IRET

[justin]

In the Intel manuals (5-18 vol 3), it says "If a stack switch occurred when calling the handler procedure, the IRET instruction
switches back to the interrupted procedure’s stack on the return."

How does the processor know that a stack switch occurred when the handler procedure was called, so that it can take the appropriate action during an IRET instruction?

[AJ]

Hi,

The only way it knows is by the PL of the return CS selector. If the return CS PL is greater than that of the handler, SS and ESP are popped off the stack.

Cheers,
Adam

[blackoil]

when executing IRET, it need to pop CS:EIP pair, if CS value to be popped is greater the current value in CS register, then after pop CS:EIP pair, SS:ESP pair follows implicitly.

customly switch to any greater previlege ring task, you need to set up CS:EIP SS:ESP pairs on your current stack, manually.

[AJ]

when executing IRET, it need to pop CS:EIP pair, if CS value to be popped is greater the current value in CS register, then after pop CS:EIP pair, SS:ESP pair follows implicitly.

This is a bit misleading. It's not the CS value that matters - only the DPL of CS (the lower 2 bits). Also, the order of popped arguments is EIP, CS, EFLAGS, ESP and then SS.

Cheers,
Adam

[blackoil]

yes, the DPL of CS register

SS <---high address
ESP
EFLAGs
EIP
CS <---low address, current SS:ESP

[egos]

Open your eyes:

SS <---high address
ESP
EFLAGs
CS
EIP <---low address, current SS:ESP

Edited: the low two bits of selector are RPL, not DPL.

[blackoil]

Oh yeah, I got asleep while typing