PROTECTION

The following is a description of the protection checks performed while transferring control (with the CALL instruction) through a call gate:

Verifying that access to the call gate is allowed. One of the protection features provided by call gates is the access checks made to determine if the call gate may be used (i.e., checking if the privilege level of the calling program is adequate).

Determining the destination address and whether a privilege transition is required. This feature makes privilege transitions transparent to the caller.

Performing the privilege transition, if required.

Verifying access to a call gate is the same for any call gate and is independent of whether a JMP or CALL instruction was used. The rules of privilege used to determine whether a data segment may be accessed are employed to check if a call gate may be jumped-to or called. Thus, privileged subroutines can be hidden from untrusted programs by the absence of a call gate.

When an inter-segment CALL or JMP instruction selects a call gate, the gate's privilege and presence will be checked. The gate's DPL (in the access byte) is checked against the EPL (MAX (task CPL, selector RPL)). If EPL > DPL, the program is less privileged than the gate and therefore it may not make a transition. In this case, a general protection fault occurs with an error code identifying the gate. Otherwise, the gate is accessible from the program executing the call, and the control transfer is allowed to continue. After the privilege checks, the descriptor presence is checked. If the present bit of the gate access rights byte is 0 (i.e., the target code segment is not present), a not-present fault occurs with an error code identifying the gate.

The checks indicated in Table 7-3 are applied to the contents of the call gate. Violating any of them causes the exception shown. The low-order two bits of the error code are zero for these exceptions.
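The sequence above (the gate's DPL checked against the EPL, then gate presence, then the Table 7-3 checks on the gate's contents) can be modelled in C as follows. This is an added illustration, not code from the manual: the struct layouts, the single array standing in for the descriptor table, and the choice to run the Table 7-3 checks in the order the table lists them are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum fault { NO_FAULT, FAULT_GP, FAULT_NP };
struct outcome { enum fault fault; uint16_t error_code; };

/* Hypothetical, simplified descriptors: only the fields the checks read. */
struct code_seg  { bool is_code, present, conforming; uint8_t dpl; };
struct call_gate { bool present; uint8_t dpl; uint16_t target_sel; };

/* Error codes identify a selector with the low-order two bits zeroed. */
static uint16_t sel_id(uint16_t sel) { return (uint16_t)(sel & 0xFFFCu); }

/* Model of the checks for a CALL/JMP whose selector gate_sel names gate g.
 * table[] stands in for the descriptor table (assumption: one table,
 * index = selector >> 3). */
struct outcome call_gate_check(uint8_t cpl, uint16_t gate_sel,
                               const struct call_gate *g,
                               const struct code_seg *table, size_t entries)
{
    uint8_t rpl = gate_sel & 3u;
    uint8_t epl = cpl > rpl ? cpl : rpl;      /* EPL = MAX(CPL, RPL) */

    if (epl > g->dpl)                         /* caller less privileged than gate */
        return (struct outcome){ FAULT_GP, sel_id(gate_sel) };
    if (!g->present)                          /* presence comes after privilege */
        return (struct outcome){ FAULT_NP, sel_id(gate_sel) };

    /* Table 7-3 checks on the selector stored in the gate. */
    uint16_t tsel = g->target_sel;
    if (sel_id(tsel) == 0)                    /* null selector: error code 0 */
        return (struct outcome){ FAULT_GP, 0 };
    if ((size_t)(tsel >> 3) >= entries)       /* outside descriptor table limit */
        return (struct outcome){ FAULT_GP, sel_id(tsel) };
    const struct code_seg *cs = &table[tsel >> 3];
    if (!cs->is_code)                         /* descriptor is not a code segment */
        return (struct outcome){ FAULT_GP, sel_id(tsel) };
    if (!cs->present)                         /* code segment not present */
        return (struct outcome){ FAULT_NP, sel_id(tsel) };
    if (!cs->conforming && cs->dpl > cpl)     /* row "Nonconforming ... DPL > CPL" */
        return (struct outcome){ FAULT_GP, sel_id(tsel) };
    return (struct outcome){ NO_FAULT, 0 };
}
```

Because the RPL of the selector used to reach the gate feeds into the EPL, a privileged caller that passes along a selector with a weaker RPL is checked at that weaker level.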

7.5.1.2 INTRA-LEVEL TRANSFERS VIA CALL GATE

The transfer is intra-level if the destination code segment is at the same privilege level as CPL. Either the code segment is non-conforming with DPL = CPL, or it is conforming, with DPL ≤ CPL (see section 11.2 for this case). The 32-bit destination address in the gate is loaded into CS:IP.

Table 7-3. Call Gate Checks

Type of Check                                Fault(1)   Error Code
Selector is not Null                         GP         0
Selector is within Descriptor Table Limit    GP         Selector id
Descriptor is a Code Segment                 GP         Code Segment id
Code Segment is Present                      NP         Code Segment id
Nonconforming Code Segment DPL > CPL         GP         Code Segment id

NOTES:

(1) GP = General Protection, NP = Not-Present Exception.

The offset portion of the JMP or CALL destination address which refers to a call gate is always ignored.
