switching to ring3

Index > OS Construction > switching to ring3

Goto page 1, 2 Next

Author

Thread

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 10 Feb 2010, 11:20

im having problems switching from ring0 to ring3.

when i enter protected mode, my cpl = 0.
i setup GDT with 4 entries.
0, code, data, tss.

in tss i put valid address in esp0, and data selector in ss0.

i load this tss selector using ltr. where do i put ring3 esp/ss?

now i want to switch my cpl to 3. what do i do?
i cant call/jmp any higher segment, its impossible. if i call interrupt, it also must point to equal or lower privilege. it seems i stuck. i cant directly modify cpl, and i cant call anything higher using it.

how do i switch to ring3 then? what do i do?

10 Feb 2010, 11:20

egos

Joined: 10 Feb 2009
Posts: 144

egos 10 Feb 2010, 12:54

Firstly, look at Intel manuals.

Then add to GDT code & data segment descriptors for user mode (with DPL=3) and jump to user code by retf (or iret) instruction with proper code & data segment selectors (with RPL=3) stored in the stack.

10 Feb 2010, 12:54

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 10 Feb 2010, 13:49

doesnt work.
iret only want to return to equal cpl.

Bochs is exiting with the following message:
[CPU0 ] check_cs(0x0018): conforming code seg descriptor dpl > cpl, dpl=3, cpl=0

could you give me simple example of calling code in ring3 from ring0?

10 Feb 2010, 13:49

ouadji

Joined: 24 Dec 2008
Posts: 1080
Location: Belgium

ouadji 10 Feb 2010, 15:12

a Call Gate ?

_________________
I am not young enough to know everything (Oscar Wilde)-

10 Feb 2010, 15:12

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 10 Feb 2010, 15:27

Please dont throw random terms at me.

Im really confused about this gdt/idt stuff. Well 30 years of backward compatibility is not easy to learn.

gdt has 1 special bit, wich define if the segment is code/data, or special segment such as call gate.

Quote:

The DPL field indicates the
privilege level of the call gate, which in turn is the privilege level required to access
the selected procedure through the gate.

so what, i want to change my CPL to HIGHER (ring0 to ring3). Why must i go through DPL?

Please give me sample code of calling something at diffrent ring, and i will be ok.

Is call gate only way to lower CPL? i dont think so, every time i return from interrupt its ring0 > ring3. What am i missing?

10 Feb 2010, 15:27

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 10 Feb 2010, 15:35

i get it now

Quote:

For example, in Figure 5-15, call gate A has a DPL of 3. So calling procedures at
all CPLs (0 through 3) can access this call gate, which includes calling procedures in
code segments A, B, and C. Call gate B has a DPL of 2, so only calling procedures at
a CPL or 0, 1, or 2 can access call gate B, which includes calling procedures in code

but what about iret/retf? it works under all OS, why not for me? Sad

10 Feb 2010, 15:35

ouadji

Joined: 24 Dec 2008
Posts: 1080
Location: Belgium

ouadji 10 Feb 2010, 17:02

"Call gate", a random term ?

http://www.ivanlef0u.tuxfamily.org/?p=86 <--- in French, but very interesting!

http://www.intel.com/Assets/PDF/manual/253668.pdf <-- (Intel book 3A) page 5-22 (chap 5.8.4)

_________________
I am not young enough to know everything (Oscar Wilde)-

10 Feb 2010, 17:02

baldr

Joined: 19 Mar 2008
Posts: 1651

baldr 10 Feb 2010, 17:30

asmmsa

Several conditions have to be met:
1. RPL of selector on stack should be not less than CPL (i.e. same or less-privileged).
2. DPL of it's descriptor should be not greater than RPL of selector on stack (or equal if that segment is not conforming).

These conditions are mirrored conditions for inter-privilege-level call/jmp (RPL of selector on stack was CPL of caller).

Can you show a sample of failing code? Value of selector in cs and on stack, and corresponding segment descriptor — that would be enough.

10 Feb 2010, 17:30

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 10 Feb 2010, 20:08

i know this code is *SIMPLE* but its just a test, i wont make os like that.
its just testing things, nothing serious.

Code:

use16
org 0x7C00

lgdt fword [gdt] ;load GDTR, will setup table later

mov eax,cr0
inc al
mov cr0,eax
jmp 0x0008:start ;flush CS cache and reset it



use32 ;now cpu in protected mode mode
start:


mov ax,0x0010 ;data segment
mov ds,ax

mov eax,TSS_DATA ;TSS

mov word [TSS+2],ax ;i hope i didnt mixed this up
ror eax,16
mov byte [TSS+4],al
mov byte [TSS+7],ah

ror eax,16

mov dword [eax+0x04],0 ;esp0, 0 is valid address used by ivt.
mov word [eax+0x0A],0x0010 ;ss0, i use ring0 r/w selector
mov dword [eax+0x38],0 ;esp ring3. i can use same stack for both
mov word [eax+0x52],0x0020 ;ss ring3


mov ax,0x0028
ltr ax ;load TR. note that bochs doesnt throw error here. load success.



push 0x0018 ;ring3
push ring3_eip
retf ;fucked 
;
;Bochs is exiting with the following message:
;[CPU0 ] check_cs(0x0018): non-conforming code seg descriptor dpl != cpl, dpl=3, cpl=0
;
;or, i know that conforming has nothing to do with it....
;
;Bochs is exiting with the following message:
;[CPU0 ] check_cs(0x0018): conforming code seg descriptor dpl > cpl, dpl=3, cpl=0
;
;




ring3_eip:

mov word [0x000b8000],0x0F40 ;simple test to check if i made it here







cli
hlt














gdt:
dw 47
dd gdttable

gdttable:
dq 0 ;0
execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8
read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10
ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111100b, 11001111b, 0x00 ;18
ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20
TSS db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11101001b, 10001111b, 0x00 ;28

TSS_DATA:
rb 0x64


db 510 - ($ - $$) dup 0, 0x55, 0xAA

10 Feb 2010, 20:08

baldr

Joined: 19 Mar 2008
Posts: 1651

baldr 10 Feb 2010, 20:17

asmmsa,

0x0018 is ring 0 selector (RPL==0).
Ring 3 selector for ring3_execute descriptor and corresponding segment is 0x001B.

10 Feb 2010, 20:17

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 10 Feb 2010, 21:50

this code was wrong very

Last edited by asmmsa on 10 Feb 2010, 22:59; edited 1 time in total

10 Feb 2010, 21:50

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 10 Feb 2010, 22:59

Code:

use16
org 0x7C00

lgdt fword [gdt]

mov eax,cr0
inc al
mov cr0,eax
jmp 0x0008:start



use32
start:


mov ax,0x0010
mov ds,ax
mov ss,ax
mov esp,stack0



mov eax,TSS_DATA

mov word [TSS+2],ax
ror eax,16
mov byte [TSS+4],al
mov byte [TSS+7],ah
ror eax,16

mov dword [eax+0x38],stack3
mov word [eax+0x52],0x0023
mov dword [eax+0x04],stack0
mov word [eax+0x0A],0x0010




mov ax,0x0028
ltr ax


push 0x00000023
push stack3
push 0x0000001B
push ring3_eip
retf





ring3_eip:

mov word [0x000b8000],0x0F40



jmp $

cli
hlt









gdt:
dw 47
dd gdttable

gdttable:
dq 0 ;0
execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8
read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10
ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111000b, 11001111b, 0x00 ;18
ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20
TSS db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11101001b, 10001111b, 0x00 ;28

TSS_DATA:
rb 0x64

rb 0x20
stack0:

rb 0x20
stack3:

db 510 - ($ - $$) dup 0, 0x55, 0xAA

ive managed to write this. strictly by the manual, still doesnt work.
im getting general protection fault.
WTF! tell me thats wrong, i have no basic understanding of that crap, i really dont know whats the diffrence between TSS based saving and pushing on stack!

10 Feb 2010, 22:59

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 10 Feb 2010, 23:26

ok i did it.

forgot that DS is nullified when changing privileges, so i was making null ds write.
overriden with ss and works fine!

thx for he... umm take that back, i did it myself.

10 Feb 2010, 23:26

Coddy41

Joined: 18 Jan 2009
Posts: 384
Location: Ohio, USA

Coddy41 10 Feb 2010, 23:33

> thx for he... umm take that back, i did it myself.

Are you sure? It looks like allot of help was given...

_________________
Want hosting for free for your asm project? You can PM me. (*.fasm4u.net)

10 Feb 2010, 23:33

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 11 Feb 2010, 12:30

can you point me where in intel manuals is descriptopn of TSS entry in GDT?
i cant find it, and interrupt from ring0 to ring3 ends with 'ss selector null' even if i have TSS loaded into TR and it has ss0 and esp0 valid.

11 Feb 2010, 12:30

asmmsa

Joined: 06 Feb 2010
Posts: 45

asmmsa 11 Feb 2010, 12:44

never mind, it was my fault as always.
some ASSHOLE put offsets in idffrent order on osdev, ss0 is under 0x08 not 0x0A.

memory grows this >>>>> way in little endian, not <<< that way, remember that plz.
left is >>>>, right is <<<<<. its easier for notation.
when you erite db 0,1,2, 2 is most significant, most left.

Code:

use16
org 0x7C00

lgdt fword [gdt]
lidt fword [idt]

mov eax,intt
mov word [ido1],ax
shr eax,16
mov word [ido2],ax

mov eax,cr0
inc al
mov cr0,eax
jmp 0x0008:start



use32
start:


mov ax,0x0010
mov ds,ax
mov ss,ax
mov esp,stack0



mov eax,TSS_DATA
mov word [TSS],104
mov word [TSS+2],ax
ror eax,16
mov byte [TSS+4],al
mov byte [TSS+7],ah
ror eax,16

mov dword [eax+4],stack0
mov word [eax+8],0x0010






mov ax,0x0028
ltr ax


push 0x00000023
push stack3
push 0x0000001B
push ring3_eip
retf

;im in ring3 now, using 0x23 SS and stack3 esp.

ring3_eip:


xor al,al
idiv al

mov ecx,0x01000000
loopd $


cli ;exception because im in ring3
hlt


intt:

mov ax,0x10
mov ds,ax
mov word [ds:0x000b8000],0x0F40




iret






idt:
dw 15
dd idttable
idttable:
ido1 dw 0
dw 0x0008
db 0
db 10001111b
ido2 dw 0
dq 0


gdt:
dw 47
dd gdttable
gdttable:
dq 0 ;0
execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8
read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10
ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111000b, 11001111b, 0x00 ;18
ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20
TSS db 0x00, 0x00, 0x00, 0x00, 0x00, 11101001b, 10000000b, 0x00 ;28

TSS_DATA:
rd 26

rd 10
stack0:

rd 10
stack3:

db 510 - ($ - $$) dup 0, 0x55, 0xAA

working code ring0>3>0 exception Smile

now, i wil ltry long mode.
i ve read about it, and have 1 question:
is it possible to enter long mode without paging?

11 Feb 2010, 12:44

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 11 Feb 2010, 13:03

asmmsa wrote:

never mind, it was my fault as always.
some ASSHOLE put offsets in idffrent order on osdev, ss0 is under 0x08 not 0x0A.

Hehe, never blindly rely upon other people's code.

asmmsa wrote:

is it possible to enter long mode without paging?

No.

11 Feb 2010, 13:03

a115433

Joined: 05 Mar 2010
Posts: 144

a115433 05 Mar 2010, 17:50

ive lost pass to my previous account, but its still asmmsa

call gate cant be used to switch from ring0 to ring3.
only returns or propably a task switch

05 Mar 2010, 17:50

ouadji

Joined: 24 Dec 2008
Posts: 1080
Location: Belgium

ouadji 05 Mar 2010, 18:24

Quote:

call gate cant be used to switch from ring0 to ring3.
only returns or propably a task switch

of course it can.

CallGate allows the transfer between any privilege level.
ring3 to ring0, but also ring0 to ring 3

_________________
I am not young enough to know everything (Oscar Wilde)-

05 Mar 2010, 18:24

baldr

Joined: 19 Mar 2008
Posts: 1651

baldr 05 Mar 2010, 19:06

ouadji,

Are you sure? I've skimmed Intel SDM on the call and jmp instructions, privilege level restrictions state quite contrary: jmp through call gate can't change CPL, same for call to conforming segment; non-conforming segment can't be less-privileged.

05 Mar 2010, 19:06

Goto page 1, 2 Next

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum