|
|
/*++
Module Name: ia32trap.c
Abstract:
This module contains iA32 trap handling code. Only used by kernel.
Fault can ONLY be initiated from user mode code. There is no support for iA32 code in the kernel mode.
For common pratice, we always return to the caller (lower level fault handler) and have the system do a normal ia64 exception dispatch. The wow64 code takes that exception and passes it back to the ia32 code as needed.
Revision History:
1 Feb. 1999 Initial Version 16 Feb. 2000 SamerA Don't break on POPF/POPFD instructions and alignment faults for Wow64 processes.
17 Oct. 2000 v-cspira Fix the emulation of smsw to handle the SIB byte 31 Oct. 2000 SamerA Ia32 Lock prefix emulation. 25 Sep. 2001 SamerA Stack-Selector (SS) Load instruction emulation. 02 Mar. 2002 SamerA Security fixes.
--*/
#if DBG
// Get all the iadebugging stuff when running a checked build
#define IADBG 1
#endif
#include "ki.h"
#include "ia32def.h"
�BOOLEANKiIsTrapFrameModifiedAtApcLevel ( IN PKTRAP_FRAME TrapFrame, BOOLEAN *IrqlChanged, KIRQL *OldIrql )/*++
Routine Description This function verifies we are running at APC level, and if not, elevates the current thread's IRQL to APC level. It checks whether the trap frame has been modified.
Arguments: Frame - Supply a pointer to an iA32 TrapFrame IrqlChanged - Pointer to boolean to indicate whether this function changed OldIrql - Old Irql value.
Return: TRUE - Trap frame has been modified since established. FALSE - Trap frame has not been modified yet.--*/{ //
// Aquire APC_LEVEL so that SetContext calls on this thread are blocked.
//
if (KeGetCurrentIrql () < APC_LEVEL) { KeRaiseIrql (APC_LEVEL, OldIrql); *IrqlChanged = TRUE; } else { *OldIrql = PASSIVE_LEVEL; *IrqlChanged = FALSE; }
return (((TrapFrame->EOFMarker & MODIFIED_FRAME) != 0) ? TRUE : FALSE);}�VOIDKiIA32CommonArgs ( IN PKTRAP_FRAME Frame, IN NTSTATUS ExceptionCode, IN PVOID ExceptionAddress, IN ULONG_PTR Argument0, IN ULONG_PTR Argument1, IN ULONG_PTR Argument2 )/*++
Routine Description This routine sets up the ExceptionFrame
Arguments: Frame - Supply a pointer to an iA32 TrapFrame
ExceptionCode - Supplies a Exception Code
ExceptionAddress - Supplies a pointer to user exception address
Argument0, Argument1, Argument2 - Possible ExceptionInformation
Return: Nothing--*/{ PEXCEPTION_RECORD ExceptionRecord;
ExceptionRecord = (PEXCEPTION_RECORD)&Frame->ExceptionRecord;
ExceptionRecord->ExceptionRecord = (PEXCEPTION_RECORD)NULL;
ExceptionRecord->ExceptionCode = ExceptionCode; ExceptionRecord->ExceptionFlags = 0; ExceptionRecord->ExceptionAddress = ExceptionAddress; ExceptionRecord->NumberParameters = 5; ExceptionRecord->ExceptionInformation[0] = Argument0; ExceptionRecord->ExceptionInformation[1] = Argument1; ExceptionRecord->ExceptionInformation[2] = Argument2; ExceptionRecord->ExceptionInformation[3] = (ULONG_PTR)Frame->StIIPA; ExceptionRecord->ExceptionInformation[4] = (ULONG_PTR)Frame->StISR;}�BOOLEANKiIA32ExceptionDivide( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(Divide) - fault
Handle divide error fault.
Called from iA32_Exception() with ISR.vector : 0
The divide error fault occurs if a DIV or IDIV instructions is executed with a divisor of 0, or if the quotient is too big to fit in the result operand.
An INTEGER DIVIDED BY ZERO exception will be raised for the fault. The Faults can only come from user mode.
Arguments: Frame - Supply a pointer to an iA32 TrapFrame
Return value:
--*/{ //
// Setup exception and back to caller
//
KiIA32CommonArgs(Frame, Ki386CheckDivideByZeroTrap(Frame), (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}
BOOLEANKiIA32ExceptionDebug( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(Debug)
Called from iA32_Exception() with ISR.Vector = 1
Depend on ISR.Code 0: It is Code BreakPoint Trap TrapCode: Can be Concurrent Single Step | Taken Branch | Data BreakPoint Trap Handler needs to decode ISR.Code to distinguish Note: EFlag isn't saved yet, so write directly to ar.24
Arguments: Frame - Supply a pointer to an iA32 TrapFrame
Return Value: No return
--*/{ ULONGLONG EFlag;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( DEBUG ) DbgPrint( "IA32 Debug: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
// Turn off the TF bit
EFlag = __getReg(CV_IA64_AR24); EFlag &= ~EFLAGS_TF_BIT; __setReg(CV_IA64_AR24, EFlag);
KiIA32CommonArgs(Frame, STATUS_WX86_SINGLE_STEP, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}
BOOLEANKiIA32ExceptionBreak( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(Break) - Trap
BreakPoint instruction (INT 3) trigged a trap. Note: EFlag isn't saved yet, so write directly to ar.24Arguments: Frame - Supply a pointer to an iA32 TrapFrame
Return Value:
--*/{ ULONGLONG EFlag;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( BREAK ) DbgPrint( "IA32 Break: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
// Turn off the TF bit
EFlag = __getReg(CV_IA64_AR24); EFlag &= ~EFLAGS_TF_BIT; __setReg(CV_IA64_AR24, EFlag);
KiIA32CommonArgs(Frame, STATUS_WX86_BREAKPOINT, (PVOID) (ULONG_PTR) EIP(Frame), BREAKPOINT_X86_BREAK, ECX(Frame), EDX(Frame)); return TRUE;}
BOOLEANKiIA32ExceptionOverflow( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(Overflow) - Trap ISR.Vector = 4
Handle INTO overflow
Eip - point to the address that next to the one causing INTO
Occurres when INTO instruction as well as EFlags.OF is ON Trap only initiated from user mode
Arguments: Frame - Supply a pointer to an iA32 TrapFrame
Return Value:
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( OVERFLOW ) DbgPrint( "IA32 OverFlow: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
//
// All error, generate exception and Eip point to INTO instruction
//
KiIA32CommonArgs(Frame, STATUS_INTEGER_OVERFLOW, (PVOID) (ULONG_PTR) (EIP(Frame) - 1), 0, 0, 0); return TRUE;}
BOOLEANKiIA32ExceptionBound( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(Bound) - Fault Handle Bound check fault ISR.Vector = 5 Eip - point to BOUND instruction
The bound check fault occurs if a BOUND instruction finds that the tested value is outside the specified range.
For bound check fault, an ARRAY BOUND EXCEEDED exception will be raised.
Arguments: Frame - Supply a pointer to an iA32 TrapFrame
Return Value:
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( BOUND ) DbgPrint( "IA32 Bound: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
//
// All error, generate exception with Eip point to BOUND instruction
//
KiIA32CommonArgs(Frame, STATUS_ARRAY_BOUNDS_EXCEEDED, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}
�ULONGIA32EmulateSmsw( IN PKTRAP_FRAME Frame )/*++
Routine Description: Emulate the SMSW instruction Arguments:
Frame: Pointer to iA32 TrapFrame in the stack
Return Value: Exception code
--*/{ ULONG Code; PUCHAR InstAddr; UINT_PTR EffectiveAddress; PUSHORT toAddr; // SMSW deals with 16 bits all the time...
BOOLEAN RegisterMode; NTSTATUS status = STATUS_SUCCESS;
//
// Get the code for the prefix bytes that have already been grabbed
// and placed into the IIM
//
Code = ISRCode(Frame);
//
// The operand size is always 16 for this instruction. We don't care about
// overrides as the segment registers all contain the same thing.
//
//
// Find the instruction in memory and point the Effective Address
// at the byte after the opcode
// Inst Address is start of ia32 inst + length of prefix + number of
// bytes in opcode
//
InstAddr = (PUCHAR) (Frame->StIIP + ((Code >> 12) & 0xf) + 2);
if (!KiIa32Compute32BitEffectiveAddress(Frame, &InstAddr, &EffectiveAddress, &RegisterMode)) { status = STATUS_ACCESS_VIOLATION; } if (NT_SUCCESS(status)) { //
// The adress given to us hasn't been checked for user-space
// validity, so check it now
//
toAddr = (PUSHORT) EffectiveAddress; try { //
// Make sure we can write to the address
//
if (RegisterMode == FALSE) { ProbeForWriteSmallStructure(toAddr, sizeof(SHORT), 2); } //
// and do the write
//
*toAddr = (SHORT) (__getReg(CV_IA64_AR27) & 0xffff); } except (EXCEPTION_EXECUTE_HANDLER) { //
// return the exception
//
status = GetExceptionCode(); }
if (NT_SUCCESS(status)) { //
// the store worked, so update the IIP so we can continue
// executing
//
Frame->StIIP = (UINT_PTR) InstAddr; } }
return status;}
�NTSTATUSIA32CheckOpcode( IN PKTRAP_FRAME Frame )/*++
Routine Description: To identify the Opcode violation state Arguments:
Frame: Pointer to iA32 TrapFrame in the stack
Return Value: Exception code
--*/{ UCHAR OpCodeByte0; UCHAR OpCodeByte1; UCHAR OpCodeByte2; OpCodeByte0 = (UCHAR) Frame->StIIM & 0xff; OpCodeByte1 = (UCHAR) (Frame->StIIM >> 8) & 0xff; OpCodeByte2 = (UCHAR) (Frame->StIIM >> 16) & 0xff;
switch (OpCodeByte0) { case MI_HLT: return (STATUS_PRIVILEGED_INSTRUCTION); break;
case MI_TWO_BYTE: if ((OpCodeByte1 == MI_SMSW) && ((OpCodeByte2 & MI_MODRM_MASK) == MI_SMSW_REGOP)) { //
// We have the SMSW instruction
// So now need to emulate it...
//
return (IA32EmulateSmsw(Frame)); } else if ((OpCodeByte1 == MI_LTR_LLDT) || (OpCodeByte2 == MI_LGDT_LIDT_LMSW)) {
OpCodeByte2 &= MI_MODRM_MASK; // get bit 3-5 of ModRM byte
if (OpCodeByte2==MI_LLDT_MASK || OpCodeByte2==MI_LTR_MASK || OpCodeByte2==MI_LGDT_MASK || OpCodeByte2==MI_LIDT_MASK || OpCodeByte2==MI_LMSW_MASK) { return (STATUS_PRIVILEGED_INSTRUCTION); } else { return (STATUS_ACCESS_VIOLATION); }
} else { if (OpCodeByte1 & MI_SPECIAL_MOV_MASK) { //
// mov may have special_mov_mask
// but they are not 2 bytes OpCode
//
return (STATUS_PRIVILEGED_INSTRUCTION); } else { //
// Do we need to further check if it is INVD, INVLPG ... ?
//
return (STATUS_ACCESS_VIOLATION); } } break;
default: //
// All other
//
return (STATUS_ILLEGAL_INSTRUCTION); break; }}
BOOLEANKiIA32InterceptInstruction( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(InstructionIntercept Opcode)
Program entry for either 1. IA-32 Invalid Opcode Fault #6, or 2. IA-32 interceptions(Inst)
Execution of unimplemented IA-32 opcodes, illegal opcodes or sensitive privileged IA32 operating system instructions results this interception.
Possible Opcodes: Privileged Opcodes: CLTS, HLT, INVD, INVLPG, LIDT, LMSW, LTR, mov to/from CRs, DRs RDMSR, RSM, SMSW, WBINVD, WRMSR
Arguments:
Frame - Supply a pointer to an iA32 TrapFrame
Return Value:
--*/{ NTSTATUS status;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( INSTRUCTION ) DbgPrint( "IA32 Instruction: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
status = IA32CheckOpcode(Frame); switch (status) { case STATUS_PRIVILEGED_INSTRUCTION: KiIA32CommonArgs(Frame, STATUS_PRIVILEGED_INSTRUCTION, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); break;
case STATUS_ACCESS_VIOLATION: KiIA32CommonArgs(Frame, STATUS_ACCESS_VIOLATION, (PVOID) (ULONG_PTR) EIP(Frame), 0, (ULONG_PTR)-1, 0); break;
case STATUS_ILLEGAL_INSTRUCTION: KiIA32CommonArgs(Frame, STATUS_ILLEGAL_INSTRUCTION, (PVOID) (ULONG_PTR) EIP(Frame), 0, (ULONG_PTR)-1, 0); break;
case STATUS_SUCCESS: //
// This means the OpCode was dealt with, so let the code continue
//
return FALSE;
default: KiIA32CommonArgs(Frame, status, (PVOID) (ULONG_PTR) EIP(Frame), 0, (ULONG_PTR)-1, 0); break; }
return TRUE;}�BOOLEANKiIA32ExceptionNoDevice( IN PKTRAP_FRAME Frame )/*++
Routine Description:
iA-32_Exception(Coprocessor Not Available) - fault
This routine is called from iA32_Exception() with ISR.Vector = 7
Note: At this time, the AR registers have not been saved. This includes, CFLAGS (AR.27), EFLAGS (AR.24), FCR (AR.21), FSR (AR.28), FIR (AR.29) and FDR (AR.30).
Arguments:
Frame - iA32 TrapFrame that was saved in the memory stack
Return Value:
--*/{ NTSTATUS ErrorCode; ULONG FirOffset, FdrOffset; ULONG FpState; ULONGLONG FcrRegister, FsrRegister; #if defined(IADBG)
IF_IA32TRAP_DEBUG( NODEVICE ) DbgPrint( "IA32 NoDevice: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
FcrRegister = __getReg(CV_IA64_AR21); FsrRegister = __getReg(CV_IA64_AR28);
FirOffset = (ULONG) (__getReg(CV_IA64_AR29) & 0xFFFFFFFF); FdrOffset = (ULONG) (__getReg(CV_IA64_AR30) & 0xFFFFFFFF);
//
// According to the floating error priority,
// we test what is the cause of the NPX error
// and raise an appropriate exception
//
FpState = (ULONG) (~(FcrRegister & (FSW_INVALID_OPERATION | FSW_DENORMAL | FSW_ZERO_DIVIDE | FSW_OVERFLOW | FSW_UNDERFLOW | FSW_PRECISION)) & (FsrRegister & FSW_ERR_MASK));
ErrorCode = 0;
if (FpState & FSW_INVALID_OPERATION) {
if (FpState & FSW_STACK_FAULT) { KiIA32CommonArgs(Frame, STATUS_FLOAT_STACK_CHECK, (PVOID) (ULONG_PTR) FirOffset, 0, FdrOffset, 0); return TRUE; } else { KiIA32CommonArgs(Frame, STATUS_FLOAT_INVALID_OPERATION, (PVOID) (ULONG_PTR) FirOffset, 0, 0, 0); return TRUE; } } else {
//
// Follow the x86 priority of which exception to report if
// multiple bits are set
//
if (FpState & FSW_ZERO_DIVIDE) { ErrorCode = STATUS_FLOAT_DIVIDE_BY_ZERO; } else if (FpState & FSW_DENORMAL) { ErrorCode = STATUS_FLOAT_INVALID_OPERATION; } else if (FpState & FSW_OVERFLOW) { ErrorCode = STATUS_FLOAT_OVERFLOW; } else if (FpState & FSW_UNDERFLOW) { ErrorCode = STATUS_FLOAT_UNDERFLOW; } else if (FpState & FSW_PRECISION) { ErrorCode = STATUS_FLOAT_INEXACT_RESULT; } }
//
// If we get here, we either have the error code, or
// we went through everything and saw nothing
//
if (ErrorCode) { KiIA32CommonArgs(Frame, ErrorCode, (PVOID) (ULONG_PTR) FirOffset, 0, 0, 0); return TRUE; }
//
// FpState indicates no error, then something is wrong
// Panic the system !!!
//
// KeBugCheckEx(TRAP_CAUSE_UNKNOWN, (ULONG_PTR)Frame, 0, 0, 2);
//
// Turns out there is a bug in the chip and it can cause an fp fault even
// with a masked fp exception... So, don't bug check, count it
// as non-error and reset the fsr.es bit to try and avoid getting this
// exception in the future.
//
#if defined(IADBG)
DbgPrint( "IA32 Debug: Saw FP exception when FP exceptions are masked. Reseting fsr.es bit\n");#endif // IADBG
FsrRegister &= ~((ULONGLONG) FSW_ERROR_SUMMARY); __setReg(CV_IA64_AR28, FsrRegister);
return FALSE;}�BOOLEANKiIA32ExceptionSegmentNotPresent( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(Not Present) - fault
Handle Segment Not Present fault. ISR.Vector = 11
This exception occurs when the processor finds the P bit 0 when accessing an otherwise valid descriptor that is not to be loaded in SS register.
Arguments:
Frame - iA32 TrapFrame that was saved in the memory stack
Return Value:
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( NOTPRESENT ) DbgPrint( "IA32 NotPresent: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
//
// Generate Exception for all other errors
//
KiIA32CommonArgs(Frame, STATUS_ACCESS_VIOLATION, (PVOID) (ULONG_PTR) EIP(Frame), 0, ISRCode(Frame) | RPL_MASK, 0); return TRUE;}
BOOLEANKiIA32ExceptionStack( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(Stack) - fault
ISR.Vector = 12
This exception occurs when the processor detects certain problem with the segment addressed by the SS segment register:
1. A limit violation in the segment addressed by the SS (error code = 0) 2. A limit vioalation in the inner stack during an interlevel call or interrupt (error code = selector for the inner stack) 3. If the descriptor to be loaded into SS has its present bit 0 (error code = selector for the not-present segment)
The exception only occurred from user mode
Arguments:
Frame - iA32 TrapFrame that was saved in the memory stack
Return Value:
--*/{ USHORT Code;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( STACK ) DbgPrint( "IA32 Stack: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
//
// Dispatch Exception to user
//
Code = ISRCode(Frame);
//
// Code may contain the faulting selector
//
KiIA32CommonArgs(Frame, STATUS_ACCESS_VIOLATION, (PVOID) (ULONG_PTR) EIP(Frame), Code ? (Code | RPL_MASK) : ESP(Frame), Code ? EXCEPT_UNKNOWN_ACCESS : EXCEPT_LIMIT_ACCESS, 0); return TRUE;}
BOOLEANKiIA32ExceptionInvalidOp( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(Invalid Opcode) - fault
PKTRAP_FRAME Frame Eip : virtual iA-32 instruction address ISR.vector : 6
Note: Only MMX and KNI instructions can cause this fault based on values in CR0 and CR4
Arguments:
Frame - iA32 TrapFrame that was saved in the memory stack
Return Value:--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( INSTRUCTION ) DbgPrint( "IA32 Invalid Opcode: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
KiIA32CommonArgs(Frame, STATUS_ILLEGAL_INSTRUCTION, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}�BOOLEANKiIA32ExceptionGPFault( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA-32_Exception(General Protection) - fault
PKTRAP_FRAME Frame Eip : virtual iA-32 instruction address ISR.vector : 13 ISR.code : ErrorCode
Note: Previlidged instructions are intercepted, see KiIA32InterceptInstruction
Arguments:
Frame - iA32 TrapFrame that was saved in the memory stack
Return Value:
--*/{ UCHAR OpCode; NTSTATUS Status;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( GPFAULT ) DbgPrint( "IA32 GpFault: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
try { ProbeForReadSmallStructure((VOID *)Frame->StIIP, sizeof(UCHAR), sizeof(UCHAR)); OpCode = *(UCHAR *)Frame->StIIP; } except (EXCEPTION_EXECUTE_HANDLER) { OpCode = 0xcc; } // This table comes from the IOInstructionTable in i386\trap.asm
switch (OpCode) { case CLI_OP: case STI_OP: case 0xe4: case 0xe5: case 0xec: case 0xed: // IN
case 0x6c: case 0x6d: // INS
case 0xe6: case 0xe7: case 0xee: case 0xef: // OUT
case 0x6e: case 0x6f: // OUTS
Status = STATUS_PRIVILEGED_INSTRUCTION; break;
default: Status = STATUS_ACCESS_VIOLATION; break; }
KiIA32CommonArgs(Frame, Status, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}
�
BOOLEANKiIA32ExceptionKNI( IN PKTRAP_FRAME Frame )/*++
iA32_Exception(KNI) - Fault
Unmasked KNI IA32 Error. ISR.Vector = 19
--*/{ NTSTATUS ErrorCode; ULONG FpState; ULONGLONG FcrRegister, FsrRegister;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( FPFAULT ) DbgPrint( "IA32 KNI Fault: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
FcrRegister = __getReg(CV_IA64_AR21); FsrRegister = __getReg(CV_IA64_AR28);
//
// Get the Katmai error state
// The trick here is that the state is in the same registers as the FP
// state and the bit positions are in the same relative location
// so just need to shift the bits and can use the same constants
// that we had for the x87 case
//
FpState = (ULONG) (~((FcrRegister >> KATMAI_SHIFT_CONTROL) & FSW_ERR_MASK) & ((FsrRegister >> KATMAI_SHIFT_STATUS) & FSW_ERR_MASK));
//
// FpState now has a 1 for any error that was unmasked
//
//
// Follow the x86 priority of which exception to report if
// multiple bits are set
//
if (FpState & FSW_INVALID_OPERATION) { ErrorCode = STATUS_FLOAT_MULTIPLE_TRAPS; } else if (FpState & FSW_ZERO_DIVIDE) { ErrorCode = STATUS_FLOAT_MULTIPLE_TRAPS; } else if (FpState & FSW_DENORMAL) { ErrorCode = STATUS_FLOAT_MULTIPLE_TRAPS; } else if (FpState & FSW_OVERFLOW) { ErrorCode = STATUS_FLOAT_MULTIPLE_FAULTS; } else if (FpState & FSW_UNDERFLOW) { ErrorCode = STATUS_FLOAT_MULTIPLE_FAULTS; } else if (FpState & FSW_PRECISION) { ErrorCode = STATUS_FLOAT_MULTIPLE_FAULTS; } else { //
// We have a problem... Shouldn't get here
// as that means we took the exception, but no
// unmasked errors were found...
//
ErrorCode = 0; }
//
// If we get here, we either have the error code, or
// we went through everything and saw nothing
//
if (ErrorCode) { KiIA32CommonArgs(Frame, ErrorCode, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE; }
//
// FpState indicates no error, then something is wrong
// Panic the system !!!
//
KeBugCheckEx(TRAP_CAUSE_UNKNOWN, (ULONG_PTR)Frame, ISRVector(Frame), 0, 3);}
BOOLEANKiIA32ExceptionFPFault( IN PKTRAP_FRAME Frame )/*++
iA32_Exception(Floating Point) - Fault
Handle Coprocessor Error. ISR.Vector = 16
This exception is used on 486 or above only. For i386, it uses IRQ 13 instead. JMPE instruction should flush all FP delayed exception, and the traps will goto Device Not Available trap
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( FPFAULT ) DbgPrint( "IA32 FpFault: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
return(KiIA32ExceptionNoDevice(Frame));}
BOOLEANKiIA32ExceptionAlignmentFault( IN PKTRAP_FRAME Frame )/*++
iA32_Exception(Alignment Check) - fault
Handle alignment faults. ISR.Vector = 17
This exception occurs when an unaligned data access is made by a thread with alignment checking turned on.
This fault occurred when unaligned access on EM PSR.AC is ON Note that iA32 EFLAFS.AC, CR0.AM and CPL!=3 does not unmask the fault.
So, for now, let the ia64 alignment handler handle this...
--*/{ PPSR IntPSR;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( ALIGNMENT ) DbgPrint( "IA32 Alignment: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
//
// Win32 x86 apps don't expect any alignment faults, so
// let's mask them out.
//
IntPSR = (PPSR)&Frame->StIPSR; IntPSR->sb.psr_ac = 0;
return FALSE;}
BOOLEANKiIA32InterruptVector( IN PKTRAP_FRAME Frame )/*++
iA32_Interrupt(Vector #) - trap
Handle INTnn trap
Under EM system mode, iA32 INT instruction forces a mandatory iA-32 interrupt trap through iA-32 Interrupt(SoftWare Interrupt)
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( INTNN ) DbgPrint( "IA32 Intnn: Eip 0x%p INT 0x%x\n", EIP(Frame), ISRVector(Frame));#endif // IADBG
KiIA32CommonArgs(Frame, STATUS_PRIVILEGED_INSTRUCTION, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}
�BOOLEANKiIA32InterceptGate( IN PKTRAP_FRAME Frame )/*++
Routine Description:
iA32_Intercept(Gate) - trap
If an iA32 control transfer is initiated through a GDT or LDT descriptor that results in an either a promotion of privilege level (interlevel Call or Jump Gate and IRET) or an iA32 task switch (TSS segment or Gate), the intercept trap is generated.
Possible instructions intercepted: CALL, RET, IRET, IRETD and JMP
Handling No CaLL, RET, JMP, IRET, IRETD are allowed in any mode, STATUS_ACCESS_VIOLATION is returned
Arguments: Frame - iA32 TrapFrame that was saved in the memory stack
Return Value:
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( GATE ) DbgPrint( "IA32 Gate: Eip 0x%p GateSelector 0x%x OpcodeId 0x%x\n", EIP(Frame), (ULONG) (Frame->StIFA & 0xff), (ULONG) (ISRCode(Frame) >> 14));#endif // IADBG
//
// all error fall through here
//
KiIA32CommonArgs(Frame, STATUS_ILLEGAL_INSTRUCTION, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}
/*++
iA32_intercept(System Flag) - trap
Possible Causes: 1. if CFLAG.ii==1 and EFLAG.if changes state 2. Generated after either EFLAG.ac, tf or rf changes state if no IOPL or CPL to modify bits then no interception. 3. if CFLG.nm==1 then successful execution of IRET also intercepted
Possible instructions: CLI, POPF, POFD, STI and IRET
Currently, we set both CFLAG.ii and nm to 0, so that we will only possiblly get case #2. But in EM/NT, it should always come from user land which we hard-set EFLAG.IOPL to 0, so there if we do get case #2, then it is user play around EFLAG.IOPL through JMPE. We should fail it.
--*/
BOOLEANKiIA32InterceptSystemFlag( IN PKTRAP_FRAME Frame ){ BOOLEAN TrapFrameModified; BOOLEAN RestoreIrql; KIRQL OldIrql; NTSTATUS NtStatus;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( FLAG ) DbgPrint( "IA32 FLAG: Eip 0x%p Old EFlag: 0x%x OpcodeId 0x%x\n", EIP(Frame), (ULONG) (Frame->StIIM & 0xff), (ULONG) (ISRCode(Frame) >> 14));#endif // IADBG
//
// Don't trap on POPF/POPFD instructions from ia32 code.
// Allow Eflags.TF and/or Eflags.AC to be changed.
//
if ((ISRCode(Frame) >> 14) == 2) { return FALSE; }
TrapFrameModified = KiIsTrapFrameModifiedAtApcLevel (Frame, &RestoreIrql, &OldIrql);
//
// If the frame has been modified, then restart execution.
//
if (TrapFrameModified == TRUE) { NtStatus = STATUS_SUCCESS; } else {
//
// Validate the instruction.
//
NtStatus = KiIa32ValidateInstruction (Frame); }
if (RestoreIrql == TRUE) { KeLowerIrql (OldIrql); }
if (NT_SUCCESS (NtStatus)) { return FALSE; }
KiIA32CommonArgs( Frame, NtStatus, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}
BOOLEANKiIA32InterceptLock( IN PKTRAP_FRAME Frame )/*++
Routine Description: iA32_Intercept(Lock) - trap
Lock intercepts occurred if platform or firmware code has disabled locked transactions and atomic memory update requires a processor external indication
Arguments: Frame - Point to iA32 TrapFrame
Return:
--*/{ BOOLEAN TrapFrameModified; BOOLEAN RestoreIrql; KIRQL OldIrql; NTSTATUS NtStatus;
#if defined(IADBG)
IF_IA32TRAP_DEBUG( LOCK ) DbgPrint( "IA32 LOCK: Eip 0x%p\n", EIP(Frame) );#endif // IADBG
TrapFrameModified = KiIsTrapFrameModifiedAtApcLevel (Frame, &RestoreIrql, &OldIrql);
//
// If the frame has been modified, then restart execution.
//
if (TrapFrameModified == TRUE) { NtStatus = STATUS_SUCCESS; } else {
//
// Emulate the lock prefix
//
NtStatus = KiIa32InterceptUnalignedLock (Frame); } if (RestoreIrql == TRUE) { KeLowerIrql (OldIrql); }
if (!NT_SUCCESS (NtStatus)) { KiIA32CommonArgs( Frame, NtStatus, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0 ); } return (!NT_SUCCESS (NtStatus)) ? TRUE : FALSE;}
BOOLEANKiIA32ExceptionPanic( IN PKTRAP_FRAME Frame ){ //
// Panic the system
//
KeBugCheckEx(TRAP_CAUSE_UNKNOWN, (ULONG_PTR)Frame, ISRVector(Frame), 0, 0);} �
CONST BOOLEAN (*KiIA32ExceptionDispatchTable[])(PKTRAP_FRAME) = { KiIA32ExceptionDivide, KiIA32ExceptionDebug, KiIA32ExceptionPanic, KiIA32ExceptionBreak, KiIA32ExceptionOverflow, KiIA32ExceptionBound, KiIA32ExceptionInvalidOp, KiIA32ExceptionNoDevice, KiIA32ExceptionPanic, KiIA32ExceptionPanic, KiIA32ExceptionPanic, KiIA32ExceptionSegmentNotPresent, KiIA32ExceptionStack, KiIA32ExceptionGPFault, KiIA32ExceptionPanic, KiIA32ExceptionPanic, KiIA32ExceptionFPFault, KiIA32ExceptionAlignmentFault, KiIA32ExceptionPanic, KiIA32ExceptionKNI};
CONST BOOLEAN (*KiIA32InterceptionDispatchTable[])(PKTRAP_FRAME) = { KiIA32InterceptInstruction, KiIA32InterceptGate, KiIA32InterceptSystemFlag, KiIA32ExceptionPanic, KiIA32InterceptLock};�#pragma warning(disable:4702) // unreachable code
BOOLEANKiIA32InterceptionVectorHandler( IN PKTRAP_FRAME Frame )/*++
Routine Description:
KiIA32InterceptionVectorHandler
Called by first label KiIA32InterceptionVector() to handle further iA32 interception processing. Arguments:
Frame - iA32 TrapFrame that was saved in the memory stack
Return Value: TRUE - go to dispatch exception FALSE - Exception was handled, do an RFI
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( INTERCEPTION ) DbgPrint("IA32 Interception: ISRVector 0x%x Frame 0x%p\n", ISRVector(Frame), Frame);#endif // IADBG
ASSERT(UserMode == Frame->PreviousMode);
//
// Make sure we have an entry in the table for this interception
//
if (ISRVector(Frame) <= (sizeof(KiIA32InterceptionDispatchTable) / sizeof(PVOID))) return (*KiIA32InterceptionDispatchTable[ISRVector(Frame)])(Frame); else return (KiIA32ExceptionPanic(Frame));}#pragma warning(default:4702)
#pragma warning(disable:4702) // unreachable code
BOOLEANKiIA32ExceptionVectorHandler( IN PKTRAP_FRAME Frame )/*++
Routine Description:
KiIA32ExceptionVectorHandler
Called by first label KiIA32ExceptionVector() to handle further iA32 interception processing. Arguments:
Frame - iA32 TrapFrame that was saved in the memory stack
Return Value: TRUE - go to dispatch exception FALSE - Exception was handled, do an RFI
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( EXCEPTION ) DbgPrint("IA32 Exception: ISRVector 0x%x Frame 0x%p\n", ISRVector(Frame), Frame);#endif // IADBG
ASSERT(UserMode == Frame->PreviousMode); //
// Make sure we have an entry in the table for this exception
//
if (ISRVector(Frame) <= (sizeof(KiIA32ExceptionDispatchTable) / sizeof(PVOID))) return (*KiIA32ExceptionDispatchTable[ISRVector(Frame)])(Frame); else return(KiIA32ExceptionPanic(Frame));}#pragma warning(default:4702)
BOOLEANKiIA32InterruptionVectorHandler( IN PKTRAP_FRAME Frame )/*++
Routine Description:
KiIA32InterruptionVectorHandler
Called by first label KiIA32InterruptionVector() to handle further iA32 interruption processing. Only get here on INT xx instructions Arguments:
Frame - iA32 TrapFrame that was saved in the memory stack
Return Value: TRUE - go to dispatch exception FALSE - Exception was handled, do an RFI
--*/{#if defined(IADBG)
IF_IA32TRAP_DEBUG( INTERRUPT ) DbgPrint("IA32 Interruption: ISRVector 0x%x Frame 0x%p\n", ISRVector(Frame), Frame);#endif // IADBG
ASSERT(UserMode == Frame->PreviousMode);
//
// Follow the ia32 way of INT xx as an Access Violation
//
// INT 3 should be handled via a debug exception and should
// never get here...
//
ASSERT(3 != ISRVector(Frame)); KiIA32CommonArgs(Frame, STATUS_ACCESS_VIOLATION, (PVOID) (ULONG_PTR) EIP(Frame), 0, 0, 0); return TRUE;}
|
