flat assembler
Message board for the users of flat assembler.
Index
> OS Construction > long mode, NULL ss |
Author |
|
ouadji 06 Mar 2010, 22:56
Perhaps an answer here :
Intel 3A/5.8.5 : Stack Switching "Whenever a call gate is used to transfer program control to a more privileged ... .... the processor automatically switches .... etc" Intel 3A/5.8.5.1 : Stack Switching in 64-bit Mode "The new SS is set to NULL in order to handle nested far transfers ... etc" ... "On the subsequent RETF, the NULL SS on the stack acts as a flag to tell the processor not to load a new SS descriptor ..... etc " ... Intel books |
|||
06 Mar 2010, 22:56 |
|
a115433 06 Mar 2010, 23:17
so performance is the answer.
retf return always to higher privilege. cpu null ss anyway, as any other segment register wich is loaded with less priviliged data! could you tell me the exact reason, why they did that? or it was just an random decission? why then cpu loads RSP from TSS? |
|||
06 Mar 2010, 23:17 |
|
ouadji 06 Mar 2010, 23:29
5.8.6 : Returning from a Called Procedure The RET instruction can be used to perform - a near return, - a far return at the same privilege level - a far return to a different privilege level 1. / 2. /3. 4. : (If the return requires a privilege level change.) Loads the SS and ESP registers with the saved SS and ESP values and switches ... etc ... here too, in the same book (3A) Table 5-2. 64-Bit-Mode Stack Layout After CALLF with CPL Change you should read yourself the intel doc, it's very interesting. Intel books |
|||
06 Mar 2010, 23:29 |
|
a115433 07 Mar 2010, 11:26
tell me something i dont know.
or never mind, you dont know either i guess. |
|||
07 Mar 2010, 11:26 |
|
ouadji 07 Mar 2010, 11:59
Quote:
everything you are looking for is in the Intel book. |
|||
07 Mar 2010, 11:59 |
|
a115433 07 Mar 2010, 12:31
Quote: When stacks are switched as part of a 64-bit mode privilege-level change through a yes i know it but WHY? why disconnest RSP rfom SS in manner of switching?! Quote: The new SS is set to NULL in order to handle how does value of SS affect nested transfers? i dont get it, when i issue int/call/interrupt, ss should be ALWAYS (in 64 bit mode not only when cpl change) pushed along with RSP. Quote: On the subsequent RETF, the NULL SS on the stack acts as a flag to does it mean, when i return from something and ss is null, i may keep it? returning is always to more priviliged area, so its kernel > user. kernel set SS to for example kernel only segment with DPL = 0, and then it pass down via ret unmodified segment register. what will happen? i can access kernel segment from userland! remember that cpl is onlr checked when loading segment register! i have full access to kernel segment! of course if its in flat mode there is no danger. now lets think is it possible for userland app to push null ss. user code (ss != 0) is interrupted by something. ss = 0, ss on stack = old ss wich is != 0. interrupt happend with CPL = 2. next interrupt occur, with CPL = 0. null ss is pushed on stack. ring0 code load special secret descriptor into ss, and return to higher, cpl = 2. ss on stack was 0, so now ring2 can access ring0 data. great. did i just found a bug? |
|||
07 Mar 2010, 12:31 |
|
ouadji 07 Mar 2010, 12:42
yes i know it, but WHY ? ok, i understand, i don't know "why" either. a bug ? it is not impossible, but it would surprise me. (sorry, my english is bad, i do my best) |
|||
07 Mar 2010, 12:42 |
|
a115433 07 Mar 2010, 13:40
ive noticed long mode enforce flat memory model in few ways.
this 'bug' might be 1 of those ways. if only ring 0 and 3 are used, its ok. |
|||
07 Mar 2010, 13:40 |
|
baldr 07 Mar 2010, 15:25
a115433,
Interrupt/exception handler returns with iret, AFAIK. Loading ss with NULL by retf/iret when 64-bit target CPL<3 simply does not cause descriptor load (and #GP thereof). Access via NULL ss still causes exception afterward. |
|||
07 Mar 2010, 15:25 |
|
a115433 07 Mar 2010, 15:37
Quote: Loading ss with NULL by retf/iret when 64-bit target CPL<3 simply does not cause descriptor load (and #GP thereof). code is in cpl = 3. it escalate to cpl = 2 via call gate. stack: ss rsp rflags cs rip code is now in cpl = 2, with RSP from TSS. ss is null, in order to use any stack operations it has to load it. before loading ss exception fires, lets say clock. ss is 0, and #GP fires instead. ss is still 0, so #GP cant continue, and another #GP fires. this continue untill machine is physicly RESET. |
|||
07 Mar 2010, 15:37 |
|
baldr 07 Mar 2010, 17:26
a115433,
Why #GP fires when clock interrupt occurs? Ring 2 code isn't established valid stack segment selector yet, but processor interrupt handling doesn't use ss anyway, it uses proper ring stack (corresponding to handler's code segment DPL) to save registers. NULL ss disallows your code to access data via it, not processor itself (as it does even before ring 2 code begins execution). |
|||
07 Mar 2010, 17:26 |
|
a115433 07 Mar 2010, 17:41
it uses proper ring stack (corresponding to handler's code segment DPL) to save registers.
you mean it take rsp from IST, and bypass SS? so, reason for passing null stack is just to make me add code to load ss? there must be a reason! |
|||
07 Mar 2010, 17:41 |
|
baldr 07 Mar 2010, 19:10
a115433,
Yes, from RSP0…2 (or IST if told to do so). 64-bit TSS doesn't contain selectors for stack segment, can you propose any other reasonable value to load into ss when privilege level changes? |
|||
07 Mar 2010, 19:10 |
|
a115433 07 Mar 2010, 20:20
right i get it now.
ss and rsp both must be changed, and zeroing ss is just a consequence of lack ss's in TSS. oh well, i guess its the end of this thread, all secrets solved. |
|||
07 Mar 2010, 20:20 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.