1. The 80386 manual says it's possible to load DS with a selector of a readable, executable segment. It also says if it's a conforming segment, CPL doesn't have to be <= DPL. In this case I wonder what's the restriction for RPL?

2. For far JMP/CALL (not via gates, not to TSS), is RPL checked? The manual says no but my text book says yes.
Posted on 2003-03-27 04:42:17 by C.Z.
1.) Access to a conforming segment will lead to a #GP-exception if CPL < DPL. The code within such a conforming segment will run in same priv-level as the caller.

2.) Yes, of course. Access is always checked when selectors are involved! Only near CALLs/JMPs are 'for free' ;)
Posted on 2003-03-28 06:20:03 by aweX
1. I mean to load DS with code segment and read data in it.
From Intel's document:
The following methods of accessing data in code segments are possible:

1. Load a data-segment register with a selector of a nonconforming, readable, executable segment.
2. Load a data-segment register with a selector of a conforming, readable, executable segment.
3. Use a CS override prefix to read a readable, executable segment whose selector is already loaded in the CS register.

Case 2 is always valid because the privilege level of a segment whose conforming bit is set is effectively the same as CPL regardless of its DPL.


2.

As Figure 6-4 shows, two different privilege levels enter into a privilege check for a control transfer that does not use a call gate:

1. The CPL (current privilege level).
2. The DPL of the descriptor of the target segment.
So despite the manual saying something else, RPL is checked? Thanks!!
Posted on 2003-03-28 06:34:50 by C.Z.
Could you state an example? A scenario of code/data access, to show what you
are trying to do. I could then tell you more easily whether or not it'll fail.

Remember that RPL (Requestor Privilege Level) is ensured to be correct by the
operating system, which uses the ARPL instruction to adjust (overwrite)
the RPL of every caller to its actual CPL, which is - in turn - stored in bits 0 and 1 of the
caller-selector, residing on the stack (the return address to the caller!). If the OS didn't
do that, any ring3 code could call ring0 OS routines to read ring0 data by simply passing
an RPL of 0 in the call-selector.

aweX <-

BTW: Why is bomb01 standing in the forum overview as thread starter :confused:
Posted on 2003-03-28 07:58:11 by aweX
Sorry, but I forgot another important thing ( sorry, tired already :o )

Regarding RPL and CPL, only the lower priv-level of those two will
be checked against the DPL! So if CPL indicates ring3 and RPL indicates
ring2/1/0, CPL will be compared with DPL nevertheless.

HTH! :alright:


aweX <-
Posted on 2003-03-28 08:31:26 by aweX
Case 1:
CPL = 3; the second descriptor in GDT is "conforming" and "readable" and DPL = 0.
MOV AX, 0000000000001011B ; RPL = 3
MOV DS, AX

Case 2:
CPL = 0; the second descriptor in GDT is "conforming" and "readable" and DPL = 3.
MOV AX, 0000000000001011B ; RPL = 3
MOV DS, AX

Could you tell me whether it triggers GPF in each case?

> If the OS wouldn't do that, any ring3 code could call ring0 OS routines to read ring0 data by simply passing an RPL of 0 in the call-selector.

Well, since the caller's CPL is on the stack, why can't RING0 code check it first, to see if this CPL is allowed to access the data pointed to by the parameter?

Thanks for your time!!

I asked Hiro to change my user name after it's posted. bomb doesn't sound like fun now. :)
Posted on 2003-03-28 08:56:40 by C.Z.
I guess that, case 1 has no GPF but case 2 has. Since DPL will be overwritten with CPL even when loaded to DS/ES/FS/GS, "comparing RPL with DPL" becomes "comparing RPL with CPL". (yes I know hell well my guesses are 80% wrong. :grin: )
Hope to hear from you soon!
Posted on 2003-03-28 09:16:04 by C.Z.
Correct! Case 1 works, case 2 triggers #GP. Ring3 can access any conforming segment out there since ring3 is considered highest-privilege-level by conforming segments. So, for better understanding, I would first learn how the 'common' protection-mechanism works before dealing with specialities.
Still, I can't see the link between your example and your first post in this thread... data access is one thing, code access another.

Also you misunderstood something: of course DPL is always checked! The question is: against CPL or against RPL? The one with the lowest privilege-level (numerical: the highest ring-number) is taken for comparison with DPL. I hope you got it now.


C.Z. wrote:
> since caller's CPL is on the stack, why can't RING0 code check it at first,

Because privilege checking is done by the CPU. Why should we do it in our code? If there's unallowed data access, it'll trigger a GPF anyways. So just set CPL to the caller's CPL and see what happens :grin:


aweX <-
Posted on 2003-03-29 17:14:34 by aweX
Some further information about control transfers:

http://webster.cs.ucr.edu/Page_TechDocs/Doc386/s03_05.html

Would be nice to see you replying one day :cool:
Posted on 2003-04-10 03:31:08 by aweX
Hi hi aweX, shame on me for a late reply, but I'm still not clear about it even though I read the Intel doc and your link.
Yes I admit I gave the wrong example. :(

What I understand so far:
For direct jmp/call to a conforming seg, CPL must be >= DPL, and RPL isn't checked.
For accessing data in a conforming seg (load DS with code seg), CPL isn't checked.
What I don't have a clue about:
For accessing data in a conforming seg (load DS with code seg), what value should RPL be, without invoking GPF?

CPL = 3; the second descriptor in GDT is "conforming" and "readable" and DPL = 1.
MOV AX, 0000000000001011B ; RPL = 3
MOV DS, AX
CPL = 3; the second descriptor in GDT is "conforming" and "readable" and DPL = 1.
MOV AX, 0000000000001000B ; RPL = 0 (bits 0-1 of the selector clear)
MOV DS, AX

The RPLs differ, so which gives GPF?
Posted on 2003-04-10 06:58:10 by C.Z.
I don't know how I could have overlooked it but the problem here seems
to be that you don't know that there are no conforming data segments.

Also, you cannot load a data segment register (DS, ES, FS, GS, SS) with a
selector pointing to a code-segment descriptor. The type of a segment is
saved in its descriptor:

Code segment -> Sys/App-Bit = 1 , Bit #11 of 3rd descriptor-word = 1
Data segment -> Sys/App-Bit = 1 , Bit #11 of 3rd descriptor-word = 0

General rule for data access: CPL <= DPL
General rule for code access (control transfer): CPL == DPL


aweX <-
Posted on 2003-04-11 09:50:44 by aweX
> Also, you cannot load a data segment register (DS, ES, FS, GS, SS) with a
> selector pointing to a code-segment descriptor.

Yes it's possible, at least IA Software Developer's Manual, Volume 3 says so:

4.6.1. Accessing Data in Code Segments
In some instances it may be desirable to access data structures that are contained in a code segment. The following methods of accessing data in code segments are possible:
1. Load a data-segment register with a segment selector for a nonconforming, readable, code segment.
2. Load a data-segment register with a segment selector for a conforming, readable, code segment.
3. Use a code-segment override prefix (CS) to read a readable, code segment whose selector is already loaded in the CS register.
The same rules for accessing data segments apply to method 1. Method 2 is always valid because the privilege level of a conforming code segment is effectively the same as the CPL, regardless of its DPL. Method 3 is always valid because the DPL of the code segment selected by the CS register is the same as the CPL.
Posted on 2003-04-11 11:04:24 by C.Z.
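The data-register load rules quoted above (Method 1 follows the ordinary data-segment rule, Method 2 is always valid), together with aweX's "lower privilege of RPL and CPL is compared with DPL" rule and the descriptor bits he listed, as an added C simulation. This is not code from the thread, from Intel, or from any OS; the function names, the access-byte helper and the sample descriptors are constructed for the example, and the selectors are the ones posted earlier (0000000000001011B is 0x000B: GDT index 1, RPL 3). It runs the thread's Case 1, Case 2 and the two DPL 1 examples, plus nonconforming and plain data-segment cases where the RPL actually participates in the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the descriptor access byte (bits 8..15 of the third
   descriptor word): bit 7 = present, bits 6-5 = DPL, bit 4 = S (the
   "Sys/App" bit from the thread), bit 3 = code(1)/data(0), bit 2 =
   conforming (code) or expand-down (data), bit 1 = readable (code) or
   writable (data), bit 0 = accessed. */
typedef struct {
    bool is_code;      /* type bit 3 (bit 11 of the descriptor word) */
    bool conforming;   /* type bit 2, meaningful for code segments only */
    bool readable;     /* type bit 1, meaningful for code segments only */
    unsigned dpl;      /* descriptor privilege level, 0..3 */
} seg_desc;

seg_desc decode_access_byte(uint8_t access) {
    seg_desc d;
    d.is_code    = (access >> 3) & 1;
    d.conforming = d.is_code && ((access >> 2) & 1);
    d.readable   = d.is_code && ((access >> 1) & 1);
    d.dpl        = (access >> 5) & 3;
    return d;
}

/* Build a present, S=1 access byte (constructed helper for the examples). */
uint8_t access_byte(bool code, bool conforming, bool readable, unsigned dpl) {
    return (uint8_t)(0x80 | ((dpl & 3) << 5) | 0x10 |
                     (code ? 0x08 : 0) | (conforming ? 0x04 : 0) | (readable ? 0x02 : 0));
}

typedef enum { LOAD_OK, LOAD_GP } load_result;

/* Privilege check for MOV DS/ES/FS/GS, selector (SS is stricter: there the
   RPL and the DPL must both equal CPL). The selector's RPL is bits 0-1.
   - data segment or nonconforming readable code segment (Method 1):
       the lower privilege of CPL and RPL, i.e. max(CPL, RPL), must be <= DPL
   - conforming readable code segment (Method 2): always allowed
   - code segment that is not readable: #GP */
load_result check_load_data_seg(unsigned cpl, uint16_t selector, uint8_t access) {
    seg_desc d = decode_access_byte(access);
    unsigned rpl = selector & 3;
    if (d.is_code && !d.readable) return LOAD_GP;
    if (d.is_code && d.conforming) return LOAD_OK;
    unsigned effective = cpl > rpl ? cpl : rpl;   /* the less privileged of the two */
    return effective <= d.dpl ? LOAD_OK : LOAD_GP;
}

int main(void) {
    /* Constructed cases. 0x000B is the thread's 0000000000001011B (GDT index 1,
       RPL 3); 0x0008 is the same index with RPL 0. */
    struct { const char *what; unsigned cpl; uint16_t sel; uint8_t access; } cases[] = {
        { "Case 1: CPL 3, conforming readable, DPL 0, RPL 3", 3, 0x000B, access_byte(true,  true,  true, 0) },
        { "Case 2: CPL 0, conforming readable, DPL 3, RPL 3", 0, 0x000B, access_byte(true,  true,  true, 3) },
        { "CPL 3, conforming readable, DPL 1, RPL 3",         3, 0x000B, access_byte(true,  true,  true, 1) },
        { "CPL 3, conforming readable, DPL 1, RPL 0",         3, 0x0008, access_byte(true,  true,  true, 1) },
        { "CPL 3, nonconforming readable, DPL 0, RPL 3",      3, 0x000B, access_byte(true,  false, true, 0) },
        { "CPL 0, data segment, DPL 0, RPL 3 (RPL lowers the request)", 0, 0x000B, access_byte(false, false, true, 0) },
        { "CPL 0, data segment, DPL 0, RPL 0",                0, 0x0008, access_byte(false, false, true, 0) },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-62s -> %s\n", cases[i].what,
               check_load_data_seg(cases[i].cpl, cases[i].sel, cases[i].access) == LOAD_OK ? "loads" : "#GP");
    return 0;
}
```

Under the quoted manual rule every conforming-segment case loads without a fault, whatever the DPL or RPL; the RPL only matters for nonconforming code and data segments, where a ring-0 caller using a selector with RPL 3 is treated as a ring-3 request (the last two cases).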
Oops ... well so the whole mechanism of 'Aliasing' is completely useless, I see.

Ok, so after this round trip we're at the same point as in the beginning of this thread.
But now it's clear to me what your first two questions are about. That's indeed an
interesting topic, but I think the rules are self-explanatory.

It says that Methods 2 and 3 are always valid, so what about Method 1?
Well, it seems like we have to use the usual pmode rule for data access which is:

CPL <= DPL

Now since there is no OS or foreign code called which could do a ARPL, I'm sure that
RPL is not even looked at ... why should it? Since the current CPL is, in EVERY case, stored in
bits 0 and 1 of the current CS selector and the DPL is in the descriptor of the addressed Data-segment,
we can perfectly and easily compare it and check it against the above rule.

Also, your recent two examples are answered in the document here:

Method 2 is always valid because the privilege level of a conforming code segment is effectively the same as the CPL, regardless of its DPL.



aweX <-
Posted on 2003-04-11 12:13:53 by aweX
Thank you aweX! now I'm convinced RPL isn't checked in method 2. Doesn't have to be!

About method 1:
> Now since there is no OS or foreign code called which could do a ARPL, I'm sure that
> RPL is not even looked at ... why should it? Since the current CPL is, in EVERY case, stored in
> bits 0 and 1 of the current CS selector and the DPL is in the descriptor of the addressed Data-segment,
> we can perfectly and easily compare it and check it against the above rule.

I don't quite get it! If ring3 transfers via call gate to ring0 code, and with bad intent, a ring0 nonconforming code segment (which ring3 code can't access) selector is copied to ring0's stack, isn't it necessary to ARPL? :confused:

"The same rules for accessing data segments apply to method 1."
If as you said RPL isn't looked at, why does it say "rules"...


About aliasing: I think it's the only way around to write to code seg.
Posted on 2003-04-11 21:55:16 by C.Z.
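The second question from the first post (is RPL checked on a direct far JMP/CALL?) and the ARPL discussion running through the thread, as an added C example that is not code from the thread, from Intel, or from any OS. The far-transfer rules are those the Intel manual gives for direct calls and jumps that do not go through a gate: a nonconforming target requires CPL == DPL and RPL <= CPL, so the RPL is looked at there; a conforming target requires DPL <= CPL and the RPL is ignored. The kernel-service scenario is a constructed illustration of aweX's point about why an OS runs ARPL on a selector a caller passes in; all function names, selector values and the CPL-0 service are made up for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Direct far JMP/CALL to a code segment (no gate, no task switch):
   nonconforming target: CPL == DPL and RPL <= CPL, so RPL *is* looked at
   conforming target:    DPL <= CPL, RPL ignored; CPL stays unchanged */
bool far_transfer_ok(unsigned cpl, unsigned rpl, unsigned dpl, bool conforming) {
    if (conforming) return dpl <= cpl;
    return cpl == dpl && rpl <= cpl;
}

/* ARPL dest, src: if RPL(dest) < RPL(src), RPL(dest) is raised to RPL(src)
   and ZF is set; otherwise dest is unchanged and ZF is cleared.
   Returns the adjusted selector; zf may be NULL. */
uint16_t arpl(uint16_t dest, uint16_t src, bool *zf) {
    unsigned rpl_dest = dest & 3, rpl_src = src & 3;
    bool adjusted = rpl_dest < rpl_src;
    if (zf) *zf = adjusted;
    return adjusted ? (uint16_t)((dest & 0xFFFC) | rpl_src) : dest;
}

/* Hardware data-access rule: the lower privilege of CPL and RPL must be <= DPL. */
bool data_access_ok(unsigned cpl, uint16_t selector, unsigned dpl) {
    unsigned rpl = selector & 3;
    return (cpl > rpl ? cpl : rpl) <= dpl;
}

/* Constructed scenario: ring 3 enters a ring-0 service through a call gate
   and passes a selector for a segment it wants the service to read. The
   caller's CS selector (its CPL in bits 0-1) is on the ring-0 stack.
   Without ARPL the service runs the hardware check at CPL 0 with whatever
   RPL the caller chose; with ARPL the caller's CPL is forced into the RPL
   first. Returns true if the service would go ahead and touch the segment. */
bool kernel_service_access(uint16_t caller_cs, uint16_t user_selector,
                           unsigned target_dpl, bool use_arpl) {
    const unsigned kernel_cpl = 0;
    uint16_t sel = user_selector;
    if (use_arpl) sel = arpl(sel, caller_cs, NULL);
    return data_access_ok(kernel_cpl, sel, target_dpl);
}

int main(void) {
    const uint16_t user_cs        = 0x001B;  /* constructed: GDT index 3, RPL 3 */
    const uint16_t ring0_data_rpl0 = 0x0010; /* ring-0 data segment (DPL 0), RPL forced to 0 */
    const uint16_t user_data_rpl0  = 0x0020; /* caller's own data segment (DPL 3), RPL 0 */

    printf("far JMP from CPL 3 to nonconforming DPL 3, RPL 0: %s\n", far_transfer_ok(3, 0, 3, false) ? "ok" : "#GP");
    printf("far JMP from CPL 2 to nonconforming DPL 2, RPL 3: %s\n", far_transfer_ok(2, 3, 2, false) ? "ok" : "#GP");
    printf("far CALL from CPL 3 to conforming DPL 0, RPL 3:   %s\n", far_transfer_ok(3, 3, 0, true) ? "ok" : "#GP");
    printf("ring-0 data, no ARPL: %s\n", kernel_service_access(user_cs, ring0_data_rpl0, 0, false) ? "accessed" : "#GP");
    printf("ring-0 data, ARPL:    %s\n", kernel_service_access(user_cs, ring0_data_rpl0, 0, true) ? "accessed" : "#GP");
    printf("user data,   ARPL:    %s\n", kernel_service_access(user_cs, user_data_rpl0, 3, true) ? "accessed" : "#GP");
    return 0;
}
```

The two ARPL runs are the whole argument: with the RPL left at 0, the CPL-0 service passes the check and reads ring-0 data on behalf of a ring-3 caller; after ARPL the same selector carries RPL 3 and the access faults, while a selector for the caller's own DPL 3 segment still works.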
... To understand. I'm a bit confused. So how to set the DS value?



LGDT AX
mov ds,ax
....?

Posted on 2003-04-12 00:43:22 by realvampire