flat assembler
Message board for the users of flat assembler.

Index > OS Construction > switching to ring3

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 10 Feb 2010, 11:20
im having problems switching from ring0 to ring3.

when i enter protected mode, my cpl = 0.
i setup GDT with 4 entries.
0, code, data, tss.

in tss i put valid address in esp0, and data selector in ss0.

i load this tss selector using ltr. where do i put ring3 esp/ss?

now i want to switch my cpl to 3. what do i do?
i cant call/jmp any higher segment, its impossible. if i call interrupt, it also must point to equal or lower privilege. it seems i stuck. i cant directly modify cpl, and i cant call anything higher using it.

how do i switch to ring3 then? what do i do?
Post 10 Feb 2010, 11:20
View user's profile Send private message Reply with quote
egos



Joined: 10 Feb 2009
Posts: 144
egos 10 Feb 2010, 12:54
Firstly, look at Intel manuals.

Then add to GDT code & data segment descriptors for user mode (with DPL=3) and jump to user code by retf (or iret) instruction with proper code & data segment selectors (with RPL=3) stored in the stack.
Post 10 Feb 2010, 12:54
View user's profile Send private message Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 10 Feb 2010, 13:49
doesnt work.
iret only want to return to equal cpl.

Bochs is exiting with the following message:
[CPU0 ] check_cs(0x0018): conforming code seg descriptor dpl > cpl, dpl=3, cpl=0

could you give me simple example of calling code in ring3 from ring0?
Post 10 Feb 2010, 13:49
View user's profile Send private message Reply with quote
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji 10 Feb 2010, 15:12

a Call Gate ?

_________________
I am not young enough to know everything (Oscar Wilde)- Image
Post 10 Feb 2010, 15:12
View user's profile Send private message Send e-mail Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 10 Feb 2010, 15:27
Please dont throw random terms at me.


Im really confused about this gdt/idt stuff. Well 30 years of backward compatibility is not easy to learn.

gdt has 1 special bit, wich define if the segment is code/data, or special segment such as call gate.

Quote:
The DPL field indicates the
privilege level of the call gate, which in turn is the privilege level required to access
the selected procedure through the gate.

so what, i want to change my CPL to HIGHER (ring0 to ring3). Why must i go through DPL?


Please give me sample code of calling something at diffrent ring, and i will be ok.


Is call gate only way to lower CPL? i dont think so, every time i return from interrupt its ring0 > ring3. What am i missing?
Post 10 Feb 2010, 15:27
View user's profile Send private message Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 10 Feb 2010, 15:35
i get it now
Quote:
For example, in Figure 5-15, call gate A has a DPL of 3. So calling procedures at
all CPLs (0 through 3) can access this call gate, which includes calling procedures in
code segments A, B, and C. Call gate B has a DPL of 2, so only calling procedures at
a CPL or 0, 1, or 2 can access call gate B, which includes calling procedures in code


but what about iret/retf? it works under all OS, why not for me? Sad
Post 10 Feb 2010, 15:35
View user's profile Send private message Reply with quote
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji 10 Feb 2010, 17:02

"Call gate", a random term ?

http://www.ivanlef0u.tuxfamily.org/?p=86 <--- in French, but very interesting!

http://www.intel.com/Assets/PDF/manual/253668.pdf <-- (Intel book 3A) page 5-22 (chap 5.8.4)


_________________
I am not young enough to know everything (Oscar Wilde)- Image
Post 10 Feb 2010, 17:02
View user's profile Send private message Send e-mail Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 10 Feb 2010, 17:30
asmmsa

Several conditions have to be met:
1. RPL of selector on stack should be not less than CPL (i.e. same or less-privileged).
2. DPL of it's descriptor should be not greater than RPL of selector on stack (or equal if that segment is not conforming).

These conditions are mirrored conditions for inter-privilege-level call/jmp (RPL of selector on stack was CPL of caller).

Can you show a sample of failing code? Value of selector in cs and on stack, and corresponding segment descriptor — that would be enough.
Post 10 Feb 2010, 17:30
View user's profile Send private message Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 10 Feb 2010, 20:08
i know this code is *SIMPLE* but its just a test, i wont make os like that.
its just testing things, nothing serious.
Code:
use16
org 0x7C00

lgdt fword [gdt] ;load GDTR, will setup table later

mov eax,cr0
inc al
mov cr0,eax
jmp 0x0008:start ;flush CS cache and reset it



use32 ;now cpu in protected mode mode
start:


mov ax,0x0010 ;data segment
mov ds,ax

mov eax,TSS_DATA ;TSS

mov word [TSS+2],ax ;i hope i didnt mixed this up
ror eax,16
mov byte [TSS+4],al
mov byte [TSS+7],ah

ror eax,16

mov dword [eax+0x04],0 ;esp0, 0 is valid address used by ivt.
mov word [eax+0x0A],0x0010 ;ss0, i use ring0 r/w selector
mov dword [eax+0x38],0 ;esp ring3. i can use same stack for both
mov word [eax+0x52],0x0020 ;ss ring3


mov ax,0x0028
ltr ax ;load TR. note that bochs doesnt throw error here. load success.



push 0x0018 ;ring3
push ring3_eip
retf ;fucked Sad
;
;Bochs is exiting with the following message:
;[CPU0 ] check_cs(0x0018): non-conforming code seg descriptor dpl != cpl, dpl=3, cpl=0
;
;or, i know that conforming has nothing to do with it....
;
;Bochs is exiting with the following message:
;[CPU0 ] check_cs(0x0018): conforming code seg descriptor dpl > cpl, dpl=3, cpl=0
;
;




ring3_eip:

mov word [0x000b8000],0x0F40 ;simple test to check if i made it here







cli
hlt














gdt:
dw 47
dd gdttable

gdttable:
dq 0 ;0
execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8
read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10
ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111100b, 11001111b, 0x00 ;18
ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20
TSS db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11101001b, 10001111b, 0x00 ;28

TSS_DATA:
rb 0x64


db 510 - ($ - $$) dup 0, 0x55, 0xAA
   
    
Post 10 Feb 2010, 20:08
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 10 Feb 2010, 20:17
asmmsa,

0x0018 is ring 0 selector (RPL==0).
Ring 3 selector for ring3_execute descriptor and corresponding segment is 0x001B.
Post 10 Feb 2010, 20:17
View user's profile Send private message Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 10 Feb 2010, 21:50
this code was wrong very


Last edited by asmmsa on 10 Feb 2010, 22:59; edited 1 time in total
Post 10 Feb 2010, 21:50
View user's profile Send private message Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 10 Feb 2010, 22:59
Code:
use16
org 0x7C00

lgdt fword [gdt]

mov eax,cr0
inc al
mov cr0,eax
jmp 0x0008:start



use32
start:


mov ax,0x0010
mov ds,ax
mov ss,ax
mov esp,stack0



mov eax,TSS_DATA

mov word [TSS+2],ax
ror eax,16
mov byte [TSS+4],al
mov byte [TSS+7],ah
ror eax,16

mov dword [eax+0x38],stack3
mov word [eax+0x52],0x0023
mov dword [eax+0x04],stack0
mov word [eax+0x0A],0x0010




mov ax,0x0028
ltr ax


push 0x00000023
push stack3
push 0x0000001B
push ring3_eip
retf





ring3_eip:

mov word [0x000b8000],0x0F40



jmp $

cli
hlt









gdt:
dw 47
dd gdttable

gdttable:
dq 0 ;0
execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8
read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10
ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111000b, 11001111b, 0x00 ;18
ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20
TSS db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11101001b, 10001111b, 0x00 ;28

TSS_DATA:
rb 0x64

rb 0x20
stack0:

rb 0x20
stack3:

db 510 - ($ - $$) dup 0, 0x55, 0xAA
   
    


ive managed to write this. strictly by the manual, still doesnt work.
im getting general protection fault.
WTF! tell me thats wrong, i have no basic understanding of that crap, i really dont know whats the diffrence between TSS based saving and pushing on stack!
Post 10 Feb 2010, 22:59
View user's profile Send private message Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 10 Feb 2010, 23:26
ok i did it.

forgot that DS is nullified when changing privileges, so i was making null ds write.
overriden with ss and works fine!

thx for he... umm take that back, i did it myself.
Post 10 Feb 2010, 23:26
View user's profile Send private message Reply with quote
Coddy41



Joined: 18 Jan 2009
Posts: 384
Location: Ohio, USA
Coddy41 10 Feb 2010, 23:33
> thx for he... umm take that back, i did it myself.

Are you sure? It looks like allot of help was given...

_________________
Want hosting for free for your asm project? You can PM me. (*.fasm4u.net)
Post 10 Feb 2010, 23:33
View user's profile Send private message Visit poster's website Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 11 Feb 2010, 12:30
can you point me where in intel manuals is descriptopn of TSS entry in GDT?
i cant find it, and interrupt from ring0 to ring3 ends with 'ss selector null' even if i have TSS loaded into TR and it has ss0 and esp0 valid.
Post 11 Feb 2010, 12:30
View user's profile Send private message Reply with quote
asmmsa



Joined: 06 Feb 2010
Posts: 45
asmmsa 11 Feb 2010, 12:44
never mind, it was my fault as always.
some ASSHOLE put offsets in idffrent order on osdev, ss0 is under 0x08 not 0x0A.

memory grows this >>>>> way in little endian, not <<< that way, remember that plz.
left is >>>>, right is <<<<<. its easier for notation.
when you erite db 0,1,2, 2 is most significant, most left.


Code:
use16
org 0x7C00

lgdt fword [gdt]
lidt fword [idt]

mov eax,intt
mov word [ido1],ax
shr eax,16
mov word [ido2],ax

mov eax,cr0
inc al
mov cr0,eax
jmp 0x0008:start



use32
start:


mov ax,0x0010
mov ds,ax
mov ss,ax
mov esp,stack0



mov eax,TSS_DATA
mov word [TSS],104
mov word [TSS+2],ax
ror eax,16
mov byte [TSS+4],al
mov byte [TSS+7],ah
ror eax,16

mov dword [eax+4],stack0
mov word [eax+8],0x0010






mov ax,0x0028
ltr ax


push 0x00000023
push stack3
push 0x0000001B
push ring3_eip
retf

;im in ring3 now, using 0x23 SS and stack3 esp.

ring3_eip:


xor al,al
idiv al

mov ecx,0x01000000
loopd $


cli ;exception because im in ring3
hlt


intt:

mov ax,0x10
mov ds,ax
mov word [ds:0x000b8000],0x0F40




iret






idt:
dw 15
dd idttable
idttable:
ido1 dw 0
dw 0x0008
db 0
db 10001111b
ido2 dw 0
dq 0


gdt:
dw 47
dd gdttable
gdttable:
dq 0 ;0
execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10011000b, 11001111b, 0x00 ;8
read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 10010010b, 11001111b, 0x00 ;10
ring3_execute db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11111000b, 11001111b, 0x00 ;18
ring3_read_write db 0xFF, 0xFF, 0x00, 0x00, 0x00, 11110010b, 11001111b, 0x00 ;20
TSS db 0x00, 0x00, 0x00, 0x00, 0x00, 11101001b, 10000000b, 0x00 ;28

TSS_DATA:
rd 26

rd 10
stack0:

rd 10
stack3:

db 510 - ($ - $$) dup 0, 0x55, 0xAA     

working code ring0>3>0 exception Smile


now, i wil ltry long mode.
i ve read about it, and have 1 question:
is it possible to enter long mode without paging?
Post 11 Feb 2010, 12:44
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20421
Location: In your JS exploiting you and your system
revolution 11 Feb 2010, 13:03
asmmsa wrote:
never mind, it was my fault as always.
some ASSHOLE put offsets in idffrent order on osdev, ss0 is under 0x08 not 0x0A.
Hehe, never blindly rely upon other people's code.
asmmsa wrote:

is it possible to enter long mode without paging?
No.
Post 11 Feb 2010, 13:03
View user's profile Send private message Visit poster's website Reply with quote
a115433



Joined: 05 Mar 2010
Posts: 144
a115433 05 Mar 2010, 17:50
ive lost pass to my previous account, but its still asmmsa

call gate cant be used to switch from ring0 to ring3.
only returns or propably a task switch
Post 05 Mar 2010, 17:50
View user's profile Send private message Reply with quote
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji 05 Mar 2010, 18:24

Quote:

call gate cant be used to switch from ring0 to ring3.
only returns or propably a task switch
of course it can.

CallGate allows the transfer between any privilege level.
ring3 to ring0, but also ring0 to ring 3

_________________
I am not young enough to know everything (Oscar Wilde)- Image
Post 05 Mar 2010, 18:24
View user's profile Send private message Send e-mail Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 05 Mar 2010, 19:06
ouadji,

Are you sure? I've skimmed Intel SDM on the call and jmp instructions, privilege level restrictions state quite contrary: jmp through call gate can't change CPL, same for call to conforming segment; non-conforming segment can't be less-privileged.
Post 05 Mar 2010, 19:06
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.