)) \
|
|
COND(74, 75, XF(ZF)) \
|
|
COND(78, 79, XF(SF)) \
|
|
COND(7a, 7b, XF(PF)) \
|
|
COND(76, 77, XF(CF) || XF(ZF)) \
|
|
COND(7c, 7d, XF(SF) != XF(OF)) \
|
|
COND(7e, 7f, XF(ZF) || XF(SF) != XF(OF))
|
|
|
|
#define COND(op_y, op_n, expr) \
|
|
case 0x ## op_y: DO((expr) != 0) \
|
|
case 0x ## op_n: DO((expr) == 0)
|
|
|
|
#define XF(xf) (!!(flags & X86_EFLAGS_ ## xf))
|
|
|
|
static bool is_cond_jmp_opcode(u8 opcode)
|
|
{
|
|
switch (opcode) {
|
|
#define DO(expr) \
|
|
return true;
|
|
CASE_COND
|
|
#undef DO
|
|
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
|
|
static bool check_jmp_cond(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
unsigned long flags = regs->flags;
|
|
|
|
switch (auprobe->branch.opc1) {
|
|
#define DO(expr) \
|
|
return expr;
|
|
CASE_COND
|
|
#undef DO
|
|
|
|
default: /* not a conditional jmp */
|
|
return true;
|
|
}
|
|
}
|
|
|
|
#undef XF
|
|
#undef COND
|
|
#undef CASE_COND
|
|
|
|
static bool branch_emulate_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
unsigned long new_ip = regs->ip += auprobe->branch.ilen;
|
|
unsigned long offs = (long)auprobe->branch.offs;
|
|
|
|
if (branch_is_call(auprobe)) {
|
|
/*
|
|
* If it fails we execute this (mangled, see the comment in
|
|
* branch_clear_offset) insn out-of-line. In the likely case
|
|
* this should trigger the trap, and the probed application
|
|
* should die or restart the same insn after it handles the
|
|
* signal, arch_uprobe_post_xol() won't be even called.
|
|
*
|
|
* But there is corner case, see the comment in ->post_xol().
|
|
*/
|
|
if (push_ret_address(regs, new_ip))
|
|
return false;
|
|
} else if (!check_jmp_cond(auprobe, regs)) {
|
|
offs = 0;
|
|
}
|
|
|
|
regs->ip = new_ip + offs;
|
|
return true;
|
|
}
|
|
|
|
static int branch_post_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
BUG_ON(!branch_is_call(auprobe));
|
|
/*
|
|
* We can only get here if branch_emulate_op() failed to push the ret
|
|
* address _and_ another thread expanded our stack before the (mangled)
|
|
* "call" insn was executed out-of-line. Just restore ->sp and restart.
|
|
* We could also restore ->ip and try to call branch_emulate_op() again.
|
|
*/
|
|
regs->sp += sizeof_long(regs);
|
|
return -ERESTART;
|
|
}
|
|
|
|
static void branch_clear_offset(struct arch_uprobe *auprobe, struct insn *insn)
|
|
{
|
|
/*
|
|
* Turn this insn into "call 1f; 1:", this is what we will execute
|
|
* out-of-line if ->emulate() fails. We only need this to generate
|
|
* a trap, so that the probed task receives the correct signal with
|
|
* the properly filled siginfo.
|
|
*
|
|
* But see the comment in ->post_xol(), in the unlikely case it can
|
|
* succeed. So we need to ensure that the new ->ip can not fall into
|
|
* the non-canonical area and trigger #GP.
|
|
*
|
|
* We could turn it into (say) "pushf", but then we would need to
|
|
* divorce ->insn[] and ->ixol[]. We need to preserve the 1st byte
|
|
* of ->insn[] for set_orig_insn().
|
|
*/
|
|
memset(auprobe->insn + insn_offset_immediate(insn),
|
|
0, insn->immediate.nbytes);
|
|
}
|
|
|
|
static const struct uprobe_xol_ops branch_xol_ops = {
|
|
.emulate = branch_emulate_op,
|
|
.post_xol = branch_post_xol_op,
|
|
};
|
|
|
|
/* Returns -ENOSYS if branch_xol_ops doesn't handle this insn */
|
|
static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
|
|
{
|
|
u8 opc1 = OPCODE1(insn);
|
|
insn_byte_t p;
|
|
int i;
|
|
|
|
switch (opc1) {
|
|
case 0xeb: /* jmp 8 */
|
|
case 0xe9: /* jmp 32 */
|
|
break;
|
|
case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */
|
|
goto setup;
|
|
|
|
case 0xe8: /* call relative */
|
|
branch_clear_offset(auprobe, insn);
|
|
break;
|
|
|
|
case 0x0f:
|
|
if (insn->opcode.nbytes != 2)
|
|
return -ENOSYS;
|
|
/*
|
|
* If it is a "near" conditional jmp, OPCODE2() - 0x10 matches
|
|
* OPCODE1() of the "short" jmp which checks the same condition.
|
|
*/
|
|
opc1 = OPCODE2(insn) - 0x10;
|
|
default:
|
|
if (!is_cond_jmp_opcode(opc1))
|
|
return -ENOSYS;
|
|
}
|
|
|
|
/*
|
|
* 16-bit overrides such as CALLW (66 e8 nn nn) are not supported.
|
|
* Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix.
|
|
* No one uses these insns, reject any branch insns with such prefix.
|
|
*/
|
|
for_each_insn_prefix(insn, i, p) {
|
|
if (p == 0x66)
|
|
return -ENOTSUPP;
|
|
}
|
|
|
|
setup:
|
|
auprobe->branch.opc1 = opc1;
|
|
auprobe->branch.ilen = insn->length;
|
|
auprobe->branch.offs = insn->immediate.value;
|
|
|
|
auprobe->ops = &branch_xol_ops;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* arch_uprobe_analyze_insn - instruction analysis including validity and fixups.
|
|
* @mm: the probed address space.
|
|
* @arch_uprobe: the probepoint information.
|
|
* @addr: virtual address at which to install the probepoint
|
|
* Return 0 on success or a -ve number on error.
|
|
*/
|
|
int arch_uprobe_analyze_insn(struct arch_uprobe *auprobe, struct mm_struct *mm, unsigned long addr)
|
|
{
|
|
struct insn insn;
|
|
u8 fix_ip_or_call = UPROBE_FIX_IP;
|
|
int ret;
|
|
|
|
ret = uprobe_init_insn(auprobe, &insn, is_64bit_mm(mm));
|
|
if (ret)
|
|
return ret;
|
|
|
|
ret = branch_setup_xol_ops(auprobe, &insn);
|
|
if (ret != -ENOSYS)
|
|
return ret;
|
|
|
|
/*
|
|
* Figure out which fixups default_post_xol_op() will need to perform,
|
|
* and annotate defparam->fixups accordingly.
|
|
*/
|
|
switch (OPCODE1(&insn)) {
|
|
case 0x9d: /* popf */
|
|
auprobe->defparam.fixups |= UPROBE_FIX_SETF;
|
|
break;
|
|
case 0xc3: /* ret or lret -- ip is correct */
|
|
case 0xcb:
|
|
case 0xc2:
|
|
case 0xca:
|
|
case 0xea: /* jmp absolute -- ip is correct */
|
|
fix_ip_or_call = 0;
|
|
break;
|
|
case 0x9a: /* call absolute - Fix return addr, not ip */
|
|
fix_ip_or_call = UPROBE_FIX_CALL;
|
|
break;
|
|
case 0xff:
|
|
switch (MODRM_REG(&insn)) {
|
|
case 2: case 3: /* call or lcall, indirect */
|
|
fix_ip_or_call = UPROBE_FIX_CALL;
|
|
break;
|
|
case 4: case 5: /* jmp or ljmp, indirect */
|
|
fix_ip_or_call = 0;
|
|
break;
|
|
}
|
|
/* fall through */
|
|
default:
|
|
riprel_analyze(auprobe, &insn);
|
|
}
|
|
|
|
auprobe->defparam.ilen = insn.length;
|
|
auprobe->defparam.fixups |= fix_ip_or_call;
|
|
|
|
auprobe->ops = &default_xol_ops;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* arch_uprobe_pre_xol - prepare to execute out of line.
|
|
* @auprobe: the probepoint information.
|
|
* @regs: reflects the saved user state of current task.
|
|
*/
|
|
int arch_uprobe_pre_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
struct uprobe_task *utask = current->utask;
|
|
|
|
if (auprobe->ops->pre_xol) {
|
|
int err = auprobe->ops->pre_xol(auprobe, regs);
|
|
if (err)
|
|
return err;
|
|
}
|
|
|
|
regs->ip = utask->xol_vaddr;
|
|
utask->autask.saved_trap_nr = current->thread.trap_nr;
|
|
current->thread.trap_nr = UPROBE_TRAP_NR;
|
|
|
|
utask->autask.saved_tf = !!(regs->flags & X86_EFLAGS_TF);
|
|
regs->flags |= X86_EFLAGS_TF;
|
|
if (test_tsk_thread_flag(current, TIF_BLOCKSTEP))
|
|
set_task_blockstep(current, false);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* If xol insn itself traps and generates a signal(Say,
|
|
* SIGILL/SIGSEGV/etc), then detect the case where a singlestepped
|
|
* instruction jumps back to its own address. It is assumed that anything
|
|
* like do_page_fault/do_trap/etc sets thread.trap_nr != -1.
|
|
*
|
|
* arch_uprobe_pre_xol/arch_uprobe_post_xol save/restore thread.trap_nr,
|
|
* arch_uprobe_xol_was_trapped() simply checks that ->trap_nr is not equal to
|
|
* UPROBE_TRAP_NR == -1 set by arch_uprobe_pre_xol().
|
|
*/
|
|
bool arch_uprobe_xol_was_trapped(struct task_struct *t)
|
|
{
|
|
if (t->thread.trap_nr != UPROBE_TRAP_NR)
|
|
return true;
|
|
|
|
return false;
|
|
}
|
|
|
|
/*
|
|
* Called after single-stepping. To avoid the SMP problems that can
|
|
* occur when we temporarily put back the original opcode to
|
|
* single-step, we single-stepped a copy of the instruction.
|
|
*
|
|
* This function prepares to resume execution after the single-step.
|
|
*/
|
|
int arch_uprobe_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
struct uprobe_task *utask = current->utask;
|
|
bool send_sigtrap = utask->autask.saved_tf;
|
|
int err = 0;
|
|
|
|
WARN_ON_ONCE(current->thread.trap_nr != UPROBE_TRAP_NR);
|
|
current->thread.trap_nr = utask->autask.saved_trap_nr;
|
|
|
|
if (auprobe->ops->post_xol) {
|
|
err = auprobe->ops->post_xol(auprobe, regs);
|
|
if (err) {
|
|
/*
|
|
* Restore ->ip for restart or post mortem analysis.
|
|
* ->post_xol() must not return -ERESTART unless this
|
|
* is really possible.
|
|
*/
|
|
regs->ip = utask->vaddr;
|
|
if (err == -ERESTART)
|
|
err = 0;
|
|
send_sigtrap = false;
|
|
}
|
|
}
|
|
/*
|
|
* arch_uprobe_pre_xol() doesn't save the state of TIF_BLOCKSTEP
|
|
* so we can get an extra SIGTRAP if we do not clear TF. We need
|
|
* to examine the opcode to make it right.
|
|
*/
|
|
if (send_sigtrap)
|
|
send_sig(SIGTRAP, current, 0);
|
|
|
|
if (!utask->autask.saved_tf)
|
|
regs->flags &= ~X86_EFLAGS_TF;
|
|
|
|
return err;
|
|
}
|
|
|
|
/* callback routine for handling exceptions. */
|
|
int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val, void *data)
|
|
{
|
|
struct die_args *args = data;
|
|
struct pt_regs *regs = args->regs;
|
|
int ret = NOTIFY_DONE;
|
|
|
|
/* We are only interested in userspace traps */
|
|
if (regs && !user_mode(regs))
|
|
return NOTIFY_DONE;
|
|
|
|
switch (val) {
|
|
case DIE_INT3:
|
|
if (uprobe_pre_sstep_notifier(regs))
|
|
ret = NOTIFY_STOP;
|
|
|
|
break;
|
|
|
|
case DIE_DEBUG:
|
|
if (uprobe_post_sstep_notifier(regs))
|
|
ret = NOTIFY_STOP;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* This function gets called when XOL instruction either gets trapped or
|
|
* the thread has a fatal signal. Reset the instruction pointer to its
|
|
* probed address for the potential restart or for post mortem analysis.
|
|
*/
|
|
void arch_uprobe_abort_xol(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
struct uprobe_task *utask = current->utask;
|
|
|
|
if (auprobe->ops->abort)
|
|
auprobe->ops->abort(auprobe, regs);
|
|
|
|
current->thread.trap_nr = utask->autask.saved_trap_nr;
|
|
regs->ip = utask->vaddr;
|
|
/* clear TF if it was set by us in arch_uprobe_pre_xol() */
|
|
if (!utask->autask.saved_tf)
|
|
regs->flags &= ~X86_EFLAGS_TF;
|
|
}
|
|
|
|
static bool __skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
if (auprobe->ops->emulate)
|
|
return auprobe->ops->emulate(auprobe, regs);
|
|
return false;
|
|
}
|
|
|
|
bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
|
|
{
|
|
bool ret = __skip_sstep(auprobe, regs);
|
|
if (ret && (regs->flags & X86_EFLAGS_TF))
|
|
send_sig(SIGTRAP, current, 0);
|
|
return ret;
|
|
}
|
|
|
|
unsigned long
|
|
arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs)
|
|
{
|
|
int rasize = sizeof_long(regs), nleft;
|
|
unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */
|
|
|
|
if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize))
|
|
return -1;
|
|
|
|
/* check whether address has been already hijacked */
|
|
if (orig_ret_vaddr == trampoline_vaddr)
|
|
return orig_ret_vaddr;
|
|
|
|
nleft = copy_to_user((void __user *)regs->sp, &trampoline_vaddr, rasize);
|
|
if (likely(!nleft))
|
|
return orig_ret_vaddr;
|
|
|
|
if (nleft != rasize) {
|
|
pr_err("uprobe: return address clobbered: pid=%d, %%sp=%#lx, "
|
|
"%%ip=%#lx\n", current->pid, regs->sp, regs->ip);
|
|
|
|
force_sig(SIGSEGV, current);
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
|
|
struct pt_regs *regs)
|
|
{
|
|
if (ctx == RP_CHECK_CALL) /* sp was just decremented by "call" insn */
|
|
return regs->sp < ret->stack;
|
|
else
|
|
return regs->sp <= ret->stack;
|
|
}
|