25 replies to this topic

[dargueta]

1. Yes...kind of. The address is calculated like so:

uint16_t segment, offset;
address = (segment << 4) + offset;

Addresses in v8086 mode wrap around at 20 bits, so you can address a maximum of 2^20 = 1 MiB. This was done back in the 70s because they didn't need that much memory, and didn't want to waste space with equipment that they didn't need at the time.

2. The segment selector is an offset into the global descriptor table that describes the access permissions, IOPL, and limits for memory segments. This is used to implement page and process protection.

3. The ring is set using the above descriptor tables.

4. Not sure, as I've never done it myself. I'll scrounge around and let you know what I find.

5. Memory is accessed in protected mode using the segment selectors. A complete address consists of two parts: the segment selector and the offset. The segment selector is really an offset into the global descriptor table (GDT), where it's used to retrieve information on the access privileges, execution ring, etc. before the access is made. Then the offset is added to the base address in the GDT, and the memory is accessed.

Quote

i would like every instruction (checking tlb?) what else.

Not sure what you're asking here.

That answer most of your questions?

[dargueta]

You can have multiple segment selectors for the same range of addresses; this allows one program to share memory with another, but grant it only read access, etc. The execution permissions (i.e. the ring, IOPL) depend on CS, which is itself a segment selector. So if you ever try to execute a segment that doesn't have the execution privilege set, the processor chokes.

My guess is that the null segment descriptor is not in the table because it acts as a null pointer - used as an invalid return value or something like that.

By the way, you can't set CS except with a long jump.

[dargueta]

ES is used by some string instructions, such as movs.

Quote

es,fs,gs are not used at all only if you override default ds. mhmhmhmm i can see that i will make nice ring0 backdoor using those, well thanx intel. just override it, and make fs point to selector with dpl 0.

You can't always override, and even then you'd need to know the exact segment selector that will get you the correct privileges for your block of code. To do that you need to be in ring 0 to check the GDT...but you can't be in ring 0 because you're operating in ring 3 and you can't touch the GDT to get into ring 0...

I have to go to class right now, but I'll tell you exactly how the whole thing works once I get back in a few hours.

[dargueta]

Assuming you know:
1) Which segment selectors are ring 0
2) The block of memory those ring 0 segment selectors are valid for

I'm pretty sure there's some mechanism to stop this. Anyway, the way memory access in protected mode works is very simple. Say we have the following code:

mov    eax, [00001F48h]

The default segment is DS. So the processor looks up in the GDT the entry corresponding to DS's value, and checks the read permission (since that's what we;re doing here). If there's read permission specified, then the operation continues. Otherwise the processor throws a general protection exception.

[dargueta]

The ring being executed in is specified in the GDT record indexed by CS. Modification to the GDT, LDT, and IDT require ring 0 access.

I think what you're not understanding is that the segment registers are just indices into the GDT and LDT. Kernel memory is specified by the GDT, and process memory is specified by the LDT. I suggest you check out Volume 3, Chapter 3 of the Intel Architecture Software Developer's Manual. There's a diagram of the process that does a better job of explaining it than I can with words.