Volume 3A System Programming Guide, Part 1 (794103), page 45
Vol. 3 4-13 PROTECTION

The following methods of accessing data in code segments are possible:
• Load a data-segment register with a segment selector for a nonconforming, readable, code segment.
• Load a data-segment register with a segment selector for a conforming, readable, code segment.
• Use a code-segment override prefix (CS) to read a readable, code segment whose selector is already loaded in the CS register.
The same rules for accessing data segments apply to method 1.
Method 2 is always valid because the privilege level of a conforming code segment is effectively the same as the CPL, regardless of its DPL. Method 3 is always valid because the DPL of the code segment selected by the CS register is the same as the CPL.

4.7 PRIVILEGE LEVEL CHECKING WHEN LOADING THE SS REGISTER

Privilege level checking also occurs when the SS register is loaded with the segment selector for a stack segment. Here all privilege levels related to the stack segment must match the CPL; that is, the CPL, the RPL of the stack-segment selector, and the DPL of the stack-segment descriptor must be the same. If the RPL and DPL are not equal to the CPL, a general-protection exception (#GP) is generated.

4.8 PRIVILEGE LEVEL CHECKING WHEN TRANSFERRING PROGRAM CONTROL BETWEEN CODE SEGMENTS

To transfer program control from one code segment to another, the segment selector for the destination code segment must be loaded into the code-segment register (CS). As part of this loading process, the processor examines the segment descriptor for the destination code segment and performs various limit, type, and privilege checks. If these checks are successful, the CS register is loaded, program control is transferred to the new code segment, and program execution begins at the instruction pointed to by the EIP register.
Program control transfers are carried out with the JMP, CALL, RET, SYSENTER, SYSEXIT, INT n, and IRET instructions, as well as by the exception and interrupt mechanisms.
Exceptions, interrupts, and the IRET instruction are special cases discussed in Chapter 5, “Interrupt and Exception Handling.” This chapter discusses only the JMP, CALL, RET, SYSENTER, and SYSEXIT instructions.
A JMP or CALL instruction can reference another code segment in any of four ways:
• The target operand contains the segment selector for the target code segment.
• The target operand points to a call-gate descriptor, which contains the segment selector for the target code segment.
• The target operand points to a TSS, which contains the segment selector for the target code segment.
• The target operand points to a task gate, which points to a TSS, which in turn contains the segment selector for the target code segment.
The following sections describe the first two types of references.
See Section 6.3, “Task Switching,” for information on transferring program control through a task gate and/or TSS.
The SYSENTER and SYSEXIT instructions are special instructions for making fast calls to and returns from operating system or executive procedures. These instructions are discussed briefly in Section 4.8.7, “Performing Fast Calls to System Procedures with the SYSENTER and SYSEXIT Instructions.”

4.8.1 Direct Calls or Jumps to Code Segments

The near forms of the JMP, CALL, and RET instructions transfer program control within the current code segment, so privilege-level checks are not performed. The far forms of the JMP, CALL, and RET instructions transfer control to other code segments, so the processor does perform privilege-level checks.
When transferring program control to another code segment without going through a call gate, the processor examines four kinds of privilege level and type information (see Figure 4-6):
• The CPL. (Here, the CPL is the privilege level of the calling code segment; that is, the code segment that contains the procedure that is making the call or jump.)
• The DPL of the segment descriptor for the destination code segment that contains the called procedure.
• The RPL of the segment selector of the destination code segment.
• The conforming (C) flag in the segment descriptor for the destination code segment, which determines whether the segment is a conforming (C flag is set) or nonconforming (C flag is clear) code segment. See Section 3.4.5.1, “Code and Data-Segment Descriptor Types,” for more information about this flag.
[Figure 4-6. Privilege Check for Control Transfer Without Using a Gate: the CPL from the CS register, the RPL from the segment selector for the code segment, and the DPL and C flag from the destination code-segment descriptor are the inputs to the privilege check.]
The rules that the processor uses to check the CPL, RPL, and DPL depend on the setting of the C flag, as described in the following sections.

4.8.1.1 Accessing Nonconforming Code Segments

When accessing nonconforming code segments, the CPL of the calling procedure must be equal to the DPL of the destination code segment; otherwise, the processor generates a general-protection exception (#GP).
For example in Figure 4-7:
• Code segment C is a nonconforming code segment. A procedure in code segment A can call a procedure in code segment C (using segment selector C1) because they are at the same privilege level (CPL of code segment A is equal to the DPL of code segment C).
• A procedure in code segment B cannot call a procedure in code segment C (using segment selector C2 or C1) because the two code segments are at different privilege levels.
[Figure 4-7. Examples of Accessing Conforming and Nonconforming Code Segments From Various Privilege Levels: code segment B (CPL=3) holds segment selectors D2 (RPL=3) and C2 (RPL=3); code segment A (CPL=2) holds segment selectors C1 (RPL=2) and D1 (RPL=2); code segment C is a nonconforming code segment with DPL=2; code segment D is a conforming code segment with DPL=1. Level 3 is the lowest privilege and level 0 the highest.]
The RPL of the segment selector that points to a nonconforming code segment has a limited effect on the privilege check. The RPL must be numerically less than or equal to the CPL of the calling procedure for a successful control transfer to occur.
So, in the example in Figure 4-7, the RPLs of segment selectors C1 and C2 could legally be set to 0, 1, or 2, but not to 3.
When the segment selector of a nonconforming code segment is loaded into the CS register, the privilege level field is not changed; that is, it remains at the CPL (which is the privilege level of the calling procedure). This is true, even if the RPL of the segment selector is different from the CPL.

4.8.1.2 Accessing Conforming Code Segments

When accessing conforming code segments, the CPL of the calling procedure may be numerically equal to or greater than (less privileged) the DPL of the destination code segment; the processor generates a general-protection exception (#GP) only if the CPL is less than the DPL.
(The segment selector RPL for the destination code segment is not checked if the segment is a conforming code segment.)
In the example in Figure 4-7, code segment D is a conforming code segment. Therefore, calling procedures in both code segment A and B can access code segment D (using either segment selector D1 or D2, respectively), because they both have CPLs that are greater than or equal to the DPL of the conforming code segment. For conforming code segments, the DPL represents the numerically lowest privilege level that a calling procedure may be at to successfully make a call to the code segment.
(Note that segment selectors D1 and D2 are identical except for their respective RPLs. But since RPLs are not checked when accessing conforming code segments, the two segment selectors are essentially interchangeable.)
When program control is transferred to a conforming code segment, the CPL does not change, even if the DPL of the destination code segment is less than the CPL. This situation is the only one where the CPL may be different from the DPL of the current code segment. Also, since the CPL does not change, no stack switch occurs.
Conforming segments are used for code modules such as math libraries and exception handlers, which support applications but do not require access to protected system facilities. These modules are part of the operating system or executive software, but they can be executed at numerically higher privilege levels (less privileged levels).
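Added example, not from the Intel manual: a small C model of the checks in Sections 4.7 and 4.8.1 (SS load, far JMP/CALL to a nonconforming or conforming code segment without a gate), exercised against the Figure 4-7 configuration. The descriptor struct holds only the DPL and C flag and is a constructed simplification, not the real descriptor layout.

```c
#include <stdbool.h>
#include <stdio.h>
/* Minimal descriptor view: only the fields the privilege checks read.
 * Constructed for this example; not the real 8-byte descriptor layout. */
typedef struct {
    unsigned dpl;      /* descriptor privilege level, 0..3 */
    bool conforming;   /* C flag of a code-segment descriptor */
} code_desc;
typedef struct {
    bool gp;           /* true: the processor would raise #GP */
    unsigned cpl;      /* CPL after the transfer (unchanged on #GP) */
} xfer_result;

/* Far JMP/CALL directly to a code segment (no gate), Sections 4.8.1.1-4.8.1.2.
 * cpl: privilege level of the calling code segment; rpl: RPL of the selector. */
xfer_result far_transfer(unsigned cpl, unsigned rpl, code_desc dst)
{
    xfer_result r = { true, cpl };
    if (dst.conforming) {
        /* Conforming: CPL may be numerically >= DPL; RPL is ignored.
         * CPL stays as it is even when the DPL is more privileged. */
        r.gp = cpl < dst.dpl;
    } else {
        /* Nonconforming: CPL must equal DPL and RPL must not exceed CPL.
         * The privilege level field loaded into CS remains the CPL. */
        r.gp = !(cpl == dst.dpl && rpl <= cpl);
    }
    return r;
}

/* Loading SS, Section 4.7: CPL, selector RPL and descriptor DPL must all match. */
bool ss_load_gp(unsigned cpl, unsigned rpl, unsigned dpl)
{
    return !(cpl == rpl && rpl == dpl);
}

int main(void)
{
    /* Figure 4-7: C is nonconforming with DPL=2, D is conforming with DPL=1. */
    const code_desc C = { 2, false }, D = { 1, true };
    xfer_result r;
    r = far_transfer(2, 2, C); /* A (CPL=2) -> C via C1 (RPL=2): allowed */
    printf("A->C via C1: %s\n", r.gp ? "#GP" : "ok");
    r = far_transfer(3, 3, C); /* B (CPL=3) -> C via C2 (RPL=3): CPL != DPL */
    printf("B->C via C2: %s\n", r.gp ? "#GP" : "ok");
    r = far_transfer(3, 3, D); /* B -> D via D2: allowed, CPL stays 3 */
    printf("B->D via D2: %s, CPL=%u\n", r.gp ? "#GP" : "ok", r.cpl);
    return 0;
}
```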