flat assembler
Message board for the users of flat assembler.

OS Construction: Page protection violation on user instruction fetch...
Adan 01 Nov 2008, 13:25
Hi all :), I have a little problem with a fragment of code that must run on RING 3. The problem is that after doing a jump from RING 0 to 3, I have a page protection violation after the first instruction fetch from that code in RING 3. I've checked all the paging perms stuff and it seems to be all right. The memory region where this code resides is mapped 1:1 in the kernel address space, but I'm not changing CR3 at all, so I suppose there is no problem with doing a privilege change keeping the same address space, am I right? Could anyone throw a hint on what's going on? Thanks in advance.
revolution 01 Nov 2008, 14:12
Post your code.
Adan 01 Nov 2008, 14:29
This is the privilege change fragment, sorry, all in Spanish:

Code:
        ;; Jump to DPL 3.
        ;;;;;;;;;;;;;;;;;
        ;; Map the page at 0xc00000 onto itself (1:1) with present, read/write
        ;; and user flags; K_Mapear_Marco_Pag takes its arguments on the stack.
        push    qword [val.__PRIM_pml4_addr]
        push    qword (PAG_PRESENTE | PAG_LEER_ESCR | PAG_USUARIO)
        push    qword 0xc00000
        push    qword 0xc00000
        call    K_Mapear_Marco_Pag
        ;; Copy the ring-3 code into the freshly mapped page.
        mov     rsi, codigo
        mov     rdi, 0xc00000
        mov     rcx, fin_codigo - codigo
        rep     movsb
        ;; Load the task register so ring 3 -> ring 0 transitions find RSP0.
        ltr     [info_TR]
        ;; Build the iretq frame: SS, RSP, RFLAGS, CS, RIP.
        push    SS_USUARIO64
        push    0xc00600                ;; RSP
        push    0x3000                  ;; RFLAGS (IOPL=3, IF=0: interrupts stay off in ring 3)
        push    CS_USUARIO64
        push    0xc00000                ;; RIP
        iretq

codigo:
        mov     rax, 1
        jmp     codigo
fin_codigo:



This is the rest:

Code:

;; TSS for the kernel.
;;;;;;;;;;;;;;;;;;;;;
TSS0:
        dd 0                                    ;; 0..31 reserved.

        dd fin_pila_kernel_tareas               ;; RSP0 0..31 (stack used on ring 3 -> ring 0 entry).
        dd 0                                    ;; RSP0 32..63.

        dd 0                                    ;; RSP1 0..31.
        dd 0                                    ;; RSP1 32..63.

        dd 0                                    ;; RSP2 0..31.
        dd 0                                    ;; RSP2 32..63.

reservado_a_0:
        ;; Rest of the 104-byte 64-bit TSS (IST1..7, I/O map base) zeroed.
        times GDT_TAM_TSS - (reservado_a_0 - TSS0) db 0

fin_TSS0:

;; Value for TR (offset of the TSS descriptor within the GDT).
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
info_TR:
        dw SEL_TSS0_KERNEL64

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;; Global segment descriptor table (64-bit GDT).
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GDT64:

        ;; 0x00
        CREAR_DESCRIPTOR_GDT nulo64, 0, 0, 0, 0, 0, 0
        ;; 0x08
        CREAR_DESCRIPTOR_GDT descr_cod_kernel64, GDT_LIMITE_4GB_015, 0, 0, \
                GDT_CODIGO | GDT_SEG_APLICAC | GDT_DPL0 | GDT_SEG_PRESENTE, \
                GDT_LIMITE_4GB_1619 | GDT_MODO_64BIT | GDT_LIMITE_EN_PAGINAS, 0
        ;; 0x10
        CREAR_DESCRIPTOR_GDT descr_dat_kernel64, GDT_LIMITE_4GB_015, 0, 0, \
                GDT_DATOS | GDT_DAT_LEER_ESCR | GDT_SEG_APLICAC | GDT_DPL0 | GDT_SEG_PRESENTE, \
                GDT_LIMITE_4GB_1619 | GDT_MODO_64BIT | GDT_LIMITE_EN_PAGINAS, 0
        ;; 0x18
        CREAR_DESCRIPTOR_GDT descr_cod_usuario64, GDT_LIMITE_4GB_015, 0, 0, \
                GDT_CODIGO | GDT_SEG_APLICAC | GDT_DPL3 | GDT_SEG_PRESENTE, \
                GDT_LIMITE_4GB_1619 | GDT_MODO_64BIT | GDT_LIMITE_EN_PAGINAS, 0
        ;; 0x20
        CREAR_DESCRIPTOR_GDT descr_dat_usuario64, GDT_LIMITE_4GB_015, 0, 0, \
                GDT_DATOS | GDT_DAT_LEER_ESCR | GDT_SEG_APLICAC | GDT_DPL3 | GDT_SEG_PRESENTE, \
                GDT_LIMITE_4GB_1619 | GDT_MODO_64BIT | GDT_LIMITE_EN_PAGINAS, 0
        ;; 0x28: TSS0 descriptor slot (a 64-bit TSS descriptor occupies 16 bytes).
        times GDT_TAM_TSS db 0                  ;; Initialized before.
finGDT64:

;; Value for GDTR.
;;;;;;;;;;;;;;;;;;
info_GDT64:

        dw      finGDT64 - GDT64 - 1            ;; GDT limit.
        dd      GDT64                           ;; GDT address (lgdt executed in 64-bit mode reads an 8-byte base, i.e. dq).



And some constants:

Code:
%define CS_USUARIO64            0x1b    ;; GDT offset 0x18 | RPL 3
%define SS_USUARIO64            0x23    ;; GDT offset 0x20 | RPL 3
%define SEL_TSS0_KERNEL64       0x28
%define GDT_TAM_TSS             0x68    ;; 104-byte 64-bit TSS

revolution 01 Nov 2008, 14:47
What about the page tables for 0xc00000, are they set for executable and writeable/readable? Have you flushed the cache after setting the page tables?
Adan 01 Nov 2008, 15:55
I've set up (USER | PRESENT | RW | EXEC) perms for the entry in the page table of the lowest level; would it be necessary to apply the same perms through all the hierarchy starting from the PML4 entry? I think it would be incorrect, as it would change perms in other branches of the paging structs tree, and that's not good. I'm a little confused... (I've already flushed the cache.)
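The question raised in the post above, whether the user bit must be set at every level of the hierarchy, is exactly what decides whether a ring-3 fetch faults. As an added illustration that is not code from the thread, this C model walks the four entries that map one linear address the way the CPU combines their bits (U/S and R/W are ANDed down the walk, XD is ORed) and reports whether an instruction fetch from ring 3 would raise #PF. The sample entries are constructed, and the bit names, struct and helper names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bits shared by PML4E, PDPTE, PDE and PTE in x86-64 4-level paging. */
#define PG_P   (1ULL << 0)   /* present */
#define PG_RW  (1ULL << 1)   /* writable */
#define PG_US  (1ULL << 2)   /* user-mode accessible */
#define PG_PS  (1ULL << 7)   /* 1 GiB / 2 MiB page; PDPTE and PDE only */
#define PG_NX  (1ULL << 63)  /* execute-disable; honoured when EFER.NXE=1 */
#define KERN_RW (PG_P | PG_RW)          /* ring-0 only, read/write */
#define USER_RW (PG_P | PG_RW | PG_US)  /* ring-3 accessible, read/write */
typedef struct {
    bool present;     /* every entry consulted was present */
    bool user;        /* U/S set on every entry consulted */
    bool writable;    /* R/W set on every entry consulted */
    bool executable;  /* XD clear on every entry consulted */
} walk_result;

/* e[0..3] = PML4E, PDPTE, PDE, PTE for one linear address. The CPU ANDs U/S and
 * R/W down the walk and ORs XD, so one supervisor-only entry locks ring 3 out. */
walk_result walk(const uint64_t e[4]) {
    walk_result r = { true, true, true, true };
    for (int i = 0; i < 4; i++) {
        if (!(e[i] & PG_P)) { r.present = false; break; }
        if (!(e[i] & PG_US)) r.user = false;
        if (!(e[i] & PG_RW)) r.writable = false;
        if (e[i] & PG_NX)    r.executable = false;
        if ((i == 1 || i == 2) && (e[i] & PG_PS)) break;  /* large page: walk ends */
    }
    return r;
}

/* Would the first instruction fetch after iretq to ring 3 raise #PF here? */
bool user_fetch_faults(const uint64_t e[4]) {
    walk_result r = walk(e);
    return !r.present || !r.user || !r.executable;
}

/* Constructed sample walks (PML4E, PDPTE, PDE, PTE), not real page tables. */
const uint64_t kOnlyPteUser[4] = { KERN_RW, KERN_RW, KERN_RW, USER_RW };         /* U/S only in the PTE */
const uint64_t kAllUser[4]     = { USER_RW, USER_RW, USER_RW, USER_RW };         /* U/S at every level */
const uint64_t kUserButNx[4]   = { USER_RW, USER_RW, USER_RW, USER_RW | PG_NX }; /* user, but XD set */
int main(void) {
    printf("U/S only in PTE  : %s\n", user_fetch_faults(kOnlyPteUser) ? "#PF" : "ok");
    printf("U/S at all levels: %s\n", user_fetch_faults(kAllUser) ? "#PF" : "ok");
    printf("user but XD set  : %s\n", user_fetch_faults(kUserButNx) ? "#PF" : "ok");
    return 0;
}
```

Setting U/S on the upper-level entries does not by itself expose other branches: each lower-level entry still needs its own U/S bit before ring 3 can touch the pages under it.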
revolution 01 Nov 2008, 17:15
When I say cache I also mean things like BTB and TLBs. Changing page tables can be tricky sometimes.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.