x86_64: Entering user mode

[daveATseclogs]

HEEEEEeeellloooooooooOOoOoo
can someone post me how to enter in usermode (ring3) in x86-64!?!?! I've tried using the classic IRET method but i cant figure out why it doesn't work...

This is my GDT

Code: Select all

align 0x10
global gdt64
gdt64:
; null descriptor   
    dw  0,0,0,0   
; ring 0 code segment descriptor
    dw  0x0             ; limit 15:0 = 0
    dw  0x0             ; base low = 0
    db  0x0             ; base middle = 0
    db  10011000b       ; access 
    db  00100000b       ; flags + limit 19:16
    db  0x0             ; base high
; ring 0 data segment descriptor
    dw  0x0             ; limit 15:0 = 0
    dw  0x0             ; base address = 0
    db  0x0             ; base middle = 0
    db  10010000b    ; access
    db  00000000b       ; flags + limit 19:16
    db  0x0             ; base high
; ring 3 code segment descriptor
    dw  0x0
    dw  0x0
    db  0x0
    db  11111000b
    db  00100000b
    db  0x0
; ring 3 data segment descriptor
    dw  0x0             
    dw  0x0
    db  0x0
    db  10010000b
    db  00000000b
    db  0x0

And this is how, for now using the iret way, i'm trying to get into ring3

Code: Select all

global enter_usermode
enter_usermode:
    push    0x0                                        ; ss
    mov     rax, qword 0x7f7ffffffff0         ; rsp
    push    rax
    pushfq                                               ; rflags
    push    0x1b                                      ; cs
    mov     rax, qword um                       ; rip
    push    rax
    iretq
um:

The stack pointer is a user mode writeable page....Maybe im wrong with the SS=0!?!?! But if i put in the CS 0x8 (the ring0 selector in the gdt) it works, clearly i'l end up in the ring0 again but this is just for testing.

I'm interested in how to enter in user mode using the SYSRET instruction as well (STAR;LSTAR etch).

I can't find any documentation about this topic for x86_64 so if someone know where is the problem...

Thanks a lot
D

[Combuster]

You have two big problems:

it doesn't work

Did you need to literally insert the worst problem description ever? Define "Does not work"

I can't find any documentation

I have 494 pages of it. It's called volume 2 of the AMD processor manual. You should've gotten that one already.

[daveATseclogs]

Thank you combuster... i know about the AMD sys manual...but i just ask if someone can answer me why it does not work (i get a GP fault)...

[gerryg400]

Maybe im wrong with the SS=0

Definitely wrong.

In IA-32e mode, IRET is allowed to load a NULL SS under certain conditions. If the target mode is 64-bit mode and the target CPL <> 3, IRET allows SS to be loaded with a NULL selector.

The DPL of your ring 3 data selector is 0. It should be 3. Then use this selector as your ring 3 stack selector as well.

[edit] deleted comment about alignment

[daveATseclogs]

Oh OK jerry... i've ignored the DPL in the data descriptor because i've readed this in the AMD manual 2:

A data-segment-descriptor DPL field is ignored in 64-bit mode, and segment-privilege checks are not
performed on data segments. System software can use the page-protection mechanisms to isolate and
protect data from unauthorized access.

Anyway...i've tried to set the dpl to 3 in the data selector and to push 0x23 for the SS but a GP fault happens anyway

[daveATseclogs]

Ok...solved i have to put the dpl bits to 3, load the ss with the user data descriptor and SET THE RW BIT in the data descriptor.
The manual is not very clear about this...since at page 89/90 specify that all the fields except the P bit are ignored in the data selector in 64-bit mode MUAH :/

[gerryg400]

Ok...solved i have to put the dpl bits to 3, load the ss with the user data descriptor and SET THE RW BIT in the data descriptor.
The manual is not very clear about this...since at page 89/90 specify that all the fields except the P bit are ignored in the data selector in 64-bit mode MUAH :/

The manuals say that the fields are ignored during a memory access.

However, your GP was caused by a selector load, not memory access. Intel 2A says for the IRET instruction that you get a #GP(selector) if "If the stack segment is not a writable data segment."