PROTECTION

Since stacks normally occupy different offset ranges (lower limit to 0FFFFH) than data segments, the limit field of a segment descriptor can be interpreted in two ways. The Expand Down (ED) bit in the access byte allows offsets for stack segments to be greater than the limit field. When ED is 1, the allowed range of offsets within the segment is limit + 1 to 0FFFFH. To allow a full stack segment, set ED to 1 and the limit to 0FFFFH. The ED bit of a data segment descriptor does not have to be set for use in SS (i.e., it will not cause an exception). Section 7.5.4 discusses stack segment usage in greater detail. An expand down (ED = 1) segment can also be loaded into ES or DS.

Limit and access checks are performed before any memory reference is started. For stack push instructions (PUSH, PUSHA, ENTER, CALL, INT), a possible limit violation is identified before any internal registers are updated. Therefore, these instructions are fully restartable after a stack size violation.

7.4.2 Code Segment Access

Code segments are accessed via CS for execution. Segments that are execute-only can ONLY be executed; they cannot be accessed via DS or ES, nor read via CS with a CS override prefix. If a segment is executable (bit 3 = 1 in the access byte), access via DS or ES is possible only if it is also readable. Thus, any code segment that also contains data must be readable. (Refer to Chapter 2 for a discussion of segment override prefixes.)

An execute-only segment preserves the privacy of the code against any attempt to read it; such an attempt causes a general protection fault with an error code of 0. A code segment cannot be loaded into SS and is never writable. Any attempted write will cause a general protection fault with an error code of 0.

The limit field of a code segment descriptor identifies the last byte in the segment. Any offset greater than the limit value will cause a general protection fault. The prefetcher of the 80286 can never cause a code segment limit violation with an error code of 0. The program must actually attempt to execute an instruction beyond the end of the code segment to cause an exception.
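The limit interpretation for expand-down segments and the read/write rules for code segments described above can be modelled in a few lines. This is an added example, not code from the manual: the function and macro names are hypothetical, and the positions of the ED and readable/writable bits (bits 2 and 1 of the access byte) are taken from the 80286 access byte layout rather than from this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Type bits of the access byte for code and data segment descriptors. */
#define AR_EXEC 0x08 /* bit 3: 1 = executable (code), 0 = data */
#define AR_ED   0x04 /* bit 2 of a data segment: expand down */
#define AR_RW   0x02 /* bit 1: writable (data) or readable (code) */

/* Limit check for an access of len bytes (len >= 1) starting at offset. */
bool offset_in_limit(uint8_t access, uint16_t limit, uint16_t offset, unsigned len)
{
    uint32_t last = (uint32_t)offset + len - 1; /* widened so overrun is visible */
    if (last > 0xFFFFu)
        return false;              /* access runs past offset 0FFFFH */
    if (!(access & AR_EXEC) && (access & AR_ED))
        return offset > limit;     /* expand down: limit + 1 .. 0FFFFH */
    return last <= limit;          /* expand up and code: 0 .. limit */
}

/* Reads via DS/ES (or a CS override): code segments only when readable. */
bool can_read(uint8_t access)
{
    return !(access & AR_EXEC) || (access & AR_RW);
}

/* Writes: only writable data segments; a code segment is never writable. */
bool can_write(uint8_t access)
{
    return !(access & AR_EXEC) && (access & AR_RW);
}

int main(void)
{
    /* Constructed sample descriptors: access byte and limit field. */
    const uint8_t stack_ed = 0x96, exec_only = 0x98, code_rd = 0x9A;
    const uint16_t limit = 0x0FFF;

    printf("ED stack, push word at 1000H: %s\n",
           offset_in_limit(stack_ed, limit, 0x1000, 2) ? "ok" : "fault");
    printf("ED stack, push word at 0FFEH: %s\n",
           offset_in_limit(stack_ed, limit, 0x0FFE, 2) ? "ok" : "fault");
    printf("execute-only read: %s, readable code write: %s\n",
           can_read(exec_only) ? "ok" : "fault",
           can_write(code_rd) ? "ok" : "fault");
    return 0;
}
```
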

If a readable non-conforming code segment is to be loaded into DS or ES, the privilege level requirements are the same as those stated for data segments in 7.4.1.

Code segments are subject to different privilege checks when executed. The normal privilege requirement for a jump or call to another code segment is that the current privilege level equal the descriptor privilege level of the new code segment. Jumps and calls within the current code segment automatically obey this rule.

Return instructions may pass control to code segments at the same or less (numerically greater) privileged level. Code segments at more privileged levels may only be reached via a call through a call gate as described in section 7.5.

An exception to this, previously stated, is the conforming code segment that allows the DPL of the requested code segment to be numerically less than (of greater privilege than) the CPL. Conforming code segments are discussed in section 11.2.

7.4.3 Data Access Restriction by Privilege Level

This section describes privilege verification when accessing either data segments (loading segment selectors into DS, ES, or SS) or readable code segments. Privilege verification when loading CS for transfer of control across privilege levels is described in the next section.

Intel 80286, 80287 manual Code Segment Access, Data Access Restriction by Privilege Level