[Translation] x86 Programmer's Manual 20 - 6.3.4 Gate Descriptors Guard Procedure Entry Points

    6.3.4 Gate Descriptors Guard Procedure Entry Points

    To provide protection for control transfers among executable segments at different privilege levels, the 80386 uses gate descriptors. There are four kinds of gate descriptors:


    • Call gates
    • Trap gates
    • Interrupt gates
    • Task gates

    This chapter is concerned only with call gates. Task gates are used for task switching, and therefore are discussed in Chapter 7. Chapter 9 explains how trap gates and interrupt gates are used by exceptions and interrupts. Figure 6-5 illustrates the format of a call gate. A call gate descriptor may reside in the GDT or in an LDT, but not in the IDT. A call gate has two primary functions:


    1. To define an entry point of a procedure.
    2. To specify the privilege level of the entry point.


    Call gate descriptors are used by call and jump instructions in the same manner as code segment descriptors. When the hardware recognizes that the destination selector refers to a gate descriptor, the operation of the instruction is expanded as determined by the contents of the call gate.


    The selector and offset fields of a gate form a pointer to the entry point of a procedure. A call gate guarantees that all transitions to another segment go to a valid entry point, rather than possibly into the middle of a procedure (or worse, into the middle of an instruction). The far pointer operand of the control transfer instruction does not point to the segment and offset of the target instruction; rather, the selector part of the pointer selects a gate, and the offset is not used. Figure 6-6 illustrates this style of addressing.



    As Figure 6-7 shows, four different privilege levels are used to check the validity of a control transfer via a call gate:


    1. The CPL (current privilege level).
    2. The RPL (requestor's privilege level) of the selector used to specify the call gate.
    3. The DPL of the gate descriptor.
    4. The DPL of the descriptor of the target executable segment.


    The DPL field of the gate descriptor determines what privilege levels can use the gate. One code segment can have several procedures that are intended for use by different privilege levels. For example, an operating system may have some services that are intended to be used by applications, whereas others may be intended only for use by other systems software.


    Gates can be used for control transfers to numerically smaller privilege levels or to the same privilege level (though they are not necessary for transfers to the same level). Only CALL instructions can use gates to transfer to smaller privilege levels. A gate may be used by a JMP instruction only to transfer to an executable segment with the same privilege level or to a conforming segment.


    For a JMP instruction to a nonconforming segment, both of the following privilege rules must be satisfied; otherwise, a general protection exception results.


    MAX (CPL,RPL) <= gate DPL

    target segment DPL = CPL


    For a CALL instruction (or for a JMP instruction to a conforming segment), both of the following privilege rules must be satisfied; otherwise, a general protection exception results.


    MAX (CPL,RPL) <= gate DPL

    target segment DPL <= CPL
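The two rule pairs above written as one check in C, as an added example (not code from the manual); the transfer kind, the conforming flag and the returned new CPL are this example's own modelling choices, and a conforming target keeping the caller's CPL is the 80386's conforming-segment rule rather than something this section states.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum { XFER_CALL, XFER_JMP } xfer_kind;

/* Outcome of the gate privilege checks: ok == false models a general
 * protection exception and why names the rule that failed. */
typedef struct {
    bool ok;
    int new_cpl;        /* CPL the target runs at when ok */
    const char *why;
} gate_check;
static int max_int(int a, int b) { return a > b ? a : b; }

/* cpl: current privilege level; rpl: RPL of the selector naming the gate;
 * gate_dpl: DPL of the call-gate descriptor; target_dpl: DPL of the target
 * code-segment descriptor; conforming: the target is a conforming segment. */
gate_check check_gate_transfer(xfer_kind kind, int cpl, int rpl,
                               int gate_dpl, int target_dpl, bool conforming)
{
    gate_check r = { false, cpl, "" };
    /* First rule (both instructions): the gate's DPL limits who may use it. */
    if (max_int(cpl, rpl) > gate_dpl) {
        r.why = "MAX(CPL,RPL) > gate DPL";
        return r;
    }
    /* Second rule depends on the instruction and the target segment type. */
    if (kind == XFER_JMP && !conforming) {
        /* JMP to a nonconforming segment: same privilege level only. */
        if (target_dpl != cpl) { r.why = "target DPL != CPL"; return r; }
    } else if (target_dpl > cpl) {
        /* CALL, or JMP to a conforming segment: same or more privileged. */
        r.why = "target DPL > CPL";
        return r;
    }
    r.ok = true;
    /* A nonconforming target runs at its own DPL (the new CPL); a conforming
     * target keeps the caller's CPL (the 80386 conforming-segment rule). */
    r.new_cpl = conforming ? cpl : target_dpl;
    return r;
}

int main(void)
{
    /* A PL 3 application reaching a PL 0 service through a gate with DPL 3. */
    gate_check c = check_gate_transfer(XFER_CALL, 3, 3, 3, 0, false);
    printf("CALL: %s, new CPL %d\n", c.ok ? "ok" : c.why, c.new_cpl);
    return 0;
}
```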

  Stack Switching

    If the destination code segment of the call gate is at a different privilege level than the CPL, an interlevel transfer is being requested.


    To maintain system integrity, each privilege level has a separate stack. These stacks assure sufficient stack space to process calls from less privileged levels. Without them, a trusted procedure would not work correctly if the calling procedure did not provide sufficient space on the caller's stack.


    The processor locates these stacks via the task state segment (see Figure 6-8). Each task has a separate TSS, thereby permitting tasks to have separate stacks. Systems software is responsible for creating TSSs and placing correct stack pointers in them. The initial stack pointers in the TSS are strictly read-only values. The processor never changes them during the course of execution.



    When a call gate is used to change privilege levels, a new stack is selected by loading a pointer value from the Task State Segment (TSS). The processor uses the DPL of the target code segment (the new CPL) to index the initial stack pointer for PL 0, PL 1, or PL 2.


    The DPL of the new stack data segment must equal the new CPL; if it does not, a stack exception occurs. It is the responsibility of systems software to create stacks and stack-segment descriptors for all privilege levels that are used. Each stack must contain enough space to hold the old SS:ESP, the return address, and all parameters and local variables that may be required to process a call.


    As with intralevel calls, parameters for the subroutine are placed on the stack. To make privilege transitions transparent to the called procedure, the processor copies the parameters to the new stack. The count field of a call gate tells the processor how many doublewords (up to 31) to copy from the caller's stack to the new stack. If the count is zero, no parameters are copied.


    The processor performs the following stack-related steps in executing an interlevel CALL.


    1. The new stack is checked to assure that it is large enough to hold the parameters and linkages; if it is not, a stack fault occurs with an error code of 0.

    2. The old value of the stack registers SS:ESP is pushed onto the new stack as two doublewords.

    3. The parameters are copied.

    4. A pointer to the instruction after the CALL instruction (the former value of CS:EIP) is pushed onto the new stack. The final value of SS:ESP points to this return pointer on the new stack.


    Figure 6-9 illustrates the stack contents after a successful interlevel call.
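The four stack steps above, as an added example in C that is not part of the manual: a dword-addressed model of the two stacks, with the sample selectors, parameter values and TSS stack pointer all constructed for the demonstration.

```c
#include <stdint.h>

#define GATE_MAX_PARAMS 31   /* the gate's count field holds at most 31 */
#define STACK_DWORDS 32
/* A stack segment modelled as a dword-addressed array: mem[esp] is the top
 * of stack and the stack grows toward index 0. */
typedef struct { uint16_t ss; uint32_t mem[STACK_DWORDS]; } stack_seg;
typedef struct { uint16_t cs; uint32_t eip; uint16_t ss; uint32_t esp; } regs;

/* The stack-related steps of an interlevel CALL through a call gate.
 * caller: CS:EIP of the instruction after the CALL plus the caller's SS:ESP
 * (esp indexes old_seg->mem). tss_esp: initial ESP for the new CPL as read
 * from the TSS. Returns 0, or -1 to model a stack fault (error code 0). */
int interlevel_call(const stack_seg *old_seg, const regs *caller,
                    unsigned count, uint32_t tss_esp, stack_seg *new_seg,
                    uint16_t target_cs, uint32_t target_eip, regs *callee)
{
    if (count > GATE_MAX_PARAMS || caller->esp + count > STACK_DWORDS)
        return -1;                   /* bounds of this model, not of the CPU */
    uint32_t esp = tss_esp;
    /* Step 1: room for old SS:ESP (2 dwords), the parameters, and CS:EIP (2). */
    if (esp < 2 + count + 2) return -1;
    /* Step 2: old SS and old ESP, each pushed as a full doubleword. */
    new_seg->mem[--esp] = caller->ss;
    new_seg->mem[--esp] = caller->esp;
    /* Step 3: copy the parameters in order; the one the caller pushed last is
     * copied last and so stays nearest the top of the new stack. */
    for (unsigned i = count; i > 0; i--)
        new_seg->mem[--esp] = old_seg->mem[caller->esp + i - 1];
    /* Step 4: the return pointer; the final SS:ESP points at it. */
    new_seg->mem[--esp] = caller->cs;
    new_seg->mem[--esp] = caller->eip;
    callee->cs = target_cs;   callee->eip = target_eip;
    callee->ss = new_seg->ss; callee->esp = esp;
    return 0;
}

/* Constructed scenario: a PL 3 caller with three parameters on its stack
 * reaches a PL 0 entry point through a gate whose count field is 3.
 * tss_esp plays the PL 0 stack pointer; results land in demo_seg/demo_callee. */
stack_seg demo_seg = { .ss = 0x10 };
regs demo_callee;
int demo_call(uint32_t tss_esp)
{
    stack_seg old_seg = { .ss = 0x23 };
    old_seg.mem[29] = 0x11; old_seg.mem[30] = 0x22; old_seg.mem[31] = 0x33;
    regs caller = { .cs = 0x1b, .eip = 0x1000, .ss = 0x23, .esp = 29 };
    return interlevel_call(&old_seg, &caller, 3, tss_esp, &demo_seg,
                           0x08, 0x2000, &demo_callee);
}
```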



    The TSS does not have a stack pointer for a privilege level 3 stack, because privilege level 3 cannot be called by any procedure at any other privilege level.


    Procedures that may be called from another privilege level and that require more than the 31 doublewords for parameters must use the saved SS:ESP link to access all parameters beyond the last doubleword copied.


    A call via a call gate does not check the values of the words copied onto the new stack. The called procedure should check each parameter for validity. A later section discusses how the ARPL, VERR, VERW, LSL, and LAR instructions can be used to check pointer values.


  Returning from a Procedure

    The "near" forms of the RET instruction transfer control within the current code segment and therefore are subject only to limit checking. The offset of the instruction following the corresponding CALL is popped from the stack. The processor ensures that this offset does not exceed the limit of the current executable segment.


    The "far" form of the RET instruction pops the return pointer that was pushed onto the stack by a prior far CALL instruction. Under normal conditions, the return pointer is valid, because of its relation to the prior CALL or INT. Nevertheless, the processor performs privilege checking because of the possibility that the current procedure altered the pointer or failed to properly maintain the stack. The RPL of the CS selector popped off the stack by the return instruction identifies the privilege level of the calling procedure.


    An intersegment return instruction can change privilege levels, but only toward procedures of lesser privilege. When the RET instruction encounters a saved CS value whose RPL is numerically greater than the CPL, an interlevel return occurs. Such a return follows these steps:


    1. The checks shown in Table 6-3 are made, and CS:EIP and SS:ESP are loaded with their former values that were saved on the stack.

    2. The old SS:ESP (from the top of the current stack) value is adjusted by the number of bytes indicated in the RET instruction. The resulting ESP value is not compared to the limit of the stack segment. If ESP is beyond the limit, that fact is not recognized until the next stack operation. (The SS:ESP value of the returning procedure is not preserved; normally, this value is the same as that contained in the TSS.)

    3. The contents of the DS, ES, FS, and GS segment registers are checked. If any of these registers refer to segments whose DPL is greater than the new CPL (excluding conforming code segments), the segment register is loaded with the null selector (INDEX = 0, TI = 0). The RET instruction itself does not signal exceptions in these cases; however, any subsequent memory reference that attempts to use a segment register that contains the null selector will cause a general protection exception. This prevents less privileged code from accessing more privileged segments using selectors left in the segment registers by the more privileged procedure.

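The interlevel return steps above (Table 6-3's descriptor checks left out), as an added C example that is not from the manual; the stack image it starts from is the Figure 6-9 layout with constructed values, and the step 3 nulling test is written as the register naming a segment more privileged than the new CPL (numerically smaller DPL), the case the closing sentence of step 3 describes.

```c
#include <stdint.h>
#include <stdbool.h>
#define STACK_DWORDS 32
#define SEL_RPL(sel) ((sel) & 3)   /* RPL lives in the two low bits of a selector */
typedef struct { uint32_t mem[STACK_DWORDS]; } stack_seg;  /* mem[esp] is the top */
typedef struct { uint16_t cs; uint32_t eip; uint16_t ss; uint32_t esp; } regs;
/* A data-segment register: its selector plus, from the descriptor, the DPL
 * and whether the segment is conforming code. */
typedef struct { uint16_t sel; int dpl; bool conforming; } segreg;

/* A far RET n executed on the stack in cur. n is the instruction's byte count
 * (a multiple of 4 in this dword model); dregs holds DS, ES, FS, GS in that
 * order. Returns the new CPL. The Table 6-3 descriptor checks are not modelled. */
int far_ret(const stack_seg *cur, regs *r, int cpl, unsigned n, segreg dregs[4])
{
    /* Pop the return pointer left by the prior far CALL. */
    r->eip = cur->mem[r->esp++];
    r->cs  = (uint16_t)cur->mem[r->esp++];
    int new_cpl = SEL_RPL(r->cs);   /* the caller's privilege level */
    r->esp += n / 4;                /* discard the parameters on this stack */
    if (new_cpl <= cpl)
        return cpl;                 /* same-level return: nothing more to do */
    /* Interlevel return, step 1: restore the caller's SS:ESP from this stack. */
    uint32_t old_esp = cur->mem[r->esp++];
    uint16_t old_ss  = (uint16_t)cur->mem[r->esp++];
    /* Step 2: the caller's ESP also skips its parameters; no limit check here. */
    r->ss  = old_ss;
    r->esp = old_esp + n / 4;
    /* Step 3: unload any data-segment register still naming a segment more
     * privileged than the new CPL (numerically smaller DPL), conforming code
     * excepted, so the selector cannot be reused at the less privileged level. */
    for (int i = 0; i < 4; i++)
        if (!dregs[i].conforming && dregs[i].dpl < new_cpl)
            dregs[i].sel = 0;       /* null selector: INDEX = 0, TI = 0 */
    return new_cpl;
}

/* Constructed: the stack a PL 0 procedure sees after the interlevel CALL of
 * Figure 6-9 (three copied parameters), then RET 12 back to the PL 3 caller.
 * DS still names a PL 0 segment (0x10); ES, FS, GS name a PL 3 segment. */
segreg demo_dregs[4] = {{0x10, 0, false}, {0x23, 3, false}, {0x23, 3, false}, {0x23, 3, false}};
regs demo_regs;
int demo_ret(void)
{
    stack_seg s = {{0}};
    s.mem[25] = 0x1000; s.mem[26] = 0x1b;                  /* old EIP, old CS */
    s.mem[27] = 0x11; s.mem[28] = 0x22; s.mem[29] = 0x33;  /* copied parameters */
    s.mem[30] = 29;     s.mem[31] = 0x23;                  /* old ESP, old SS */
    demo_regs = (regs){ .cs = 0x08, .eip = 0x2040, .ss = 0x10, .esp = 25 };
    return far_ret(&s, &demo_regs, 0, 12, demo_dregs);
}
```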

Original article: https://www.cnblogs.com/mqmelon/p/6692591.html