1 | /* $Id: invop.c 62509 2016-07-22 19:12:22Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * Real mode invalid opcode handler.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2013-2016 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | */
|
---|
17 |
|
---|
18 | #include <stdint.h>
|
---|
19 | #include <string.h>
|
---|
20 | #include "biosint.h"
|
---|
21 | #include "inlines.h"
|
---|
22 |
|
---|
23 | //#define EMU_386_LOADALL
|
---|
24 |
|
---|
25 | /* The layout of 286 LOADALL descriptors. */
|
---|
26 | typedef struct tag_ldall_desc {
|
---|
27 | uint16_t base_lo; /* Bits 0-15 of segment base. */
|
---|
28 | uint8_t base_hi; /* Bits 16-13 of segment base. */
|
---|
29 | uint8_t attr; /* Segment attributes. */
|
---|
30 | uint16_t limit; /* Segment limit. */
|
---|
31 | } ldall_desc;
|
---|
32 |
|
---|
33 | /* The 286 LOADALL memory buffer at physical address 800h. From
|
---|
34 | * The Undocumented PC.
|
---|
35 | */
|
---|
36 | typedef struct tag_ldall_286 {
|
---|
37 | uint16_t unused1[3];
|
---|
38 | uint16_t msw; /* 806h */
|
---|
39 | uint16_t unused2[7];
|
---|
40 | uint16_t tr; /* 816h */
|
---|
41 | uint16_t flags; /* 818h */
|
---|
42 | uint16_t ip; /* 81Ah */
|
---|
43 | uint16_t ldt; /* 81Ch */
|
---|
44 | uint16_t ds; /* 81Eh */
|
---|
45 | uint16_t ss; /* 820h */
|
---|
46 | uint16_t cs; /* 822h */
|
---|
47 | uint16_t es; /* 824h */
|
---|
48 | uint16_t di; /* 826h */
|
---|
49 | uint16_t si; /* 828h */
|
---|
50 | uint16_t bp; /* 82Ah */
|
---|
51 | uint16_t sp; /* 82Ch */
|
---|
52 | uint16_t bx; /* 82Eh */
|
---|
53 | uint16_t dx; /* 830h */
|
---|
54 | uint16_t cx; /* 832h */
|
---|
55 | uint16_t ax; /* 834h */
|
---|
56 | ldall_desc es_desc; /* 836h */
|
---|
57 | ldall_desc cs_desc; /* 83Ch */
|
---|
58 | ldall_desc ss_desc; /* 842h */
|
---|
59 | ldall_desc ds_desc; /* 848h */
|
---|
60 | ldall_desc gdt_desc; /* 84Eh */
|
---|
61 | ldall_desc ldt_desc; /* 854h */
|
---|
62 | ldall_desc idt_desc; /* 85Ah */
|
---|
63 | ldall_desc tss_desc; /* 860h */
|
---|
64 | } ldall_286_s;
|
---|
65 | ct_assert(sizeof(ldall_286_s) == 0x66);
|
---|
66 |
|
---|
67 | #ifdef EMU_386_LOADALL
|
---|
68 |
|
---|
69 | /* The layout of 386 LOADALL descriptors. */
|
---|
70 | typedef struct tag_ldal3_desc {
|
---|
71 | uint32_t attr; /* Segment attributes. */
|
---|
72 | uint32_t base; /* Expanded segment base. */
|
---|
73 | uint32_t limit; /* Expanded segment limit. */
|
---|
74 | } ldal3_desc;
|
---|
75 |
|
---|
76 | /* The 386 LOADALL memory buffer pointed to by ES:EDI.
|
---|
77 | */
|
---|
78 | typedef struct tag_ldall_386 {
|
---|
79 | uint32_t cr0; /* 00h */
|
---|
80 | uint32_t eflags; /* 04h */
|
---|
81 | uint32_t eip; /* 08h */
|
---|
82 | uint32_t edi; /* 0Ch */
|
---|
83 | uint32_t esi; /* 10h */
|
---|
84 | uint32_t ebp; /* 14h */
|
---|
85 | uint32_t esp; /* 18h */
|
---|
86 | uint32_t ebx; /* 1Ch */
|
---|
87 | uint32_t edx; /* 20h */
|
---|
88 | uint32_t ecx; /* 24h */
|
---|
89 | uint32_t eax; /* 28h */
|
---|
90 | uint32_t dr6; /* 2Ch */
|
---|
91 | uint32_t dr7; /* 30h */
|
---|
92 | uint32_t tr; /* 34h */
|
---|
93 | uint32_t ldt; /* 38h */
|
---|
94 | uint32_t gs; /* 3Ch */
|
---|
95 | uint32_t fs; /* 40h */
|
---|
96 | uint32_t ds; /* 44h */
|
---|
97 | uint32_t ss; /* 4Ch */
|
---|
98 | uint32_t cs; /* 48h */
|
---|
99 | uint32_t es; /* 50h */
|
---|
100 | ldal3_desc tss_desc; /* 54h */
|
---|
101 | ldal3_desc idt_desc; /* 60h */
|
---|
102 | ldal3_desc gdt_desc; /* 6Ch */
|
---|
103 | ldal3_desc ldt_desc; /* 78h */
|
---|
104 | ldal3_desc gs_desc; /* 84h */
|
---|
105 | ldal3_desc fs_desc; /* 90h */
|
---|
106 | ldal3_desc ds_desc; /* 9Ch */
|
---|
107 | ldal3_desc ss_desc; /* A8h */
|
---|
108 | ldal3_desc cs_desc; /* B4h */
|
---|
109 | ldal3_desc es_desc; /* C0h */
|
---|
110 | } ldall_386_s;
|
---|
111 | ct_assert(sizeof(ldall_386_s) == 0xCC);
|
---|
112 |
|
---|
113 | #endif
|
---|
114 |
|
---|
115 | /*
|
---|
116 | * LOADALL emulation assumptions:
|
---|
117 | * - MSW indicates real mode
|
---|
118 | * - Standard real mode CS and SS is to be used
|
---|
119 | * - Segment values of non-RM segments (if any) do not matter
|
---|
120 | * - Standard segment attributes are used
|
---|
121 | */
|
---|
122 |
|
---|
123 | /* A wrapper for LIDT. */
|
---|
124 | void load_idtr(uint32_t base, uint16_t limit);
|
---|
125 | #pragma aux load_idtr = \
|
---|
126 | ".286p" \
|
---|
127 | "mov bx, sp" \
|
---|
128 | "lidt fword ptr ss:[bx]"\
|
---|
129 | parm caller reverse [] modify [bx] exact;
|
---|
130 |
|
---|
131 | /* A wrapper for LGDT. */
|
---|
132 | void load_gdtr(uint32_t base, uint16_t limit);
|
---|
133 | #pragma aux load_gdtr = \
|
---|
134 | ".286p" \
|
---|
135 | "mov bx, sp" \
|
---|
136 | "lgdt fword ptr ss:[bx]"\
|
---|
137 | parm caller reverse [] modify [bx] exact;
|
---|
138 |
|
---|
139 | /* Load DS/ES as real-mode segments. May be overwritten later.
|
---|
140 | * NB: Loads SS with 80h to address the LOADALL buffer. Must
|
---|
141 | * not touch CX!
|
---|
142 | */
|
---|
143 | void load_rm_segs(int seg_flags);
|
---|
144 | #pragma aux load_rm_segs = \
|
---|
145 | "mov ax, 80h" \
|
---|
146 | "mov ss, ax" \
|
---|
147 | "mov ax, ss:[1Eh]" \
|
---|
148 | "mov ds, ax" \
|
---|
149 | "mov ax, ss:[24h]" \
|
---|
150 | "mov es, ax" \
|
---|
151 | parm [cx] nomemory modify nomemory;
|
---|
152 |
|
---|
153 | /* Briefly switch to protected mode and load ES and/or DS if necessary.
|
---|
154 | * NB: Trashes high bits of EAX, but that should be safe. Expects flags
|
---|
155 | * in CX.
|
---|
156 | */
|
---|
157 | void load_pm_segs(void);
|
---|
158 | #pragma aux load_pm_segs = \
|
---|
159 | ".386p" \
|
---|
160 | "smsw ax" \
|
---|
161 | "inc ax" \
|
---|
162 | "lmsw ax" \
|
---|
163 | "mov ax, 8" \
|
---|
164 | "test cx, 1" \
|
---|
165 | "jz skip_es" \
|
---|
166 | "mov es, ax" \
|
---|
167 | "skip_es:" \
|
---|
168 | "test cx, 2" \
|
---|
169 | "jz skip_ds" \
|
---|
170 | "mov bx,ss:[00h]" \
|
---|
171 | "mov ss:[08h], bx" \
|
---|
172 | "mov bx,ss:[02h]" \
|
---|
173 | "mov ss:[0Ah], bx" \
|
---|
174 | "mov bx,ss:[04h]" \
|
---|
175 | "mov ss:[0Ch], bx" \
|
---|
176 | "mov ds, ax" \
|
---|
177 | "skip_ds:" \
|
---|
178 | "mov eax, cr0" \
|
---|
179 | "dec ax" \
|
---|
180 | "mov cr0, eax" \
|
---|
181 | parm nomemory modify nomemory;
|
---|
182 |
|
---|
183 | /* Complete LOADALL emulation: Restore general-purpose registers, stack
|
---|
184 | * pointer, and CS:IP. NB: The LOADALL instruction stores registers in
|
---|
185 | * the same order as PUSHA. Surprise, surprise!
|
---|
186 | */
|
---|
187 | void ldall_finish(void);
|
---|
188 | #pragma aux ldall_finish = \
|
---|
189 | ".286" \
|
---|
190 | "mov sp, 26h" \
|
---|
191 | "popa" \
|
---|
192 | "mov sp, ss:[2Ch]" \
|
---|
193 | "sub sp, 6" \
|
---|
194 | "mov ss, ss:[20h]" \
|
---|
195 | "iret" \
|
---|
196 | parm nomemory modify nomemory aborts;
|
---|
197 |
|
---|
198 | #ifdef EMU_386_LOADALL
|
---|
199 |
|
---|
200 | /* 386 version of the above. */
|
---|
201 | void ldal3_finish(void);
|
---|
202 | #pragma aux ldal3_finish = \
|
---|
203 | ".386" \
|
---|
204 | "mov sp, 28h" \
|
---|
205 | "popad" \
|
---|
206 | "mov sp, ss:[18h]" \
|
---|
207 | "sub sp, 6" \
|
---|
208 | "mov ss, ss:[48h]" \
|
---|
209 | "iret" \
|
---|
210 | parm nomemory modify nomemory aborts;
|
---|
211 |
|
---|
212 | /* 386 version of load_rm_segs.
|
---|
213 | * NB: Must not touch CX!
|
---|
214 | */
|
---|
215 | void load_rm_seg3(int seg_flags, uint16_t ss_base);
|
---|
216 | #pragma aux load_rm_seg3 = \
|
---|
217 | "mov ss, ax" \
|
---|
218 | "mov ax, ss:[44h]" \
|
---|
219 | "mov ds, ax" \
|
---|
220 | "mov ax, ss:[50h]" \
|
---|
221 | "mov es, ax" \
|
---|
222 | parm [ax] [cx] nomemory modify nomemory;
|
---|
223 |
|
---|
224 | #endif
|
---|
225 |
|
---|
226 | #define LOAD_ES 0x01 /* ES needs to be loaded in protected mode. */
|
---|
227 | #define LOAD_DS 0x02 /* DS needs to be loaded in protected mode. */
|
---|
228 |
|
---|
229 | /*
|
---|
230 | * The invalid opcode handler exists to work around fishy application
|
---|
231 | * code and paper over CPU generation differences:
|
---|
232 | *
|
---|
233 | * - Skip redundant LOCK prefixes (allowed on 8086, #UD on 286+).
|
---|
234 | * - Emulate just enough of 286 LOADALL.
|
---|
235 | *
|
---|
236 | */
|
---|
237 | void BIOSCALL inv_op_handler(uint16_t ds, uint16_t es, pusha_regs_t gr, volatile iret_addr_t ra)
|
---|
238 | {
|
---|
239 | void __far *ins = ra.cs :> ra.ip;
|
---|
240 |
|
---|
241 | if (*(uint8_t __far *)ins == 0xF0) {
|
---|
242 | /* LOCK prefix - skip over it and try again. */
|
---|
243 | ++ra.ip;
|
---|
244 | } else if (*(uint16_t __far *)ins == 0x050F) {
|
---|
245 | /* 286 LOADALL. NB: Same opcode as SYSCALL. */
|
---|
246 | ldall_286_s __far *ldbuf = 0 :> 0x800;
|
---|
247 | iret_addr_t __far *ret_addr;
|
---|
248 | uint32_t seg_base;
|
---|
249 | int seg_flags = 0;
|
---|
250 |
|
---|
251 | /* One of the challenges is that we must restore SS:SP as well
|
---|
252 | * as CS:IP and FLAGS from the LOADALL buffer. We copy CS/IP/FLAGS
|
---|
253 | * from the buffer just below the SS:SP values from the buffer so
|
---|
254 | * that we can eventually IRET to the desired CS/IP/FLAGS/SS/SP
|
---|
255 | * values in one go.
|
---|
256 | */
|
---|
257 | ret_addr = ldbuf->ss :> (ldbuf->sp - sizeof(iret_addr_t));
|
---|
258 | ret_addr->ip = ldbuf->ip;
|
---|
259 | ret_addr->cs = ldbuf->cs;
|
---|
260 | ret_addr->flags.u.r16.flags = ldbuf->flags;
|
---|
261 |
|
---|
262 | /* Examine ES/DS. */
|
---|
263 | seg_base = ldbuf->es_desc.base_lo | (uint32_t)ldbuf->es_desc.base_hi << 16;
|
---|
264 | if (seg_base != (uint32_t)ldbuf->es << 4)
|
---|
265 | seg_flags |= LOAD_ES;
|
---|
266 | seg_base = ldbuf->ds_desc.base_lo | (uint32_t)ldbuf->ds_desc.base_hi << 16;
|
---|
267 | if (seg_base != (uint32_t)ldbuf->ds << 4)
|
---|
268 | seg_flags |= LOAD_DS;
|
---|
269 |
|
---|
270 | /* The LOADALL buffer doubles as a tiny GDT. */
|
---|
271 | load_gdtr(0x800, 4 * 8 - 1);
|
---|
272 |
|
---|
273 | /* Store the ES base/limit/attributes in the unused words (GDT selector 8). */
|
---|
274 | ldbuf->unused2[0] = ldbuf->es_desc.limit;
|
---|
275 | ldbuf->unused2[1] = ldbuf->es_desc.base_lo;
|
---|
276 | ldbuf->unused2[2] = (ldbuf->es_desc.attr << 8) | ldbuf->es_desc.base_hi;
|
---|
277 | ldbuf->unused2[3] = 0;
|
---|
278 |
|
---|
279 | /* Store the DS base/limit/attributes in other unused words. */
|
---|
280 | ldbuf->unused1[0] = ldbuf->ds_desc.limit;
|
---|
281 | ldbuf->unused1[1] = ldbuf->ds_desc.base_lo;
|
---|
282 | ldbuf->unused1[2] = (ldbuf->ds_desc.attr << 8) | ldbuf->ds_desc.base_hi;
|
---|
283 |
|
---|
284 | /* Load the IDTR as specified. */
|
---|
285 | seg_base = ldbuf->idt_desc.base_lo | (uint32_t)ldbuf->idt_desc.base_hi << 16;
|
---|
286 | load_idtr(seg_base, ldbuf->idt_desc.limit);
|
---|
287 |
|
---|
288 | /* Do the tricky bits now. */
|
---|
289 | load_rm_segs(seg_flags);
|
---|
290 | load_pm_segs();
|
---|
291 | ldall_finish();
|
---|
292 | #ifdef EMU_386_LOADALL
|
---|
293 | } else if (*(uint16_t __far *)ins == 0x070F) {
|
---|
294 | /* 386 LOADALL. NB: Same opcode as SYSRET. */
|
---|
295 | ldall_386_s __far *ldbuf = (void __far *)es :> gr.u.r16.di; /* Assume 16-bit value in EDI. */
|
---|
296 | ldall_286_s __far *ldbuf2 = 0 :> 0x800;
|
---|
297 | iret_addr_t __far *ret_addr;
|
---|
298 | uint32_t seg_base;
|
---|
299 | int seg_flags = 0;
|
---|
300 |
|
---|
301 | /* NB: BIG FAT ASSUMPTION! Users of 386 LOADALL are assumed to also
|
---|
302 | * have a 286 LOADALL buffer at physical address 800h. We use unused fields
|
---|
303 | * in that buffer for temporary storage.
|
---|
304 | */
|
---|
305 |
|
---|
306 | /* Set up return stack. */
|
---|
307 | ret_addr = ldbuf->ss :> (ldbuf->esp - sizeof(iret_addr_t));
|
---|
308 | ret_addr->ip = ldbuf->eip;
|
---|
309 | ret_addr->cs = ldbuf->cs;
|
---|
310 | ret_addr->flags.u.r16.flags = ldbuf->eflags;
|
---|
311 |
|
---|
312 | /* Examine ES/DS. */
|
---|
313 | seg_base = ldbuf->es_desc.base;
|
---|
314 | if (seg_base != (uint32_t)ldbuf->es << 4)
|
---|
315 | seg_flags |= LOAD_ES;
|
---|
316 | seg_base = ldbuf->ds_desc.base;
|
---|
317 | if (seg_base != (uint32_t)ldbuf->ds << 4)
|
---|
318 | seg_flags |= LOAD_DS;
|
---|
319 |
|
---|
320 | /* The LOADALL buffer doubles as a tiny GDT. */
|
---|
321 | load_gdtr(0x800, 4 * 8 - 1);
|
---|
322 |
|
---|
323 | /* Store the ES base/limit/attributes in the unused words (GDT selector 8). */
|
---|
324 | ldbuf2->unused2[0] = ldbuf->es_desc.limit;
|
---|
325 | ldbuf2->unused2[1] = (uint16_t)ldbuf->es_desc.base;
|
---|
326 | ldbuf2->unused2[2] = (ldbuf->es_desc.attr & 0xFF00) | (ldbuf->es_desc.base >> 16);
|
---|
327 | ldbuf2->unused2[3] = 0;
|
---|
328 |
|
---|
329 | /* Store the DS base/limit/attributes in other unused words. */
|
---|
330 | ldbuf2->unused1[0] = ldbuf->ds_desc.limit;
|
---|
331 | ldbuf2->unused1[1] = (uint16_t)ldbuf->ds_desc.base;
|
---|
332 | ldbuf2->unused1[2] = (ldbuf->ds_desc.attr & 0xFF00) | (ldbuf->ds_desc.base >> 16);
|
---|
333 |
|
---|
334 | /* Load the IDTR as specified. */
|
---|
335 | seg_base = ldbuf->idt_desc.base;
|
---|
336 | load_idtr(seg_base, ldbuf->idt_desc.limit);
|
---|
337 |
|
---|
338 | /* Do the tricky bits now. */
|
---|
339 | load_rm_seg3(es, seg_flags);
|
---|
340 | load_pm_segs();
|
---|
341 | ldal3_finish();
|
---|
342 | #endif
|
---|
343 | } else {
|
---|
344 | /* There isn't much point in executing the invalid opcode handler
|
---|
345 | * in an endless loop, so halt right here.
|
---|
346 | */
|
---|
347 | int_enable();
|
---|
348 | halt_forever();
|
---|
349 | }
|
---|
350 | }
|
---|