s06_03.htm

Programmer s Reference Manual is an improtant book on Intel processor architecture and programming.

<P>
<H3>6.3.4.2  Returning from a Procedure</H3>
The "near" forms of the 
<A HREF="RET.htm">RET</A> instruction transfer control within the current
code segment and therefore are subject only to limit checking. The offset of
the instruction following the corresponding 
<A HREF="CALL.htm">CALL</A>, is popped from the stack.
The processor ensures that this offset does not exceed the limit of the
current executable segment.
<P>
The "far" form of the 
<A HREF="RET.htm">RET</A> instruction pops the return pointer that was
pushed onto the stack by a prior far 
<A HREF="CALL.htm">CALL</A> instruction. Under normal
conditions, the return pointer is valid, because of its relation to the
prior <A HREF="CALL.htm">CALL</A> or 
<A HREF="INT.htm">INT</A>. 
Nevertheless, the processor performs privilege checking
because of the possibility that the current procedure altered the pointer or
failed to properly maintain the stack. The RPL of the CS selector popped
off the stack by the return instruction identifies the privilege level of
the calling procedure.
<P>
An intersegment return instruction can change privilege levels, but only
toward procedures of lesser privilege. When the 
<A HREF="RET.htm">RET</A> instruction encounters a
saved CS value whose RPL is numerically greater than the CPL, an interlevel
return occurs. Such a return follows these steps:
<OL>
<LI> The checks shown in Table 6-3 are made, and CS:EIP and SS:ESP are
loaded with their former values that were saved on the stack.
<LI> The old SS:ESP (from the top of the current stack) value is adjusted
by the number of bytes indicated in the 
<A HREF="RET.htm">RET</A> instruction. The resulting
ESP value is not compared to the limit of the stack segment. If ESP is
beyond the limit, that fact is not recognized until the next stack
operation. (The SS:ESP value of the returning procedure is not
preserved; normally, this value is the same as that contained in the
TSS.)
<LI> The contents of the DS, ES, FS, and GS segment registers are checked.
If any of these registers refer to segments whose DPL is greater than
the new CPL (excluding conforming code segments), the segment register
is loaded with the null selector (INDEX = 0, TI = 0). The 
<A HREF="RET.htm">RET</A>
instruction itself does not signal exceptions in these cases;
however, any subsequent memory reference that attempts to use a
segment register that contains the null selector will cause a general
protection exception. This prevents less privileged code from
accessing more privileged segments using selectors left in the
segment registers by the more privileged procedure.
</OL>

<H2>6.3.5  Some Instructions are Reserved for Operating System</H2>
Instructions that have the power to affect the protection mechanism or to
influence general system performance can only be executed by trusted
procedures. The 80386 has two classes of such instructions:
<OL>
<LI> Privileged instructions -- those used for system control.
<LI> Sensitive instructions -- those used for I/O and I/O related
activities.
</OL>
<PRE>
Table 6-3. Interlevel Return Checks

SF = Stack Fault
GP = General Protection Exception
NP = Segment-Not-Present Exception

Type of Check                                  Exception   Error Code

ESP is within current SS segment               SF          0
ESP + 7 is within current SS segment           SF          0
RPL of return CS is greater than CPL           GP          Return CS
Return CS selector is not null                 GP          Return CS
Return CS segment is within descriptor
  table limit                                  GP          Return CS
Return CS descriptor is a code segment         GP          Return CS
Return CS segment is present                   NP          Return CS
DPL of return nonconforming code
  segment = RPL of return CS, or DPL of
  return conforming code segment <= RPL
  of return CS                                 GP          Return CS
ESP + N + 15 is within SS segment
N   Immediate Operand of RET N Instruction     SF          Return SS
SS selector at ESP + N + 12 is not null        GP          Return SS
SS selector at ESP + N + 12 is within
  descriptor table limit                       GP          Return SS
SS descriptor is writable data segment         GP          Return SS
SS segment is present                          SF          Return SS
Saved SS segment DPL = RPL of saved
  CS                                           GP          Return SS
Saved SS selector RPL = Saved SS
  segment DPL                                  GP          Return SS
</PRE>

<H3>6.3.5.1  Privileged Instructions</H3>
The instructions that affect system data structures can only be executed
when CPL is zero. If the CPU encounters one of these instructions when CPL
is greater than zero, it signals a general protection exception. These
instructions include:
<UL>
<LI><A HREF="CLTS.htm">CLTS -- Clear Task-Switched Flag</A>
<LI><A HREF="HLT.htm">HLT -- Halt Processor</A>
<LI><A HREF="LGDT.htm">LGDT -- Load GDL Register</A>
<LI><A HREF="LGDT.htm">LIDT -- Load IDT Register</A>
<LI><A HREF="LLDT.htm">LLDT -- Load LDT Register</A>
<LI><A HREF="LMSW.htm">LMSW -- Load Machine Status Word</A>
<LI><A HREF="LTR.htm">LTR -- Load Task Register</A>
<LI><A HREF="MOVRS.htm">MOV to/from CRn -- Move to Control Register n</A>
<LI><A HREF="MOVRS.htm">MOV to /from DRn -- Move to Debug Register n</A>
<LI><A HREF="MOVRS.htm">MOV to/from TRn -- Move to Test Register n</A>
</UL>

<H3>6.3.5.2  Sensitive Instructions</H3>
Instructions that deal with I/O need to be restricted but also need to be
executed by procedures executing at privilege levels other than zero. The
mechanisms for restriction of I/O operations are covered in detail in

<A HREF="c08.htm">Chapter 8</A>, "Input/Output".

<H2>6.3.6  Instructions for Pointer Validation</H2>
Pointer validation is an important part of locating programming errors.
Pointer validation is necessary for maintaining isolation between the
privilege levels. Pointer validation consists of the following steps:
<OL>
<LI> Check if the supplier of the pointer is entitled to access the
segment.
<LI> Check if the segment type is appropriate to its intended use.
<LI> Check if the pointer violates the segment limit.
</OL>
Although the 80386 processor automatically performs checks 2 and 3 during
instruction execution, software must assist in performing the first check.
The unprivileged instruction 
<A HREF="ARPL.htm">ARPL</A> is provided for this purpose. Software can
also explicitly perform steps 2 and 3 to check for potential violations
(rather than waiting for an exception). The unprivileged instructions 
<A HREF="LAR.htm">LAR</A>,
<A HREF="LSL.htm">LSL</A>, 
<A HREF="VERR.htm">VERR</A>, and 
<A HREF="VERR.htm">VERW</A> are provided for this purpose.
<P>
<A HREF="LAR.htm">LAR</A> (Load Access Rights) is used to verify that a pointer refers to a
segment of the proper privilege level and type. 
<A HREF="LAR.htm">LAR</A> has one operand
selector for a descriptor whose access rights are to be examined. The
descriptor must be visible at the privilege level which is the maximum of
the CPL and the selector's RPL. If the descriptor is visible, 
<A HREF="LAR.htm">LAR</A> obtains a
masked form of the second doubleword of the descriptor, masks this value
with 00FxFF00H, stores the result into the specified 32-bit destination
register, and sets the zero flag. (The x indicates that the corresponding
four bits of the stored value are undefined.) Once loaded, the access-rights
bits can be tested. All valid descriptor types can be tested by the 
<A HREF="LAR.htm">LAR</A>
instruction. If the RPL or CPL is greater than DPL, or if the selector is
outside the table limit, no access-rights value is returned, and the zero
flag is cleared. Conforming code segments may be accessed from any privilege
level.
<P>
<A HREF="LSL.htm">LSL</A> 
(Load Segment Limit) allows software to test the limit of a descriptor.
If the descriptor denoted by the given selector (in memory or a register) is
visible at the CPL, 
<A HREF="LSL.htm">LSL</A> loads the specified 32-bit register with a 32-bit,
byte granular, unscrambled limit that is calculated from fragmented limit
fields and the G-bit of that descriptor. This can only be done for segments
(data, code, task state, and local descriptor tables); gate descriptors are
inaccessible. (Table 6-4 lists in detail which types are valid and which
are not.) Interpreting the limit is a function of the segment type. For
example, downward expandable data segments treat the limit differently than
code segments do. For both 
<A HREF="LAR.htm">LAR</A> and 
<A HREF="LSL.htm">LSL</A>, the zero flag (ZF) is set if the
loading was performed; otherwise, the ZF is cleared.
<PRE>
Table 6-4. Valid Descriptor Types for LSL

Type   Descriptor Type             Valid?
Code

0      (invalid)                   NO
1      Available 286 TSS           YES
2      LDT                         YES
3      Busy 286 TSS                YES
4      286 Call Gate               NO
5      Task Gate                   NO
6      286 Trap Gate               NO
7      286 Interrupt Gate          NO
8      (invalid)                   NO
9      Available 386 TSS           YES
A      (invalid)                   NO
B      Busy 386 TSS                YES
C      386 Call Gate               NO
D      (invalid)                   NO
E      386 Trap Gate               NO
F      386 Interrupt Gate          NO

</PRE>
<H3>6.3.6.1  Descriptor Validation</H3>
The 80386 has two instructions, 
<A HREF="VERR.htm">VERR</A> and 
<A HREF="VERR.htm">VERW</A>, which determine whether a
selector points to a segment that can be read or written at the current
privilege level. Neither instruction causes a protection fault if the result
is negative.
<P>
<A HREF="VERR.htm">VERR</A> (Verify for Reading) 
verifies a segment for reading and loads ZF with
1 if that segment is readable from the current privilege level. 
<A HREF="VERR.htm">VERR</A> checks
that:
<UL>
<LI> The selector points to a descriptor within the bounds of the GDT or
LDT.
<LI> It denotes a code or data segment descriptor.
<LI> The segment is readable and of appropriate privilege level.
</UL>
The privilege check for data segments and nonconforming code segments is
that the DPL must be numerically greater than or equal to both the CPL and
the selector's RPL. Conforming segments are not checked for privilege level.
<P>
<A HREF="VERR.htm">VERW</A> (Verify for Writing) 
provides the same capability as <A HREF="VERR.htm">VERR</A> for
verifying writability. Like the 
<A HREF="VERR.htm">VERR</A> instruction, 
<A HREF="VERR.htm">VERW</A> loads ZF if the
result of the writability check is positive. The instruction checks that the
descriptor is within bounds, is a segment descriptor, is writable, and that
its DPL is numerically greater or equal to both the CPL and the selector's
RPL. Code segments are never writable, conforming or not.

<H3>6.3.6.2  Pointer Integrity and RPL</H3>
The Requestor's Privilege Level (RPL) feature can prevent inappropriate use
of pointers that could corrupt the operation of more privileged code or data
from a less privileged level.
<P>
A common example is a file system procedure, FREAD (file_id, n_bytes,
buffer_ptr). This hypothetical procedure reads data from a file into a
buffer, overwriting whatever is there. Normally, FREAD would be available at
the user level, supplying only pointers to the file system procedures and
data located and operating at a privileged level. Normally, such a procedure
prevents user-level procedures from directly changing the file tables.
However, in the absence of a standard protocol for checking pointer
validity, a user-level procedure could supply a pointer into the file tables
in place of its buffer pointer, causing the FREAD procedure to corrupt them
unwittingly.
<P>
Use of RPL can avoid such problems. The RPL field allows a privilege
attribute to be assigned to a selector. This privilege attribute would
normally indicate the privilege level of the code which generated the
selector. The 80386 processor automatically checks the RPL of any selector
loaded into a segment register to determine whether the RPL allows access.
<P>
To take advantage of the processor's checking of RPL, the called procedure
need only ensure that all selectors passed to it have an RPL at least as
high (numerically) as the original caller's CPL. This action guarantees that
selectors are not more trusted than their supplier. If one of the selectors
is used to access a segment that the caller would not be able to access
directly, i.e., the RPL is numerically greater than the DPL, then a
protection fault will result when that selector is loaded into a segment
register.
<P>
<A HREF="ARPL.htm">ARPL</A> 
(Adjust Requestor's Privilege Level) adjusts the RPL field of a
selector to become the larger of its original value and the value of the RPL
field in a specified register. The latter is normally loaded from the image
of the caller's CS register which is on the stack. If the adjustment changes
the selector's RPL, ZF (the zero flag) is set; otherwise, ZF is cleared.
<P>
<HR>
<P>
<B>up:</B> <A HREF="c06.htm">
Chapter 6 -- Protection</A><BR>
<B>prev:</B> <A HREF="s06_02.htm">6.2  Overview of 80386 Protection Mechanisms</A><BR>
<B>next:</B> <A HREF="s06_04.htm">6.4  Page-Level Protection</A>
</BODY>