User's Manual

ADVANCED TOPICS
For both LAR and LSL, the zero flag (ZF) is set if the loading was performed; otherwise, the zero flag is cleared. Both instructions are undefined in real address mode, causing an invalid opcode exception (interrupt #6).
11.3.1 Descriptor Validation
The 80286 has two instructions, VERR and VERW, which determine whether a selector points to a segment that can be read or written at the current privilege level. Neither instruction causes a protection fault if the result is negative.
VERR verifies a segment for reading and loads ZF with 1 if that segment is readable from the current privilege level. The validation process checks that: 1) the selector points to a descriptor within the bounds of the GDT or LDT, 2) it denotes a segment descriptor (as opposed to a control descriptor), and 3) the segment is readable and of appropriate privilege level. The privilege check for data segments and non-conforming code segments is that the DPL must be numerically greater than or equal to both the CPL and the selector's RPL. Conforming segments are not checked for privilege level.
VERW provides the same capability as VERR for verifying writability. Like the VERR instruction, VERW loads ZF if the result of the writability check is positive. The instruction checks that the descriptor is within bounds, is a segment descriptor, is writable, and that its DPL is numerically greater than or equal to both the CPL and the selector's RPL. Code segments are never writable, conforming or not.
11.3.2 Pointer Integrity: RPL and the "Trojan Horse Problem"
The Requested Privilege Level (RPL) feature can prevent inappropriate use of pointers that could corrupt the operation of more privileged code or data from a less privileged level.
A common example is a file system procedure, FREAD (file_id, n_bytes, buffer_ptr). This hypothetical procedure reads data from a file into a buffer, overwriting whatever is there. Normally, FREAD would be available at the user level, supplying only pointers to the file system procedures and data, which are located and operating at a privileged level. Normally, such a procedure prevents user-level procedures from directly changing the file tables. However, in the absence of a standard protocol for checking pointer validity, a user-level procedure could supply a pointer into the file tables in place of its buffer pointer, causing the FREAD procedure to corrupt them unwittingly.
By using the RPL, you can avoid such problems. The RPL field allows a privilege attribute to be assigned to a selector. This privilege attribute would normally indicate the privilege level of the code which generated the selector. The 80286 hardware will automatically check the RPL of any selector loaded into a segment register or a control register to see if the RPL allows access.
To guard against invalid pointers, the called procedure need only ensure that all selectors passed to it have an RPL at least as high (numerically) as the original caller's CPL. This indicates that the selectors were not more trusted than their supplier. If one of the selectors is used to access a segment that the caller would not be able to access directly, i.e., the RPL is numerically greater than the DPL, then a protection fault will result when it is loaded into a segment or control register.
The caller's CPL is available in the CS selector that was pushed on the stack as the return address. A special instruction, ARPL, can be used to appropriately adjust the RPL field of the pointer. ARPL (Adjust RPL field of selector instruction) adjusts the RPL field of a selector to become the larger of its original value and the value of the RPL field in a specified register. The latter is normally loaded from the caller's CS register, which can be found on the stack. If the adjustment changes the selector's RPL, ZF is set; otherwise, the zero flag is cleared.
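The descriptor checks of 11.3.1 and the RPL adjustment of 11.3.2 can be modelled in a few lines of C. The following is an added example and is not part of the Intel manual: it builds a constructed descriptor table, implements the VERR/VERW decision rules, ARPL, and the privilege check the processor applies when a data selector is loaded into a segment register, and then runs the FREAD "Trojan horse" pointer through them, once without ARPL (the privileged file tables load successfully and would be overwritten) and once with ARPL (the load faults). The table contents, the helper names (lookup, privilege_ok, load_faults, fread_would_fault), and the simplification to a single GDT with no LDT are assumptions of the example.

```c
/* Added example (not from the Intel 80286 manual): a software model of the
 * descriptor checks behind VERR, VERW and ARPL, used to show how adjusting a
 * selector's RPL to the caller's CPL defeats the "Trojan horse" pointer.
 * The descriptor table is constructed for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Selector layout: bits 15..3 index, bit 2 table indicator, bits 1..0 RPL. */
#define SEL_RPL(s)            ((s) & 3)
#define SEL_INDEX(s)          ((s) >> 3)
#define MAKE_SEL(index, rpl)  ((uint16_t)(((index) << 3) | ((rpl) & 3)))

enum seg_kind { SEG_CONTROL, SEG_DATA, SEG_CODE };

struct descriptor {
    enum seg_kind kind;
    unsigned dpl;        /* descriptor privilege level: 0 (most) .. 3 (least) */
    bool readable;       /* data: always; code: only when the readable bit is set */
    bool writable;       /* data segments only; code is never writable */
    bool conforming;     /* code segments only */
};

/* Constructed GDT; index 0 is the null descriptor (treated as a control entry). */
static const struct descriptor gdt[] = {
    [0] = { SEG_CONTROL, 0, false, false, false },  /* null */
    [1] = { SEG_CODE,    0, true,  false, false },  /* kernel code */
    [2] = { SEG_DATA,    0, true,  true,  false },  /* file tables (privileged) */
    [3] = { SEG_DATA,    3, true,  true,  false },  /* user buffer */
    [4] = { SEG_CODE,    0, true,  false, true  },  /* conforming library code */
    [5] = { SEG_CODE,    3, true,  false, false },  /* user code (caller's CS) */
};
#define GDT_ENTRIES (sizeof gdt / sizeof gdt[0])

/* Steps 1) and 2) shared by VERR/VERW: in bounds and a segment descriptor. */
static const struct descriptor *lookup(uint16_t sel) {
    if (SEL_INDEX(sel) == 0 || SEL_INDEX(sel) >= GDT_ENTRIES) return NULL;
    const struct descriptor *d = &gdt[SEL_INDEX(sel)];
    return d->kind == SEG_CONTROL ? NULL : d;
}

/* Privilege rule of 11.3.1: DPL numerically >= both CPL and the selector's RPL. */
static bool privilege_ok(const struct descriptor *d, uint16_t sel, unsigned cpl) {
    return d->dpl >= cpl && d->dpl >= SEL_RPL(sel);
}

/* VERR: returns the value ZF would take (true = readable at this CPL). */
bool verr(uint16_t sel, unsigned cpl) {
    const struct descriptor *d = lookup(sel);
    if (!d || !d->readable) return false;
    if (d->kind == SEG_CODE && d->conforming) return true;  /* not privilege-checked */
    return privilege_ok(d, sel, cpl);
}

/* VERW: same shape as VERR for writability; code segments are never writable. */
bool verw(uint16_t sel, unsigned cpl) {
    const struct descriptor *d = lookup(sel);
    if (!d || d->kind == SEG_CODE || !d->writable) return false;
    return privilege_ok(d, sel, cpl);
}

/* ARPL dest, src: dest.RPL becomes max(dest.RPL, src.RPL); returns ZF (changed). */
bool arpl(uint16_t *dest, uint16_t src) {
    if (SEL_RPL(src) > SEL_RPL(*dest)) {
        *dest = (uint16_t)((*dest & ~3u) | SEL_RPL(src));
        return true;
    }
    return false;
}

/* Loading a data selector into a segment register faults when either the
 * RPL or the CPL is numerically greater than the DPL. True means "faults". */
bool load_faults(uint16_t sel, unsigned cpl) {
    const struct descriptor *d = lookup(sel);
    return !d || !privilege_ok(d, sel, cpl);
}

/* The 11.3.2 scenario: privileged FREAD (CPL 0) receives buffer_sel from a
 * caller whose CS image (caller_cs) is on the stack. Returns whether the
 * buffer load faults after the selector is adjusted with ARPL. */
bool fread_would_fault(uint16_t buffer_sel, uint16_t caller_cs) {
    arpl(&buffer_sel, caller_cs);       /* trust the pointer no more than its supplier */
    return load_faults(buffer_sel, 0);  /* FREAD itself runs at CPL 0 */
}

int main(void) {
    uint16_t file_tables = MAKE_SEL(2, 0), user_buffer = MAKE_SEL(3, 3);
    uint16_t user_cs = MAKE_SEL(5, 3);  /* caller runs at CPL 3 */
    printf("VERR on file tables from CPL 3: %d\n", verr(file_tables, 3));              /* 0 */
    printf("Trojan pointer, no ARPL, faults: %d\n", load_faults(file_tables, 0));      /* 0 */
    printf("Trojan pointer, with ARPL, faults: %d\n", fread_would_fault(file_tables, user_cs)); /* 1 */
    printf("Legitimate buffer, with ARPL, faults: %d\n", fread_would_fault(user_buffer, user_cs)); /* 0 */
    return 0;
}
```

The point the model makes explicit is that without the ARPL step the forged selector (RPL 0, pointing at the DPL 0 file tables) loads cleanly at CPL 0 and the write goes through, whereas after ARPL its RPL is 3, the DPL >= RPL test fails, and the processor raises a protection fault instead of letting FREAD overwrite the tables. A genuine user buffer (DPL 3) passes the same check unchanged.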
11-4