
I'm learning about interrupts in operating systems now and have this question. I know that we cannot directly call system functions in user mode because the CPL in CS is 3 and the DPL of system_call is 0. I'm wondering whether we can just set CPL in CS to 0 and then call the kernel functions?

The reason that it seems doable to me is that interrupt (int 0x80) can change CPL from 3 to 0, which means we should also be able to do the same thing. But if we can, this is a security issue because then any malware will be able to access system resources.

  • Raising the CPL is privileged, so if a program (tries to) do it, it causes a GP fault. The resulting interrupt (probably) changes CPL to 0, but under the control of whoever set up the interrupt handler (which is the OS) – Chris Dodd Jul 14 '19 at 00:34
  • Seems that ljmp or jumpi can change CS: https://docs.oracle.com/cd/E19455-01/806-3773/instructionset-73/index.html https://kernel.googlesource.com/pub/scm/linux/kernel/git/nico/archive/+/v0.99-pl8/boot/setup.S#240 So can we call these instructions in program code? – Changda Li Jul 15 '19 at 06:53
  • And by "interrupt", I meant “int 0x80” rather than the interrupt handler function -- "int 0x80" will change CPL from 3 to 0 so that the following interrupt handler function can be successfully executed. Sorry for not making it clear! – Changda Li Jul 15 '19 at 07:03
  • 2
    long jumps (in protected mode) check the CPL of the requested segment, and give a GP fault if it is lower than the current segment. int 0x80 jumps to the kernel, so gives control to the kernel, not to any user/potentially malicious code. – Chris Dodd Jul 15 '19 at 19:26
  • Thanks! So the only way for user to raise CPL is through interrupt (int 0x80), is that correct? – Changda Li Jul 16 '19 at 03:06
  • 2
    Or any other interrupt. Any interrupt will transfer control to the interrupt handler set up for it. The setup is done by the kernel, so if the kernel is secure (not buggy), it will never set up an interrupt handler in an insecure manner so as to invoke user code at higher priority than it should. But that does depend on there not being bugs in the kernel software. – Chris Dodd Jul 16 '19 at 18:32
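The far-jump check the comments describe can be watched from a normal process. The program below is an added example, not from the question or the comments: on Linux x86-64 it attempts a far jump from ring 3 to selector 0x10 (assumed here to be the kernel's __KERNEL_CS, DPL 0), and the CPU refuses it with a general protection fault, which Linux delivers to the process as SIGSEGV. The only way into ring 0 that succeeds is the one the comments name, an interrupt or syscall gate whose target the kernel chose.

```c
/* Added example: try a ring-3 -> ring-0 far jump and observe the #GP.
 * Linux x86-64 only; on other builds the function reports -1. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf recover;
static volatile int fault_si_code = 0;

static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    fault_si_code = si->si_code;   /* Linux reports a #GP as SI_KERNEL (0x80) */
    siglongjmp(recover, 1);        /* unwind back to the sigsetjmp below */
}

/* Returns 1 if the CPU rejected the jump (expected), 0 if it ran (it cannot),
 * -1 when not built for Linux x86-64. */
int try_far_jump_to_kernel_cs(void) {
#if defined(__x86_64__) && defined(__linux__)
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    /* m16:32 far pointer: offset 0, selector 0x10. Assumption: 0x10 is
     * __KERNEL_CS in the Linux GDT (DPL 0, non-conforming). Our CPL is 3,
     * so the descriptor check fails before any instruction at the target
     * is fetched; the offset never matters. */
    struct __attribute__((packed)) { uint32_t offset; uint16_t selector; }
        target = { 0, 0x10 };

    volatile int result;
    if (sigsetjmp(recover, 1) == 0) {
        __asm__ volatile("ljmpl *%0" : : "m"(target) : "memory");
        result = 0;                /* not reached: the CPU faults above */
    } else {
        result = 1;                /* came back through the SIGSEGV handler */
    }
    sigaction(SIGSEGV, &old, NULL);
    return result;
#else
    return -1;
#endif
}

int main(void) {
    int r = try_far_jump_to_kernel_cs();
    printf("far jump to selector 0x10: result=%d si_code=0x%x\n", r, fault_si_code);
    return 0;
}
```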
