Intel 253668-032US User Manual
5-30 Vol. 3
PROTECTION
5. (If the RET instruction includes a parameter count operand.) Adds the parameter
count (in bytes obtained from the RET instruction) to the current ESP register
value, to step past the parameters on the calling procedure’s stack. The resulting
ESP value is not checked against the limit of the stack segment. If the ESP value
is beyond the limit, that fact is not recognized until the next stack operation.
value, to step past the parameters on the calling procedure’s stack. The resulting
ESP value is not checked against the limit of the stack segment. If the ESP value
is beyond the limit, that fact is not recognized until the next stack operation.
6. (If the return requires a privilege level change.) Checks the contents of the DS,
ES, FS, and GS segment registers. If any of these registers refer to segments
whose DPL is less than the new CPL (excluding conforming code segments), the
segment register is loaded with a null segment selector.
whose DPL is less than the new CPL (excluding conforming code segments), the
segment register is loaded with a null segment selector.
See the description of the RET instruction in Chapter 4 of the Intel® 64 and IA-32
Architectures Software Developer’s Manual, Volume 2B, for a detailed description of
the privilege level checks and other protection checks that the processor performs on
a far return.
Architectures Software Developer’s Manual, Volume 2B, for a detailed description of
the privilege level checks and other protection checks that the processor performs on
a far return.
5.8.7
Performing Fast Calls to System Procedures with the
SYSENTER and SYSEXIT Instructions
The SYSENTER and SYSEXIT instructions were introduced into the IA-32 architecture
in the Pentium II processors for the purpose of providing a fast (low overhead) mech-
anism for calling operating system or executive procedures. SYSENTER is intended
for use by user code running at privilege level 3 to access operating system or exec-
utive procedures running at privilege level 0. SYSEXIT is intended for use by privilege
level 0 operating system or executive procedures for fast returns to privilege level 3
user code. SYSENTER can be executed from privilege levels 3, 2, 1, or 0; SYSEXIT
can only be executed from privilege level 0.
The SYSENTER and SYSEXIT instructions are companion instructions, but they do not
constitute a call/return pair. This is because SYSENTER does not save any state infor-
mation for use by SYSEXIT on a return.
The target instruction and stack pointer for these instructions are not specified
through instruction operands. Instead, they are specified through parameters
entered in MSRs and general-purpose registers.
For SYSENTER, target fields are generated using the following sources:
in the Pentium II processors for the purpose of providing a fast (low overhead) mech-
anism for calling operating system or executive procedures. SYSENTER is intended
for use by user code running at privilege level 3 to access operating system or exec-
utive procedures running at privilege level 0. SYSEXIT is intended for use by privilege
level 0 operating system or executive procedures for fast returns to privilege level 3
user code. SYSENTER can be executed from privilege levels 3, 2, 1, or 0; SYSEXIT
can only be executed from privilege level 0.
The SYSENTER and SYSEXIT instructions are companion instructions, but they do not
constitute a call/return pair. This is because SYSENTER does not save any state infor-
mation for use by SYSEXIT on a return.
The target instruction and stack pointer for these instructions are not specified
through instruction operands. Instead, they are specified through parameters
entered in MSRs and general-purpose registers.
For SYSENTER, target fields are generated using the following sources:
•
Target code segment — Reads this from IA32_SYSENTER_CS.
•
Target instruction — Reads this from IA32_SYSENTER_EIP.
•
Stack segment — Computed by adding 8 to the value in IA32_SYSENTER_CS.
•
Stack pointer — Reads this from the IA32_SYSENTER_ESP.
For SYSEXIT, target fields are generated using the following sources:
•
Target code segment — Computed by adding 16 to the value in the
IA32_SYSENTER_CS.
IA32_SYSENTER_CS.
•
Target instruction — Reads this from EDX.