
I can't find any specific info about what really happens to a standard CPU (i.e. x86) when some Kernel code (Ring 0) makes a 'call' to a User code (Ring 3) routine.

1) When executing that routine, does the CPU mode status get changed to User mode?

2) After executing the final 'ret' instruction of the User level routine, is an Exception raised because of trying to return to Kernel space code?

fante

2 Answers

Calls can only elevate the privilege, while rets can only lower it.
Chapter 5 of the Intel Manual 3A will give the full details.

If the kernel performs a far call to a user mode segment then a #GP is raised and it may panic/bugcheck the system.
If the call was near, the privilege would stay the same; assuming a flat model and a mapped target, this is a common attack vector for privilege escalation.

If an application tries to perform a ret to a more privileged segment a #GP is raised.

Margaret Bloom

  • I apologize for my basic knowledge but I don't understand your 2nd "if" explanation. Please if possible explain a little bit. – fante Dec 29 '18 at 03:26
  • @fante The one about near calls? Near calls don't change segment, so the privilege cannot change by definition (since the privilege is a property of the segment). When a kernel routine is executed, it is generally unknown which user mode application is currently mapped in memory, but in a few circumstances this is known to correspond to the application that called the kernel routine. If the kernel can be tricked into making a *near* call to an address where a user mode routine is present, that routine would execute with kernel privileges. The link was just a, once famous, example of that. – Margaret Bloom Dec 30 '18 at 13:00
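As an added illustration (not code from either answer or from the Intel manual), a small C model of the privilege checks the answer above refers to: the CPL/DPL/RPL rules for a direct far CALL and a far RET from SDM Vol. 3A chapter 5, plus the near-transfer case where no check applies. The selector values in `main` are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stdint.h>

/* Outcome of a control-transfer privilege check. */
typedef enum { XFER_OK, XFER_GP } xfer_result;

/* The requested privilege level is the low two bits of a segment selector. */
unsigned selector_rpl(uint16_t selector) { return selector & 3u; }

/* Direct far CALL to a code segment (no call gate):
 *  - nonconforming target: CPL must equal DPL and RPL <= DPL, else #GP;
 *  - conforming target:    DPL <= CPL, else #GP.
 * Neither path raises privilege; CPL is unchanged on success. */
xfer_result far_call_check(unsigned cpl, unsigned dpl, unsigned rpl, bool conforming)
{
    if (cpl > 3 || dpl > 3 || rpl > 3) return XFER_GP;     /* out-of-range levels */
    if (conforming) return dpl <= cpl ? XFER_OK : XFER_GP;
    return (cpl == dpl && rpl <= dpl) ? XFER_OK : XFER_GP;
}

/* Far RET: the return code segment's RPL must be >= CPL, so a RET can stay
 * at the same level or drop to a less privileged one, never climb. */
xfer_result far_ret_check(unsigned cpl, unsigned return_rpl)
{
    if (cpl > 3 || return_rpl > 3) return XFER_GP;
    return return_rpl >= cpl ? XFER_OK : XFER_GP;
}

/* Near CALL/RET: no segment change, so the CPL simply carries over. This is
 * why a kernel near-calling into a user-mapped address keeps ring 0. */
unsigned near_transfer_cpl(unsigned cpl) { return cpl; }

int main(void)
{
    const uint16_t user_cs = 0x1B;      /* constructed: index 3, RPL 3 */
    const uint16_t kernel_cs = 0x08;    /* constructed: index 1, RPL 0 */

    /* Question 1: kernel (CPL 0) far-calls a user code segment (DPL 3). */
    printf("kernel far call to user seg: %s\n",
           far_call_check(0, 3, selector_rpl(user_cs), false) == XFER_GP ? "#GP" : "ok");
    /* Question 2: user routine (CPL 3) far-returns to a ring 0 selector. */
    printf("user far ret to kernel seg:  %s\n",
           far_ret_check(3, selector_rpl(kernel_cs)) == XFER_GP ? "#GP" : "ok");
    /* Near call from ring 0: privilege is unchanged, no fault. */
    printf("kernel near call, CPL after:  %u\n", near_transfer_cpl(0));
    return 0;
}
```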

You use iret from the kernel to return to user-space.

System calls and interrupts run kernel code; in a normal OS the kernel doesn't call far to lower privilege levels.

And yes, I think a far ret would be unable to raise the privilege level back to ring 0 from ring 1..3.

Peter Cordes