sysret causes cpu reset
Posted: Mon Jul 15, 2019 1:20 pm
I'm trying to switch to user-mode (ring 3) on x86_64 with the following code:
mov rcx, 0x80000000
xor r11, r11
sysretq
I have some virtual memory mapped at 0x80000000 with the flags Flags::PRESENT | Flags::WRITABLE | Flags::USER_ACCESSIBLE. At 0x80000000 I wrote a simple nop instruction (0x90).
I'm expecting the cpu to load rcx (0x80000000) into rip and execute the nop instruction, but the cpu resets before the nop is executed.
I enabled the system call extensions in EFER and wrote the segment selector to STAR.
I have interrupt handlers for almost all cpu exceptions enabled (including double fault), but the cpu resets without causing an exception/calling the handlers when the sysretq instruction is executed.
The qemu log shows the cpu reset:
CPU Reset (CPU 0)
RAX=0000000080000001 RBX=0000000000006882 RCX=0000000080000000 RDX=0000000000000000
RSI=0000000080000001 RDI=000057ac001fffcc RBP=000000000000626a RSP=000057ac001fff38
R8 =fffffffffffffffd R9 =0000000000000802 R10=0000000000000001 R11=0000000000000000
R12=000000000000626a R13=0000000140200000 R14=000000b0071f0000 R15=0000000000006882
RIP=0000000080000000 RFL=00010002 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
ES =0010 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
CS =001b 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
SS =0013 0000000000000000 ffffffff 00c0f300 DPL=3 DS [-WA]
DS =0010 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
FS =0000 0000000000000000 0000ffff 00009300 DPL=0 DS [-WA]
GS =0000 0000000000000000 0000ffff 00009300 DPL=0 DS [-WA]
LDT=0000 0000000000000000 0000ffff 00008200 DPL=0 LDT
TR =0020 000000000024a209 00000067 00008b00 DPL=0 TSS64-busy
GDT= 000000000024a288 0000003f
IDT= 00000000002491f0 00000fff
CR0=80010011 CR2=fffffffffffffff8 CR3=0000000000001000 CR4=00000020
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
CCS=0000000000000000 CCD=0000000000000000 CCO=DYNAMIC
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=00000000000000000000000000000000
XMM02=00000000000000000000000000000000 XMM03=00000000000000000000000000000000
XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
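As an added check, not code from the post or the poster's kernel: given a STAR value, a GDT image and the TSS RSP0 field, this computes the selectors sysretq will load (CS = STAR[63:48]+16, SS = STAR[63:48]+8, both RPL 3, per the SDM) and verifies that they name DPL-3 descriptors and that a kernel stack exists for the next exception taken from ring 3. The GDT contents and STAR values are constructed to reproduce the dump's selectors (CS=001b, SS=0013) and are assumptions, not the poster's actual tables.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Field accessors for a 64-bit GDT code/data descriptor. */
#define DESC_TYPE(d) (((d) >> 40) & 0xf)
#define DESC_S(d)    (((d) >> 44) & 1)
#define DESC_DPL(d)  (((d) >> 45) & 3)
#define DESC_P(d)    (((d) >> 47) & 1)
#define DESC_L(d)    (((d) >> 53) & 1)

enum sysret_check { SYSRET_OK, SYSRET_CS_OUT_OF_GDT, SYSRET_SS_OUT_OF_GDT,
                    SYSRET_CS_NOT_USER_CODE64, SYSRET_SS_NOT_USER_DATA, SYSRET_TSS_RSP0_ZERO };

/* sysretq does not read the GDT; it derives its selectors from STAR[63:48]:
 * CS = base + 16 and SS = base + 8, both with RPL 3. */
static void sysretq_selectors(uint64_t star, uint16_t *cs, uint16_t *ss)
{
    uint16_t base = (uint16_t)(star >> 48);
    *cs = (uint16_t)((base + 16) | 3);
    *ss = (uint16_t)((base + 8) | 3);
}

static bool is_user_code64(uint64_t d)
{   /* present, non-system, executable, long mode, DPL 3 */
    return DESC_P(d) && DESC_S(d) && (DESC_TYPE(d) & 8) && DESC_L(d) && DESC_DPL(d) == 3;
}

static bool is_user_data(uint64_t d)
{   /* present, non-system, non-executable, writable, DPL 3 */
    return DESC_P(d) && DESC_S(d) && !(DESC_TYPE(d) & 8) && (DESC_TYPE(d) & 2) && DESC_DPL(d) == 3;
}

/* The descriptors behind sysretq's selectors are only consulted on the next
 * interrupt/exception from ring 3, which also needs a non-zero TSS.RSP0. */
static enum sysret_check check_sysretq_setup(uint64_t star, const uint64_t *gdt,
                                             size_t entries, uint64_t tss_rsp0)
{
    uint16_t cs, ss;
    sysretq_selectors(star, &cs, &ss);
    if ((size_t)(cs >> 3) >= entries) return SYSRET_CS_OUT_OF_GDT;
    if ((size_t)(ss >> 3) >= entries) return SYSRET_SS_OUT_OF_GDT;
    if (!is_user_code64(gdt[cs >> 3])) return SYSRET_CS_NOT_USER_CODE64;
    if (!is_user_data(gdt[ss >> 3]))   return SYSRET_SS_NOT_USER_DATA;
    if (tss_rsp0 == 0)                 return SYSRET_TSS_RSP0_ZERO;
    return SYSRET_OK;
}

/* Constructed GDT images: null, kernel code (0x9a), kernel data (0x92), user code (0xfa), user data (0xf2). */
static const uint64_t gdt_like_dump[] = { 0, 0x00af9a000000ffffULL, 0x00cf92000000ffffULL, 0x00affa000000ffffULL };
static const uint64_t gdt_fixed[]     = { 0, 0x00af9a000000ffffULL, 0x00cf92000000ffffULL,
                                          0x00cff2000000ffffULL, 0x00affa000000ffffULL };
```

With STAR[63:48] = 0x08 and the dump-like layout, SS becomes 0x13 and selects the DPL-0 kernel data entry; with STAR[63:48] = 0x10 and user data at 0x18 followed by user code at 0x20 the check passes once RSP0 is set.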