~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,6 +1,6 @@
1	1	/*
2		- * umip.c Emulation for instruction protected by the Intel User-Mode
3		- * Instruction Prevention feature
	2	+ * umip.c Emulation for instruction protected by the User-Mode Instruction
	3	+ * Prevention feature
4	4	*
5	5	* Copyright (c) 2017, Intel Corporation.
6	6	* Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
..	..	@@ -18,10 +18,10 @@
18	18
19	19	/** DOC: Emulation for User-Mode Instruction Prevention (UMIP)
20	20	*
21		- * The feature User-Mode Instruction Prevention present in recent Intel
22		- * processor prevents a group of instructions (sgdt, sidt, sldt, smsw, and str)
23		- * from being executed with CPL > 0. Otherwise, a general protection fault is
24		- * issued.
	21	+ * User-Mode Instruction Prevention is a security feature present in recent
	22	+ * x86 processors that, when enabled, prevents a group of instructions (SGDT,
	23	+ * SIDT, SLDT, SMSW and STR) from being run in user mode by issuing a general
	24	+ * protection fault if the instruction is executed with CPL > 0.
25	25	*
26	26	* Rather than relaying to the user space the general protection fault caused by
27	27	* the UMIP-protected instructions (in the form of a SIGSEGV signal), it can be
..	..	@@ -36,8 +36,8 @@
36	36	* DOSEMU2) rely on this subset of instructions to function.
37	37	*
38	38	* The instructions protected by UMIP can be split in two groups. Those which
39		- * return a kernel memory address (sgdt and sidt) and those which return a
40		- * value (sldt, str and smsw).
	39	+ * return a kernel memory address (SGDT and SIDT) and those which return a
	40	+ * value (SLDT, STR and SMSW).
41	41	*
42	42	* For the instructions that return a kernel memory address, applications
43	43	* such as WineHQ rely on the result being located in the kernel memory space,
..	..	@@ -45,15 +45,14 @@
45	45	* value that, lies close to the top of the kernel memory. The limit for the GDT
46	46	* and the IDT are set to zero.
47	47	*
48		- * Given that sldt and str are not commonly used in programs that run on WineHQ
49		- * or DOSEMU2, they are not emulated.
50		- *
51		- * The instruction smsw is emulated to return the value that the register CR0
	48	+ * The instruction SMSW is emulated to return the value that the register CR0
52	49	* has at boot time as set in the head_32.
	50	+ * SLDT and STR are emulated to return the values that the kernel programmatically
	51	+ * assigns:
	52	+ * - SLDT returns (GDT_ENTRY_LDT * 8) if an LDT has been set, 0 if not.
	53	+ * - STR returns (GDT_ENTRY_TSS * 8).
53	54	*
54		- * Also, emulation is provided only for 32-bit processes; 64-bit processes
55		- * that attempt to use the instructions that UMIP protects will receive the
56		- * SIGSEGV signal issued as a consequence of the general protection fault.
	55	+ * Emulation is provided for both 32-bit and 64-bit processes.
57	56	*
58	57	* Care is taken to appropriately emulate the results when segmentation is
59	58	* used. That is, rather than relying on USER_DS and USER_CS, the function
..	..	@@ -63,17 +62,18 @@
63	62	* application uses a local descriptor table.
64	63	*/
65	64
66		-#define UMIP_DUMMY_GDT_BASE 0xfffe0000
67		-#define UMIP_DUMMY_IDT_BASE 0xffff0000
	65	+#define UMIP_DUMMY_GDT_BASE 0xfffffffffffe0000ULL
	66	+#define UMIP_DUMMY_IDT_BASE 0xffffffffffff0000ULL
68	67
69	68	/*
70	69	* The SGDT and SIDT instructions store the contents of the global descriptor
71	70	* table and interrupt table registers, respectively. The destination is a
72	71	* memory operand of X+2 bytes. X bytes are used to store the base address of
73		- * the table and 2 bytes are used to store the limit. In 32-bit processes, the
74		- * only processes for which emulation is provided, X has a value of 4.
	72	+ * the table and 2 bytes are used to store the limit. In 32-bit processes X
	73	+ * has a value of 4, in 64-bit processes X has a value of 8.
75	74	*/
76		-#define UMIP_GDT_IDT_BASE_SIZE 4
	75	+#define UMIP_GDT_IDT_BASE_SIZE_64BIT 8
	76	+#define UMIP_GDT_IDT_BASE_SIZE_32BIT 4
77	77	#define UMIP_GDT_IDT_LIMIT_SIZE 2
78	78
79	79	#define UMIP_INST_SGDT 0 /* 0F 01 /0 */
..	..	@@ -82,7 +82,7 @@
82	82	#define UMIP_INST_SLDT 3 /* 0F 00 /0 */
83	83	#define UMIP_INST_STR 4 /* 0F 00 /1 */
84	84
85		-const char * const umip_insns[5] = {
	85	+static const char * const umip_insns[5] = {
86	86	[UMIP_INST_SGDT] = "SGDT",
87	87	[UMIP_INST_SIDT] = "SIDT",
88	88	[UMIP_INST_SMSW] = "SMSW",
..	..	@@ -92,7 +92,7 @@
92	92
93	93	#define umip_pr_err(regs, fmt, ...) \
94	94	umip_printk(regs, KERN_ERR, fmt, ##__VA_ARGS__)
95		-#define umip_pr_warning(regs, fmt, ...) \
	95	+#define umip_pr_warn(regs, fmt, ...) \
96	96	umip_printk(regs, KERN_WARNING, fmt, ##__VA_ARGS__)
97	97
98	98	/**
..	..	@@ -189,6 +189,7 @@
189	189	* @umip_inst: A constant indicating the instruction to emulate
190	190	* @data: Buffer into which the dummy result is stored
191	191	* @data_size: Size of the emulated result
	192	+ * @x86_64: true if process is 64-bit, false otherwise
192	193	*
193	194	* Emulate an instruction protected by UMIP and provide a dummy result. The
194	195	* result of the emulation is saved in @data. The size of the results depends
..	..	@@ -202,11 +203,8 @@
202	203	* 0 on success, -EINVAL on error while emulating.
203	204	*/
204	205	static int emulate_umip_insn(struct insn *insn, int umip_inst,
205		- unsigned char data, int data_size)
	206	+ unsigned char data, int data_size, bool x86_64)
206	207	{
207		- unsigned long dummy_base_addr, dummy_value;
208		- unsigned short dummy_limit = 0;
209		-
210	208	if (!data \|\| !data_size \|\| !insn)
211	209	return -EINVAL;
212	210	/*
..	..	@@ -219,6 +217,9 @@
219	217	* is always returned irrespective of the operand size.
220	218	*/
221	219	if (umip_inst == UMIP_INST_SGDT \|\| umip_inst == UMIP_INST_SIDT) {
	220	+ u64 dummy_base_addr;
	221	+ u16 dummy_limit = 0;
	222	+
222	223	/* SGDT and SIDT do not use registers operands. */
223	224	if (X86_MODRM_MOD(insn->modrm.value) == 3)
224	225	return -EINVAL;
..	..	@@ -228,21 +229,50 @@
228	229	else
229	230	dummy_base_addr = UMIP_DUMMY_IDT_BASE;
230	231
231		- *data_size = UMIP_GDT_IDT_LIMIT_SIZE + UMIP_GDT_IDT_BASE_SIZE;
	232	+ /*
	233	+ * 64-bit processes use the entire dummy base address.
	234	+ * 32-bit processes use the lower 32 bits of the base address.
	235	+ * dummy_base_addr is always 64 bits, but we memcpy the correct
	236	+ * number of bytes from it to the destination.
	237	+ */
	238	+ if (x86_64)
	239	+ *data_size = UMIP_GDT_IDT_BASE_SIZE_64BIT;
	240	+ else
	241	+ *data_size = UMIP_GDT_IDT_BASE_SIZE_32BIT;
232	242
233		- memcpy(data + 2, &dummy_base_addr, UMIP_GDT_IDT_BASE_SIZE);
	243	+ memcpy(data + 2, &dummy_base_addr, *data_size);
	244	+
	245	+ *data_size += UMIP_GDT_IDT_LIMIT_SIZE;
234	246	memcpy(data, &dummy_limit, UMIP_GDT_IDT_LIMIT_SIZE);
235	247
236		- } else if (umip_inst == UMIP_INST_SMSW) {
237		- dummy_value = CR0_STATE;
	248	+ } else if (umip_inst == UMIP_INST_SMSW \|\| umip_inst == UMIP_INST_SLDT \|\|
	249	+ umip_inst == UMIP_INST_STR) {
	250	+ unsigned long dummy_value;
	251	+
	252	+ if (umip_inst == UMIP_INST_SMSW) {
	253	+ dummy_value = CR0_STATE;
	254	+ } else if (umip_inst == UMIP_INST_STR) {
	255	+ dummy_value = GDT_ENTRY_TSS * 8;
	256	+ } else if (umip_inst == UMIP_INST_SLDT) {
	257	+#ifdef CONFIG_MODIFY_LDT_SYSCALL
	258	+ down_read(&current->mm->context.ldt_usr_sem);
	259	+ if (current->mm->context.ldt)
	260	+ dummy_value = GDT_ENTRY_LDT * 8;
	261	+ else
	262	+ dummy_value = 0;
	263	+ up_read(&current->mm->context.ldt_usr_sem);
	264	+#else
	265	+ dummy_value = 0;
	266	+#endif
	267	+ }
238	268
239	269	/*
240		- * Even though the CR0 register has 4 bytes, the number
	270	+ * For these 3 instructions, the number
241	271	* of bytes to be copied in the result buffer is determined
242	272	* by whether the operand is a register or a memory location.
243	273	* If operand is a register, return as many bytes as the operand
244	274	* size. If operand is memory, return only the two least
245		- * siginificant bytes of CR0.
	275	+ * siginificant bytes.
246	276	*/
247	277	if (X86_MODRM_MOD(insn->modrm.value) == 3)
248	278	*data_size = insn->opnd_bytes;
..	..	@@ -250,7 +280,6 @@
250	280	*data_size = 2;
251	281
252	282	memcpy(data, &dummy_value, *data_size);
253		- /* STR and SLDT are not emulated */
254	283	} else {
255	284	return -EINVAL;
256	285	}
..	..	@@ -271,19 +300,13 @@
271	300	*/
272	301	static void force_sig_info_umip_fault(void __user addr, struct pt_regs regs)
273	302	{
274		- siginfo_t info;
275	303	struct task_struct *tsk = current;
276	304
277	305	tsk->thread.cr2 = (unsigned long)addr;
278	306	tsk->thread.error_code = X86_PF_USER \| X86_PF_WRITE;
279	307	tsk->thread.trap_nr = X86_TRAP_PF;
280	308
281		- clear_siginfo(&info);
282		- info.si_signo = SIGSEGV;
283		- info.si_errno = 0;
284		- info.si_code = SEGV_MAPERR;
285		- info.si_addr = addr;
286		- force_sig_info(SIGSEGV, &info, tsk);
	309	+ force_sig_fault(SIGSEGV, SEGV_MAPERR, addr);
287	310
288	311	if (!(show_unhandled_signals && unhandled_signal(tsk, SIGSEGV)))
289	312	return;
..	..	@@ -296,11 +319,10 @@
296	319	* fixup_umip_exception() - Fixup a general protection fault caused by UMIP
297	320	* @regs: Registers as saved when entering the #GP handler
298	321	*
299		- * The instructions sgdt, sidt, str, smsw, sldt cause a general protection
300		- * fault if executed with CPL > 0 (i.e., from user space). If the offending
301		- * user-space process is not in long mode, this function fixes the exception
302		- * up and provides dummy results for sgdt, sidt and smsw; str and sldt are not
303		- * fixed up. Also long mode user-space processes are not fixed up.
	322	+ * The instructions SGDT, SIDT, STR, SMSW and SLDT cause a general protection
	323	+ * fault if executed with CPL > 0 (i.e., from user space). This function fixes
	324	+ * the exception up and provides dummy results for SGDT, SIDT and SMSW; STR
	325	+ * and SLDT are not fixed up.
304	326	*
305	327	* If operands are memory addresses, results are copied to user-space memory as
306	328	* indicated by the instruction pointed by eIP using the registers indicated in
..	..	@@ -313,79 +335,41 @@
313	335	*/
314	336	bool fixup_umip_exception(struct pt_regs *regs)
315	337	{
316		- int not_copied, nr_copied, reg_offset, dummy_data_size, umip_inst;
317		- unsigned long seg_base = 0, *reg_addr;
	338	+ int nr_copied, reg_offset, dummy_data_size, umip_inst;
318	339	/* 10 bytes is the maximum size of the result of UMIP instructions */
319	340	unsigned char dummy_data[10] = { 0 };
320	341	unsigned char buf[MAX_INSN_SIZE];
	342	+ unsigned long *reg_addr;
321	343	void __user *uaddr;
322	344	struct insn insn;
323		- int seg_defs;
324	345
325	346	if (!regs)
326	347	return false;
327	348
328		- /*
329		- * If not in user-space long mode, a custom code segment could be in
330		- * use. This is true in protected mode (if the process defined a local
331		- * descriptor table), or virtual-8086 mode. In most of the cases
332		- * seg_base will be zero as in USER_CS.
333		- */
334		- if (!user_64bit_mode(regs))
335		- seg_base = insn_get_seg_base(regs, INAT_SEG_REG_CS);
336		-
337		- if (seg_base == -1L)
338		- return false;
339		-
340		- not_copied = copy_from_user(buf, (void __user *)(seg_base + regs->ip),
341		- sizeof(buf));
342		- nr_copied = sizeof(buf) - not_copied;
	349	+ nr_copied = insn_fetch_from_user(regs, buf);
343	350
344	351	/*
345		- * The copy_from_user above could have failed if user code is protected
346		- * by a memory protection key. Give up on emulation in such a case.
347		- * Should we issue a page fault?
	352	+ * The insn_fetch_from_user above could have failed if user code
	353	+ * is protected by a memory protection key. Give up on emulation
	354	+ * in such a case. Should we issue a page fault?
348	355	*/
349	356	if (!nr_copied)
350	357	return false;
351	358
352		- insn_init(&insn, buf, nr_copied, user_64bit_mode(regs));
353		-
354		- /*
355		- * Override the default operand and address sizes with what is specified
356		- * in the code segment descriptor. The instruction decoder only sets
357		- * the address size it to either 4 or 8 address bytes and does nothing
358		- * for the operand bytes. This OK for most of the cases, but we could
359		- * have special cases where, for instance, a 16-bit code segment
360		- * descriptor is used.
361		- * If there is an address override prefix, the instruction decoder
362		- * correctly updates these values, even for 16-bit defaults.
363		- */
364		- seg_defs = insn_get_code_seg_params(regs);
365		- if (seg_defs == -EINVAL)
366		- return false;
367		-
368		- insn.addr_bytes = INSN_CODE_SEG_ADDR_SZ(seg_defs);
369		- insn.opnd_bytes = INSN_CODE_SEG_OPND_SZ(seg_defs);
370		-
371		- insn_get_length(&insn);
372		- if (nr_copied < insn.length)
	359	+ if (!insn_decode_from_regs(&insn, regs, buf, nr_copied))
373	360	return false;
374	361
375	362	umip_inst = identify_insn(&insn);
376	363	if (umip_inst < 0)
377	364	return false;
378	365
379		- umip_pr_warning(regs, "%s instruction cannot be used by applications.\n",
	366	+ umip_pr_warn(regs, "%s instruction cannot be used by applications.\n",
380	367	umip_insns[umip_inst]);
381	368
382		- /* Do not emulate SLDT, STR or user long mode processes. */
383		- if (umip_inst == UMIP_INST_STR \|\| umip_inst == UMIP_INST_SLDT \|\| user_64bit_mode(regs))
384		- return false;
	369	+ umip_pr_warn(regs, "For now, expensive software emulation returns the result.\n");
385	370
386		- umip_pr_warning(regs, "For now, expensive software emulation returns the result.\n");
387		-
388		- if (emulate_umip_insn(&insn, umip_inst, dummy_data, &dummy_data_size))
	371	+ if (emulate_umip_insn(&insn, umip_inst, dummy_data, &dummy_data_size,
	372	+ user_64bit_mode(regs)))
389	373	return false;
390	374
391	375	/*