Volume 3A System Programming Guide, Part 1 (794103), page 46
Keeping the CPL at the level of a calling code segment when switching to a conforming code segment prevents an application program from accessing nonconforming code segments while at the privilege level (DPL) of a conforming code segment and thus prevents it from accessing more privileged data.

Most code segments are nonconforming. For these segments, program control can be transferred only to code segments at the same level of privilege, unless the transfer is carried out through a call gate, as described in the following sections.

4.8.2 Gate Descriptors

To provide controlled access to code segments with different privilege levels, the processor provides a special set of descriptors called gate descriptors. There are four kinds of gate descriptors:

• Call gates
• Trap gates
• Interrupt gates
• Task gates

Task gates are used for task switching and are discussed in Chapter 6, “Task Management”.
Trap and interrupt gates are special kinds of call gates used for calling exception and interrupt handlers. They are described in Chapter 5, “Interrupt and Exception Handling.” This chapter is concerned only with call gates.

4.8.3 Call Gates

Call gates facilitate controlled transfers of program control between different privilege levels. They are typically used only in operating systems or executives that use the privilege-level protection mechanism. Call gates are also useful for transferring program control between 16-bit and 32-bit code segments, as described in Section 16.4, “Transferring Control Among Mixed-Size Code Segments.”

Figure 4-8 shows the format of a call-gate descriptor. A call-gate descriptor may reside in the GDT or in an LDT, but not in the interrupt descriptor table (IDT).
It performs six functions:

• It specifies the code segment to be accessed.
• It defines an entry point for a procedure in the specified code segment.
• It specifies the privilege level required for a caller trying to access the procedure.
• If a stack switch occurs, it specifies the number of optional parameters to be copied between stacks.
• It defines the size of values to be pushed onto the target stack: 16-bit gates force 16-bit pushes and 32-bit gates force 32-bit pushes.
• It specifies whether the call-gate descriptor is valid.

[Figure 4-8. Call-Gate Descriptor. Bytes 7:4: Offset in Segment 31:16 (bits 31:16), P (bit 15), DPL (bits 14:13), Type = 0 1 1 0 0 (bits 12:8), bits 7:5 = 0 0 0, Param. Count (bits 4:0). Bytes 3:0: Segment Selector (bits 31:16), Offset in Segment 15:0 (bits 15:0). DPL = Descriptor Privilege Level; P = Gate Valid.]

The segment selector field in a call gate specifies the code segment to be accessed. The offset field specifies the entry point in the code segment.
This entry point is generally to the first instruction of a specific procedure. The DPL field indicates the privilege level of the call gate, which in turn is the privilege level required to access the selected procedure through the gate. The P flag indicates whether the call-gate descriptor is valid.
(The presence of the code segment to which the gate points is indicated by the P flag in the code segment’s descriptor.) The parameter count field indicates the number of parameters to copy from the calling procedure’s stack to the new stack if a stack switch occurs (see Section 4.8.5, “Stack Switching”). The parameter count specifies the number of words for 16-bit call gates and doublewords for 32-bit call gates.

Note that the P flag in a gate descriptor is normally always set to 1. If it is set to 0, a not present (#NP) exception is generated when a program attempts to access the descriptor.
The operating system can use the P flag for special purposes. For example, it could be used to track the number of times the gate is used. Here, the P flag is initially set to 0, causing a trap to the not-present exception handler. The exception handler then increments a counter and sets the P flag to 1, so that on returning from the handler, the gate descriptor will be valid.

4.8.3.1 IA-32e Mode Call Gates

Call-gate descriptors in 32-bit mode provide a 32-bit offset for the instruction pointer (EIP); 64-bit extensions double the size of 32-bit mode call gates in order to store 64-bit instruction pointers (RIP). See Figure 4-9:

• The first eight bytes (bytes 7:0) of a 64-bit mode call gate are similar but not identical to legacy 32-bit mode call gates. The parameter-copy-count field has been removed.
• Bytes 11:8 hold the upper 32 bits of the target-segment offset in canonical form. A general-protection exception (#GP) is generated if software attempts to use a call gate with a target offset that is not in canonical form.
• 16-byte descriptors may reside in the same descriptor table with 16-bit and 32-bit descriptors. A type field, used for consistency checking, is defined in bits 12:8 of the 64-bit descriptor’s highest dword (cleared to zero). A general-protection exception (#GP) results if an attempt is made to access the upper half of a 64-bit mode descriptor as a 32-bit mode descriptor.

[Figure 4-9. Call-Gate Descriptor in IA-32e Mode. Bytes 15:12: Reserved (bits 31:13), Type = 0 0 0 0 0 (bits 12:8), Reserved (bits 7:0). Bytes 11:8: Offset in Segment 63:32. Bytes 7:4: Offset in Segment 31:16 (bits 31:16), P (bit 15), DPL (bits 14:13), Type = 0 1 1 0 0 (bits 12:8), bits 7:5 = 0 0 0, bits 4:0 not used (parameter count removed). Bytes 3:0: Segment Selector (bits 31:16), Offset in Segment 15:0 (bits 15:0). DPL = Descriptor Privilege Level; P = Gate Valid.]

• Target code segments referenced by a 64-bit call gate must be 64-bit code segments (CS.L = 1, CS.D = 0). If not, the reference generates a general-protection exception, #GP (CS selector).
• Only 64-bit mode call gates can be referenced in IA-32e mode (64-bit mode and compatibility mode). The legacy 32-bit mode call gate type (0CH) is redefined in IA-32e mode as a 64-bit call-gate type; no 32-bit call-gate type exists in IA-32e mode.
• If a far call references a 16-bit call gate type (04H) in IA-32e mode, a general-protection exception (#GP) is generated.

When a call references a 64-bit mode call gate, actions taken are identical to those taken in 32-bit mode, with the following exceptions:

• Stack pushes are made in eight-byte increments.
• A 64-bit RIP is pushed onto the stack.
• Parameter copying is not performed.

Use a matching far-return instruction size for correct operation (returns from 64-bit calls must be performed with a 64-bit operand-size return to process the stack correctly).
4.8.4 Accessing a Code Segment Through a Call Gate

To access a call gate, a far pointer to the gate is provided as a target operand in a CALL or JMP instruction. The segment selector from this pointer identifies the call gate (see Figure 4-10); the offset from the pointer is required, but not used or checked by the processor. (The offset can be set to any value.)

When the processor has accessed the call gate, it uses the segment selector from the call gate to locate the segment descriptor for the destination code segment. (This segment descriptor can be in the GDT or the LDT.) It then combines the base address from the code-segment descriptor with the offset from the call gate to form the linear address of the procedure entry point in the code segment.

As shown in Figure 4-11, four different privilege levels are used to check the validity of a program control transfer through a call gate:

• The CPL (current privilege level).
• The RPL (requestor’s privilege level) of the call gate’s selector.
• The DPL (descriptor privilege level) of the call gate descriptor.
• The DPL of the segment descriptor of the destination code segment.

The C flag (conforming) in the segment descriptor for the destination code segment is also checked.

[Figure 4-10. Call-Gate Mechanism. The far pointer supplies a segment selector and an offset (required but not used by the processor); the selector indexes the call-gate descriptor in the descriptor table; the gate’s own segment selector locates the code-segment descriptor; the code segment’s base plus the gate’s offset gives the procedure entry point.]

[Figure 4-11. Privilege Check for Control Transfer with Call Gate. Inputs to the privilege check: CPL from the CS register, RPL from the call-gate selector, DPL of the call gate (descriptor), and DPL of the destination code-segment descriptor.]

The privilege checking rules are different depending on whether the control transfer was initiated with a CALL or a JMP instruction, as shown in Table 4-1.

Table 4-1. Privilege Check Rules for Call Gates

Instruction   Privilege Check Rules
CALL          CPL ≤ call gate DPL; RPL ≤ call gate DPL
              Destination conforming code segment DPL ≤ CPL
              Destination nonconforming code segment DPL ≤ CPL
JMP           CPL ≤ call gate DPL; RPL ≤ call gate DPL
              Destination conforming code segment DPL ≤ CPL
              Destination nonconforming code segment DPL = CPL

The DPL field of the call-gate descriptor specifies the numerically highest privilege level from which a calling procedure can access the call gate; that is, to access a call gate, the CPL of a calling procedure must be equal to or less than the DPL of the call gate.
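The rules of Table 4-1 as an added C example (not code from the manual), taking the four privilege levels of Figure 4-11 plus the destination’s C flag as inputs and reporting which rule a transfer fails. The function and enum names are this example’s own.

```c
#include <stdbool.h>

/* Outcome of the call-gate privilege check of Table 4-1. */
enum gate_check {
    GATE_OK,            /* transfer through the gate is permitted */
    GATE_FAIL_CPL,      /* CPL > call gate DPL: caller is less privileged than the gate allows */
    GATE_FAIL_RPL,      /* RPL > call gate DPL: the selector's RPL weakens the request */
    GATE_FAIL_DEST      /* destination code-segment DPL rule violated */
};

/*
 * is_call selects the CALL row of the table, otherwise the JMP row.
 * Numerically lower privilege level means more privileged (0 = most privileged).
 */
enum gate_check check_call_gate(bool is_call, unsigned cpl, unsigned rpl,
                                unsigned gate_dpl, unsigned dest_dpl, bool conforming)
{
    /* both rows: CPL <= call gate DPL; RPL <= call gate DPL */
    if (cpl > gate_dpl)
        return GATE_FAIL_CPL;
    if (rpl > gate_dpl)
        return GATE_FAIL_RPL;
    if (conforming)
        /* both rows: destination conforming code segment DPL <= CPL */
        return dest_dpl <= cpl ? GATE_OK : GATE_FAIL_DEST;
    if (is_call)
        /* CALL: destination nonconforming code segment DPL <= CPL (may enter a more privileged segment) */
        return dest_dpl <= cpl ? GATE_OK : GATE_FAIL_DEST;
    /* JMP: destination nonconforming code segment DPL = CPL (no privilege change through a JMP) */
    return dest_dpl == cpl ? GATE_OK : GATE_FAIL_DEST;
}

/* True when a permitted CALL enters a nonconforming segment more privileged than the caller,
 * i.e. the case in which the gate's DPL is the access control on that entry point. */
bool gate_elevates(unsigned cpl, unsigned dest_dpl, bool conforming)
{
    return !conforming && dest_dpl < cpl;
}
```

A gate with DPL 3 pointing at a ring-0 nonconforming segment is exactly the elevating case, so the procedure it names must validate every argument as untrusted input.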