TSS switch failed.
Posted: Mon Sep 16, 2013 7:07 pm
Hi, help please.
Win NT, x86, P4 processor.
Result:
Esp(ESP1) = 0xB2855A80
Esp(ESP2) = 0x85424F5C
Esp(ESP1) = 0xB355AA80
Esp(ESP2) = 0x85424F5C
...
Esp at the ESP2 label is fixed (0x85424F5C) for any thread.
TSS:
TR=0028 BASE=80042000 LIMIT=20AB
LDT=0000 GS=0855 FS=5501 DS=0F56 SS=8B24 CS=8510 ES=EC8B CR3=10F19000
EAX=1875FFEC EBX=FFFF02E8 ECX=FF1475FF EDX=55FF8B00 EIP=001CC2C9
ESI=14C25DFF EDI=55FF8B00 EBP=FFFF02E8 ESP=0875FF00 EFL=8B55FF8B
SS0=0010:B2855A80 SS1=4338:D0685000 SS2=C483:FFFF33B5
How is this possible?
Where does the stack?
Code:
; Current CPL = 0.
mov eax,esp ; Current stack.
ESP1:
mov ecx,D fs:[PcTss] ; PKTSS: pointer to the TSS.
xchg D[ecx + TssEsp0],eax ; Use the new stack (for the switch R3 -> R0).
; Jump to user mode (R3). Interrupts are masked (IF = 0).
; There is a Nop instruction there; after it executes, a #DB will occur.
push KGDT_ST or RPL_MASK ; rSs
push 0 ; rEsp
push EFLAGS_MASK or EFLAGS_TF ; rEFlags
push KGDT_R3_CODE or RPL_MASK ; rCs, DPL = 3.
push edx ; rEip
iretd
; #DB handler:
; IDT desc. is a trap (NOT task) gate.
mov eax,KGDT_R0_PCR
mov ecx,KGDT_R3_DATA or RPL_MASK
mov fs,eax
mov ds,ecx
mov es,ecx
ESP2:
...
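As an added example, not part of the original post and not Windows NT code: a small C decoder for the 32-bit x86 TSS that models the rule the question turns on. When a trap gate (such as the #DB handler above) raises CPL from 3 to 0, the processor loads SS:ESP from the SS0:ESP0 fields of the TSS that TR currently points at, so the stack seen at the ESP2 label is whatever ESP0 holds in that TSS at the moment the trap fires. The field offsets are those of the Intel SDM's 32-bit TSS; the sample image is constructed here from the SS0/SS1/SS2 values in the dump above; tss_exchange_esp0 mirrors the post's xchg, and the sanity check is this example's own addition.

```c
/* Added example: decode a 32-bit x86 TSS image and report which stack the
 * CPU loads on a privilege-level change. Offsets follow the Intel SDM; the
 * sample image is constructed for this example. Little-endian host assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TSS32_SIZE 104   /* size of a 32-bit TSS without an I/O bitmap */

/* Byte offsets of the fields used here (32-bit TSS). */
enum {
    TSS_ESP0 = 4,  TSS_SS0 = 8,      /* ring-0 stack */
    TSS_ESP1 = 12, TSS_SS1 = 16,     /* ring-1 stack */
    TSS_ESP2 = 20, TSS_SS2 = 24,     /* ring-2 stack */
    TSS_CR3  = 28, TSS_ESP = 56, TSS_SS = 80,
    TSS_IOMAP = 102                  /* I/O map base (16-bit) */
};

static uint32_t rd32(const uint8_t *t, int off) { uint32_t v; memcpy(&v, t + off, 4); return v; }
static uint16_t rd16(const uint8_t *t, int off) { uint16_t v; memcpy(&v, t + off, 2); return v; }
static void wr32(uint8_t *t, int off, uint32_t v) { memcpy(t + off, &v, 4); }
static void wr16(uint8_t *t, int off, uint16_t v) { memcpy(t + off, &v, 2); }

/* Stack the CPU switches to when a trap/interrupt gate moves from `from_cpl`
 * to the more privileged `to_cpl` (0..2). Returns 0 and fills ss/esp from the
 * matching SSn:ESPn pair; returns -1 when no privilege change happens, in which
 * case the current stack is kept and the TSS is not consulted. */
int tss_stack_for_transition(const uint8_t *tss, int from_cpl, int to_cpl,
                             uint16_t *ss, uint32_t *esp) {
    if (to_cpl < 0 || to_cpl > 2 || to_cpl >= from_cpl) return -1;
    *esp = rd32(tss, TSS_ESP0 + 8 * to_cpl);   /* ESPn at 4 + 8n */
    *ss  = rd16(tss, TSS_SS0  + 8 * to_cpl);   /* SSn  at 8 + 8n */
    return 0;
}

/* Mirrors the post's `xchg D[ecx + TssEsp0],eax`: install a new ring-0 stack
 * pointer and return the one that was there before. */
uint32_t tss_exchange_esp0(uint8_t *tss, uint32_t new_esp0) {
    uint32_t old = rd32(tss, TSS_ESP0);
    wr32(tss, TSS_ESP0, new_esp0);
    return old;
}

/* Minimal checks on the ring-0 stack fields before relying on a ring-3 -> ring-0
 * trap: SS0 must be a non-null selector with RPL 0, ESP0 non-zero and 4-aligned.
 * (The descriptor's DPL and limit are checked by the CPU and not modelled here.) */
int tss_ring0_stack_is_sane(const uint8_t *tss) {
    uint16_t ss0  = rd16(tss, TSS_SS0);
    uint32_t esp0 = rd32(tss, TSS_ESP0);
    if ((ss0 & 3u) != 0) return 0;        /* RPL must be 0 */
    if ((ss0 & ~7u) == 0) return 0;       /* null selector */
    if (esp0 == 0 || (esp0 & 3u) != 0) return 0;
    return 1;
}

/* Constructed sample image using the selector:pointer pairs from the post's dump. */
void build_sample_tss(uint8_t *tss) {
    memset(tss, 0, TSS32_SIZE);
    wr32(tss, TSS_ESP0, 0xB2855A80u); wr16(tss, TSS_SS0, 0x0010);
    wr32(tss, TSS_ESP1, 0xD0685000u); wr16(tss, TSS_SS1, 0x4338);
    wr32(tss, TSS_ESP2, 0xFFFF33B5u); wr16(tss, TSS_SS2, 0xC483);
    wr16(tss, TSS_IOMAP, TSS32_SIZE);     /* no I/O permission bitmap */
}

int main(void) {
    uint8_t tss[TSS32_SIZE];
    uint16_t ss; uint32_t esp;
    build_sample_tss(tss);
    if (tss_stack_for_transition(tss, 3, 0, &ss, &esp) == 0)
        printf("ring3 -> ring0 trap uses SS:ESP = %04X:%08X\n", ss, esp);
    printf("sane ring-0 stack: %d\n", tss_ring0_stack_is_sane(tss));
    printf("old ESP0 = %08X\n", tss_exchange_esp0(tss, 0xB355AA80u));
    if (tss_stack_for_transition(tss, 3, 0, &ss, &esp) == 0)
        printf("after xchg, trap uses SS:ESP = %04X:%08X\n", ss, esp);
    return 0;
}
```

Whatever ESP0 holds in the TSS that TR selects when the trap fires is what the handler sees as its stack; a dump of the TSS fields at that moment, as the functions above read them, is the first thing to compare against the value observed at ESP2.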