flat assembler
Message board for the users of flat assembler.

Index > Compiler Internals > Bug in mov to/from control register

Author
Thread Post new topic Reply to topic
CandyMan



Joined: 04 Sep 2009
Posts: 413
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 02 Mar 2020, 21:23
Code:
        use32
        mov     eax,cr8         ;\ fasm 1.73.22 generates the same code
        mov     eax,cr9         ;/
        mov     cr8,eax         ;\ same as above
        mov     cr9,eax         ;/    

_________________
smaller is better
Post 02 Mar 2020, 21:23
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8351
Location: Kraków, Poland
Tomasz Grysztar 02 Mar 2020, 21:38
Probably CR9 should not be allowed at all here. Looking at recent AMD manuals I see that only CR8 has ever been documented for F0-prefixed variant.
Post 02 Mar 2020, 21:38
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 02 Feb 2023, 10:20
Intel manuals mention that cr8 is not encodable in 32-bit mode.

https://www.felixcloutier.com/x86/mov-1
Post 02 Feb 2023, 10:20
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8351
Location: Kraków, Poland
Tomasz Grysztar 02 Feb 2023, 10:29
That's because this is an AMD-specific feature.
AMD64 Architecture Programmer’s Manual Volume 3 wrote:
CR8 can be read and written in 64-bit mode, using a REX prefix. CR8 can be read and written in all modes using a LOCK prefix instead of a REX prefix to specify the additional opcode bit. To verify whether the LOCK prefix can be used in this way, check for support of this feature. CPUID Fn8000_0001_ECX[AltMovCr8] = 1, indicates that this feature is supported.
Post 02 Feb 2023, 10:29
View user's profile Send private message Visit poster's website Reply with quote
Roman



Joined: 21 Apr 2012
Posts: 1766
Roman 02 Feb 2023, 12:05
Windows 10 CPU AMD Ryzen 3500
I try this. Fasmw 1.73 compiled ok.
Code:
lock mov rax,cr15 ;this crash. IDA Pro show priveleged instruction
mov rax,cr15 ;this crash.
mov     rax,cr0  ;funny IDA Pro show mov     rax,cr8d
    
Post 02 Feb 2023, 12:05
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 02 Feb 2023, 12:43
All the CR0...CR15 require PL=0.

You need kernel code to execute them. And CR15 doesn't exist anyway, so even PL=0 isn't going to work for that.
Post 02 Feb 2023, 12:43
View user's profile Send private message Visit poster's website Reply with quote
Roman



Joined: 21 Apr 2012
Posts: 1766
Roman 02 Feb 2023, 17:27
What is PL = 0?
How set PL to 0 ?
Post 02 Feb 2023, 17:27
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 02 Feb 2023, 17:36
Privilege level 0. The kernel code.

If you use Windows then you need a kernel mode driver. Or hack the kernel binaries.

You can't get there from user code, unless you can find a vulnerability.
Post 02 Feb 2023, 17:36
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.