Intel® ISA Extensions
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.
1095 Discussions

#SS on inter-privilege IRET

Konstantin_B_
Novice
‎07-15-2017 12:44 AM
472 Views

I am talking about latest SDM rev. 63 there. In the description of the #SS exception 'Stack Fault', it is stated that the exception is raised when

· A not-present stack segment is detected when attempting to load the SS register. This violation can occur

 during the execution of a task switch, a CALL instruction to a different privilege level, a return to a different

 privilege level, an LSS instruction, or a MOV or POP instruction to the SS register.

Experiments on the real hardware demonstrate that this exception can occur if inter-privilege IRET is executed and popped an %ss segment register value which references a non-present descriptor.  Small issue is that the explanation above does not list IRET explicitely, but it arguably falls under the 'return to a different privilege level' enumerator.

Much more serious problem is that IRET instruction lists #NP (segment not present) in this situation:

#NP(selector) If the return code or stack segment is not present.

In particular, it seems that QEMU emulates #NP, following the documentation.

Of course I may be wrong with interpreting the experiment results, but it would be useful clarify either the IRET instruction specification, and/or #SS description.

0 Kudos

Link Copied

2 Replies
Konstantin_B_
Novice
‎10-17-2017 03:40 AM
472 Views

And the SDM was updated in rev. 064, thank you.

0 Kudos
Copy link
jimdempseyatthecove
Honored Contributor III
‎10-19-2017 09:26 AM
472 Views

The SS register will hold either a segment number (Real Mode or V86 Mode) or a selector (Protected Mode). When in Real/V86 mode, the current  selector is used ( that on transition to V86 or power-up/0x0 for Real Mode), to which the segment number *10 is applied as an offset to the base of the memory referenced by the current SS selector. The Selector itself could be invalid, or the address resolved by the SS (selector) + Segment offset (Real/V86) or SIB reference off of SS: could potentially point to an unmapped page in memory, and fault.

I think the document is interchanging segment and selector when it ought not.

Jim Dempsey

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.