I've read many manuals since my last post about segment selectors in virtual 8086 mode, but I don't understand all of it.
1. segment = 16 bits. offset = 16 bits.
address = segment + offset = 32 bits.
2. Segment selector, I don't get it.
It's 8, but what is it?!
3. Task switch, how is it done?
When the CPU executes any interrupt, at the end the task scheduler is called to check if it should switch task. If yes, what does it do? Load the TSS? What else? And how does it switch from ring 0 to ring 3 and the other way?
4. How do I program the PIC? Well, programmable interrupt controller, so I ask how do I program it.
5. When I access an address in protected mode, how is it done?
I would like every instruction (checking TLB?), what else.
And the last question: is that knowledge really necessary? Is there a technology out there a little simpler? Maybe Itanium? Should I really go into it? I read that 90% is obsolete.
1. Yes...kind of. The address is calculated like so:
Code:
#include <stdint.h>
uint16_t segment, offset;
uint32_t address = (segment << 4) + offset;   /* 20-bit real-mode address */
Addresses in v8086 mode wrap around at 20 bits, so you can address a maximum of 2^20 = 1 MiB. This was done back in the 70s because they didn't need that much memory, and didn't want to waste space with equipment that they didn't need at the time.
2. The segment selector is an offset into the global descriptor table that describes the access permissions, IOPL, and limits for memory segments. This is used to implement page and process protection.
3. The ring is set using the above descriptor tables.
4. Not sure, as I've never done it myself. I'll scrounge around and let you know what I find.
5. Memory is accessed in protected mode using the segment selectors. A complete address consists of two parts: the segment selector and the offset. The segment selector is really an offset into the global descriptor table (GDT), where it's used to retrieve information on the access privileges, execution ring, etc. before the access is made. Then the offset is added to the base address in the GDT, and the memory is accessed.
> i would like every instruction (checking tlb?) what else.
Not sure what you're asking here.
Does that answer most of your questions?
sudo rm -rf /
Yes, thanks.
So each selector has a start address and a limit.
All programs executing at (physical? virtual?) memory between start and limit have the DPL and granularity (whatever it means, perhaps page size) of the selector.
I have here a gdtdump, and:
0008 00000000 FFFFFFFF 0 P 4Kb Execute/Read, accessed
0010 00000000 FFFFFFFF 0 P 4Kb Read/Write, accessed
0018 00000000 FFFFFFFF 3 P 4Kb Execute/Read, accessed
0020 00000000 FFFFFFFF 3 P 4Kb Read/Write, accessed
These are virtual addresses, right? And as you see, the 3rd and 4th have DPL 3, so?
When the CPU executes in ring 0, which selector does it use? If ring 3, which?
Or wait, isn't it just that the CPU sets the CS segment register to the proper selector?
ring0 = 8 and 10, ring3 = 18, 20?
And when there is no RWE selector?
If I want to write, I just do it; I don't recall setting CS either in source or binary.
And what's on selector 0? Why does it start from 8?
And what if something has read/write but no access?
You can have multiple segment selectors for the same range of addresses; this allows one program to share memory with another, but grant it only read access, etc. The execution permissions (i.e. the ring, IOPL) depend on CS, which is itself a segment selector. So if you ever try to execute a segment that doesn't have the execution privilege set, the processor chokes.
My guess is that the null segment descriptor is not in the table because it acts as a null pointer - used as an invalid return value or something like that.
By the way, you can't set CS except with a long jump.
I found another description, better suited for me, and:
CS is used only by EIP, instruction fetching only.
SS is used only by ESP and instructions involving it (or wait, does mov esp, 666 also go through SS?).
DS is used by all except the 2 above.
ES, FS, GS are not used at all unless you override the default DS. Mhmhmhmm, I can see that I will make a nice ring0 backdoor using those, well thanks Intel. Just override it, and make FS point to a selector with DPL 0.
Are other selectors used?
What is:
0028 80042000 000020AB 0 P 1b 32-Bit TSS (Busy)
TSS = task switch, but isn't it too big?
It's all virtual memory, right? I think so, because... I don't know. You tell me.
Well, I think I understand segments/selectors enough for now, thanks.
Let's focus on virtual translation now.
So... I want to fetch an instruction.
cs:eip fetch from 0x00123456
How does the CPU handle it?
ES is used by some string instructions, such as movs.
> es,fs,gs are not used at all only if you override default ds. mhmhmhmm i can see that i will make nice ring0 backdoor using those, well thanx intel. just override it, and make fs point to selector with dpl 0.
You can't always override, and even then you'd need to know the exact segment selector that will get you the correct privileges for your block of code. To do that you need to be in ring 0 to check the GDT...but you can't be in ring 0 because you're operating in ring 3 and you can't touch the GDT to get into ring 0...
I have to go to class right now, but I'll tell you exactly how the whole thing works once I get back in a few hours.
Thanks, waiting!
I can't modify CS, or I think I can't.
So since it's the only thing keeping the CPU aware of the ring, I won't change ring.
I can however change any other register.
So if I change DS to have the selector of a ring 0 segment, will I be able to write in kernel land?
Assuming you know:
1) Which segment selectors are ring 0
2) The block of memory those ring 0 segment selectors are valid for
I'm pretty sure there's some mechanism to stop this. Anyway, the way memory access in protected mode works is very simple. Say we have the following code:
Code:
mov eax, [00001F48h]
The default segment is DS. So the processor looks up in the GDT the entry corresponding to DS's value, and checks the read permission (since that's what we're doing here). If there's read permission specified, then the operation continues. Otherwise the processor throws a general protection exception.
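As an added example (not code from anyone in the thread), a C model of the lookup described in the first answer and in the `mov eax, [00001F48h]` answer just above: the selector's index picks a GDT descriptor, the descriptor supplies base, limit and DPL, and the privilege, type and limit checks run before the linear address is formed. The GDT contents are constructed to match the gdtdump posted earlier; the helper names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed GDT: the same four flat 4 GiB entries as the gdtdump in the thread,
   encoded as raw 8-byte descriptors (entry 0 is the mandatory null descriptor). */
static const uint64_t gdt[] = {
    0x0000000000000000ULL,  /* 0x00: null */
    0x00CF9B000000FFFFULL,  /* 0x08: DPL 0, Execute/Read, accessed */
    0x00CF93000000FFFFULL,  /* 0x10: DPL 0, Read/Write, accessed */
    0x00CFFB000000FFFFULL,  /* 0x18: DPL 3, Execute/Read, accessed */
    0x00CFF3000000FFFFULL,  /* 0x20: DPL 3, Read/Write, accessed */
};
typedef struct { uint32_t base, limit; int dpl; bool present, is_code, readable, writable; } seg_t;

/* Pull base, limit (scaled by the 4 KiB granularity bit), DPL and type out of a descriptor. */
static seg_t decode_desc(uint64_t d) {
    seg_t s;
    uint32_t limit = (uint32_t)(d & 0xFFFF) | (uint32_t)((d >> 32) & 0xF0000);
    uint8_t acc = (uint8_t)(d >> 40);                  /* the access byte: P, DPL, S, type */
    s.limit    = ((d >> 55) & 1) ? (limit << 12) | 0xFFF : limit;
    s.base     = (uint32_t)((d >> 16) & 0xFFFFFF) | (uint32_t)((d >> 56) << 24);
    s.present  = acc & 0x80;
    s.dpl      = (acc >> 5) & 3;
    s.is_code  = acc & 0x08;
    s.readable = s.is_code ? (acc & 0x02) : true;      /* data segments are always readable */
    s.writable = s.is_code ? false : (acc & 0x02);     /* code segments are never writable */
    return s;
}

/* The checks the CPU applies to `mov eax, [offset]` with DS = sel while running at cpl.
   Returns false where the CPU would raise #GP, otherwise the linear address in *linear. */
static bool data_access(uint16_t sel, uint32_t offset, int cpl, bool write, uint32_t *linear) {
    unsigned idx = sel >> 3, rpl = sel & 3;
    if ((sel & 4) || idx == 0 || idx >= sizeof gdt / sizeof gdt[0]) return false; /* LDT, null, out of table */
    seg_t s = decode_desc(gdt[idx]);
    if (!s.present) return false;
    if (cpl > s.dpl || rpl > s.dpl) return false;        /* max(CPL, RPL) <= DPL, done once when DS is loaded */
    if (write ? !s.writable : !s.readable) return false; /* type check */
    if ((uint64_t)offset + 3 > s.limit) return false;    /* the 4-byte access must lie within the limit */
    *linear = s.base + offset;                           /* paging, if enabled, translates this further */
    return true;
}

int main(void) {
    uint32_t lin;
    printf("ring0 DS=0x10 read  [1F48h]: %s\n", data_access(0x10, 0x1F48, 0, false, &lin) ? "ok" : "#GP");
    printf("ring3 DS=0x10 read  [1F48h]: %s\n", data_access(0x10, 0x1F48, 3, false, &lin) ? "ok" : "#GP");
    printf("ring3 DS=0x20 write [1F48h]: %s\n", data_access(0x20, 0x1F48, 3, true,  &lin) ? "ok" : "#GP");
    return 0;
}
```

The privilege comparison happens when the selector is loaded into DS, not on every instruction; only the type and limit checks repeat per access, using the descriptor the CPU cached at load time.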
OK, but how does the CPU know in which ring it executes?
I can imagine CS if it's about instruction fetching, but access kernel memory via a changed DS?
How does it do it?
And what exactly does the DPL field in the GDT mean?
Are the IOPL flags checked against DPL, and if they don't match, throw a GPF?
If that, each instruction must do it and it SUCKS. Please tell me that.