arm/probes/decode.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * arch/arm/probes/decode.c
0004  *
0005  * Copyright (C) 2011 Jon Medhurst <tixy@yxit.co.uk>.
0006  *
0007  * Some contents moved here from arch/arm/include/asm/kprobes-arm.c which is
0008  * Copyright (C) 2006, 2007 Motorola Inc.
0009  */
0010
0011 #include <linux/kernel.h>
0012 #include <linux/types.h>
0013 #include <asm/system_info.h>
0014 #include <asm/ptrace.h>
0015 #include <linux/bug.h>
0016
0017 #include "decode.h"
0018
0019
0020 #ifndef find_str_pc_offset
0021
0022 /*
0023  * For STR and STM instructions, an ARM core may choose to use either
0024  * a +8 or a +12 displacement from the current instruction's address.
0025  * Whichever value is chosen for a given core, it must be the same for
0026  * both instructions and may not change.  This function measures it.
0027  */
0028
0029 int str_pc_offset;
0030
0031 void __init find_str_pc_offset(void)
0032 {
0033     int addr, scratch, ret;
0034
0035     __asm__ (
0036         "sub    %[ret], pc, #4      \n\t"
0037         "str    pc, %[addr]     \n\t"
0038         "ldr    %[scr], %[addr]     \n\t"
0039         "sub    %[ret], %[scr], %[ret]  \n\t"
0040         : [ret] "=r" (ret), [scr] "=r" (scratch), [addr] "+m" (addr));
0041
0042     str_pc_offset = ret;
0043 }
0044
0045 #endif /* !find_str_pc_offset */
0046
0047
0048 #ifndef test_load_write_pc_interworking
0049
0050 bool load_write_pc_interworks;
0051
0052 void __init test_load_write_pc_interworking(void)
0053 {
0054     int arch = cpu_architecture();
0055     BUG_ON(arch == CPU_ARCH_UNKNOWN);
0056     load_write_pc_interworks = arch >= CPU_ARCH_ARMv5T;
0057 }
0058
0059 #endif /* !test_load_write_pc_interworking */
0060
0061
0062 #ifndef test_alu_write_pc_interworking
0063
0064 bool alu_write_pc_interworks;
0065
0066 void __init test_alu_write_pc_interworking(void)
0067 {
0068     int arch = cpu_architecture();
0069     BUG_ON(arch == CPU_ARCH_UNKNOWN);
0070     alu_write_pc_interworks = arch >= CPU_ARCH_ARMv7;
0071 }
0072
0073 #endif /* !test_alu_write_pc_interworking */
0074
0075
0076 void __init arm_probes_decode_init(void)
0077 {
0078     find_str_pc_offset();
0079     test_load_write_pc_interworking();
0080     test_alu_write_pc_interworking();
0081 }
0082
0083
0084 static unsigned long __kprobes __check_eq(unsigned long cpsr)
0085 {
0086     return cpsr & PSR_Z_BIT;
0087 }
0088
0089 static unsigned long __kprobes __check_ne(unsigned long cpsr)
0090 {
0091     return (~cpsr) & PSR_Z_BIT;
0092 }
0093
0094 static unsigned long __kprobes __check_cs(unsigned long cpsr)
0095 {
0096     return cpsr & PSR_C_BIT;
0097 }
0098
0099 static unsigned long __kprobes __check_cc(unsigned long cpsr)
0100 {
0101     return (~cpsr) & PSR_C_BIT;
0102 }
0103
0104 static unsigned long __kprobes __check_mi(unsigned long cpsr)
0105 {
0106     return cpsr & PSR_N_BIT;
0107 }
0108
0109 static unsigned long __kprobes __check_pl(unsigned long cpsr)
0110 {
0111     return (~cpsr) & PSR_N_BIT;
0112 }
0113
0114 static unsigned long __kprobes __check_vs(unsigned long cpsr)
0115 {
0116     return cpsr & PSR_V_BIT;
0117 }
0118
0119 static unsigned long __kprobes __check_vc(unsigned long cpsr)
0120 {
0121     return (~cpsr) & PSR_V_BIT;
0122 }
0123
0124 static unsigned long __kprobes __check_hi(unsigned long cpsr)
0125 {
0126     cpsr &= ~(cpsr >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
0127     return cpsr & PSR_C_BIT;
0128 }
0129
0130 static unsigned long __kprobes __check_ls(unsigned long cpsr)
0131 {
0132     cpsr &= ~(cpsr >> 1); /* PSR_C_BIT &= ~PSR_Z_BIT */
0133     return (~cpsr) & PSR_C_BIT;
0134 }
0135
0136 static unsigned long __kprobes __check_ge(unsigned long cpsr)
0137 {
0138     cpsr ^= (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
0139     return (~cpsr) & PSR_N_BIT;
0140 }
0141
0142 static unsigned long __kprobes __check_lt(unsigned long cpsr)
0143 {
0144     cpsr ^= (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
0145     return cpsr & PSR_N_BIT;
0146 }
0147
0148 static unsigned long __kprobes __check_gt(unsigned long cpsr)
0149 {
0150     unsigned long temp = cpsr ^ (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
0151     temp |= (cpsr << 1);             /* PSR_N_BIT |= PSR_Z_BIT */
0152     return (~temp) & PSR_N_BIT;
0153 }
0154
0155 static unsigned long __kprobes __check_le(unsigned long cpsr)
0156 {
0157     unsigned long temp = cpsr ^ (cpsr << 3); /* PSR_N_BIT ^= PSR_V_BIT */
0158     temp |= (cpsr << 1);             /* PSR_N_BIT |= PSR_Z_BIT */
0159     return temp & PSR_N_BIT;
0160 }
0161
0162 static unsigned long __kprobes __check_al(unsigned long cpsr)
0163 {
0164     return true;
0165 }
0166
0167 probes_check_cc * const probes_condition_checks[16] = {
0168     &__check_eq, &__check_ne, &__check_cs, &__check_cc,
0169     &__check_mi, &__check_pl, &__check_vs, &__check_vc,
0170     &__check_hi, &__check_ls, &__check_ge, &__check_lt,
0171     &__check_gt, &__check_le, &__check_al, &__check_al
0172 };
0173
0174
0175 void __kprobes probes_simulate_nop(probes_opcode_t opcode,
0176     struct arch_probes_insn *asi,
0177     struct pt_regs *regs)
0178 {
0179 }
0180
0181 void __kprobes probes_emulate_none(probes_opcode_t opcode,
0182     struct arch_probes_insn *asi,
0183     struct pt_regs *regs)
0184 {
0185     asi->insn_fn();
0186 }
0187
0188 /*
0189  * Prepare an instruction slot to receive an instruction for emulating.
0190  * This is done by placing a subroutine return after the location where the
0191  * instruction will be placed. We also modify ARM instructions to be
0192  * unconditional as the condition code will already be checked before any
0193  * emulation handler is called.
0194  */
0195 static probes_opcode_t __kprobes
0196 prepare_emulated_insn(probes_opcode_t insn, struct arch_probes_insn *asi,
0197               bool thumb)
0198 {
0199 #ifdef CONFIG_THUMB2_KERNEL
0200     if (thumb) {
0201         u16 *thumb_insn = (u16 *)asi->insn;
0202         /* Thumb bx lr */
0203         thumb_insn[1] = __opcode_to_mem_thumb16(0x4770);
0204         thumb_insn[2] = __opcode_to_mem_thumb16(0x4770);
0205         return insn;
0206     }
0207     asi->insn[1] = __opcode_to_mem_arm(0xe12fff1e); /* ARM bx lr */
0208 #else
0209     asi->insn[1] = __opcode_to_mem_arm(0xe1a0f00e); /* mov pc, lr */
0210 #endif
0211     /* Make an ARM instruction unconditional */
0212     if (insn < 0xe0000000)
0213         insn = (insn | 0xe0000000) & ~0x10000000;
0214     return insn;
0215 }
0216
0217 /*
0218  * Write a (probably modified) instruction into the slot previously prepared by
0219  * prepare_emulated_insn
0220  */
0221 static void  __kprobes
0222 set_emulated_insn(probes_opcode_t insn, struct arch_probes_insn *asi,
0223           bool thumb)
0224 {
0225 #ifdef CONFIG_THUMB2_KERNEL
0226     if (thumb) {
0227         u16 *ip = (u16 *)asi->insn;
0228         if (is_wide_instruction(insn))
0229             *ip++ = __opcode_to_mem_thumb16(insn >> 16);
0230         *ip++ = __opcode_to_mem_thumb16(insn);
0231         return;
0232     }
0233 #endif
0234     asi->insn[0] = __opcode_to_mem_arm(insn);
0235 }
0236
0237 /*
0238  * When we modify the register numbers encoded in an instruction to be emulated,
0239  * the new values come from this define. For ARM and 32-bit Thumb instructions
0240  * this gives...
0241  *
0242  *  bit position      16  12   8   4   0
0243  *  ---------------+---+---+---+---+---+
0244  *  register     r2  r0  r1  --  r3
0245  */
0246 #define INSN_NEW_BITS       0x00020103
0247
0248 /* Each nibble has same value as that at INSN_NEW_BITS bit 16 */
0249 #define INSN_SAMEAS16_BITS  0x22222222
0250
0251 /*
0252  * Validate and modify each of the registers encoded in an instruction.
0253  *
0254  * Each nibble in regs contains a value from enum decode_reg_type. For each
0255  * non-zero value, the corresponding nibble in pinsn is validated and modified
0256  * according to the type.
0257  */
0258 static bool __kprobes decode_regs(probes_opcode_t *pinsn, u32 regs, bool modify)
0259 {
0260     probes_opcode_t insn = *pinsn;
0261     probes_opcode_t mask = 0xf; /* Start at least significant nibble */
0262
0263     for (; regs != 0; regs >>= 4, mask <<= 4) {
0264
0265         probes_opcode_t new_bits = INSN_NEW_BITS;
0266
0267         switch (regs & 0xf) {
0268
0269         case REG_TYPE_NONE:
0270             /* Nibble not a register, skip to next */
0271             continue;
0272
0273         case REG_TYPE_ANY:
0274             /* Any register is allowed */
0275             break;
0276
0277         case REG_TYPE_SAMEAS16:
0278             /* Replace register with same as at bit position 16 */
0279             new_bits = INSN_SAMEAS16_BITS;
0280             break;
0281
0282         case REG_TYPE_SP:
0283             /* Only allow SP (R13) */
0284             if ((insn ^ 0xdddddddd) & mask)
0285                 goto reject;
0286             break;
0287
0288         case REG_TYPE_PC:
0289             /* Only allow PC (R15) */
0290             if ((insn ^ 0xffffffff) & mask)
0291                 goto reject;
0292             break;
0293
0294         case REG_TYPE_NOSP:
0295             /* Reject SP (R13) */
0296             if (((insn ^ 0xdddddddd) & mask) == 0)
0297                 goto reject;
0298             break;
0299
0300         case REG_TYPE_NOSPPC:
0301         case REG_TYPE_NOSPPCX:
0302             /* Reject SP and PC (R13 and R15) */
0303             if (((insn ^ 0xdddddddd) & 0xdddddddd & mask) == 0)
0304                 goto reject;
0305             break;
0306
0307         case REG_TYPE_NOPCWB:
0308             if (!is_writeback(insn))
0309                 break; /* No writeback, so any register is OK */
0310             fallthrough;
0311         case REG_TYPE_NOPC:
0312         case REG_TYPE_NOPCX:
0313             /* Reject PC (R15) */
0314             if (((insn ^ 0xffffffff) & mask) == 0)
0315                 goto reject;
0316             break;
0317         }
0318
0319         /* Replace value of nibble with new register number... */
0320         insn &= ~mask;
0321         insn |= new_bits & mask;
0322     }
0323
0324     if (modify)
0325         *pinsn = insn;
0326
0327     return true;
0328
0329 reject:
0330     return false;
0331 }
0332
0333 static const int decode_struct_sizes[NUM_DECODE_TYPES] = {
0334     [DECODE_TYPE_TABLE] = sizeof(struct decode_table),
0335     [DECODE_TYPE_CUSTOM]    = sizeof(struct decode_custom),
0336     [DECODE_TYPE_SIMULATE]  = sizeof(struct decode_simulate),
0337     [DECODE_TYPE_EMULATE]   = sizeof(struct decode_emulate),
0338     [DECODE_TYPE_OR]    = sizeof(struct decode_or),
0339     [DECODE_TYPE_REJECT]    = sizeof(struct decode_reject)
0340 };
0341
0342 static int run_checkers(const struct decode_checker *checkers[],
0343         int action, probes_opcode_t insn,
0344         struct arch_probes_insn *asi,
0345         const struct decode_header *h)
0346 {
0347     const struct decode_checker **p;
0348
0349     if (!checkers)
0350         return INSN_GOOD;
0351
0352     p = checkers;
0353     while (*p != NULL) {
0354         int retval;
0355         probes_check_t *checker_func = (*p)[action].checker;
0356
0357         retval = INSN_GOOD;
0358         if (checker_func)
0359             retval = checker_func(insn, asi, h);
0360         if (retval == INSN_REJECTED)
0361             return retval;
0362         p++;
0363     }
0364     return INSN_GOOD;
0365 }
0366
0367 /*
0368  * probes_decode_insn operates on data tables in order to decode an ARM
0369  * architecture instruction onto which a kprobe has been placed.
0370  *
0371  * These instruction decoding tables are a concatenation of entries each
0372  * of which consist of one of the following structs:
0373  *
0374  *  decode_table
0375  *  decode_custom
0376  *  decode_simulate
0377  *  decode_emulate
0378  *  decode_or
0379  *  decode_reject
0380  *
0381  * Each of these starts with a struct decode_header which has the following
0382  * fields:
0383  *
0384  *  type_regs
0385  *  mask
0386  *  value
0387  *
0388  * The least significant DECODE_TYPE_BITS of type_regs contains a value
0389  * from enum decode_type, this indicates which of the decode_* structs
0390  * the entry contains. The value DECODE_TYPE_END indicates the end of the
0391  * table.
0392  *
0393  * When the table is parsed, each entry is checked in turn to see if it
0394  * matches the instruction to be decoded using the test:
0395  *
0396  *  (insn & mask) == value
0397  *
0398  * If no match is found before the end of the table is reached then decoding
0399  * fails with INSN_REJECTED.
0400  *
0401  * When a match is found, decode_regs() is called to validate and modify each
0402  * of the registers encoded in the instruction; the data it uses to do this
0403  * is (type_regs >> DECODE_TYPE_BITS). A validation failure will cause decoding
0404  * to fail with INSN_REJECTED.
0405  *
0406  * Once the instruction has passed the above tests, further processing
0407  * depends on the type of the table entry's decode struct.
0408  *
0409  */
0410 int __kprobes
0411 probes_decode_insn(probes_opcode_t insn, struct arch_probes_insn *asi,
0412            const union decode_item *table, bool thumb,
0413            bool emulate, const union decode_action *actions,
0414            const struct decode_checker *checkers[])
0415 {
0416     const struct decode_header *h = (struct decode_header *)table;
0417     const struct decode_header *next;
0418     bool matched = false;
0419     /*
0420      * @insn can be modified by decode_regs. Save its original
0421      * value for checkers.
0422      */
0423     probes_opcode_t origin_insn = insn;
0424
0425     /*
0426      * stack_space is initialized to 0 here. Checker functions
0427      * should update is value if they find this is a stack store
0428      * instruction: positive value means bytes of stack usage,
0429      * negitive value means unable to determine stack usage
0430      * statically. For instruction doesn't store to stack, checker
0431      * do nothing with it.
0432      */
0433     asi->stack_space = 0;
0434
0435     /*
0436      * Similarly to stack_space, register_usage_flags is filled by
0437      * checkers. Its default value is set to ~0, which is 'all
0438      * registers are used', to prevent any potential optimization.
0439      */
0440     asi->register_usage_flags = ~0UL;
0441
0442     if (emulate)
0443         insn = prepare_emulated_insn(insn, asi, thumb);
0444
0445     for (;; h = next) {
0446         enum decode_type type = h->type_regs.bits & DECODE_TYPE_MASK;
0447         u32 regs = h->type_regs.bits >> DECODE_TYPE_BITS;
0448
0449         if (type == DECODE_TYPE_END)
0450             return INSN_REJECTED;
0451
0452         next = (struct decode_header *)
0453                 ((uintptr_t)h + decode_struct_sizes[type]);
0454
0455         if (!matched && (insn & h->mask.bits) != h->value.bits)
0456             continue;
0457
0458         if (!decode_regs(&insn, regs, emulate))
0459             return INSN_REJECTED;
0460
0461         switch (type) {
0462
0463         case DECODE_TYPE_TABLE: {
0464             struct decode_table *d = (struct decode_table *)h;
0465             next = (struct decode_header *)d->table.table;
0466             break;
0467         }
0468
0469         case DECODE_TYPE_CUSTOM: {
0470             int err;
0471             struct decode_custom *d = (struct decode_custom *)h;
0472             int action = d->decoder.action;
0473
0474             err = run_checkers(checkers, action, origin_insn, asi, h);
0475             if (err == INSN_REJECTED)
0476                 return INSN_REJECTED;
0477             return actions[action].decoder(insn, asi, h);
0478         }
0479
0480         case DECODE_TYPE_SIMULATE: {
0481             int err;
0482             struct decode_simulate *d = (struct decode_simulate *)h;
0483             int action = d->handler.action;
0484
0485             err = run_checkers(checkers, action, origin_insn, asi, h);
0486             if (err == INSN_REJECTED)
0487                 return INSN_REJECTED;
0488             asi->insn_handler = actions[action].handler;
0489             return INSN_GOOD_NO_SLOT;
0490         }
0491
0492         case DECODE_TYPE_EMULATE: {
0493             int err;
0494             struct decode_emulate *d = (struct decode_emulate *)h;
0495             int action = d->handler.action;
0496
0497             err = run_checkers(checkers, action, origin_insn, asi, h);
0498             if (err == INSN_REJECTED)
0499                 return INSN_REJECTED;
0500
0501             if (!emulate)
0502                 return actions[action].decoder(insn, asi, h);
0503
0504             asi->insn_handler = actions[action].handler;
0505             set_emulated_insn(insn, asi, thumb);
0506             return INSN_GOOD;
0507         }
0508
0509         case DECODE_TYPE_OR:
0510             matched = true;
0511             break;
0512
0513         case DECODE_TYPE_REJECT:
0514         default:
0515             return INSN_REJECTED;
0516         }
0517     }
0518 }