Reputation: 2748
RPL of CS while transferring control to a conforming code segment in intel microprocessor
RPL of CS doesn't always match with the DPL of a conforming code segment. But shouldn't it always match with the DPL of the calling code segment (the code from where the control has been transferred) ? And what will happen with the RPL bits when we return from the conforming code segment? Will the RPL bits be equal to the DPL of the conforming code segment then?
Upvotes: 1
Views: 788
Answers (1)
Reputation: 44126
First a bit of terminology fix:
The RPL (Requested Privilege Level) is the bits 0 and 1 of every segment selector.
The CPL (Current Privilege Level) is the bits 0 and 1 of the segment register CS.
The DPL (Descriptor Privilege Level) is the two bits in a segment descriptor controlling its protection.
There can be a bit of confusion since the segment registers hold segment selectors and thus they also have an RPL.
However, we must exclude CS because we cannot move directly into it - we can change it only through specific instructions.
The idea is to use the RPL to lower the CPL when accessing data segments: while the RPL is freely editable by any application, the CPU will use the most restrictive between the RPL and the CPL (effectively the max between the twos).
When accessing code segment the RPL has little effect (with call gates it is used the same as with data segment, with non-conforming segments it must be RPL <= CPL and with conforming code segment it is ignored) and the rule to set the CPL depend on the instruction and type of segment used.
RPL of CS doesn't always match with the DPL of a conforming code segment.
Thus CS doesn't have an RPL, it has a CPL, the rest is true as confirmed by the Intel SDM:
5.8.1.2
When program control is transferred to a conforming code segment, the CPL does not change, even if the DPL of the destination code segment is less than the CPL. This situation is the only one where the CPL may be different from the DPL of the current code segment. Also, since the CPL does not change, no stack switch occurs.
This quote also answer your first question
But shouldn't it always match with the DPL of the calling code segment (the code from where the control has been transferred)?
No, if the code segments B and C are conforming with DPL 1 and 0 respectively and the code in segment A with DPL 3 is flown into B and subsequently in C then the CPL is 3, the DPL of A, even if the caller code segment (B) has DPL 1.
Basically is a conforming code segment calling another conforming code segment.
And what will happen with the RPL bits when we return from the conforming code segment? Will the RPL bits be equal to the DPL of the conforming code segment then?
I assume you mean the CPL bits as the RPL bits are never touched by the CPU.
When accessing other code segments a far call or jump is used (there are other mechanisms which we ignore here as they are all equivalent to the two named) so the caller's CS is saved on the stack (with or without a stack switch first) and restored upon return if access is still granted.
Upvotes: 1
Related Questions
- What would happen if the CS segment register is changed? (And how would you do so?)
- Where does RPL come from?
- Change CS:IP in Assembly Language
- Why is the x86 CR1 control register reserved?
- Overriding x86 SS segment for PUSH and POP instructions (SS:SP, SS:ESP, SS:RSP)
- Assembly language programming transfer of control from one segment to another
- Difference between DPL and RPL in x86
- What does CS:IP mean in assembly and how it works?
- Accessing underprivileged stack by weakening the CPL with RPL in intel microprocessor
- Privilege level checking when accessing code segment