flat assembler
Message board for the users of flat assembler.

Index > Main > swapgs?

Azu



Joined: 16 Dec 2008
Posts: 1159
Where is a website or manual that I can find a description of this instruction? All I could find searching is that it does something to the gs register that is somehow important for ring0->ring3 transitions in FreeBSD. Confused
Post 03 Sep 2009, 23:51
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17348
Location: In your JS exploiting you and your system
Azu wrote:
Where is a website or manual that I can find a description of this instruction? All I could find searching is that it does something to the gs register that is somehow important for ring0->ring3 transitions in FreeBSD. Confused
Have you looked in TFM? Rolling Eyes
Post 04 Sep 2009, 03:41
MazeGen



Joined: 06 Oct 2003
Posts: 977
Location: Czechoslovakia
Get either Intel manual, 253667.pdf, or AMD manual, 24594.pdf.
Post 04 Sep 2009, 06:58
Azu



Joined: 16 Dec 2008
Posts: 1159
revolution wrote:
Azu wrote:
Where is a website or manual that I can find a description of this instruction? All I could find searching is that it does something to the gs register that is somehow important for ring0->ring3 transitions in FreeBSD. Confused
Have you looked in TFM? Rolling Eyes
Yes, and told you what I found. Have you? Rolling Eyes



MazeGen wrote:
Get either Intel manual, 253667.pdf, or AMD manual, 24594.pdf.
Thank you. 253667.pdf has it. Smile
Post 04 Sep 2009, 07:22
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17348
Location: In your JS exploiting you and your system
Your google-foo is not so strong Wink
Post 04 Sep 2009, 07:31
Azu



Joined: 16 Dec 2008
Posts: 1159
Right.. coming from the guy who couldn't find it either. Razz


Thanks again MazeGen! ^^
Post 04 Sep 2009, 07:35
Feryno



Joined: 23 Mar 2005
Posts: 454
Location: Czech republic, Slovak republic
Knowing this instruction is useful if you do kernel programming.

when ring3 executes code, GS base points to ring3 GS base (under windows x64, its name is ThreadLocalBase, the name of ring0 GS base under win x64 is KPRCB = processor control block, K means perhaps kernel, KPRCB is unique constant per every CPU in SMP system, every CPU has its own)
at that point, e.g. keyboard interrupt (or timer interrupt, or harddisk interrupt, ...) may hit, or ring3 code calls ring0 code (e.g. the SYSCALL instruction)

when it is the SYSCALL instruction, then kernel knows about ring3-ring0 transition and the kernel executes the SWAPGS instruction very early (usually the first instruction) and then ring3 and ring0 GS bases are swapped, so now GS base points to ring0 data. When then ring0 passes control back to ring3, this is typically by instruction pair SWAPGS + SYSRETQ

when it is e.g. a timer interrupt, then the interrupt could hit when ring0 code was executing, or when e.g. ring3 code was executing
the kernel handler typically tests qword [rsp+8*1] where CS is pushed, it tests the low 2 bits of the code selector (ms windows tests only the lowest bit, bit 0.), so the kernel is able to determine whether the interrupt occurred from ring0 or from ring3. If the interrupt was from ring0, then there is no need to execute SWAPGS (kernel doesn't execute it), when the interrupt was from ring3, then the kernel executes SWAPGS.
CS for ring3 has bit 0., 1. set to 1
CS for ring0 has bit 0., 1. set to 0
so int handler skeleton should begin with something like:
; qword [rsp+8*4] = SS
; qword [rsp+8*3] = RSP
; qword [rsp+8*2] = RFLAGS
; qword [rsp+8*1] = CS
; qword [rsp+8*0] = RIP
test byte [rsp+8*1],11b
jz L0
swapgs
L0:

on the way back, when kernel is going to pass control to thread, it checks whether it is ring0 thread or ring3 thread
if it is ring0 thread, then there is no need to execute SWAPGS
if the control is going to pass to ring3 thread, then the typical code sequence to do that is:
swapgs
iretq

the swapgs instruction was implemented into CPUs because when there is a transfer into ring0 (no matter whether it is from ring0 or ring3), then GS base may be efficiently loaded and immediately give a valid pointer into ring0 data even in case the ring0 stack would be destroyed, a pointer into a valid ring0 stack may be loaded from GS base, e.g. mov rsp,[gs:xxxx]
Post 04 Sep 2009, 08:30
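To make the CS check in Feryno's handler skeleton concrete, here is a small C model of the convention the post describes. It is an added example, not code from the thread or from any kernel: SWAPGS really does exchange IA32_GS_BASE with IA32_KERNEL_GS_BASE and the interrupted code's privilege level really is the low two bits of the pushed CS, but the per-CPU block, the selectors 0x33/0x10 and every address below are constructed for the model. It runs the "test byte [rsp+8*1],11b / jz L0 / swapgs" entry path and the "swapgs / iretq" exit path for an interrupt arriving from ring 3 and from ring 0, and also the broken variant that executes SWAPGS without looking at CS, which leaves a ring-0 interrupt handler reading per-CPU data through the ring-3 GS base.

```c
/* Added example (not from the thread): a software model of the SWAPGS entry/exit
 * convention. Real facts used: SWAPGS exchanges IA32_GS_BASE and IA32_KERNEL_GS_BASE;
 * CPL of the interrupted code is CS & 3. Layout, selectors and addresses are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Interrupt frame as the CPU pushes it in 64-bit mode, lowest address first:
 * rip at [rsp+8*0], cs at [rsp+8*1], rflags, rsp, ss at [rsp+8*4]. */
struct int_frame {
    uint64_t rip, cs, rflags, rsp, ss;
};

/* Constructed ring-3 TLS block and ring-0 per-CPU block. The per-CPU block holds the
 * kernel stack pointer a handler can load with "mov rsp,[gs:xxxx]". */
#define USER_GS_BASE   0x00007FFFF7FF0000ULL
#define KERNEL_GS_BASE 0xFFFFF80000100000ULL
#define KERNEL_STACK   0xFFFFF80000200000ULL

struct percpu { uint64_t kernel_rsp; };
static struct percpu g_percpu = { KERNEL_STACK };   /* "lives" at KERNEL_GS_BASE */

/* The two MSRs SWAPGS exchanges. */
struct cpu {
    uint64_t gs_base;         /* IA32_GS_BASE: the base [gs:...] uses right now */
    uint64_t kernel_gs_base;  /* IA32_KERNEL_GS_BASE: the base held in reserve */
};

static void swapgs(struct cpu *c) {
    uint64_t t = c->gs_base;
    c->gs_base = c->kernel_gs_base;
    c->kernel_gs_base = t;
}

/* Privilege level of the interrupted code: the RPL field (bits 0 and 1) of the pushed CS. */
static unsigned frame_cpl(const struct int_frame *f) { return (unsigned)(f->cs & 3); }

/* A gs-relative read only reaches the per-CPU block if gs_base is the kernel one. */
static const struct percpu *percpu_via_gs(const struct cpu *c) {
    return c->gs_base == KERNEL_GS_BASE ? &g_percpu : NULL;
}

struct sim_result {
    bool handler_saw_kernel_gs;  /* gs_base was the kernel block inside the handler */
    bool gs_restored;            /* gs_base after iretq equals the value before the interrupt */
};

/* Simulate one interrupt arriving while code with selector `cs` runs.
 * unconditional = the buggy handler that executes swapgs without testing CS. */
static struct sim_result simulate(uint64_t cs, bool unconditional) {
    struct int_frame f = { .rip = 0x401000, .cs = cs, .rflags = 0x202,
                           .rsp = 0x7FFFFFFE000ULL, .ss = (cs & 3) ? 0x2B : 0x18 };
    unsigned cpl = frame_cpl(&f);

    /* Before the interrupt: ring 3 runs on the user base, ring 0 on the kernel base. */
    struct cpu c = cpl ? (struct cpu){ USER_GS_BASE, KERNEL_GS_BASE }
                       : (struct cpu){ KERNEL_GS_BASE, USER_GS_BASE };
    uint64_t before = c.gs_base;

    /* Entry: test byte [rsp+8*1],11b / jz L0 / swapgs / L0: */
    if (unconditional || cpl != 0) swapgs(&c);

    struct sim_result r;
    const struct percpu *pc = percpu_via_gs(&c);
    r.handler_saw_kernel_gs = (pc != NULL && pc->kernel_rsp == KERNEL_STACK);

    /* Exit: swapgs only when returning to a ring-3 thread, then iretq. */
    if (unconditional || cpl != 0) swapgs(&c);
    r.gs_restored = (c.gs_base == before);
    return r;
}

int main(void) {
    struct sim_result a = simulate(0x33, false); /* RPL 3 selector, CS checked */
    struct sim_result b = simulate(0x10, false); /* RPL 0 selector, CS checked */
    struct sim_result d = simulate(0x10, true);  /* RPL 0 selector, blind swapgs */
    printf("from ring3, checked: kernel gs in handler=%d restored=%d\n", a.handler_saw_kernel_gs, a.gs_restored);
    printf("from ring0, checked: kernel gs in handler=%d restored=%d\n", b.handler_saw_kernel_gs, b.gs_restored);
    printf("from ring0, blind  : kernel gs in handler=%d restored=%d\n", d.handler_saw_kernel_gs, d.gs_restored);
    return 0;
}
```

The third line of output is the point of the model: a handler that swaps without testing CS restores GS correctly on the way out, so the damage is invisible afterwards, but everything it read through gs while it ran came from the ring-3 block.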
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17348
Location: In your JS exploiting you and your system
Azu wrote:
Right.. coming from the guy who couldn't find it either. Razz
Haha, if you look closely you will see that I linked "TFM" (the full manual), thus suggesting that you search for the full manual. Searching naively for 'swapgs' is only likely to find pages where someone has used it in some code somewhere, hardly likely to give you a detailed description of what it does.
Post 04 Sep 2009, 10:32
Azu



Joined: 16 Dec 2008
Posts: 1159
Ah. I thought you were referring to Google as the manual (since you made a link to Google called TFM), and suggesting I search for the instruction in it. Razz

I got kind of frustrated by that since I already searched for the instruction in it.


I'm sorry for misinterpreting you.
Post 04 Sep 2009, 10:34
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17348
Location: In your JS exploiting you and your system
Post 04 Sep 2009, 10:42
Azu



Joined: 16 Dec 2008
Posts: 1159
I'll search longer before asking here next time. Embarassed
Post 04 Sep 2009, 10:45